Hi everyone,
thanks in advance to everyone who can kindly give me a hand.
I am configuring a Cisco ASA 5505 in a LAN-to-LAN scenario; the remote peer is a Checkpoint NG AI R55 (not managed by me) and unfortunately, even though I have entered all the required parameters (pre-shared key, ISAKMP peer, etc.), I still cannot see the tunnel come up between the two.
Also, I need to NAT the IPs of my internal LAN and present myself to the remote peer with the IP of my outside interface.
The parameters are as follows:
Remote PEER: 82.xxx.xxx.70
Remote Host: 82.xxx.xxx.82
Outside(ASA5505) PEER: 195.xxx.xxx.29
Inside(ASA5505): 172.16.1.29
Local host: 172.16.1.28
Encryption: SHA-1, AES-256, PFS group 5
Here is the configuration I have done; thanks again to everyone:
ASA Version 7.2(2)
!
hostname ONLASA001
domain-name online.priv
enable password 4q/LqhB2Sc7L8WvO encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.29 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 195.xxx.xxx.29 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name online.priv
access-list l2l_list extended permit ip 172.16.1.0 255.255.255.0 82.xxx.xxx.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 195.xxx.xxx.0 172.16.1.0 netmask 255.255.255.0
route outside 82.xxx.xxx.0 255.255.255.0 195.xxx.xxx.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set esp-aes-256 esp-none
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set pfs group5
crypto map abcmap 1 set peer 82.xxx.xxx.70
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 82.xxx.xxx.70 type ipsec-l2l
tunnel-group 82.xxx.xxx.70 ipsec-attributes
pre-shared-key *
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:057f858b96c90fb029e5710af503ed66
: end
Conf ASA 5505 lanTOlan
Moderator: Federico.Lagni
For a start, the NAT rules are missing, and so the nat0 for the L2L VPN.
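Added example (not part of the original post or of the moderator's reply): the NAT pieces the reply refers to, written in the pre-8.3 NAT syntax of the ASA 7.2(2) the poster is running, using the addresses from the post (the xxx octets stay as written there). It shows, as two alternatives, the usual nat0 exemption that keeps 172.16.1.0/24 visible to the peer, and the policy PAT to the outside interface address that the post actually asks for. The access-list names nonat and vpn_pat and the NAT IDs 1 and 2 are assumed names. It also binds the transform set to the crypto map entry, something the posted crypto map abcmap 1 never does.

```cisco
! Added example, not the poster's configuration. Addresses are taken from the post.
!
! ===== Option A: inside addresses unchanged across the tunnel (nat0 / NAT exemption) =====
! This is what the reply means by "nat0": traffic that matches the crypto ACL must be
! exempted from NAT. Without it the outbound PAT rewrites the source to 195.xxx.xxx.29,
! the packet no longer matches l2l_list, and it leaves the outside interface in the clear.
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 82.xxx.xxx.0 255.255.255.0
nat (inside) 0 access-list nonat
! Ordinary Internet PAT for everything else (assumed; the posted config has no nat/global pair).
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
! With Option A the posted crypto ACL stays as it is, and the Checkpoint encryption domain
! must contain 172.16.1.0/24:
access-list l2l_list extended permit ip 172.16.1.0 255.255.255.0 82.xxx.xxx.0 255.255.255.0

! ===== Option B: what the post asks for, present the LAN as the outside address =====
! Policy PAT: only traffic towards the remote network is translated to the outside IP.
! On pre-8.3 code the crypto ACL is evaluated after NAT, so it must list the translated
! (post-NAT) source, i.e. the outside interface address, not 172.16.1.0/24.
access-list vpn_pat extended permit ip 172.16.1.0 255.255.255.0 82.xxx.xxx.0 255.255.255.0
nat (inside) 2 access-list vpn_pat
global (outside) 2 interface
no access-list l2l_list extended permit ip 172.16.1.0 255.255.255.0 82.xxx.xxx.0 255.255.255.0
access-list l2l_list extended permit ip host 195.xxx.xxx.29 82.xxx.xxx.0 255.255.255.0
! The remote encryption domain then contains the single host 195.xxx.xxx.29, and only
! connections initiated from the inside can cross the tunnel: PAT has no inbound mapping,
! so the remote host 82.xxx.xxx.82 cannot open connections towards 172.16.1.28.
! The posted static maps the whole LAN onto 195.xxx.xxx.0/24 although the outside
! interface only owns a /29 (and 172.16.1.29 would land on the interface address itself);
! it does not produce the "present as the outside IP" behaviour asked for, so drop it:
no static (inside,outside) 195.xxx.xxx.0 172.16.1.0 netmask 255.255.255.0

! ===== Common to both options =====
! The parameters list says AES-256 / SHA-1 for Phase 2, but the posted transform set uses
! esp-none, i.e. ESP without an integrity algorithm; redefine it with esp-sha-hmac.
crypto ipsec transform-set set esp-aes-256 esp-sha-hmac
! The posted "crypto map abcmap 1" sets match address, pfs and peer but never binds a
! transform set, so the entry is incomplete and no IPsec SA can be negotiated.
crypto map abcmap 1 set transform-set set
```

Apply only one of the two options, not both (a nat0 exemption takes precedence over policy NAT for the same traffic, so combining them silently gives Option A). Afterwards `show crypto isakmp sa` should list peer 82.xxx.xxx.70 in state MM_ACTIVE, `show crypto ipsec sa` should show the encaps/decaps counters increasing for the local/remote identities in l2l_list, and `show xlate` confirms whether a translation was built for the traffic (with Option A there should be none for the tunnel traffic).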