2811: connecting two VPN l2l ASA5505

Hello

We have a HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 with an established ipsec VPN l2l.

I'm trying to connect a 2nd ASA, but I noticed that I only add 1 cryptomap to the external interface.

A worm watch 1 Module of virtual private network... Surely this does not mean only 1 VPN?

Can I use a card encryption and add a second "peer set" & "corresponds to" address inside the card Cryptography itself?

Thank you

Jason

Yes, you add another poicy to your configuration encryption.

Thank you

Tarik Admani
* Please note the useful messages *.

Tags: Cisco Security

Similar Questions

  • Cannot access any internal IPs when you are connected by VPN to ASA5505

    Hello

    I was able to configure VPN to work a bit on my ASA 5505. I can connect to the VPN and ping some IP addresses within the network. But some IPs don't react, I get "Request Timed Out"

    For example:

    10.10.0.4 - it works
    10.10.0.5 - is not word
    10.10.0.10 - it works
    10.10.0.11 - it works
    10.10.0.13 - does not work

    If I ping from the network internally, all works well.

    Does anyone have recommendations on how to address the issue?

    VPN is the marking of the packages in a way that would trigger a firewall block?

    It is the configuration of my ASA:

    VPN with the name 'VPN-Remote' is the one I use.

     ASA Version 9.2(2)4 ! hostname ciscoasa enable password NuLKvvWGg.x9HEKO encrypted passwd NuLKvvWGg.x9HEKO encrypted names ip local pool RA_VPN 10.10.1.1-10.10.1.255 mask 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 10.10.0.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ipv6 enable ! boot system disk0:/asa922-4-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network INSIDE-SUBNET object network sb-service-80 host 10.10.0.143 object network sbservicetest object network sb-service-443 host 10.10.0.143 object network dvr_web host 10.10.0.30 object service DVR-Tomcat_port service tcp source eq 8080 destination eq 8080 object network NETWORK_OBJ_10.10.1.0_24 subnet 10.10.1.0 255.255.255.0 object network dvr_mobile host 10.10.0.30 object service DVR-Mobile_port service tcp source eq 18004 destination eq 18004 object network WAN host 98.195.48.88 object service Web80 service tcp source eq www destination eq www object network NETWORK_OBJ_10.10.2.0_24 subnet 10.10.2.0 255.255.255.0 object network NETWORK_OBJ_10.10.0.0_24 subnet 10.10.0.0 255.255.255.0 object-group network sb-service network-object object sb-service-443 network-object object sb-service-80 object-group network DVR-service network-object object dvr_web network-object object dvr_mobile object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list outside_access_in extended permit icmp any any access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit icmp any any inactive access-list Outside_access_in extended permit tcp any object sb-service-80 eq www access-list Outside_access_in extended permit tcp any object sb-service-443 eq https log disable access-list Outside_access_in extended permit tcp any object dvr_web eq 8080 log disable access-list Outside_access_in extended permit tcp any object dvr_mobile eq 18004 log disable access-list Outside_access_in extended permit icmp any any time-exceeded access-list Outside_access_in extended permit icmp any any unreachable log warnings access-list Outside_access_in extended permit icmp any any echo-reply access-list Outside_access_in extended permit icmp any any source-quench access-list global_mpc extended permit ip any any access-list RA_VPN-ACL extended permit ip object NETWORK_OBJ_10.10.2.0_24 any access-list Remote-VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0 access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 access-list AnyConnect_Client_Local_Print remark Windows' printing port access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns pager lines 24 logging enable logging asdm notifications no logging message 106015 no logging message 313001 no logging message 313008 no logging message 106023 no logging message 710003 no logging message 106100 no logging message 302015 no logging message 302014 no logging message 302013 no logging message 302018 no logging message 302017 no logging message 302016 no logging message 302021 no logging message 302020 flow-export destination inside 10.10.0.111 2055 mtu inside 1500 mtu outside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-731.