2 VPN tunnels on one ASA: a primary and a backup to the same peer address

Hi all

I have a branch ASA 5505 that has 2 ISP circuits. I have a data center ASA that has 1 ISP circuit. I have a VPN tunnel between the branch ASA's primary circuit and the data center ASA's circuit. I would like to implement SLA redundancy on the branch ASA so I can use the primary and backup circuits, but that means two tunnel configs going to the same peer address, since the data center has only 1 ASA. I read that an ASA cannot have several tunnels to the same peer address because the ASA can have only 1 SA per peer address.

However, if I have my branch ASA configured for SLA redundancy, then only 1 tunnel would be up at once, which I think addresses the SA requirement above.

Can someone tell me if this is possible?

Thank you.

Hi Dean,

You're right about that, because only one link will be active at a time.

On the branch ASA, you can apply the same crypto map to both the primary and the secondary circuit interfaces. You just use SLA tracking to determine how the branch ASA reaches the crypto map peer address (the IP address of the data center ASA).

I wrote an article about a similar scenario here: http://resources.intenseschool.com/using-vpn-tunnels-as-backup-links-primary-and-backup-vpn-tunnels-on-cisco-asa/
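As an added example (not code from this thread or from the linked article), here is a branch-side configuration in ASA 8.2 syntax that does what the reply describes: one crypto map with a single peer, bound to both WAN interfaces, with an IP SLA tracked default route deciding which interface carries the tunnel. It assumes placeholder addresses as marked, a constructed 10.10.1.0/24 branch LAN and 10.20.0.0/16 data center LAN, and a Security Plus license on the 5505 so the third VLAN interface is unrestricted.

```cisco
! Added example, not from the thread. Placeholders:
!   x.x.x.x / y.y.y.y / z.z.z.z = primary outside IP / mask / gateway
!   p.p.p.p / r.r.r.r / q.q.q.q = backup outside IP / mask / gateway
!   d.d.d.d = data center ASA public address (the single peer)
!   10.10.1.0/24 = branch LAN, 10.20.0.0/16 = data center LAN (constructed)
interface Vlan2
 description Primary ISP
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
interface Vlan3
 description Backup ISP
 nameif backup
 security-level 0
 ip address p.p.p.p r.r.r.r

! IP SLA: ping the primary gateway every 5 s; track 1 goes down when the
! probes fail, which removes the tracked default route.
sla monitor 10
 type echo protocol ipIcmpEcho z.z.z.z interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Floating default routes: metric 1 via primary while track 1 is up,
! metric 254 via backup otherwise. The active route selects the interface
! (and so the source address) of the IKE/IPsec session.
route outside 0.0.0.0 0.0.0.0 z.z.z.z 1 track 1
route backup 0.0.0.0 0.0.0.0 q.q.q.q 254

! NAT (8.2 syntax): exempt LAN-to-DC traffic from NAT, PAT everything
! else to whichever WAN interface is in use.
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface

! One crypto map, one peer, bound to both WAN interfaces. Only the
! interface holding the active default route builds an SA to d.d.d.d,
! so the one-SA-per-peer limit is never hit.
access-list L2L-DC extended permit ip 10.10.1.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map WAN-CRYPTOMAP 10 match address L2L-DC
crypto map WAN-CRYPTOMAP 10 set peer d.d.d.d
crypto map WAN-CRYPTOMAP 10 set transform-set AES-256
crypto map WAN-CRYPTOMAP interface outside
crypto map WAN-CRYPTOMAP interface backup
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
! DPD so a dead SA is noticed after a failover/failback, not at lifetime end.
tunnel-group d.d.d.d type ipsec-l2l
tunnel-group d.d.d.d ipsec-attributes
 pre-shared-key PSK
 isakmp keepalive threshold 10 retry 2

! Data center ASA: the branch shows up from either public address, so the
! map entry lists both peers and each address gets its own tunnel-group.
crypto map DC-CRYPTOMAP 10 set peer x.x.x.x p.p.p.p
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p ipsec-attributes
 pre-shared-key PSK
 isakmp keepalive threshold 10 retry 2
```

On failback, the SA that was built through the backup interface has to be torn down (by DPD or by clearing the SA) before the primary path carries the tunnel again, so check `show crypto isakmp sa` on both ends after the primary route returns.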

Tags: Cisco Security

Similar Questions

  • Cisco ASA cannot create several tunnels to the same peer address?

    We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to several non-contiguous subnets at our main office. This was done easily with Smoothwall and Linksys: you create a separate tunnel for each subnet, and voilà, you're done. However, when I tried this with our newly installed ASA, it won't let me create several tunnels to the same remote peer address. This is a problem because these sites have only a single static public IP address. Did I miss something, or does the ASA not allow connections to and from multiple subnets from a site with a single peer address?

    That sounds like a limitation of the WRVS4400N, as the Cisco ASA supports several subnets per tunnel.

    Is there any way that you can configure one larger subnet instead of specific subnets on the ACL?

    For example:

    If you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into the single subnet 192.168.0.0/23.

  • Help with a VPN tunnel between ASA 5510 and Juniper SSG20

    Hello

    We have a customer who wants to configure a site-to-site VPN tunnel between a newly purchased ASA 5510 located at their branch office and their Juniper SSG20 located at the main office. We contacted HP and they sent us a Cisco professional to do the job.

    After 2 days of trial and error from 16:00 to 22:00, countless hours of research online and numerous calls, we are still unable to get traffic from the branch network to enter the tunnel.

    Branch                                              Main
    1.1.1.2                                             1.1.1.1
    -----                                               -----------
    192.168.8.0/24 | ASA |-----------------------------| Juniper |    192.168.1.0/24
    -----                                               -----------
    192.168.8.254                                       192.168.1.254

    According to the Cisco professional, the tunnel is now up but no traffic goes through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We get ping timeouts all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which states "... that both sides of the VPN must have a different class of LAN for the VPN to work..." Would that be our problem?

    It has become a critical issue, to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel up and traffic through until the ASA VPN issue is resolved, and I don't need to say that the client is killing us!

    Help is very appreciated.

    Thank you

    1. Yes, ping packets sourced from the ASA's interface are considered interesting traffic to the Juniper LAN.

    On the ASA, you need to source the traffic from the ASA's inside interface, because the interesting traffic is defined by the crypto ACL MYLIST as traffic between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to ping from the ASA's inside interface:

    management-access inside

    To initiate the ping from the ASA's inside interface:

    ping inside 192.168.1.254

    2. The default time before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically until the next rekey. However, if there is traffic before the rekey, the new tunnel will be established, and the VPN tunnel will stay up and continue to encrypt and decrypt traffic.

    Currently, your configuration has been defined with an IPsec SA lifetime of 3600 seconds OR 4608000 kilobytes of traffic before the next rekey (it will be whichever of 3600 seconds or 4608000 kilobytes expires first). You can certainly change it to the default of 28800 seconds without configuring kilobytes. The SA lifetime is negotiated between the ASA and the Juniper, and whichever is the lowest value will be used.

    Hope that helps.

  • NAT before going into a VPN tunnel on Cisco ASA or SA520

    I have a friend who asked me to try to help. We are establishing a site-to-site VPN with a customer. Our side is a Cisco SA520 and their side is a Check Point. The tunnel is up; we checked that phase 1 and 2 are good. The issue is traffic through the tunnel: our LAN IP addresses are private addresses, 10.10.1.0/24, but the client says we must have a public IP address for our local network in order to access the server on their local network. So, in all the forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the Comcast router on the WAN side of the SA520 firewall. So we were wondering whether there was a way we can use the WAN interface on the SA520, or use another of the 6 addresses we were assigned, to NAT the traffic that passes through the tunnel. Does that sound confusing? Sorry, but it's rare that I have a customer say that I must have a public IP address on my side of the LAN. Now, I said this is an SA520 firewall, but if it is not possible to do with it, is there a way it would be possible with an ASA5505?

    Help or direction would be very useful.

    Hello

    I guess I could quickly write a basic configuration. I can't be sure I remember it all correctly, but it should be the biggest part of it.

    Of course, some of the settings may be different depending on the type of L2L VPN connection settings you have chosen.

    Naturally, there is also a lot of basic configuration which is not mentioned below.

    For example

    • Management and AAA configurations
    • DHCP for LAN
    • Logging
    • Interface "no shutdown"
    • etc.

    Information for the parameters below

    • x.x.x.x = ASA "outside" interface public IP
    • y.y.y.y = ASA "outside" network mask
    • z.z.z.z = ASA "outside" default gateway IP address
    • a.a.a.a = network address of the remote L2L VPN site
    • b.b.b.b = network mask of the remote L2L VPN site
    • c.c.c.c = public IP address of the remote L2L VPN site's VPN peer device
    • PSK = the pre-shared key for the L2L VPN connection

    Interfaces - Default Route - Access-list

    interface Vlan2
     description WAN
     nameif outside
     security-level 0
     ip address x.x.x.x y.y.y.y

    route outside 0.0.0.0 0.0.0.0 z.z.z.z

    interface Ethernet0/0
     description WAN access
     switchport access vlan 2

    • All other interfaces are on the default Vlan1, so their "switchport access vlan x" will not need to be configured

    interface Vlan1
     description LAN
     nameif inside
     security-level 100
     ! 10.10.1.1 assumed here: the interface needs a host address in 10.10.1.0/24
     ip address 10.10.1.1 255.255.255.0

    access-list INSIDE-IN remark Allow all local network traffic
    access-list INSIDE-IN permit ip 10.10.1.0 255.255.255.0 any

    access-group INSIDE-IN in interface inside

    NAT and L2L VPN configuration - ASA software 8.2 and earlier

    global (outside) 1 interface
    nat (inside) 1 10.10.1.0 255.255.255.0

    crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac

    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800

    access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

    crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
    crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
    crypto map WAN-CRYPTOMAP 10 set transform-set AES-256
    crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
    crypto map WAN-CRYPTOMAP interface outside

    crypto isakmp identity address
    crypto isakmp enable outside

    tunnel-group c.c.c.c type ipsec-l2l
    tunnel-group c.c.c.c ipsec-attributes
     pre-shared-key PSK

    NAT and L2L VPN configuration - ASA software 8.3 and later

    nat (inside,outside) after-auto source dynamic any interface

    crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800

    access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

    crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
    crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
    crypto map WAN-CRYPTOMAP 10 set ikev1 transform-set AES-256
    crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
    crypto map WAN-CRYPTOMAP interface outside

    crypto isakmp identity address
    crypto ikev1 enable outside

    tunnel-group c.c.c.c type ipsec-l2l
    tunnel-group c.c.c.c ipsec-attributes
     ikev1 pre-shared-key PSK

    I hope the above information was useful. Please rate if you found it useful.

    If it comes down to configuring the connection with the ASA5505 and the above configuration doesn't cut it, feel free to ask for more.

    -Jouni

  • ASA AnyConnect client is unable to obtain an IP address from the remote DHCP server

    I have an ASA with 10 AnyConnect client profiles set up to get their IP address from my Windows DHCP server.

    It was working fine yesterday.

    I saved the config and rebooted the device.

    Now it won't deliver IP addresses to my VPN clients.

    I don't understand what is happening.

    If I change the profiles to use a local pool, it assigns an IP address and works very well.

    But I can't use local pools. I have to use the DHCP server on the local network.

    The ONLY thing that was changed was that an AnyConnect Essentials license was installed recently.

    I get this in the debug output:

    6 August 30, 2011 10:44:39 DAP: test49, Addr 107.44.142.20 user, connection AnyConnect: following DAP records were selected for this connection: DfltAccessPolicy

    6 August 30, 2011 10:44:39 group user IP <107.44.142.20>AnyConnect parent session began.

    7 August 30, 2011 10:44:39 IPAA: received message 'UTL_IP_ [IKE_] ADDR_REQ.

    6 August 30, 2011 10:44:39 IPAA: attempt to query DHCP 1 successful

    6 August 30, 2011 10:44:39 IPAA: DHCP configured, the request succeeded for tunnel-group "MCSO-mobile."

    6 August 30, 2011 10:44:39 172.18.4.7 67 172.18.1.46 67 Built UDP outgoing connection 30957 for Internal:172.18.1.46/67 (172.18.1.46/67) at identity:172.18.4.7/67 (172.18.4.7/67)

    7 August 30, 2011 10:44:39 192.168.6.1 built ISP1:192.168.6.1 local-home

    6 August 30, 2011 10:44:39 172.18.1.46 1 192.168.6.1 0 built outgoing ICMP connection for faddr gaddr laddr 172.18.1.46/1 172.18.1.46/1 192.168.6.1/0

    6 August 30, 2011 10:44:41 172.18.1.46 67 192.168.6.0 67 Built UDP outgoing connection 30960 for ISP1:192.168.6.0/67 (192.168.6.0/67) at Internal:172.18.1.46/67 (172.18.1.46/67)

    6 August 30, 2011 10:44:42 192.168.6.1 0 172.18.1.46 1 connection disassembly ICMP for faddr gaddr laddr 172.18.1.46/1 172.18.1.46/1 192.168.6.1/0

    7 August 30, 2011 10:44:52 IPAA: message received 'UTL_IP_DHCP_INVALID_ADDR '.

    4 August 30, 2011 10:44:52 IPAA: could not get the address of the local strategy group or tunnel-group pools

    Well, your config looks good. Did you also upgrade the operating system? Maybe you hit a new bug.

    I've heard of no problems after the installation of a license, but it might be worth opening a TAC case to find out if you hit a bug.

  • Should I apply a single VPN filter to several L2L VPNs, or should each VPN tunnel have its own VPN filter on an ASA?

    Currently, I am trying to decide, when creating VPN filters, whether I should just create one and apply it to multiple VPN tunnels, or whether each VPN tunnel must have its own VPN filter. Creating a VPN filter for each VPN tunnel seems like extra work, but I don't know if this is the best choice. I looked through the documentation, but they never mention applying VPN filters to several tunnels.

    Hello Jork,

    If you add filters for each VPN tunnel group, it will be more work, but at the same time you will have more control over the external users trying to connect to your network.

    I would say that you have different tunnel groups (each of them will have its own functionality), therefore it depends on what you're trying to implement.

    If the people who are going to use tunnel-group X are the same as those who use tunnel-group Y, then you can use the same one.

    I hope I understood your question.

    Kind regards.

    Julio


  • NAT, ASA, 2 networks and a VPN tunnel

    Hello. I have the following question. I am trying to establish a VPN tunnel to a remote network that used to be connected to ours via a VPN tunnel. The problem is that the previous tunnel on their side was created for our x.x.x.x network, which will be decommissioned in a month but is currently still active and in use. As I'm trying to get this VPN tunnel up as soon as possible without going through all the paperwork on the other side (politics, don't ask), is it possible to NAT the new network into the x.x.x.x network for traffic through the VPN tunnel?

    Something like this:

    new network -> policy NAT into the old x.x.x.x network on the ASA -> VPN tunnel to the remote network using x.x.x.x addresses

    It is possible to add the new policy, but sometimes it can conflict with the former one.

  • Limit the bandwidth in a VPN tunnel on Cisco ASA

    Hello

    I have a site-to-site VPN tunnel to create with the local office client. I fear that the traffic in the tunnel will impact the Internet bandwidth for the entire office. Is it possible to limit the bandwidth of the VPN tunnel? I have attached a configuration that shows the configuration of the ASA at the local office.

    Any help would be much appreciated. I looked at QoS policy maps but it's hard to make sense of them.

    Thank you very much

    Kind regards

    Michael.

    The QoS features supported on the ASA are:
    Policing, LLQ and Traffic Shaping

    To avoid individual flows hogging the bandwidth of the network, you can limit the maximum bandwidth used per flow (with policing).
    Policing is a way of ensuring that no traffic exceeds the rate (in bits per second) that you configure,
    so that no single flow or class can take over the whole resource.
    When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also defines the largest single burst of traffic allowed.

    Example of policing options:
    hostname(config-pmap)# class policing_map_name
    hostname(config-pmap-c)# police {output | input} conform-rate [conform-burst]
    [conform-action [drop | transmit]] [exceed-action [drop | transmit]]

    That is to say

    hostname(config)# class-map police-class
    hostname(config-cmap)# match any
    hostname(config-cmap)# policy-map QoS_policy
    hostname(config-pmap)# class police-class
    hostname(config-pmap-c)# police output 56000 10500

    The configuration depends on the basis on which you want to limit the connection.

    Federico.

  • WCCP and ASA L2L VPN Tunnel

    How does WCCP work with an L2L VPN tunnel? If there is a web page on the other side of the tunnel that I need to access on ports 80 and 443, does it go through the WCCP process? How will I tell the traffic through the tunnel on 80 and 443 to bypass WCCP?

    Hello

    I have not had to deal with WCCP on ASA configurations as such, but to my knowledge this could be done in the ACL that is used when configuring WCCP on the ASA.

    I mean, a single setup we have has an ACL that simply bypasses WCCP for some destination addresses.

    The ACL was originally, for example:

    access-list WCCP permit ip any any

    Then we had to stop it for some destination network, and we would add a deny statement at the top of the ACL:

    access-list WCCP line 1 deny ip any 10.10.10.0 255.255.255.0

    -Jouni

  • VPN tunnels with NAT

    I have read several posts on the topic and still think I'm missing something; I'm looking for help.

    Basically, I'm now implementing multiple VPN tunnels for external connections. We are trying to keep the external "private addresses" out of our core network by using NAT.

    I can get the tunnel to work without problems using the SHEEP ACL; however, this technique requires that our internal network be aware of their external "private" addresses. Our goal is to enter an address on the inside that is NATed to the external "private" address and then sent via the VPN tunnel. Basically, to hide the external "private" address from our internal systems so that it would appear as though the connection was to one of our own networks.

    The reverse is true coming from their external "private" network. Any traffic originating from "their" external private network would arrive in our "private" address space.

    Is this possible? I am attaching a diagram, which could help.

    Hello

    Yes, this should be possible. Let's say you allocate 10.112.2.250 as the address that you use to represent the external server 192.168.10.10.

    On your ASA device:

    static (outside,inside) 10.112.2.250 192.168.10.10 netmask 255.255.255.255

    You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the ASA device.

    HTH

    Jon

  • VPN tunnel with U-turn

    Hello

    I am trying to understand how DNS works with U-turn. I'm looking at the configuration of a VPN tunnel between an ASA 5510 (main office) and a PIX 506 (remote).

    Currently all the workstations in the remote offices are connected through a VPN tunnel between the PIX506 and a VPN 3000 hub, so they use the internal DNS server at the main office. I need to use U-turn on the ASA to allow remote users to surf the net. With the U-turn config, will the remote workstations still use the DNS server in the main office to resolve IP addresses?

    Thank you

    LF

    Hey Forman.

    Split DNS and split tunneling are both used with remote access clients. In your case, you are trying to configure a site-to-site VPN tunnel, so to "split" traffic you will use the crypto ACL to define the interesting traffic for the VPN. However, this ACL uses IP addresses in order to determine whether the traffic must be encrypted or not; this is why your DNS lookup would have to occur before the traffic is encrypted. Then, you can set the DNS server for the remote network to be the DNS server through the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic, or you must ensure that the local DNS server is able to resolve names.

    In the case where you use U-turn, everything gets tunneled automatically, so you don't have to worry about your DNS queries in the tunnel.

    I hope that this explains the behavior.

    Kind regards

    ATRI.

  • IPSec VPN tunnel not coming up

    Hello

    I am trying to configure an IPSec VPN tunnel between my company and a remote company for secure FTP use.

    I used SDM to configure the tunnel on my router based on the information provided by the company we are trying to connect to. The other company provided me their debug log from when I was testing the connection, but I do not know how to read it or what the problem could be. I hope someone here can give me an idea of what is preventing the tunnel from connecting.

    Please let me know if you need more information.

    Thank you

    Peter Haase

    Peter,

    Good job!

    Since the tunnel is up, we don't need the debugs.

    I'm glad that it finally works.

    HTH

    Sangaré

  • RV042 - max # of supported gw-to-gw VPN tunnels?

    What is the max number of supported gw-to-gw VPN tunnels? What would you recommend for the remote router - MD1 / 1 phone? Cable modem, most likely.

    The RV042 supports 50 gw-to-gw tunnels. With respect to the remote sites, you might consider the WRV210 for its Wi-Fi, VPN and lower cost. However, using an RV042 at a remote site provides an option for a redundant Internet connection.

  • Unable to reach the secondary site over the VPN tunnel

    Hello

    I configured a Cisco PIX firewall for my VPN tunnels, and it works fine when I connect to the local network where the PIX is connected.

    When I want to communicate with a server at a secondary location over the VPN tunnel, I get no response.

    The PIX can ping the server, but I can't ping the server via the VPN tunnel.

    PIX IP 10.1.0.254

    Router IP address 10.1.10.254

    Secondary router IP address 10.2.10.254

    Secondary server IP address 10.2.0.1

    The default gateway on the local network is 10.1.10.254

    This router has a GRE tunnel to 10.2.10.254

    On this router, there is a default route to the PIX (for Internet).

    Hello...

    Make sure that you have a route for the IP pool configured on the PIX from the secondary router/server. Just try to ping the IP address that the VPN client obtained from the server...

    You must also make sure that you add this secondary subnet to the sheep access list... otherwise your IP pool will see the NATed server IP...

    On the sheep access list, allow all traffic from the secondary subnet to the IP pool...

    I hope this helps... all the best...

  • ASA5505 with 2 VPN tunnels, failing to bring up the 2nd tunnel

    Hello

    I have an ASA5505 that currently connects a remote office for VoIP and data. I added a 2nd site-to-site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that PHASE 1 negotiates fine. However, I'm not a VPN expert! So, any help would be greatly appreciated. I have attached the running-config on my box, debug (ipsec & isakmp) output and the information the vendor gave me today. They use an ASA5510.

    My existing VPN tunnel (which works) is labeled "outside_1_cryptomap". It has the following as interesting traffic:

    192.168.1.0/24 -> 192.168.3.0/24
    192.168.2.0/24 -> 192.168.3.0/24
    10.1.1.0/24 -> 192.168.3.0/24
    10.1.2.0/24 -> 192.168.3.0/24
    10.1.10.0/24 -> 192.168.3.0/24
    10.2.10.0/24 -> 192.168.3.0/24

    The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:

    192.168.1.25/32 -> 10.10.10.83/32
    192.168.1.25/32 -> 10.10.10.47/32
    192.168.1.26/32 -> 10.10.10.83/32
    192.168.1.26/32 -> 10.10.10.47/32

    Here's the info for the other VPN (copied & pasted from the config):

    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.180.14.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address eInfomatics_1_cryptomap
    crypto map outside_map 2 set peer 66.193.183.170
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 24.180.14.50 type ipsec-l2l
    tunnel-group 24.180.14.50 ipsec-attributes
     pre-shared-key *
    tunnel-group 66.193.183.170 type ipsec-l2l
    tunnel-group 66.193.183.170 ipsec-attributes
     pre-shared-key *

    Thanks in advance

    -Matt

    Hello

    The vendor has PFS (Perfect Forward Secrecy) group2 set for Phase 2, and you don't have it.

    So you can probably try adding the following:

    crypto map outside_map 2 set pfs group2

    I think it will simply be entered as

    crypto map outside_map 2 set pfs

    since "group 2" is the default.

    -Jouni
