8.3 Cisco ASA VPN problem
Hi all
I have some problems with the implementation of a VPN using IPSEC to establish a connection from Site to Site.
What I'm trying to set up is the following: the IP ranges at Site A can reach the IP ranges at Site B and vice versa.
Site A                              Site B
192.168.10.0                        172.16.0.0
192.168.20.0   --- IPSEC tunnel --- 172.17.0.0
192.168.30.0                        172.18.0.0
I tested one subnet to another subnet and that works. However, when I try to group the objects it fails.
As an example, I can set up a VPN from 192.168.20.0 to 172.18.0.0 through which I can pass traffic, but it's unable to reach the other subnets.
Excerpts from the config:

crypto isakmp enable outside

ACL:
access-list outside_1_cryptomap extended permit ip object dmz-network-local object dmz-network-remote

Tunnel group:
tunnel-group [peer IP omitted] ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

Phase 1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Phase 2:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [peer IP omitted]
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

NAT:
nat (inside,outside) 1 source static dmz-network-local dmz-network-local destination static dmz-network-remote dmz-network-remote

Any advice would be greatly appreciated. Thank you.

Andrew, according to your config each network is behind a different interface of the ASA, so you will need to change the NAT rule for each of them, for example:

nat (DMZ_Zone,outside) 1 source static ad-network-local ad-network-local destination static obj-remote-control obj-remote-control
nat (DB_Zone,outside) 1 source static db-network-local db-network-local destination static obj-remote-control obj-remote-control
nat (AD_Zone,outside) 1 source static dmz-network-local dmz-network-local destination static obj-remote obj-remote

Please review and give it a try. I hope to hear from you soon.

Tags: Cisco Security

Between Cisco ASA VPN tunnels with VLAN + hairpin

I have two Cisco ASAs (5520 and 5505), both on version 9.1(7), with VPN and Security Plus licenses. I am trying to understand the strategy for tunnelling all Internet traffic from a VLAN, especially from the 5505 up to the 5520, for further routing to the Internet (a hairpin/U-turn). A few notes: let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts. Thank you!

1. You can use the following doc to set up the VPN and then this document to configure hairpinning/U-turn.
2. The 5505 sometimes has no device turned on behind it, which brings the inside interface down (and can cause problems with the site-to-site tunnel). Make sure that the interface is connected to a switch so that it stays up all the time.
3. The 5520 may not be an EZVPN client because it currently has a role as an AnyConnect/WebVPN server. You can use a normal static or dynamic VPN rather than an EZVPN tunnel.

Kind regards
PS: Please rate helpful messages.
Cisco ASA VPN processing error payload: payload ID: 1

Hello, I set up an L2TP VPN by using ASDM and now I am not able to connect to my Cisco ASA 5505. It is showing the error message. Please suggest how to solve this problem (using ASDM). Thank you.

Hi Nikhil, your config seems incomplete; the command 'vpn-tunnel-protocol l2tp-ipsec' is missing, which is needed to connect L2TP. Try to reconfigure your firewall using the link: http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html
Hope this helps,
Parminder Sian

Cisco ASA VPN session reflects a public IP of a different source

Hi all, I tested and managed to successfully establish the VPN on my Cisco ASA 5520. In my syslog, I can see "parent anyconnect session started" while setting up the VPN and "webvpn session terminated" at the end of my VPN session, where the public IP used to establish the VPN is reflected. However, after the line "webvpn session terminated", I can see other lines in my syslog, for example "group = vpngroup, username = test, ip = x.x.x.x, session disconnected, session type: anyconnect parent, duration 0h:00m:23s, bytes xmt: 0, bytes rcv: 0, reason: user requested", where x.x.x.x is not the IP address used to establish my remote-access VPN; it is not related to my VPN IP address at all. I am very sure that the x.x.x.x IP never established any VPN to my Cisco ASA 5520. So why is it reflected in my ASA logs? Please advise, TIA!

Hello, I think I remember some discussion on a similar question in the past. Did some research on Google and the following Bug ID was mentioned in the discussion.

Configure Cisco ASA as VPN client

I did some research and the answer was that it is supposed to be possible, but no info on how to do it. I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a client to an existing (in this case) Cisco VPN.
The reasons why are complicated (and irrelevant IMO), but basically I need to be able to put a small network on this VPN rather than individual computers. The VPN client is a basic IPSec-over-UDP Cisco VPN client to an ASA 5505. So, how do I set up another ASA to connect to it as if it were a client?

Hello, here is a document from Cisco on configuring the ASA as Easy VPN server and client, although in this case they use a PIX firewall as the client: http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml
Here's another site with instructions related to this setup: http://www.petenetlive.com/kb/article/0000337.htm
I imagine that the Cisco ASA Configuration Guide documents will also give instructions on how to configure it.
-Jouni

Static IP address binding for remote Cisco ASA VPN users

Hi, is there a way to bind static IP addresses to remote users of the Cisco ASA from the DHCP pool that we create for VPN users? Please let me know your suggestions if possible.

That can't be done with DHCP, but your authentication server can do it. If you authenticate locally on the ASA, specify the IP address in the attributes of the user; if you are authenticating with RADIUS, you can send the "Framed-IP-Address" attribute to assign the address.

All, the situation is that I'm trying to initiate a connection from outside an ASA firewall to a destination IP address that is on the remote end of a VPN tunnel, which is also terminated on the ASA's outside interface. So logically the traffic flow is outside to outside. The ASA is denying the traffic; the connection shows the source and destination as outside and outside. Is there something smart I can do on the ASA to solve this problem? Thank you, D

Hello, use the following command on the ASA:
same-security-traffic permit intra-interface
Kind regards, Aditya
Please rate the useful messages and mark the correct answers.

Problem with Cisco ASA VPN redundancy?
Hi all, I have an ASA 5500 series firewall and need to set a different peer IP for the site-to-site VPN connection. In fact, my goal is that the ASA tries the first peer IP of the site-to-site tunnel, and when the ASA cannot reach this IP, it tries to reach another IP I set before. I can configure this scenario on a Cisco router with this command, but I wonder what I can do on the ASA? Thank you. Best regards.

Shane, you can configure multiple IP addresses under the same peer entry on the ASA, but it works the same as on IOS with a preferred peer: it cycles between the defined peers.
Marcin

Cisco ASA VPN site to site with Internet access, error

Hello, I have two offices, central and remote, with external IP addresses. They are connected by a site-to-site VPN. The LAN works fine when NAT is disabled, but then there is no Internet access; when I enable NAT, the Internet is working well, but then there is no access to the remote local network. Here's the config:

Two things here, according to your needs. First, you encrypt all traffic from the network 192.168.204.0/24... do you intend to send all traffic from that subnet via the VPN? If this isn't the case, specify the remote subnet in the crypto ACL instead of using "any". Second, you do not have a NAT exemption statement so that encrypted traffic is not translated. This statement would look like the following:

object network REMOTE-LAN
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

-- Please do not forget to choose a good response and rate it.

Cisco ASA: VPN site-to-site with a backup VPN

Hi all, a partner has two VPN gateways. We have a connection to one of them, but we want to set up another tunnel for backup (if the first gateway goes down). How can I configure my ASA to only create a tunnel with the second peer if the first one fails? Thanks for the reply.

You can use multiple peer addresses in your crypto map, for example:
crypto map mymap 10 set peer [peer-1] [peer-2]

Your ASA will try them in the order they are entered; check out this link for more details: http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090
Jon

AnyConnect Cisco ASA VPN deployment

Hello, I have a request for information about an ASA deployment that must support more than 10000 clients. I understand that several ASAs would be necessary for this, however I was wondering what the typical design would be. Are the multiple ASAs configured as a VPN cluster/load balancing, etc.? I would like to know if there is any design document for it. The current configuration is a pair of ASAs active/standby; I was wondering how to combine the total connections if I need 15000 VPN connections, for example 2 pairs active/standby with VPN clustering/load balancing, etc.? Thank you.

You are right that VPN load balancing is the technology you need to deploy for this. With this, you can combine multiple devices into a load-sharing cluster. These devices may be different, for example two 5555s with two 5545s, which would give you a total of 15000 VPN connections. This is under the assumption that users connect to the same office, where the ASAs have an L2 connection to each other, which is necessary for VPN load balancing. If users connect through different places, then these ASAs cannot use VPN load balancing, unless you have an L2 connection between the locations. If you have multiple sites, you should also think about the shared license server, which could save a lot of money if your users do not always use the same gateway. And a last point: as much as possible, set up your AAA with a central RADIUS server to reduce the probability of a misconfiguration on multiple ASAs.
Sent from Cisco Technical Support iPad App

1800 to ASA VPN problem, fails at Phase 2

Hello, I have an 1800 series router running IOS 12.4(6)T11 and an ASA 5505 running 8.2. I am trying to connect them using a LAN-to-LAN tunnel.
1800: WAN a.b.c.141, LAN 192.168.0.0/24
ASA 5505: WAN x.y.z.125, LAN 10.180.3.0/24
The 1800 also has PPTP clients on the 172.16.99.0/24 network.

Problem: when I try to establish a connection from a host on one local network to the other, I can see that phase 1 works. In phase 2, some interesting debug messages are observed:

002611: *Apr 11 19:15:24.142 UTC: map_db_find_best did not find matching map

While negotiating, 'show crypto isakmp sa' first shows 'ACTIVE', but after a minute or two it changes to 'ACTIVE (DELETED)'. From what I see, the Cisco 1800 seems to tear down the tunnel because it fails some of the phase 2 options.

# 1800
IPv4 Crypto ISAKMP SA
# on 5505
# After a minute or so on the 1800 (no difference on the 5505's output)
IPv4 Crypto ISAKMP SA

I think it might be because of NATing on each side. I'm a little unsure on the NAT config of the 1800: does it try to NAT 192.168.0.0/24 as it passes over the tunnel?

Hello, I don't see a NAT exemption configured on the router. Please try the following:
ip nat inside source route-map NATMAP interface [interface] overload
I hope this helps.
Kind regards, Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful messages.

Cisco ASA VPN Site to Site WITH NAT inside

Hello! I have 2 ASA 5505s connected by an IPSEC site-to-site VPN tunnel. A "remote" inside network 192.168.1.0/24 and a "local" inside network 192.168.200.0/24 (you can see the diagram). The local hosts have 192.168.200.254 as their default gateway. I can't add a static route on all hosts and I can't add a static route on 192.168.200.254. If I NAT the incoming VPN traffic as 192.168.200.1 or a free 192.168.200.x, will my hosts connect correctly, given that my host sends the reply packet to the default gateway?
Thank you for your support. Best regards, Marco

The configuration must be applied on the ASA that has the 192.168.200.0 subnet inside; there must be something like this:

access-list VPN_NAT permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (outside) X access-list VPN_NAT outside
global (inside) X Y.Y.Y.Y

(where Y.Y.Y.Y is the IP address). If you have other traffic through the VPN tunnel that requires no NAT, then you must add outside NAT exemption rules, since the lines above oblige all traffic through the ASA to have a NAT statement. See if it works for you, else post your NAT config here.

Transfer between Cisco ASA VPN tunnels

Hi experts, I have a situation where I need to set up forwarding between two VPN tunnels terminated on the same ASA box. One VPN tunnel will bring traffic in, and that traffic should be sent down the other VPN tunnel from the ASA. The two VPN tunnels are from the Internet and talk to the same peer IP address of the ASA.

Details:
Tunnel A: Source 192.168.1.0/25, Destination 10.1.1.0/25, Local peer 170.252.100.20 (ASA in question), Remote peer 144.36.255.254
Tunnel B: Source 192.168.1.0/25, Destination 10.1.1.0/25, Local peer IP 170.252.100.20 (ASA box in question), Remote peer IP 195.75.75.1

Can this be achieved? What configurations are needed on the ASA apart from the crypto ACL entries? Thanks in advance for your time.

I believe that in this case your config is good, and you can avoid using routes on your ASA since it will route based on its default gateway; make sure you have the right NAT rules in place and the same-security-traffic permit intra-interface you will need.

Redundancy with dual ISPs on Cisco ASA site-to-site VPN

Dear supporters, could you help me provide a configuration for the network in the attached diagram? I would appreciate your help.
Thank you. Best regards

Hi Sothengse, you can visit the link below and configure the ASA at the head end and at the branches according to your situation. You must change the configuration of the example to match the dual ISP at both ends of your scenario: http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...
I hope this helps.
Regards, Knockaert
Dinesh Moudgil, July 7, 2011 18:57:38
Error message from the L2TP thread above:
IP = *.*.*.*, payload processing error: ID payload: 1

IOS router syntax referred to in the redundancy thread:
crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2

Where would be the problem?

Config from the "site to site with Internet access" thread:

ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name lietuvosdujos.lt
object network LAN
subnet 192.168.204.0 255.255.255.0
description Local Area Network
object network LD_Lanai
subnet 192.168.0.0 255.255.0.0
description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
vpn-filter value vpn
vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end

Lines quoted from the config in the reply:
object network LAN
 subnet 192.168.204.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN any

object network LAN
 subnet 192.168.204.0 255.255.255.0
 subnet 192.168.100.0 255.255.255.0
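As an added check, not code from the thread, here is a small Python audit of the two points the replier raises against the config posted above: a crypto ACL that matches "any", and the missing identity (exemption) NAT rule, plus the "inactive" keyword on the dynamic NAT line. The config excerpt, the use of the LD_Lanai object as the remote subnet, and the fixed variant are constructed for the example; the masked peer address is kept as it appears on the page.

```python
# Constructed excerpt of the posted config; the peer address stays masked as on the page.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_1 extended permit ip object LAN any
nat (inside,outside) source dynamic LAN interface inactive
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
"""

# Shape of the fix the replier describes: match only the remote subnet and put
# an identity twice-NAT (exemption) rule ahead of the dynamic PAT rule.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "object LAN any", "object LAN object LD_Lanai").replace(
    "source dynamic LAN interface inactive",
    "source static LAN LAN destination static LD_Lanai LD_Lanai\n"
    "nat (inside,outside) source dynamic LAN interface")

def _endpoint(tok, i):
    """Parse one ACL endpoint: any | object NAME | host A | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("object", "object-group"):
        return tok[i + 1], i + 2
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse_config(text):
    """Return ACL entries by name, twice-NAT rules in order as
    (kind, (real, mapped), (dst real, dst mapped) or None, active), and crypto ACL names."""
    acls, nats, crypto_acls = {}, [], []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 2            # skip the protocol keyword
            src, i = _endpoint(tok, i)
            acls.setdefault(tok[1], []).append((src, _endpoint(tok, i)[0]))
        elif tok[0] == "nat" and "source" in tok:
            s = tok.index("source")
            d = tok.index("destination") if "destination" in tok else None
            dst = (tok[d + 2], tok[d + 3]) if d is not None else None
            nats.append((tok[s + 1], (tok[s + 2], tok[s + 3]), dst,
                         "inactive" not in tok))
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            crypto_acls.append(tok[-1])
    return acls, nats, crypto_acls

def is_exempt(nats, src, dst):
    """True when an active identity rule for src->dst comes before any active
    dynamic rule that would translate src (twice-NAT rules apply in order)."""
    for kind, real_mapped, dst_pair, active in nats:
        if not active:
            continue
        if kind == "static" and real_mapped == (src, src) and dst_pair == (dst, dst):
            return True
        if kind == "dynamic" and real_mapped[0] in (src, "any"):
            return False
    return False

def audit(text):
    """Findings for the problems called out in the thread."""
    acls, nats, crypto_acls = parse_config(text)
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            if "any" in (src, dst):
                findings.append(f"{name}: {src} -> {dst} matches any, so all "
                                f"traffic from {src} is sent into the tunnel")
            if not is_exempt(nats, src, dst):
                findings.append(f"{name}: no NAT exemption for {src} -> {dst}; "
                                "encrypted traffic will be translated")
    for kind, real_mapped, _, active in nats:
        if kind == "dynamic" and not active:
            findings.append(f"dynamic NAT for {real_mapped[0]} is inactive: "
                            "no Internet translation")
    return findings
```

Running audit(SAMPLE_CONFIG) reports all three problems, while audit(FIXED_CONFIG) returns an empty list because the identity rule precedes the dynamic PAT rule and the crypto ACL names only the remote subnet.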
Continuation of the AnyConnect deployment reply:
Of course, you should plan for device failure. So you could deploy 4 x 5555, and even if one ASA is lost you still have 15000 connections (well, at least based on the datasheet; I would not push the number of connections to the limit).
You can also deploy these devices as failover systems for redundancy. 3 x 2 x 5555 would also give you redundancy.
Debug output from the 1800 router (continuation of the "1800 to ASA VPN problem, fails at Phase 2" thread):

002612: *Apr 11 19:15:24.142 UTC: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
002613: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): IPSec policy invalidated proposal with error 32
002614: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): phase 2 SA policy not acceptable! (local a.b.c.141 remote x.y.z.125)
002615: *Apr 11 19:15:24.142 UTC: ISAKMP: set new node -1883245570 to QM_IDLE
002616: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2215023312, message ID = -1883245570
002617: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): sending packet to x.y.z.125 my_port 500 peer_port 500 (R) QM_IDLE
002618: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):purging node -1883245570
002619: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):deleting node -9204283 error TRUE reason "QM rejected"
002620: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Node -9204283, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Output of 'show crypto isakmp sa' (the 1800, then the 5505, then the 1800 after a minute):

dst             src             state          conn-id slot status
a.b.c.141       x.y.z.125       QM_IDLE           2029    0 ACTIVE

2   IKE Peer: a.b.c.141
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

dst             src             state          conn-id slot status
a.b.c.141       x.y.z.125       QM_IDLE           2030    0 ACTIVE
a.b.c.141       x.y.z.125       MM_NO_STATE       2029    0 ACTIVE (deleted)