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (any,any) source static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 ! object network obj_any nat (inside,outside) dynamic interface object network sb-service-80 nat (inside,outside) static interface no-proxy-arp service tcp www www object network sb-service-443 nat (inside,outside) static interface no-proxy-arp service tcp https https object network dvr_web nat (inside,outside) static interface no-proxy-arp service tcp 8080 8080 object network dvr_mobile nat (inside,outside) static interface no-proxy-arp service tcp 18004 18004 ! nat (inside,outside) after-auto source dynamic any interface inactive access-group inside_access_in in interface inside access-group Outside_access_in in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 10.10.0.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 outside snmp-server group snmp_g v3 auth snmp-server user snmp_u snmp_g v3 encrypted auth md5 1d:1b:67:96:29:9b:5c:49:42:d5:a4:10:13:e0:b2:ee snmp-server host inside 10.10.0.111 community ***** version 2c no snmp-server location no snmp-server contact snmp-server community ***** crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0 enrollment self subject-name CN=10.10.0.1,CN=ciscoasa crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa proxy-ldc-issuer crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint0 certificate aa711054 308201af 30820159 a0030201 020204aa 71105430 0d06092a 864886f7 0d010105 0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 86f70d01 09021608 63697363 6f617361 301e170d 31353035 32303230 34353137 5a170d32 35303531 37323034 3531375a 302c3111 300f0603 55040313 08636973 636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 7361305c 300d0609 2a864886 f70d0101 01050003 4b003048 024100bc 4278aeda 26601456 0e035bb5 6021adc5 0ac9149a 11d95e72 c5a8509b 514fd50d 7a86bdb3 a00bda84 4e6bda8d 50124c64 1179acc4 b2869092 9a742b52 f97c2302 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 8014d86a b4f1585d 7d93a0c7 7a1df9dd b37b0051 18aa301d 0603551d 0e041604 14d86ab4 f1585d7d 93a0c77a 1df9ddb3 7b005118 aa300d06 092a8648 86f70d01 01050500 034100a3 f0441214 1add483b 286fa44e 3844acce 27a68b2e 54f21dce 9a917783 1ab394f7 2d87e4d4 bcfcc7ef 6b26d604 bd0ea56f 05a72d0d 6c37413a b60216f3 612e0a quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev1 enable outside crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 10.10.0.0 255.255.255.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 no vpn-addr-assign dhcp dhcpd auto_config outside ! dhcpd address 10.10.0.5-10.10.0.254 inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 166.70.136.41 source outside ntp server 108.166.189.70 source outside ntp server 63.245.214.136 source outside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip webvpn enable outside group-policy DfltGrpPolicy attributes group-policy Remote-VPN internal group-policy Remote-VPN attributes dns-server value 10.10.0.201 8.8.8.8 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote-VPN_splitTunnelAcl default-domain value local.prv username snmp_test password Ocwq862v84DTwooX encrypted username VPN_User password KgHsdRdYP0lAyeqPIXn51g== nt-encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes address-pool RA_VPN tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key ***** tunnel-group Remote-VPN type remote-access tunnel-group Remote-VPN general-attributes address-pool RA_VPN default-group-policy Remote-VPN tunnel-group Remote-VPN ipsec-attributes ikev1 pre-shared-key ***** ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect pptp inspect icmp inspect icmp error class global-class flow-export event-type all destination 10.10.0.111 ! service-policy global_policy global prompt hostname context no call-home reporting anonymous hpm topN enable Cryptochecksum:f249b6940d463cc987b9aa828d8d8282 : end

    Hello

    If please check windows or any of application firewall PC side. It's less likely the issue VPN or ASA.

    HTH

    Averroès.

  • VPN L2L: ASA5505-> ASA5520, initiator of IKE unable to find policy

    Hello!

