837 to 837 VPN with PAT?
I have a working VPN connecting two Cisco 837s.
The client has a requirement for external access to RDP, POP3 and OWA... seemed pretty simple, just add:
ip nat inside source static tcp etc... but as soon as I add these PAT entries, internal access to these services via the VPN to the other end (Site B) fails immediately.
Site A config follows (Site B is running the 192.168.42.x range with a virtually identical config, no PAT of course).
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FNN0755241374
!
logging buffered 10000 debugging
no logging console
enable secret xxxxxxxx
!
username xxxxx password xxxxxxxx
clock timezone EST 10
clock summer-time DEST recurring last Sun Oct 2:00 last Sun Mar 2:00
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxx address 203.x.x.25
!
!
crypto ipsec transform-set tweed_to_mur esp-des esp-md5-hmac
!
crypto map tweed_vpn 10 ipsec-isakmp
 set peer 203.149.73.25
 set transform-set tweed_to_mur
 match address 102
!
!
!
!
interface Ethernet0
 description FNN0755241374 LAN
 ip address 192.168.40.254 255.255.255.0
 ip nat inside
 no keepalive
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
 description 0755241374 (L2TP)
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description 0755241374 (L2TP) PPPoA RRSM512
 mtu 1400
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname xxxx
 ppp chap password xxxx
 crypto map tweed_vpn
!
ip nat inside source list 103 interface Dialer1 overload
ip nat inside source static tcp 192.168.40.1 21 203.149.71.130 21 extendable
ip nat inside source static tcp 192.168.40.1 20 203.149.71.130 20 extendable
ip nat inside source static tcp 192.168.40.1 80 203.149.71.130 80 extendable
ip nat inside source static tcp 192.168.40.4 25 203.149.71.130 25 extendable
ip nat inside source static tcp 192.168.40.4 110 203.149.71.130 110 extendable
ip nat inside source static tcp 192.168.40.4 143 203.149.71.130 143 extendable
ip nat inside source static tcp 192.168.40.4 80 203.149.67.193 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 11 remark * Customer end address space permitted for NAT
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 99 permit 203.149.69.5 log
access-list 99 permit 203.149.64.91 log
access-list 99 deny   any log
access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 102 deny   ip 192.168.40.0 0.0.0.255 any
access-list 103 deny   ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 103 permit ip 192.168.40.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community readstring RO
snmp-server community readwritestring RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
 password xxxx
 login
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 99 in
 exec-timeout 2 0
 password xxxx
 login local
!
scheduler max-task-time 5000
!
end
FNN0755241374#
Kind regards
MB
This is because the static NAT entries take priority over the NAT overload statement, so access-list 103 no longer stops these packets from being NATed.
This configuration example should help you:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
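To make the answer's point concrete, here is an added Python model (not from the thread or from Cisco) of the IOS inside-to-outside NAT order: static entries are consulted before the `list 103 ... overload` rule, and the crypto map ACL is evaluated on the already-translated packet. It uses the thread's ACLs and addresses; the "static entry gated by a route-map" case, the Site B client address and the overload port choice are assumptions.

```python
"""Model of the NAT / crypto ordering behind the 837 PAT problem (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src_net: str  # CIDR
    dst_net: str  # CIDR; "0.0.0.0/0" stands for IOS "any"


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if src in ipaddress.ip_network(e.src_net) and dst in ipaddress.ip_network(e.dst_net):
            return e.action == "permit"
    return False


DIALER1_ADDR = "203.149.71.130"  # global address used by the thread's static entries

# crypto map tweed_vpn -> match address 102
ACL102 = [AclEntry("permit", "192.168.40.0/24", "192.168.42.0/24"),
          AclEntry("deny",   "192.168.40.0/24", "0.0.0.0/0")]
# ip nat inside source list 103 interface Dialer1 overload
ACL103 = [AclEntry("deny",   "192.168.40.0/24", "192.168.42.0/24"),
          AclEntry("permit", "192.168.40.0/24", "0.0.0.0/0")]

# ip nat inside source static tcp <local> <lport> <global> <gport> extendable
STATIC_PAT = {
    ("tcp", "192.168.40.1", 21):  (DIALER1_ADDR, 21),
    ("tcp", "192.168.40.1", 20):  (DIALER1_ADDR, 20),
    ("tcp", "192.168.40.1", 80):  (DIALER1_ADDR, 80),
    ("tcp", "192.168.40.4", 25):  (DIALER1_ADDR, 25),
    ("tcp", "192.168.40.4", 110): (DIALER1_ADDR, 110),
    ("tcp", "192.168.40.4", 143): (DIALER1_ADDR, 143),
}


def nat_inside_to_outside(pkt, static_pat, static_route_map=None):
    """Inside-to-outside NAT in IOS order: static entries first, then the dynamic
    overload rule gated by ACL 103. static_route_map models binding the static
    entries to a route-map (assumed): the entry is used only if that ACL permits."""
    hit = static_pat.get((pkt.proto, pkt.src, pkt.sport))
    if hit and (static_route_map is None or acl_permits(static_route_map, pkt)):
        gaddr, gport = hit
        return replace(pkt, src=gaddr, sport=gport)
    if acl_permits(ACL103, pkt):
        # overload: same global address, a constructed ephemeral port
        return replace(pkt, src=DIALER1_ADDR, sport=40000 + pkt.sport)
    return pkt  # ACL 103 denied it: leaves the NAT stage untranslated


def egress(pkt, static_pat, static_route_map=None):
    """Return (packet as the crypto map sees it, True if ACL 102 puts it in the tunnel)."""
    out = nat_inside_to_outside(pkt, static_pat, static_route_map)
    return out, acl_permits(ACL102, out)


# constructed sample: the Site A mail server answering a POP3 client at Site B,
# and answering a client on the Internet
VPN_REPLY = Packet("192.168.40.4", 110, "192.168.42.20", 51234)
INTERNET_REPLY = Packet("192.168.40.4", 110, "198.51.100.7", 51234)


def scenarios():
    """Before PAT, after PAT (the thread's failure), PAT gated by a route-map, Internet client."""
    return {
        "before_pat":   egress(VPN_REPLY, {}),
        "with_pat":     egress(VPN_REPLY, STATIC_PAT),
        "pat_routemap": egress(VPN_REPLY, STATIC_PAT, static_route_map=ACL103),
        "internet":     egress(INTERNET_REPLY, STATIC_PAT, static_route_map=ACL103),
    }


if __name__ == "__main__":
    for name, (out, tunneled) in scenarios().items():
        print(f"{name:13s} {out.src}:{out.sport} -> {out.dst}:{out.dport}  tunneled={tunneled}")
```

In the "with_pat" case the reply leaves the NAT stage as 203.149.71.130:110, which no longer matches ACL 102, so it is sent in the clear out Dialer1 instead of into the tunnel; that is the failure the thread describes.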
Similar Questions
-
With PAT on Cisco PIX VPN client
Dear all,
I have a PIX 515 at the main site with IPSec enabled. A home user with the 3.x VPN client connects to the PIX for VPN access. When the home user uses a real IP, I can ping the main site's local network. However, when the home user uses a router with PAT, the VPN can be established.
Is there a setting I should put on the PIX, the VPN client or the router?
Thank you.
Doug
And if you still have problems, upgrade your PIX to 6.3 and use:
isakmp nat-traversal
But the first thing would be to check IPSec passthrough as Ade suggested. If the device is a Linksys, check the firmware version as well.
Kind regards
-
I use Windows Vista Home Edition on a laptop. The system connects to the Internet through an EDGE cellular router (via Ethernet) and receives data through a DVB-S2 satellite broadband receiver connected via a USB interface. The connection is through a VPN. Windows Vista loses the "blue planet" symbol as soon as the VPN connects. Authentication and connectivity are OK. DNS also works OK via the VPN, pointing to the VPN IP address 0.0.0.0. The diagnosis indicates an error where Vista says it finds multiple active dial-up connections. Is there a configuration option that allows me to bind the transmit interface (VPN) with the satellite return channel? The same software and configuration under Windows XP SP3 works OK.
Thanks in advance for your advice.
Hello
Your question about Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet forum. You can follow this link to post your question:
http://social.technet.microsoft.com/forums/en-us/category/w7itpro
You can also check the links below for assistance.
http://technet.microsoft.com/en-us/library/cc728078(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc737767(WS.10).aspx
Hope that helps.
-
How to create a VPN with Vista Home Premium based on the XP VPN settings?
I can connect to the VPN with the XP machine, but when I try to imitate the XP settings on the Vista Home Premium machine I can't connect to the same VPN. What do you suggest?
How to create a VPN connection in Vista: http://techrepublic.com.com/2346-1035_11-61437-1.html?tag=content;leftCol. NOTE: I don't know what you mean by "based on" the XP VPN settings, but you will have to do the best you can with the options and settings available in Vista (I don't know how they compare to XP, but I hope you will be able to do so).
Here is another article on the procedure: http://www.publicvpn.com/support/Vista.php.
Here is an article on how to configure a VPN with an ISP in Vista: http://www.web-articles.info/e/a/title/How-to-create-a-VPN-connection-over-your-ISP-connection/.
Here is an article with a number of other items all on VPN in Vista (I don't know exactly what type of configuration you have - as a host, as a client, on what type of connection - but this article covers many different aspects and I hope at least a couple will be of help to you: http://compnetworking.about.com/od/vpnsetup/VPN_Setup_How_to_Set_Up_a_VPN.htm.)
I hope this helps.
Good luck!
Lorien - MCSA/MCSE/Network+/A+ - if this post solves your problem, please click the 'Mark as answer' or 'Helpful' button at the top of this message. By marking a post as answered or helpful, you help others find the answer more quickly.
-
Hi guys,
I would like to know if the access list used with PAT can contain deny statements, i.e. a deny entry under the access list for the traffic that you do not want to be PATed.
Example:
access-list acl-pat deny ip 10.0.0.1 0.0.0.0 any
access-list acl-pat permit ip 10.0.0.0 0.0.0.255 any
if I don't want 10.0.0.1 PATed.
Hello
It's perfectly legal and quite a common practice.
Hope that helps - please rate the post if it does.
Paresh
-
Cisco IOS IPSec failover | Route based VPN with HSRP
I can find IPSec VPN redundancy using policy-based VPN with HSRP.
Is there any document that covers redundancy of route-based VPN with HSRP?
OK, I now understand the question. Sorry, I have no documents for this task.
I can see in the crypto ipsec profile (which you use under the Tunnel interface configuration to enable protection) that you can configure redundancy:
cisco(config)#crypto ipsec profile VTI
cisco(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device
  set             Set values for encryption/decryption
cisco(ipsec-profile)#redundancy ?
  WORD  Redundancy group name
cisco(ipsec-profile)#redundancy MRT ?
  stateful  enable stateful failover
I suspect it is the same as crypto map redundancy. But no documentation or examples found...
-
Question on site-to-site VPN with certificate authentication
Currently we are building a site-to-site VPN tunnel with our client. Usually we use a pre-shared key as authentication with other customers without any problems, but this time we must use certificate authentication with them. The question is that our CA is different from theirs. I tried a few times, but it failed. Can someone please let me know whether the certificate must be issued by the same certification authority to create the VPN tunnel?
Thank you very much!
Hello
You can read this document for a simple example of setting up a site-to-site VPN using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Basically both sides must have the same certification authority, and if there is an intermediate certificate it must be installed as well. The two ASAs will generate a CSR (certificate signing request), and then the PKI will create a certificate for both parties, commonly called an "identity certificate".
Please rate and mark the post as correct if it helped!
David Castro,
Kind regards
-
ASA VPN with different public IP addresses
Hello world. I can not find someone who can give me an answer 'for sure' on this. I want to connect two ASA5505s via VPN, call them A and B. Inside A we have net 10.0.0.0/24 and inside B net 10.0.1.0/24. Now, we can have 2 outside IP addresses for A (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the Internet. Can the ASA track 2 VPNs (with the same crypto map for the inside destination) so that if one fails it will switch to the other VPN by itself?
Can this be done with other Cisco devices (for example, a 2800 series router)?
Thank you very much
Which are you looking for?
1. If the connection to B fails, then A will use the secondary WAN connection to try to bring up the tunnel.
I would use backup ISP for this function.
2. If the connection to A fails, then B will try to set up the tunnel with the secondary peer address.
You can set multiple peers in a crypto map to provide redundancy.
-
IPSEC VPN with dynamic to dynamic IP
Hello
I have been trying IPSEC VPN with dynamic-to-dynamic IP (router to router) for some time. But still can not auto-establish the tunnel.
Can someone please tell me if it is possible to do?
If so, please share with me the secret to making it work.
Thank you!
Best regards
Rather than a crypto map, I would use a crypto IPsec profile. Then you establish an IPSEC tunnel. The beauty of the profile is that you can run routing protocols through it, and you do not have to constantly change the maps whenever you change the network topology. The "* * * * *" in the timer event is "minute hour day week month", so "* * * * *" is updated every minute. The tunnel destination is stored as an IP address, not a hostname, but when you set it you can put in a host name and it is converted to an IP address at the moment you configure it.
So, if you type:
config t
interface tunnel100
tunnel destination remote.dyndns.com
show run int tunnel100
It shows:
interface Tunnel100
 tunnel destination 75.67.43.79
That's why the event handler goes and sets the tunnel destination every minute to whatever the DDNS says is the new IP address.
I have seen that both of your routers are running DDNS. They will have to for this.
Local router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel100
 description to remote.dyndns.org
 ip address 10.254.220.10 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 75.67.43.79
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.2.0 255.255.255.0 10.254.220.9
event manager applet change-tunnel-dest
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination remote.dyndns.org"
!--------
Remote router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel100
 description to local.dyndns.org
 ip address 10.254.220.9 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 93.219.58.191
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.1.0 255.255.255.0 10.254.220.10
event manager applet change-tunnel-dest
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination local.dyndns.org"
Thank you
Bert
-
Easy VPN with dynamic IPSec Virtual Tunnel Interface
Hi all
I configured Easy VPN remote on a Cisco 1841 and a dynamic Easy VPN server with a virtual tunnel interface on the server (Cisco 7200, 12.4.15T14).
It works with Easy VPN remote in client mode and network-extension mode, but it doesn't seem to work when I configure network-extension-plus mode on the CPE client, or when I try to have TWO crypto inside interfaces on the EZ client. On the customer site I see two security associations, but on the server PE site only one SA!
Without the dynamic virtual tunnel interface, the dynamic map configuration is OK... Is this a limitation of the dynamic virtual tunnel interface?
Federica
If one side is DVTI and the other uses a dynamic map, it supports only 1 SA. If both ends use DVTI or both ends use a dynamic map, then it supports several SAs.
Here is the documentation note for your reference:
Note: Multiple inside interfaces are supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.
Here's the URL:
Hope that answers your question.
-
Problems with P2P VPN with a DHCP interface
I have properly configured a P2P VPN between two Cisco 888s using static IP addresses. If I set a single interface to DHCP and the unit is power cycled, it won't ask for an IP address until I issue "no crypto map
-
Remote access VPN with ASA 5510 using a DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection, when I can get one from a local IP pool?
I'm trying to set up remote access VPN with an ASA 5510. It works with a local DHCP pool but does not seem to work when I try to use an existing DHCP server. It is tested on an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.6.0.12 255.255.254.0
!
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0   (worked with this)
!
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
vpn-addr-assign aaa
vpn-addr-assign dhcp
!
group-policy testgroup internal
group-policy testgroup attributes
 dhcp-network-scope 10.6.192.1
 ipsec-udp enable
 ipsec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 default-group-policy testgroup
 dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
I got the following output when I test-connect to the ASA with Cisco VPN client 5.0:
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Kind regards
Lay
For RADIUS, you need an aaa-server definition:
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.18.12
 key *
 authentication-port 1812
 accounting-port 1813
and tell your tunnel-group to use this server:
tunnel-group VPN general-attributes
 authentication-server-group NPS LOCAL
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
Is a site-to-site VPN on a router sufficiently secure?
Hello
I have a question about site-to-site VPN on a router.
Internet <> router <> LAN
Suppose I have a site-to-site VPN configured on the router above to another site, and I have configured an access list to block incoming Internet connections except for the VPN. What are the risks of the LAN being exposed to threats from the Internet? Would you recommend putting a firewall between the router and the LAN, or replacing the router with a firewall?
Thank you
Hi Amanda,
Assuming your L2L looks like this:
LAN - router - INTERNET - Router_Remote - LAN
|-------------------------------------------------------------------------------|
L2L
Traffic between the two LANs is protected by the VPN tunnel. It is recommended to use strong encryption settings so that the encrypted traffic cannot be compromised in transit across the Internet.
On the other hand, if you are talking about plaintext outbound traffic to the Internet, as when a user accesses google.com, then you only allow outbound traffic and never allow any incoming connections.
If you want to protect your network with advanced security features such as those of a firewall, you can consider ZBF, which is available in the IOS Firewall feature set:
Zone-Based Policy Firewall Design and Application Guide
If you consider that this is not enough, look at the ASA 5500 series.
HTH.
Portu.
Please rate all useful posts
-
I have a very simple setup in place and wanted to simulate a VPN with a site on a DHCP address.
R1 - R2 = R3 - R4.
R2 has a static IP and R3 is supposed to be on DHCP. The underlying routing works very well. But when I apply crypto to the routers, it stops working.
When I ping from R1 to R4, R2 is decrypting, but when I ping from R1 to R4, R2 is not encrypting.
Thank you.
===============
Config of R2
!
R2#sh run
hostname R2
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set RIGHT esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 match address 150
!
!
crypto map statmap 65000 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 1.1.23.2 255.255.255.0
 duplex auto
 speed auto
 crypto map statmap
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp host 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 host 1.1.34.4
!
=============== Config of R3
R3#sh run
!
hostname R3
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.23.2 no-xauth
!
!
crypto ipsec transform-set RIGHT esp-aes esp-md5-hmac
!
crypto map MYmap 10 ipsec-isakmp
 set peer 1.1.23.2
 set transform-set RIGHT
 match address 150
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.23.3 255.255.255.0
 duplex auto
 speed auto
 crypto map MYmap
!
interface FastEthernet1/0
 ip address 1.1.34.3 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 host 1.1.12.1
access-list 150 permit icmp host 1.1.34.4 host 1.1.12.1
!
end
For a dynamic-to-static IPsec site-to-site VPN, the tunnel can only be brought up from the dynamic end.
In your topology, you can only initiate the VPN from R4 to R1, and once the VPN tunnel is established you will be able to pass traffic in both directions, that is, R4 to R1 and R1 to R4.
The reason you cannot initiate the VPN tunnel from R1 to R4 is that the static end does not know which IP address to connect to, since the other end is on DHCP.
If, however, you mean that even after the VPN tunnel has been brought up from R4 to R1 you still cannot ping from R1 to R4, then it is probably a config problem.
Please kindly share the complete configuration of all 4 routers, as well as the output of "show cry isa sa" and "show cry ipsec sa" from R2 and R3 after the test.
-
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access, with a NAT pool.
I created the VPN with a crypto map and the VPN is established successfully.
The problem I encounter is that with NAT enabled, internet access works but I cannot ping through the VPN.
If I disable NAT, the VPN works perfectly, but then the VLAN cannot access the internet.
What should I do differently?
Here is the config:
Device: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public range: 65.49.46.68/28
crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104
interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN
interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE
Hello!
Please make these changes:
ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any
ip nat inside source list Internet-NAT pool wan_access overload
* Please do not remove the old NAT statement until you have added the one above.
Please keep me posted.
Thank you!
Sent from Cisco Technical Support Android app
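Why the answer above works, as an added worked example (my own Python, not code from the thread or from Cisco): on IOS, an inside-to-outside packet is run through `ip nat inside source` translation before the crypto map on the egress interface is consulted, so once ACL 99 has rewritten the source to the pool address 65.49.46.70, crypto ACL 104 (written for 10.10.104.0/24) no longer matches and the packet leaves in the clear. The model below parses the ACL lines quoted in the question and the answer, evaluates them with Cisco wildcard-mask semantics (first match wins, implicit deny at the end), and applies NAT-then-crypto in that order. The packet addresses 10.10.104.5, 192.168.1.10 and 8.8.8.8 are constructed sample values; everything else comes from the posted configs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is don't-care
NAT_POOL_ADDR = "65.49.46.70"          # address in the poster's "ip nat pool wan_access"


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol; otherwise e.g. "icmp", "tcp"
    src: str
    src_wild: str    # Cisco wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_extended(line: str) -> AclEntry:
    """Parse the body of an extended ACL entry: '<action> <proto> <src> <dst>'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    (src, src_wild), rest = _take_addr(tokens[2:])
    (dst, dst_wild), _ = _take_addr(rest)
    return AclEntry(action, proto, src, src_wild, dst, dst_wild)


def parse_standard(line: str) -> AclEntry:
    """Parse a standard (source-only) ACL entry: '<action> <src>'."""
    tokens = line.split()
    (src, src_wild), _ = _take_addr(tokens[1:])
    return AclEntry(tokens[0], "ip", src, src_wild, *ANY)


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """True when addr equals net on every bit the wildcard mask cares about."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, proto, src, dst) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


def forward(nat_acl, crypto_acl, proto, src, dst):
    """Inside-to-outside path on the router: NAT first, then the crypto map.

    Returns (source address as the crypto map sees it, encrypted?)."""
    eff_src = NAT_POOL_ADDR if acl_permits(nat_acl, proto, src, dst) else src
    return eff_src, acl_permits(crypto_acl, proto, eff_src, dst)


# Crypto ACL 104 from the question (only the outbound entries matter here).
CRYPTO_ACL_104 = [
    parse_extended("permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255"),
    parse_extended("permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255"),
]

# Original NAT ACL from the question: access-list 99 permit 10.10.104.0 0.0.0.255
NAT_ACL_99 = [parse_standard("permit 10.10.104.0 0.0.0.255")]

# Corrected NAT ACL from the answer: ip access-list extended Internet-NAT
NAT_ACL_INTERNET = [
    parse_extended("deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255"),
    parse_extended("permit ip 10.10.104.0 0.0.0.255 any"),
]

if __name__ == "__main__":
    # Constructed sample packets: one for the remote office, one for the Internet.
    for name, nat in (("ACL 99", NAT_ACL_99), ("Internet-NAT", NAT_ACL_INTERNET)):
        print(name, "VPN ping   :", forward(nat, CRYPTO_ACL_104, "icmp", "10.10.104.5", "192.168.1.10"))
        print(name, "Internet   :", forward(nat, CRYPTO_ACL_104, "tcp", "10.10.104.5", "8.8.8.8"))
```

Running it shows the two outcomes the thread describes: with ACL 99 the VPN-bound ping is translated to 65.49.46.70 and never encrypted, while with the Internet-NAT list the deny entry exempts it from NAT so it matches ACL 104, and Internet-bound traffic is still translated in both cases. The same check is worth keeping around as a pre-change test whenever a NAT list and a crypto ACL cover overlapping prefixes.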