Site-to-Site VPN between HQ, Site A and Site B
Dear brothers,
I really need your kind help on site-to-site VPN.
We have an HQ and 2 sites (Site A & Site B), and we are thinking of setting up a site-to-site VPN between them now.
HQ --> 3845 router (will be the hub) --> has data VLAN 11 & voice VLAN 21
Site A --> 2901 router (will be Spoke 1) --> has data VLAN 12 & voice VLAN 22
Site B --> 1941 router (will be Spoke 2) --> has data VLAN 13 & voice VLAN 23
So my questions are:
1 - When the VPN comes up, will only the HQ data & voice VLANs be able to reach the Site A & B data & voice VLANs, and vice versa?
2 - When the VPN comes up, will the Site A data & voice VLANs be able to reach the Site B data & voice VLANs, and vice versa?
Thank you
Hello
I think this example explains what you need: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...
Kind regards
Averroès.
Tags: Cisco Security
Similar Questions
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the internet IP address of the firewall on the other side, and from a desktop computer I can ping the internal IP address of the datacenter firewall, but I can't carry traffic between the datacenter and desktop private subnets. Can anyone help?
The config below has had IPs/passwords changed.
External datacenter: 1.1.1.4
External office: 1.1.1.1
Internal datacenter: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2(1)
!
hostname datacenterfirewall
domain-name mydomain.tld
enable password thepassword encrypted
passwd encrypted
names
name 10.10.0.0 OfficeNetwork
name 10.5.0.0 DatacenterNetwork
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name buydomains.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto dynamic-map ciscopix 1 set transform-set walthamoffice
crypto dynamic-map ciscopix 1 set reverse-route
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.5.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.5.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.5.0.2-10.5.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.250.45.2 source outside
ntp server 72.18.205.157 source outside
ntp server 208.53.158.34 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end
Mattew, what is obviously missing is the NAT exemption rule for your tunnel; your access list pixtosw is similar to the one in this example. I assume you have gone through this link; if not, see the configs on both sides.
Add the NAT exemption rule on the ASA and try again:
nat (inside) 0 access-list pixtosw
Regards
-
Hi, we just got an ISR4331 router. We will use this router in our datacenter as the VPN hub. Note that it will have a static IP address. Our goal is to connect 30 small offices to the datacenter by site-to-site VPN. All of our offices have an RV042 router and a DSL connection, so a dynamic public IP. How do we accomplish this task? Above all, the VPN connection needs to be stable and the tunnels should not need frequent reconfiguration.
Thank you
GM
Hello
Please check the config below:
HUB:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key secretkey address 0.0.0.0 0.0.0.0
(This is because the remote routers have dynamic public IP addresses, while the HUB router has the static one.)
Define your interesting traffic. Note that I have specified it for two tunnels, but basically it will be the same for the rest, apart from the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24. You will need to replace these with your existing setup.
ip access-list extended TUN1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TUN2
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Create your Phase 2 policy:
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map S2STUN 1 ipsec-isakmp dynamic HUB_TUN
crypto dynamic-map HUB_TUN 10
 set security-association lifetime seconds 86400
 set transform-set TS
 match address TUN1
!
crypto dynamic-map HUB_TUN 11
 set security-association lifetime seconds 86400
 set transform-set TS
 match address TUN2
Now apply the crypto map to your WAN interface:
interface gi0/1
 crypto map S2STUN
Now configure your remote routers.
Remote router 1:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key secretkey address x.x.x.x (replace with the public IP address of the HUB)
!
ip access-list extended TUNNEL_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map TUN_TO_HUB 10 ipsec-isakmp
 set peer x.x.x.x (replace with the public IP address of the HUB)
 set transform-set TS
 match address TUNNEL_TRAFFIC
!
interface gi0/1
 crypto map TUN_TO_HUB
Remote router 2:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key secretkey address x.x.x.x (replace with the public IP address of the HUB)
!
ip access-list extended TUNNEL_TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map TUN_TO_HUB 10 ipsec-isakmp
 set peer x.x.x.x (replace with the public IP address of the HUB)
 set transform-set TS
 match address TUNNEL_TRAFFIC
!
interface gi0/1
 crypto map TUN_TO_HUB
HTH. Rate helpful posts.
Kind regards
Terence
-
Need some advice about the VPN between a local Cisco router and a remote Watchguard
Hi all
I am configuring a Cisco 887 router to VPN to a Watchguard device at the remote site.
From what I understand, the VPN tunnel is UP. I can ping the remote server on the 192.168.110.0 network, but whenever I try to browse to it from the local server, it doesn't work.
I can ping the remote server by IP address from the local server, but not from the Cisco router. Is this working as expected?
--------------------------------------------------------------------------------------
R5Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
110.142.127.237 122.3.112.10    QM_IDLE           2045 ACTIVE
IPv6 Crypto ISAKMP SA
--------------------------------------------------------------------------------------
R5Router#sh crypto session
Crypto session current status
Interface: Virtual-Access2
Session status: DOWN
Peer: 122.3.112.10 port 500
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 122.3.112.10 port 500
  IKEv1 SA: local 110.142.127.237/500 remote 122.3.112.10/500 Active
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
Crypto ACL 102 should really contain only 1 line, that is:
10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
and you should have the mirror-image ACL line on the remote end too.
Please remove the remaining lines from ACL 102.
I guess that ACL 101 is the NAT exemption; if it is, please include "deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255" on top of your current "permit" line.
Clear the tunnels as well as the NAT translation table after the changes described above.
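The two checks in the answer above (the crypto ACL must be a mirror image of the remote peer's, and the NAT ACL must deny the VPN pairs before its catch-all permit) are the same ones the Sonicwall thread's "nat 0" fix addresses. The script below is an added example, not code from either thread: it parses IOS wildcard-style and ASA mask-style ACL lines into network pairs and reports mirror and NAT-exemption mismatches. The ACL text it runs on is constructed from the subnets in this thread (192.168.0.0/24 behind the 887, 192.168.110.0/24 behind the Watchguard); object names such as OfficeNetwork are not resolved.

```python
import ipaddress


def _take_net(toks, wildcard):
    """Consume one address spec ('any', 'host A', or 'A mask') and return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    addr, mask = toks[0], toks[1]
    if wildcard:  # IOS wildcard bits are the inverse of a subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), toks[2:]


def parse_acl(text, wildcard=True):
    """Return [(action, proto, src_net, dst_net)] from numbered/named IOS ACL lines
    (wildcard=True) or ASA 'extended' lines (wildcard=False). Remarks, headers and
    blank lines are skipped; only literal addresses are understood."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if toks and toks[0] == "access-list":      # 'access-list 102 ...' or 'access-list NAME extended ...'
            toks = toks[2:]
            if toks and toks[0] == "extended":
                toks = toks[1:]
        elif toks and toks[0].isdigit():           # sequence number inside a named ACL
            toks = toks[1:]
        if len(toks) < 3 or toks[0] not in ("permit", "deny"):
            continue
        action, proto = toks[0], toks[1]
        src, rest = _take_net(toks[2:], wildcard)
        dst, _ = _take_net(rest, wildcard)
        entries.append((action, proto, src, dst))
    return entries


def mirror_problems(local_acl, remote_acl):
    """Every permit pair on one side must appear with src/dst swapped on the other."""
    local_pairs = {(p, s, d) for a, p, s, d in local_acl if a == "permit"}
    remote_pairs = {(p, s, d) for a, p, s, d in remote_acl if a == "permit"}
    problems = []
    for p, s, d in sorted(local_pairs, key=str):
        if (p, d, s) not in remote_pairs:
            problems.append(f"local '{p} {s} -> {d}' has no mirror entry on the remote peer")
    for p, s, d in sorted(remote_pairs, key=str):
        if (p, d, s) not in local_pairs:
            problems.append(f"remote '{p} {s} -> {d}' has no mirror entry locally")
    return problems


def nat_exempt_problems(nat_acl, crypto_acl):
    """First-match semantics: the first NAT entry covering a crypto pair must be a deny,
    otherwise that traffic is translated before it can match the crypto ACL."""
    problems = []
    for a, p, s, d in crypto_acl:
        if a != "permit":
            continue
        for na, npr, ns, nd in nat_acl:
            if s.subnet_of(ns) and d.subnet_of(nd) and npr in ("ip", p):
                if na != "deny":
                    problems.append(f"{s} -> {d} is NATed: first match is '{na} {npr} {ns} {nd}'")
                break
        else:
            problems.append(f"{s} -> {d} matches no NAT entry; add an explicit deny")
    return problems


# Constructed inputs modelled on the thread: the 887's over-long crypto ACL 102, the
# single-line version the answer asks for, the Watchguard side, and NAT ACL 101 before/after.
LOCAL_CRYPTO_BEFORE = """
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 102 permit icmp 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 102 permit ip host 122.3.112.10 192.168.0.0 0.0.0.255
"""
LOCAL_CRYPTO_AFTER = "10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255"
REMOTE_CRYPTO = "10 permit ip 192.168.110.0 0.0.0.255 192.168.0.0 0.0.0.255"
NAT_BEFORE = "access-list 101 permit ip 192.168.0.0 0.0.0.255 any"
NAT_AFTER = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, local, nat in (("before", LOCAL_CRYPTO_BEFORE, NAT_BEFORE), ("after", LOCAL_CRYPTO_AFTER, NAT_AFTER)):
        crypto = parse_acl(local)
        print(label, mirror_problems(crypto, parse_acl(REMOTE_CRYPTO)), nat_exempt_problems(parse_acl(nat), crypto))
```

Run it as a script to see the extra lines flagged before the fix and a clean result after; pass `wildcard=False` for ASA-style lines with subnet masks.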
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
In the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easy... But it seems I was mistaken.
I configured a site-to-site VPN as described in Document ID 110198: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).
I ran the wizards on the ASA with ASDM and on the 1841 (current IOS version 15.1) with CCP.
It seems that Phase 1 and 2 are coming up, although my ASA in ASDM reports (Monitoring > VPN > VPN Statistics > Sessions) a tunnel established with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500
    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Output of the command: "sh crypto isakmp sa"
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
1   IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
On the 1841:
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE
1841#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
It seems that routing on the 1841 is working properly, as I can tear down the tunnel and bring it back up by pinging a host on the 1841's network, but not vice versa.
The Troubleshoot VPN report on the 1841 shows a message like: "The following sources are routed through the crypto map interface. (172.20.2.0 1) Go to 'Configure -> Routing' and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I'd highly appreciate any hint!
Here is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ $FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end
As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA does not receive any VPN packets because the IOS router is not sending anything.
Try sending packets from the 1841 LAN to the ASA LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).
So the problem seems to be on the router side.
I thought it could be a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for the VPN traffic.
Follow these steps:
Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets bypass translation and get encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
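Federico's diagnosis rests on reading the counters from both ends: the ASA encapsulates (400) but never decapsulates, while the 1841 decapsulates (585) but never encapsulates, so the side that never encrypts is the one to investigate. The script below is an added example, not code from the thread: it parses `show crypto ipsec sa` output from either platform, classifies each SA, and names the silent peer. The two captures are constructed from the counter values Joerg posted; the subnets and peer addresses are the ones in his output.

```python
import re

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:?\s*(\d+)")
PEER_RE = re.compile(r"current_peer:?\s+(\S+)")
IDENT_RE = re.compile(r"local\s+ident")


def parse_ipsec_sa(output):
    """Return one dict per SA block (a block starts at each 'local ident' line).
    Works on both ASA ('#pkts encaps: N') and IOS ('#send errors N') spellings."""
    sas, cur = [], None
    for line in output.splitlines():
        if IDENT_RE.search(line):
            cur = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for name, val in COUNTER_RE.findall(line):
            cur[name] = int(val)
        for name, val in ERROR_RE.findall(line):
            cur[name + "_errors"] = int(val)
    return sas


def diagnose(sa):
    """Classify one SA from its encaps/decaps counters; returns (code, hint)."""
    if sa["encaps"] and sa["decaps"]:
        return "two-way", "traffic flows in both directions"
    if sa["encaps"]:
        return "one-way-outbound", ("this side encrypts but never decrypts a reply: check the remote "
                                    "peer's crypto ACL, NAT exemption and routing toward this LAN")
    if sa["decaps"]:
        return "one-way-inbound", ("this side decrypts but never encrypts: its own crypto ACL, NAT "
                                   "exemption or routing keeps the replies out of the tunnel")
    return "idle", "no packets in either direction; confirm interesting traffic is being generated"


def silent_sides(sides):
    """sides: {device name: sa}. Names of the devices whose SA never encrypted anything."""
    return [name for name, sa in sides.items() if sa["encaps"] == 0]


# Constructed captures reproducing the counters reported in the thread.
ASA_OUTPUT = """\
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.153.156.163
      local ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
      current_peer: 217.86.154.120
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
IOS_OUTPUT = """\
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    asa, ios = parse_ipsec_sa(ASA_OUTPUT)[0], parse_ipsec_sa(IOS_OUTPUT)[0]
    for name, sa in (("ASA", asa), ("1841", ios)):
        print(name, sa["peer"], *diagnose(sa))
    print("investigate:", silent_sides({"ASA": asa, "1841": ios}))
```

Nonzero `send_errors` or `recv_errors` are kept in the parsed record so a caller can distinguish "never offered to the tunnel" (what the thread shows) from "offered but failing".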
-
Site to Site VPN between 5510 and 5505
I am trying to get a site-to-site VPN up and running between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the DSL provider, Verizon.
They have a 5505 with a static IP connected by cable modem. From their 5505 I can ping the external IP of my 5510 without problem. All the settings are correct on both sides; they mirror the same settings, and yet the static VPN does not come up.
Is there some sort of CLI command I must issue to bring it up?
Also, I was wondering if maybe my 2821 is blocking all VPN traffic because it doesn't have to be re-NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.
Simply put, traffic from their 192.168.40.0 subnet into our 192.168.250.0/23 VOIP subnet.
Attached is a basic outline. I can provide the configs for almost everything.
Hello
You have two crypto map sequences with similar parameters (except the transform set). Get rid of the extra crypto map sequences:
On the satellite ASA:
no crypto map outside_map 2 match address outside_cryptomap
no crypto map outside_map 2 set pfs
no crypto map outside_map 2 set peer smivpn.sorensonmedia.com
no crypto map outside_map 2 set transform-set ESP-3DES-MD5
no crypto map outside_map 2 set security-association lifetime seconds 28800
no crypto map outside_map 2 set security-association lifetime kilobytes 4608000
no crypto map outside_map 2 set reverse-route
On the company ASA:
no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer cda.asa5505
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set reverse-route
Then check and capture debugs.
HTH
Sangaré
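The problem Sangaré points at, two sequences of the same crypto map pointing at the same peer with different transform sets, is easy to miss by eye in a long config. The script below is an added example, not code from the thread: it groups `crypto map NAME SEQ ...` lines by sequence, flags peers that appear in more than one sequence of one map, and emits the `no` commands for the sequence to remove, in the form the answer above uses. The sample config is constructed; it mirrors the names that appear in the thread (outside_map, cda.asa5505, ESP-3DES-SHA, ESP-3DES-MD5).

```python
import re
from collections import defaultdict

# 'crypto map <name> <seq> <attribute...>'; the interface binding line has no sequence and is skipped
ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (.+?)\s*$")


def parse_crypto_map(config):
    """Return {(map name, seq): [attribute, ...]} preserving attribute order."""
    entries = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
    return entries


def duplicate_peers(entries):
    """{(map name, peer): [seq, ...]} for every peer set in more than one sequence of a map."""
    by_peer = defaultdict(list)
    for (name, seq), attrs in sorted(entries.items()):
        for a in attrs:
            if a.startswith("set peer "):
                by_peer[(name, a[len("set peer "):])].append(seq)
    return {k: v for k, v in by_peer.items() if len(v) > 1}


def transform_sets(entries, name, seqs):
    """Transform set configured in each of the given sequences (to show what differs)."""
    out = {}
    for seq in seqs:
        for a in entries[(name, seq)]:
            if a.startswith("set transform-set "):
                out[seq] = a[len("set transform-set "):]
    return out


def removal_commands(entries, name, seq):
    """'no' form of every attribute of one sequence, as the answer above removes a duplicate."""
    return [f"no crypto map {name} {seq} {a}" for a in entries[(name, seq)]]


# Constructed sample: two sequences for the same peer, differing only in transform set.
SAMPLE_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer cda.asa5505
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer cda.asa5505
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    entries = parse_crypto_map(SAMPLE_CONFIG)
    for (name, peer), seqs in duplicate_peers(entries).items():
        print(f"{name}: peer {peer} in sequences {seqs}, transform sets {transform_sets(entries, name, seqs)}")
        for cmd in removal_commands(entries, name, seqs[-1]):
            print("  " + cmd)
```

Which sequence to keep is a judgement call (the one whose transform set matches the far end); the script proposes removing the later one only because that is what the answer above does.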
-
Question about hub and spoke VPN between several sites
Hello
I currently have a "hub" ASA 5505 that connects to 4 sites running 877 routers.
From the hub network I can connect to all the sites fine, but what I would like to do is more or less compartmentalize the different VPN links into small groups.
The ASA 5505 hub mainly provides IP telephony over the VPN from a PBX, allowing users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would like to be able to call each other internally through the hub. Obviously traffic would have to be allowed between their different networks.
Currently, when you try an internal call it rings, but there is no audio either way. I guess that's due to access list restrictions. I don't know yet if what I'm trying to achieve is possible, as I'm a bit of a rookie, but any help would be appreciated. I have attached the hub and 2 spokes below.
The ideal end result would be interconnectivity between the two spokes through the hub; from what I read it seems possible, but I can't get my head around it! Would it involve using different subnet masks for the hub?
Any help would be greatly appreciated!
Thank you
Jack
ASA "hub" VPN config
object network OAKOW
 subnet 192.168.12.0 255.255.255.0
object network OAKIV
 subnet 192.168.11.0 255.255.255.0
access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV
object network obj_any
 nat (inside,outside) dynamic interface
access-group incoming in interface outside
crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
crypto map HOSTEDMAP 100 match address ACL_OAKOW
crypto map HOSTEDMAP 100 set pfs
crypto map HOSTEDMAP 100 set peer 4.3.2.1
crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
crypto map HOSTEDMAP 101 match address ACL_OAKIV
crypto map HOSTEDMAP 101 set pfs
crypto map HOSTEDMAP 101 set peer 5.6.7.8
crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS
crypto map HOSTEDMAP interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
group-policy TBOakOW internal
group-policy TBOakOW attributes
 vpn-tunnel-protocol ikev1
group-policy TBOakIV internal
group-policy TBOakIV attributes
 vpn-tunnel-protocol ikev1
tunnel-group 4.3.2.1 type ipsec-l2l
tunnel-group 4.3.2.1 general-attributes
 default-group-policy TBOakOW
tunnel-group 4.3.2.1 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 general-attributes
 default-group-policy TBOakIV
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key *
877 VPN "spoke 1" config
vpdn enable
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address 1.2.3.4
crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac
crypto map OakOW 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set TB0ak
 set pfs group2
 match address VPN
interface Vlan1
 description -LAN-
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
interface Dialer0
 crypto map OakOW
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended NAT
 deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
877 VPN "spoke 2" config
vpdn enable
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address 1.2.3.4
crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac
crypto map TBVPNOak 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set HOSTEDTS
 set pfs group2
 match address ACL-VPN-to-ASA
interface Vlan1
 description internal LAN
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
interface Dialer0
 crypto map TBVPNOak
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended ACL-VPN-to-ASA
 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended NAT
 deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
You must rewrite the ACLs on spoke 1:
ip access-list extended NAT
 deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
and on spoke 2:
ip access-list extended NAT
 deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended ACL-VPN-to-ASA
 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
And the ACLs on the ASA:
access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
You must also allow intra-interface traffic:
same-security-traffic permit intra-interface
Also, you can check the NAT translations with the "debug nat" command.
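The answer above hand-writes, for two spokes, the pattern that spoke-to-spoke traffic through a hub needs: each spoke's crypto ACL lists the hub LAN and every other spoke, its NAT ACL denies those same pairs before the catch-all permit, and the hub's per-spoke crypto ACL carries the hub LAN plus all other spokes toward that spoke. The generator below is an added example, not code from the thread, and generalizes the answer to any number of spokes. Subnets and object names follow the thread (hub 192.168.5.0/24, OAKOW 192.168.12.0/24, OAKIV 192.168.11.0/24); the spoke ACL names VPN and NAT are assumed for every spoke, and the hub-side NAT statements are outside what the answer covers and are not generated.

```python
import ipaddress

IPv4Network = ipaddress.IPv4Network


def spoke_acls(spoke, spokes, hub_net):
    """IOS lines for one spoke: crypto ACL 'VPN' to the hub and every other spoke,
    and NAT ACL 'NAT' denying those pairs before the catch-all permit (ACL names assumed)."""
    me = spokes[spoke]
    targets = [hub_net] + [net for name, net in spokes.items() if name != spoke]
    crypto = ["ip access-list extended VPN"]
    nat = ["ip access-list extended NAT"]
    for t in targets:
        pair = f"ip {me.network_address} {me.hostmask} {t.network_address} {t.hostmask}"
        crypto.append(f" permit {pair}")
        nat.append(f" deny {pair}")   # order matters: denies must precede the permit-any
    nat.append(f" permit ip {me.network_address} {me.hostmask} any")
    return crypto + nat


def hub_acls(spokes, hub_net):
    """ASA lines: the crypto ACL for spoke X lists the hub LAN and every other spoke as the
    local side, so the hub's tunnel to X also carries traffic that arrived from other spokes.
    Hairpinning out of the same interface additionally needs the intra-interface permit."""
    lines = []
    for name, net in spokes.items():
        local_side = [hub_net] + [other for o, other in spokes.items() if o != name]
        for l in local_side:
            lines.append(f"access-list ACL_{name} extended permit ip "
                         f"{l.network_address} {l.netmask} {net.network_address} {net.netmask}")
    lines.append("same-security-traffic permit intra-interface")
    return lines


def hub_mirrors_spoke(spoke, spokes, hub_net):
    """Sanity check: every pair the spoke will encrypt appears swapped in the hub's ACL for it."""
    hub_pairs = set()
    for line in hub_acls(spokes, hub_net):
        toks = line.split()
        if toks[0] == "access-list" and toks[1] == f"ACL_{spoke}":
            hub_pairs.add((toks[5], toks[7]))          # (local net, remote net) on the hub
    for line in spoke_acls(spoke, spokes, hub_net):
        toks = line.split()
        if toks[0] == "permit" and toks[-1] != "any":
            if (toks[4], toks[2]) not in hub_pairs:    # swapped: spoke src is hub dst
                return False
    return True


# Constructed topology matching the thread.
HUB_NET = IPv4Network("192.168.5.0/24")
SPOKES = {"OAKOW": IPv4Network("192.168.12.0/24"), "OAKIV": IPv4Network("192.168.11.0/24")}

if __name__ == "__main__":
    for name in SPOKES:
        print(f"! spoke {name}")
        print("\n".join(spoke_acls(name, SPOKES, HUB_NET)))
    print("! hub ASA")
    print("\n".join(hub_acls(SPOKES, HUB_NET)))
```

Adding a third spoke is just another dictionary entry; every existing spoke's ACLs then gain one more pair, which is exactly the maintenance burden the answer's hand-edited lists would grow into.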
-
Site to Site VPN between PIX and Linksys RV042
I am trying to create a VPN tunnel between a PIX 506E and a Linksys RV042. I configured Phase 1 and Phase 2 as well as the transform set and interesting traffic and bound the crypto map to the outside interface, but it will not create the tunnel. The configurations are as follows:
PIX 506E running PIX OS 6.3
part of pre authentication ISAKMP policy 40
ISAKMP policy 40 cryptographic 3des
ISAKMP policy 40 sha hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
crypto Columbia_to_Office 10 card matches the address 101
card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
Columbia_to_Office interface card crypto outsideLinksys RV042
Configuration of local groups
IP only
IP address: 96.10.xxx.xxx
Type of local Security group: subnet
IP address: 192.168.1.0
Subnet mask: 255.255.255.0Configuration of the remote control groups
IP only
IP address: 66.192.xxx.xxx
Security remote control unit Type: subnet
IP address: 192.168.21.0
Subnet mask: 255.255.255.0IPSec configuration
Input mode: IKE with preshared key
Group Diffie-Hellman phase 1: group2
Phase 1 encryption: 3DES
Authentication of the phase 1: SHA1
Life of ITS phase 1: 86400
Phase2 encryption: 3DES
Phase2 authentication: SHA1
Phase2 life expectancy: 3600 seconds
Pre-shared key *.I'm a novice on the VPN. Thanks in advance for your expertise.
Yes, version PIX 6.3 does not support HS running nat or sh run crypto.
Please please post the complete config if you don't mind.
Please also try to send traffic between subnets 2 and get the output of:
See the isa scream his
See the ipsec scream his
-
As my question states, I don't want auto-complete on any site and it happens on this one site. I went through Tools and Options and there are no sites listed for auto-complete. There are no saved passwords. If I go to the site using Internet Explorer, the problem does not occur.
Hi again, I solved the problem. I reinstalled Firefox first but that did not do it, so I reset Firefox and that cleared the auto-complete. Now I will have to reinstall the extensions, etc., but I am happy, thank you for spending the time.
-
I'm trying to export information from one site to another, i.e. the products to sell from Doba to eBay. I get an error telling me to "set associations"?
Looks like a prompt to set the default program for opening a certain type of file.
This can be done in two places: Settings > Apps, or right-click on the Start button to open the Control Panel, choose View by: icons, then Default Programs.
-
Is there a way to copy / transfer / export existing assets from one site to the other?
I have like 20+ documents in one of my sites that I need to transfer to another site... What is a quick way to do it without re-uploading everything to my new website?
Either way, you would still have to re-upload.
If they are both Muse sites you can open both sites in Muse and copy and paste the content you want moved across.
-
Executing a select statement twice in one session, what is happening in the PGA?
Hi guys,
Oracle 10g.
I was just asked: when executing a select twice in one session, what happens in the PGA?
I know that Oracle does not need to parse this statement again because of the SGA "library cache", and perhaps does not need to perform the IO work because of the SGA "db buffer cache", but is the first fetched result set cached in the PGA, so that it could be returned directly to the user without doing anything in the SGA?
I'm not familiar with the details of the memory structure in Oracle; what exactly does the PGA contain?
Thank you very much!
The results would be fetched again, not cached. By default.
However, in 11g, you can try using the CLIENT_RESULT_CACHE (which should work with an Oracle sqlplus client).
See http://download.oracle.com/docs/cd/E11882_01/server.112/e16638/memory.htm#PFGRF961
Hemant K Chitale
-
VPN between 2 routers Cisco 1841 (LAN to LAN)
Hello
I need to connect two offices (two different LANs) using Cisco 1841 routers at both ends.
Currently both Cisco routers are in working order and act as the internet gateway for the LAN clients (doing NAT).
Can someone please tell us the easiest way to set up a VPN between the two sites, so that LAN users at one office can access the email/application servers at the other office LAN.
I understand that I need IPSec Site to Site VPN (I think).
Can anyone please advise.
Kind regards.
s.nasheet wrote:
Hi,
I need to connect two offices (two different LANs) together using Cisco 1841 routers at both ends.
Currently both Cisco routers are in working order and acting as an internet gateway to the LAN clients (doing NAT).
Can anybody please advise what is the easiest method to configure VPN between two sites so that LAN users at one office are able to access the email/application servers at the other LAN office.
I understand I need IPSec Site to Site VPN (I think).
Can anyone please advise.
Regards.
Yes, you need a site-to-site VPN. Start with this link, which gives a number of examples for setting up a S2S VPN between 2 Cisco routers.
http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16
Jon
-
L2L VPN between two ASA5505s does not work
Let me start by saying I know a thing or two about networks. VPN not so much.
I am trying to configure a Site-to-Site VPN between two ASA 5505s. I am building this in the office lab before I deploy it to the end sites. I followed the instructions on this very informative forum and think I have it set up correctly. I can see the tunnel being built and I even see the traffic counters incrementing. But the real user sessions do not seem to work. For example, ping and telnet do not work.
An excerpt from the syslog for a ping test to a computer on the remote end.
(10.1.10.5 is the local computer, 10.1.11.5 is the remote computer. 10.1.11.1 is the inside interface of the remote ASA)
6 | January 20, 2012 | 01:04:12 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:04:10 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:04:07 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:04:05 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:04:02 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:04:00 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:57 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:55 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:48 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:46 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:43 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:41 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:38 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | January 20, 2012 | 01:03:36 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
5 | January 20, 2012 | 01:03:32 | 713041 | IP = 192.168.24.211, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.24.211 local Proxy Address 10.1.10.0, remote Proxy Address 10.1.11.0, Crypto map (outside_map)
This is the configuration for one of them. The other is configured the same way with the usual settings reversed.
ASA Version 8.2(1)
!
hostname ASATWDS
!
names
name 10.1.11.0 remote-network
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.24.210 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.24.1 1
route outside remote-network 255.255.255.0 192.168.24.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.24.211
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.10.5-10.1.10.36 inside
dhcpd dns 209.18.47.61 209.18.47.62 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.24.211 type ipsec-l2l
tunnel-group 192.168.24.211 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b4bea5393489da3aa83f281d3107a32e
The configuration looks good to me, but I think you don't need the following:
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
Anyway,
1> Can you please check whether the computer you are trying to ping or telnet to is running a host-based firewall, anti-virus or iptables (Linux)?
2> Paste the output of
a> sh crypto ipsec sa
b> sh crypto isakmp sa
Manish
-
VPN between RV120W and ISA550W
Hi guys,
Wonder if you can shed some light on my problem before I lose all my hair!
I'm trying to create a VPN between an RV120W at a remote site and our ISA550W in our offices... I can't get it to connect!
I have set up an IPsec tunnel between the sites, but it does not want to connect.
Remote site - RV120W
IKE policy table
Direction / Type
Exchange mode: Main
Encryption: 3DES
Auth: SHA-1
DH group: 2
Auth: Pre-Shared Key
SA lifetime: 28800
Xauth: no
VPN policy
Policy type: Auto
Remote endpoint: IP address
Local IP: subnet
Remote IP: subnet
Auto policy parameters
SA lifetime: 3600 seconds
Encryption algorithm: 3DES
Integrity algorithm: SHA-1
PFS key group: Enable
DH group: 2 (1024 bits)
Headquarters - ISA550W
IPsec policy
Remote type: Static IP address
Auth type: Pre-shared Key
Local ID: (empty)
Remote ID: (empty)
IKE
Hash: SHA1
Pre-shared Key
DH group: group 2 (1024 bits)
Lifetime: 8 hours
Transform
Integrity: ESP_MD5_HMAC
Encryption: ESP_3DES
Errors I'm getting in the logs
Remote RV120W (note! I changed the external IPs to protect the innocent!)
2013-10-29 14:39:20: [rv120w] [IKE] INFO: respond new phase 2 negotiation: 69.193.0.0[0]<=>80.4.0.0[0]
2013-10-29 14:39:20: [rv120w] [IKE] INFO: configuring using IPsec SA: 192.168.3.0/24<->192.168.1.0/24
2013-10-29 14:39:20: [rv120w] [IKE] INFO: setting encmode 3 (3)-> peer Tunnel (1)
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: peer's proposal:
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id=ESP spisize=4 spi=8846693d spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: local proposal:
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=5:5)
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
2013-10-29 14:39:20: [rv120w] [IKE] WARNING: no proposal for Phase 2 from 80.4.0.0[0] matched.
2013-10-29 14:39:20: [rv120w] [IKE] ERROR: no suitable policy found for 80.4.0.0[0]
2013-10-29 14:39:20: [rv120w] [IKE] INFO: sending informational exchange: notify payload [NO-PROPOSAL-CHOSEN]
2013-10-29 14:39:20: [rv120w] [IKE] INFO: purged ISAKMP Security Association with proto_id=ISAKMP and spi=c8d68f74af9dfa9a:b4137fd6e0666914.
2013-10-29 14:39:29: [rv120w] [IKE] INFO: accept a request to establish IKE-SA: 80.4.0.0
2013-10-29 14:39:29: [rv120w] [IKE] INFO: configuration found for 80.4.0.0
2013-10-29 14:39:29: [rv120w] [IKE] INFO: initiate new phase 1 negotiation: 69.193.0.0[500]<=>80.4.0.0[500]
2013-10-29 14:39:29: [rv120w] [IKE] INFO: begin Identity Protection mode.
2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2013-10-29 14:39:29: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID
2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: DPD
2013-10-29 14:39:30: [rv120w] [IKE] INFO: received Vendor ID: RFC 3947
2013-10-29 14:39:30: [rv120w] [IKE] INFO: for 80.4.0.0[500], selected NAT-T version: RFC 3947
2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT-D payload matches for 69.193.0.0[500]
2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT-D payload does not match for 80.4.0.0[500]
2013-10-29 14:39:30: [rv120w] [IKE] INFO: NAT detected: PEER
2013-10-29 14:39:30: [rv120w] [IKE] INFO: for debugging: change ports
2013-10-29 14:39:30: [rv120w] [IKE] INFO: change port!
2013-10-29 14:39:30: [rv120w] [IKE] INFO: received unknown Vendor ID
2013-10-29 14:39:30: [rv120w] [IKE] INFO: ISAKMP Security Association established for 69.193.0.0[4500]-80.4.0.0[4500] with spi: 740e6a59f02eca3a:820460c448a5b74b
2013-10-29 14:39:30: [rv120w] [IKE] INFO: sending informational exchange: notify payload [INITIAL-CONTACT]
2013-10-29 14:39:31: [rv120w] [IKE] INFO: initiate new phase 2 negotiation: 69.193.0.0[500]<=>80.4.0.0[0]
2013-10-29 14:39:31: [rv120w] [IKE] INFO: setting encryption mode to use UDP encapsulation
2013-10-29 14:39:31: [rv120w] [IKE] ERROR: Unknown notify message from 80.4.0.0[4500]. No phase2 handle found.
2013-10-29 14:39:41: [rv120w] [IKE] ERROR: Unknown notify message from 80.4.0.0[4500]. No phase2 handle found.
2013-10-29 14:39:51: [rv120w] [IKE] ERROR: Unknown notify message from 80.4.0.0[4500]. No phase2 handle found.
2013-10-29 14:40:01: [rv120w] [IKE] ERROR: Unknown notify message from 80.4.0.0[4500]. No phase2 handle found.
2013-10-29 14:40:02: [rv120w] [IKE] ERROR: Phase 2 negotiation failed due to time up. c8d68f74af9dfa9a:b4137fd6e0666914:f6cdeead
2013-10-29 14:40:02: [rv120w] [IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
Head Office ISA550
2013-10-29 15:25:29 - WARNING - IPsec VPN: msg="PixelNY" #4765: quick mode attempt fails, please check if local IKE/transform/PFS are the same as the remote site; (pluto)
2013-10-29 15:25:29 - WARNING - IPsec VPN: msg="PixelNY" #4765: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message. (pluto)
2013-10-29 15:22:38 - WARNING - IPsec VPN: msg="PixelNY" #4763: quick mode attempt fails, please check if local IKE/transform/PFS are the same as the remote site; (pluto)
2013-10-29 15:22:38 - WARNING - IPsec VPN: msg="PixelNY" #4763: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message. (pluto)
2013-10-29 15:20:28 - WARNING - IPsec VPN: msg="PixelNY" #4761: quick mode attempt fails, please check if local IKE/transform/PFS are the same as the remote site; (pluto)
2013-10-29 15:20:28 - WARNING - IPsec VPN: msg="PixelNY" #4761: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message. (pluto)
2013-10-29 15:20:12 - WARNING - Firewall: type = ACL
If someone could shed some light it would be fantastic!
From the configuration items you listed, here is what I see. The transform sets do not match between the ISA and the RV: change the RV integrity to MD5 or change the ISA transform set to SHA1. I would recommend changing the ISA to SHA1. Also, you don't mention what the ISA IKE policy encryption is, but it's 3DES on the RV, so you'll need to ensure it's 3DES on the ISA. Also note that your SA lifetimes do not match. Technically this should be OK, but it's really best to match them as well. The ISA is 8 hours and the RV is 1 hour (3600 seconds).
Shawn Eftink
CCNA/CCDA
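The RV120W log above already contains the answer: the "peer's proposal" and "local proposal" lines differ only in authtype (hmac-md5 vs hmac-sha), which is exactly the transform mismatch Shawn points out, and the configured lifetimes (8 hours vs 3600 seconds) differ too. The following checker is an added example, not code from the thread or from Cisco: it diffs the two proposals from racoon-style log lines and compares the pasted Phase 2 settings after normalising algorithm names and lifetime units. The log lines are reconstructed from the thread's excerpt using racoon's native wording (an assumption), and the settings dictionaries are the values the poster listed.

```python
"""Spot IKE Phase 2 (quick mode) mismatches from RV120W-style IKE logs and from
the two sides' configured Phase 2 settings."""
import re

# Per-SA fields that legitimately differ between the two proposals
PER_SA = {"spi", "spi_p", "reqid", "spisize"}


def parse_proposals(lines):
    """Collect the attributes printed after 'peer's proposal:' and 'local proposal:'."""
    sides, side = {"peer": {}, "local": {}}, None
    for line in lines:
        msg = line.split("WARNING:", 1)[1].strip() if "WARNING:" in line else ""
        if msg.endswith("proposal:"):
            side = "peer" if msg.startswith("peer") else "local"
        elif side and msg.startswith("("):
            for key, value in re.findall(r"(\w+)=([^\s)]+)", msg):
                if key not in PER_SA:
                    sides[side][key] = value
    return sides


def proposal_mismatches(lines):
    """Return {attribute: (local, peer)} for every attribute the two proposals disagree on."""
    sides = parse_proposals(lines)
    keys = set(sides["local"]) | set(sides["peer"])
    return {k: (sides["local"].get(k), sides["peer"].get(k))
            for k in sorted(keys) if sides["local"].get(k) != sides["peer"].get(k)}


def norm_alg(name):
    """'ESP_MD5_HMAC' -> 'MD5', 'SHA-1' -> 'SHA1', 'ESP_3DES' -> '3DES'."""
    return name.upper().replace("ESP_", "").replace("_HMAC", "").replace("-", "")


def lifetime_seconds(value):
    """Normalise '3600 seconds', '8 hours' or a bare number to seconds."""
    num, _, unit = value.partition(" ")
    factor = {"": 1, "second": 1, "seconds": 1, "minute": 60, "minutes": 60,
              "hour": 3600, "hours": 3600}[unit.lower()]
    return int(num) * factor


def config_mismatches(local, remote):
    """Compare the Phase 2 settings both admins pasted, after normalising names and units."""
    normalise = {"encryption": norm_alg, "integrity": norm_alg, "lifetime": lifetime_seconds}
    out = {}
    for key, fn in normalise.items():
        a, b = fn(local[key]), fn(remote[key])
        if a != b:
            out[key] = (a, b)
    return out


# Constructed from the thread's log excerpt (addresses already anonymised by the poster).
RV_LOG = [
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: peer's proposal:",
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id=ESP spisize=4 spi=8846693d spi_p=00000000 encmode=Tunnel reqid=0:0)",
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)",
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: local proposal:",
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=5:5)",
    "2013-10-29 14:39:20: [rv120w] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)",
]
# Phase 2 settings as listed in the post for each side
RV120W_PHASE2 = {"encryption": "3DES", "integrity": "SHA-1", "lifetime": "3600 seconds"}
ISA550W_TRANSFORM = {"encryption": "ESP_3DES", "integrity": "ESP_MD5_HMAC", "lifetime": "8 hours"}

if __name__ == "__main__":
    print("log:", proposal_mismatches(RV_LOG))
    print("config:", config_mismatches(RV120W_PHASE2, ISA550W_TRANSFORM))
```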
-
Easy VPN between two ASA 9.5 - Split tunnel does not work
Hi guys,
We have set up a site-to-site VPN using Easy VPN configuration between two ASAs running version 9.5(1). The tunnels are up and pings go through between sites. I also configured split tunnel for internet traffic under the group policy of the ASA Easy VPN server. But for some unknown reason all the client-side internet traffic is sent to the primary site. I have configured NAT exemption on the server side and the client side. Please advise if there is any limitation with this setup.
Thank you and best regards,
Arjun T P
I have the same issue and opened a support case.
It's a bug in software 9.5.1. See bug CSCuw22886.