    Periodically, we are experiencing a problem with tunnel between 5505 and 5520 L2L

    Sometimes there is no 5505 LAN access to one of the LAN's 5520

    ex: ping from the inside interface (10.1.13.1) 5505 to 5520 (10.1.1.1) does not work

    5505:
    - cry isa his we can see the peer - it's OK

    -in Cree its pe ip itsnecessary there, but program is not increase and still no ping

    -all the other itsof the acl work properly

    5505 debugging:

    % ASA-3-713042: unable to find political initiator IKE: outside Intf, Src: 10.1.13.1, Dst: 10.1.1.1
    % ASA-3-313001: Denied ICMP type = 8, code = 0 to 10.1.1.1

    ACL on both sides is correct

    Erase isakmp his helps solve the problem

    p.s., asa 5505 has two ISP and two crypto cards with 5520

    This happens whenever your primary or secondary provider fails

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

    Add these two lines to the NAT 0 access list:

    inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251

    inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250

    Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.

    Test and validate results

    HTH

    Sangaré

    Pls rate helpful messages

  • Question of redundancy VPN l2l using 2811 as endpoint devices

    I have a new implementation of VPN L2L passes using two 2811 s than VPN terminal devices. I'll try to use the HSRP address between the public interfaces of both routers as VPN peer address. The problem that I found during the test is that the tunnel will become active and debugs watch the HSRP address as an invalid address to form the tunnel. Have a work-around, or a better plan for redundancy on peering address using similar devices? Thanks in advance.

    Take a look at this doc about IOS IPSec HA.

    http://www.Cisco.com/en/us/docs/iOS/security/configuration/guide/sec_vpn_ha_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html#wp1039849

  • Two LRT224 a connection using VPN

    What is the best way to connect two LRT224 between them, which are in two different cities?

    Open VPN or IPSec?

    I think gateway to gateway should be the correct mode, but I'm very unsure with the large number of parameters...

    Try the EasyLink VPN from LRT214/LRT224, which simplifies the site to site VPN configuration.

    http://KB.Linksys.com/Linksys/UKP.aspx?VW=1&docid=03cf456383fc4d958cf918110c7fcd42_How_to_configure _...

    EasyLink VPN works in the following way conceptually.

    1. on the main site, activate EasyLink VPN Server (tab incoming on the Web GUI) and create an account (name and password) for each remote site.

    2. at a remote site, activate EasyLink VPN Client (tab on the Web GUI) and between the identifiers of account for (name of user and password).

    3. the remote site will automatically reach the primary site to establish an IPsec tunnel.

    Note: LRT224 can support up to five peers EasyLink VPN in a star VPN topology.

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

    Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

    Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

    How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

    Thank you very much.

    Hello

    Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

    I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

    Site has

    access-list NAT0 note NAT0 rule for SiteA SiteC traffic

    access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB

    Site B

    access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

    OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (outside) 0-list of access OUTSIDE-NAT0

    Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

    access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.

    Site C

    access-list NAT0 note NAT0 rule for SiteC SiteA traffic

    NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

    L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB

    To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni

  • Using VPN L2L static and dynamic dedicated tunnels

    We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites who need to create VPN L2L at the HQ ASA tunnels. Some remote sites have static IP addresses and others have dynamic IP addresses.

    I found documentation Cisco L2L static IP VPN tunnels and make them work. I found another Cisco documentation for static IP dynamic L2L VPN tunnels using the tunnel-group "DefaultL2LGroup".

    My question is, can you have two types of tunnels on the same ASA L2L? If so, simply by using the definitions of "DefaultL2LGroup" tunnel-group and of tunnel-group work? Is there a reason to not do? Is better technology (ASA HQ and a combination of ASA 5505 and 1861 at remote sites) available?

    Yes, you can have both types of tunnels L2L. If you use a PSK - remember that the IP address of the remote site is used to 'validate' to connect to Headquarters. As long as you use a sure PSK = 64 characters and all with upper/lower case alpha numeric - you should be OK.

