Question : Pass thru IPsec on Cisco ASA

We have an ASA 5510 as our external firewall and have and internal Firewall 10.x.x.1 as the VPN server. I want to pass IPSec to the internal firewall to build the tunnel. From the logs on the internal firewall I can see that traffic is getting to it, packets are received by the other sites and a packet is sent back but on the remote sites firewall it never gets anything back, it shows that it is failing phase 2 negotiation because phase 1 times out. Here is my configuration. To make things a little more fun we also have an ISA server 10.x.x.2 doing PPTP connections (this is working though). Thought that I would add that to explain why some of that stuff is there in the configuration.
Code Snippet: 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:

names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 204.x.x.50 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.x.x.254 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.x.x.35 255.255.252.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name vand1.oppy.com
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 204.x.x.50 eq smtp
access-list Outside_access_in extended permit tcp any host 204.x.x.50 eq ssh
access-list Outside_access_in extended permit tcp any host 204.x.x.50 eq 4080
access-list Outside_access_in extended permit tcp any host 204.x.x.51 eq https
access-list Outside_access_in extended permit tcp any host 204.x.x.51 eq www
access-list Outside_access_in extended permit tcp any host 204.x.x.201 eq www
access-list Outside_access_in extended permit tcp any host 204.x.x.201 eq https
access-list Outside_access_in extended permit tcp any host 204.x.x.54 eq www
access-list Outside_access_in extended permit tcp any host 204.x.x.54 eq https
access-list Outside_access_in extended permit tcp any host 204.x.x.52 eq https
access-list Outside_access_in extended permit tcp any host 204.x.x.53 eq www
access-list Outside_access_in extended permit tcp any host 204.x.x.53 eq https
access-list Outside_access_in extended permit gre any host 204.x.x.50
access-list Outside_access_in extended permit tcp any host 204.x.x.50 eq pptp
access-list Outside_access_in extended permit esp any host 204.x.x.50
access-list Outside_access_in extended permit udp any eq isakmp host 204.x.x.50
access-list Outside_access_in extended permit udp any eq 4500 host 204.x.x.50
access-list DMZ_access_in extended permit ip host 10.x.x.3 any
access-list DMZ_access_in extended permit ip host 10.x.x.2 any
access-list DMZ_access_in extended permit ip host 10.x.x.1 any
access-list DMZ_access_in extended permit udp host 10.x.x.1 any
access-list test-udp-acl extended permit udp any any eq isakmp
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp 204.x.x.53 https 10.x.x.2 https netmask 255.255.255.255
static (inside,Outside) tcp interface ssh 10.x.x.2 ssh netmask 255.255.255.255
static (inside,Outside) tcp interface smtp 10.x.x.2 smtp netmask 255.255.255.255
static (inside,Outside) tcp interface 4080 10.x.x.2 4080 netmask 255.255.255.255
static (inside,Outside) tcp interface pptp 10.x.x.2 pptp netmask 255.255.255.255
static (inside,Outside) tcp interface www 10.x.x.3 www netmask 255.255.255.255
static (inside,Outside) udp interface isakmp 10.x.x.1 isakmp netmask 255.255.255.255
static (inside,Outside) udp interface 4500 10.x.x.1 4500 netmask 255.255.255.255
static (inside,Outside) 204.x.x.51 10.x.x.4 netmask 255.255.255.255
static (inside,Outside) 204.x.x.52 10.x.x.6 netmask 255.255.255.255
static (inside,Outside) 204.x.x.54 10.x.x.5 netmask 255.255.255.255
static (inside,Outside) 204.x.x.201 10.x.x.7 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 204.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.x.x.0 255.255.252.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 172.x.x.0 255.255.0.0 management
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.x.x.4 source management prefer
privilege 15
!
class-map inspection_default
 match default-inspection-traffic
class-map pptp-port
 match port tcp eq pptp
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ipsec-pass-thru
policy-map pptp_policy
 class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface Outside
prompt hostname context
Cryptochecksum:a9ca6e3ebf006b777a1626c27e3b3a9f
: end
Open in New Window
Select All

Answer : Pass thru IPsec on Cisco ASA

Have a look here ..
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
Random Solutions  
 
programming4us programming4us