    A better way to do it - is to get the static IP addresses for the site that currently have DHCP from ISP.

    HTH >

  • Policy NAT for VPN L2L

    Summary:

    We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

    My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

    Here is the config:

    # #List of OUR guests

    the OURHosts object-group network

    network-host 192.168.x.y object

    # Hosts PARTNER #List

    the PARTNERHosts object-group network

    network-host 10.2.a.b object

    ###ACL for NAT

    # Many - to - many outgoing

    access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

    # One - to - many incoming

    VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

    # #NAT

    NAT (INSIDE) 2-list of access NAT2

    NAT (OUTSIDE) 2 172.20.n.0

    NAT (INSIDE) 3 access-list VIH3

    NAT (OUTSIDE) 3 172.20.n.1

    # #ACL for VPN

    access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

    access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

    # #Tunnel

    tunnel-group type ipsec-l2l

    card <#>crypto is the VPN address

    card crypto <#>the value transform-set VPN

    card <#>crypto defined peer

    I realize that the ACL for the VPN should read:

    access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

    access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

    .. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

    What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1 nat 0-list of access (free from nat)

    2. match the existing xlates

    3. match the static controls

    a. static NAT with no access list

    b. static PAT with no access list

    4. match orders nat

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. If the ID is 0, create an xlate identity

    II. use global pool for dynamic NAT

    III. use global dynamic pool for PAT

    If you can try

    (1) a static NAT with an access list that will have priority on instruction of dynamic NAT

    (2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

    I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

    Jon

  • Site to site VPN router-ASA5505

    Hello

    I have a problem with the VPN between ASA5505 and 3825 router.

    behind the ASA, we have a server that serves the specific port. If for any reason any link is disconnected assets if the VPN will become not we do not generate traffic to this server. After generating even a ping VPN immediately become active and communication starts. another case is when you reboot ASA the VPn is not created without ping server behind this ASA.

    How we could solve this problem without sending a traffing who serve?

    How remote access to this ASA, I can access internal interface? If I open access on port 443 on the external interface of asa could I access it? or I must also exclude this traffic VPN

    I used the VPN Wizard to configure on asa and CLI on router

    some troubleshootingand configuration commands, if this is not enough please let me know what you otherwise.

    Thanks in advance for your help

    ciscoasa # sh crypto isakmp his

    ITS enabled: 1
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 1

    1 peer IKE: 10.10.10.1
    Type: L2L role: initiator
    Generate a new key: no State: AM_ACTIVE

    Configuration of the SAA.

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs Group1
    card crypto outside_map 1 set counterpart 10.10.10.1
    map outside_map 1 set of transformation-ESP-DES-MD5 crypto
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    the main router configuration

    crypto ISAKMP policy 1
    preshared authentication
    !
    crypto ISAKMP policy 5
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 10
    preshared authentication
    Group 2
    crypto ISAKMP key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10

    Crypto ipsec transform-set esp - esp-md5-hmac xxxxx

    ETH0 2696 ipsec-isakmp crypto map
    defined peer 10.10.10.10
    Set transform-set xxxxx
    match address 2001

    access-list 2001 permit ip any 192.168.26.96 0.0.0.7

    Post edited by: adriatikb
    I just read somewhere that might change the type VPN "bi-direcitonal' two 'initiator' or 'answering machine' could help me but I test and no results.

    I had the same problem last week, and told the TAC engineer on our service ticket downgrade from IOS 8.2 (3) 8.2 (1).  Since then, it works fine.

  • ASA 8.4. (1) VPN L2L can only be established through default gateway

    Hi all!

    We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.

    On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.

    We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.

    It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.

    Any advice?

    Thank you!

    Well well, (any, any) certainly does not help.

    You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.

    In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.

    More precise best for NAT statement.

    NAT (, PublicTESAVPNBackup) source static static destination

  • Design of VPN L2L ASA question

    We expect to have more than 10,000 remote VPN L2L clients.

    I see that each crypto card needs a statement of 'same game' and the IP address is the address of the remote peer VPN L2L.

    :

    EX:

    card encryption UNI-POP 3 set peer 172.23.0.3

    : . . .

    card crypto UNI-POP 10000 set peer 172.26.0.250

    :

    I already feel that this will be a VERY long config, maybe too big to save/read/from memory.

    :

    Anyone would be a better approach?

    Thank you

    Frank

    Frank,

    If the remote end will run only from time to time, you should not have set peer statements and normally it would suffice to have a dynamic encryption card.

    If the remote ends do not support certificates, it is possible to land on defaultl2l tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group
    

    tunnel-group DefaultL2LGroup type ipsec-l2l
    

    tunnel-group DefaultL2LGroup general-attributes
    

    (...)

    You need to test yourself to see if it will work.

    I also agree in terms of more than one firewall. With devices for two in the load balancing or if possible 2pairs of devices in the failover cluster could be great way to have a decent charge by machine and equipment redundancy (ideal circumstances]);. I suggest you ping your system engineer for sure any deployment involving 5585, guys can usually give good advice (and discounts;]).

    Marcin

  • Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

    Hi Experts,

    We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

    Here's the warning we get then tried to configure the easy VPN Client.

    NOCMEFW1 (config) # vpnclient enable

    * Delete "nat (inside) 0 S2S - VPN"

    * Detach crypto card attached to the outside interface

    * Remove the tunnel groups defined by the user

    * Remove the manual configuration of ISA policies

    CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

    you

    operation was detected and listed above. Please solve the

    above a configuration and re - activate.

    Thanks and greetings

    ANUP sisi

    "Dynamic crypto map must be installed on the server device.

    Yes, dynamic crypto is configured on the EasyVPN server.

    Thank you

  • Can I use two vpn set in my iPhone?

    Can I use two vpn set in my iPhone?

    Yes, you can use but not at the same time. You can add more than one vpn on your iPhone but can only use one at a time. Another way to use the two VPN at the same time, is that you can have an extra router to connect the two VPN at the same time. For more information on this, you can take a look at these answers https://www.quora.com/Why-cant-I-use-two-VPN-at-the-same-time hope this will solve your problem to his subject.

  • Go simple configuration of vpn L2L comply with security requirements

    Hello

    I have successfully install a L2L connection (5510, 7.2) and a 3rd party (SonicWall).

    Security requirements are such that (contractors) to our office users to connect to various devices to the 3rd party, BUT nothing to the 3rd party must connect to what be it at our office.

    I tried an outbound ACL (access-group L2L-RESTRICT the interface inside) inside the interface. But the funny thing is that I'm getting hits on the declarations of refusal on the ACL, although tests show no problems for you connect to multiple hosts to our site of the 3rd party. My ACL config looks like the following:

    <..snip..>

    Note to L2L-RESTRICT access-list * ATTENTION * WITH CAUTION - RESTRICTIONS ON the 3rd PARTY VPN L2L

    L2L-RESTRICT access-list scope allow icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply

    deny access list L2L-RESTRICT the scope ip 192.168.16.0 255.255.255.0 no matter what newspaper

    Note to L2L-RESTRICT access-list > NOTE< last="" line="" *must*="" be="" permit="" any="">

    L2L-RESTRICT access-list scope ip allow a whole

    !

    L2L-RESTRICT the interface inside access-group

    <..snip..>

    Their network is obviously 192.168.16.x and they won't be able to use a vlan from different source as "interesting traffic" ACL won't allow it. So that sounds good in theory

    I have it configured correctly? Is there a better way?

    Thanks in advance,

    Mike

    Mike,

    It seems that you might be able to assign a VPN ACL filter via a group assigned to each tunnel L2L policy. I have never done this personally before, but looks like it would work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

Maybe you are looking for