Can a PIX-to-PIX VPN allow traffic in only one direction?

Here is the configuration of the PIX 501 that accepts incoming VPN tunnels from the other, dynamic-IP PIX.  Everything works very well, allowing traffic to flow both ways once the tunnel comes up.  But how can I limit or prevent the traffic that originates on this PIX's side (192.168.27.2) from going to the other PIX's networks?  In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow traffic from the 3.0 network to access the 27.0 network, and I do not want anyone on the 27.0 network to access the 3.0 network.

Thanks for any comments.

pixfirewall# sh conf
: Saved
: Written by enable_15 at 13:29:50.396 UTC Sat Jul 3 2010
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname pixfirewall
domain-name .com
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ldap 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.248 255.255.255.255
ip address inside 192.168.27.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.10.1-10.10.10.254
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set gvnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set gvnset
crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
crypto map gvnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup gvnclient address-pool ippool
vpngroup gvnclient dns-server 192.168.27.1
vpngroup gvnclient wins-server 192.168.27.1
vpngroup gvnclient default-domain .com
vpngroup gvnclient split-tunnel 101
vpngroup gvnclient idle-time 1800
vpngroup gvnclient password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:
pixfirewall#

Of course, definitely possible.

You can configure an access list on the inside interface to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then allow anything else.

Example:

access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside-acl permit ip any any

access-group inside-acl in interface inside

Hope that helps.
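To see why the inside-interface ACL gives one-way initiation rather than a one-way traffic block, here is a small stateful model of that policy in Python (an added example, not part of the original thread). It parses the suggested inside-acl, applies it only to new flows entering the inside interface, and tracks permitted connections the way the PIX conn table does, so replies to connections opened from the 3.0 side still pass while new connections from the 27.0 side toward 3.0 are denied. Host addresses, ports and the interface names are constructed; the assumption that packets on outside arrive decrypted through the tunnel (admitted by the posted sysopt connection permit-ipsec) is noted in the code.

```python
# Added example (not from the original thread): a small stateful model of the
# inside-interface ACL suggested in the answer above.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# The two lines from the answer (PIX 6.3 syntax): first match wins, implicit deny at the end.
INSIDE_ACL = """
access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside-acl permit ip any any
"""

def _parse_addr(tokens, i):
    """Parse 'any' or 'A.B.C.D M.M.M.M' at tokens[i]; PIX ACLs use real masks, not wildcards."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] from 'access-list NAME action ip SRC DST' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        rules.append((t[2], src, dst))
    return rules

@dataclass(frozen=True)
class Packet:
    ifc: str    # interface the packet arrives on: "inside" or "outside"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reply(self):
        """Return packet of this flow: endpoints swapped, arriving on the other interface."""
        other = "outside" if self.ifc == "inside" else "inside"
        return Packet(other, self.dst, self.src, self.proto, self.dport, self.sport)

def conn_key(p):
    """Direction-independent 5-tuple, like the entry the PIX keeps in its conn table."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class StatefulPix:
    def __init__(self, acls):
        self.acls = acls    # {interface: rules} for interfaces that have an access-group
        self.conns = set()  # connections already permitted

    def inspect(self, p):
        key = conn_key(p)
        if key in self.conns:
            return "permit (existing connection)"  # replies never consult the ACL
        rules = self.acls.get(p.ifc)
        if rules is None:
            # No access-group on this interface.  For "outside" this assumes the packet
            # arrived decrypted through the tunnel, which the posted
            # 'sysopt connection permit-ipsec' admits without an interface ACL check.
            verdict = "permit"
        else:
            verdict = "deny"  # implicit deny if no line matches
            for action, src_net, dst_net in rules:
                if ip_address(p.src) in src_net and ip_address(p.dst) in dst_net:
                    verdict = action
                    break
        if verdict == "permit":
            self.conns.add(key)
        return verdict

def demo():
    fw = StatefulPix({"inside": parse_acl(INSIDE_ACL)})
    results = {}
    # A host at the 3.0 site opens SMB to a 27.0 host through the tunnel...
    remote_init = Packet("outside", "192.168.3.10", "192.168.27.50", "tcp", 40000, 445)
    results["3.0 -> 27.0 new"] = fw.inspect(remote_init)
    # ...and the reply enters "inside": the conn table admits it although the
    # ACL would deny a *new* 27.0 -> 3.0 flow.
    results["27.0 -> 3.0 reply"] = fw.inspect(remote_init.reply())
    # A 27.0 host tries to open its own connection toward the 3.0 site.
    results["27.0 -> 3.0 new"] = fw.inspect(
        Packet("inside", "192.168.27.50", "192.168.3.10", "tcp", 50000, 22))
    # Other tunnelled destinations (192.168.7.0 is also in ACL 102) are unaffected.
    results["27.0 -> 7.0 new"] = fw.inspect(
        Packet("inside", "192.168.27.50", "192.168.7.20", "tcp", 50001, 80))
    return results
```

Note that the real PIX also needs the 3.0-initiated connection to survive its idle timeouts (timeout conn / udp in the posted config) for the reverse packets to keep matching; anything that is not return traffic of an established connection is treated as a new flow and hits the ACL.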

Tags: Cisco Security

Similar Questions

  • Traffic permitted only one-way for VPN-connected computers

    Hello

    I currently have an ASA 5505.  I set it up as a remote access SSL VPN. My computers can connect to the VPN very well.  They just cannot access the internal network (192.168.250.0).  They cannot ping the inside interface of the ASA, nor any of the machines.  It seems that all traffic is blocked for them.  The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN.  It seems that traffic is allowed only one way.  I messed around with ACLs but nothing works.  Any suggestions please?

    DHCP pool: 192.168.250.20-50 --> for LAN

    VPN pool: 192.168.250.100 and 192.168.250.101

    Outside interface gets DHCP from the modem

    Inside interface: 192.168.1.1

    Current running config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname HardmanASA
    enable password # encrypted
    passwd # encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 20
    !
    interface Ethernet0/1
     switchport access vlan 10
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.250.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.250.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.250.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.250.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.250.20-192.168.250.50 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_Pool
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:30fadff4b400e42e73e17167828e046f
    : end

    Hello

    No worries

    Here is how I would change the config.

    First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:

    no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0

    ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0

    access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0

    nat (inside) 0 access-list NAT_0

    Then give it a try, and if it works, rate this post hehe

  • Site-to-site tunnel - traffic flowing in only one direction.

    Greetings to all,

    I configured a site-to-site IPSec tunnel between an ASA5510 and a Linux system, connecting network A with network B in the following way:

    * Chart:

    #---------------IPSec-----------------#

    private network (A) - Linux router (GW1) - WAN - ASA5510 (GW2) - public network (B).

    * Results:

    I checked the IPSec tunnel on the Linux router and Phase 1 and Phase 2 are UP. ASDM also shows an IPSec connection with the correct settings (GW, LAN, remote network etc.).

    If I understand them correctly, "show crypto isakmp sa", "show crypto ikev1 sa" and "show crypto ipsec sa" also show that the connection is correct and UP.

    * Now comes the interesting part:

    If I ping from network A to network B, the ICMP echo requests go through the tunnel and I can see the Rx bytes on the Cisco ASA go up.

    If I ping from network B to network A, I do not see any Tx bytes on the tunnel. The Linux router also does not see any packets through the tunnel.

    When I ping from network B to network A, the firewall logs ICMP denies. This means that traffic from B to A, I don't know why, does not match the corresponding tunnel ACL; the ICMP packets are routed to the default gateway instead of through the tunnel and are then dropped by a less specific rule on the main firewall.

    * Configurations:

    I specifically configured a crypto map that matches the networks in both directions.

    There is an ACL that allows traffic in both directions.

    There is a NAT rule that exempts traffic between the two networks from translation, so that the two networks can pass freely through the tunnel.

    * Ideas?

    crypto map?

    NAT?

    ACL?

    interface security level?

    Thanks in advance.

    Hey Gomez,

    Please try the packet-tracer command:

    packet-tracer input <interface> icmp <source IP> 8 0 <destination IP> detailed

    The output of this command will show where the packet is dropped.

    Please send the output of the above command.

    HTH!

    Regards

    Regnier

  • Frustrated... I can't be the only one

    To date I have inadvertently licensed 6 images. I'm hoping to get a credit for 4 of them. From what I read on the community forum, I believe I'm not alone.  Licensing an image may need a three-step process, or something of that nature. I comb through all of your wonderful images and save the ones I believe represent the feeling I'm looking for.  After my research, I delete the ones I like less and inadvertently license unwanted images. Can we find a solution... I know I'm not the only one having this problem; maybe someone has a suggestion that may help. I'm open to suggestions. The only image I intentionally licensed is # 77107461. Help, please...

    Distraught

    Hi johnr50399020

    Do you save your previews in a library and select the delete option from there?  Do you remember how the image got licensed by mistake?

    The design team is working to improve the licensing workflow in order to avoid this kind of problem.

    In the meantime, I have credited 4 images to your account.

    Kind regards

    Bev

  • VPN site-to-site initiated in one direction

    Hello. We are trying to establish a site-to-site VPN between two ASA firewalls, let's call them ASA1 and ASA2. The problem is that ASA1 cannot start the connection. ASA1's ISAKMP packets reach ASA2, but are dropped by an unwritten rule.

    When ASA2 initiates, everything is OK. And while the flow exists on ASA2, ASA1 can use that flow, so it can start the VPN as well.

    Here's the output of packet-tracer on ASA2:

    ASA2# packet-tracer input outside udp ASA1_IP isakmp ASA2_IP isakmp detailed

    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xaffd1bc8, priority=13, domain=capture, deny=false
        hits=14830976, user_data=0xaee75a18, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xae06b0c0, priority=1, domain=permit, deny=false
        hits=16921285389, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
     in   ASA2_IP   255.255.255.255   identity

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xad731f30, priority=0, domain=permit, deny=true
        hits=60834932, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    Adding ASA1 to the inbound ACL on the outside interface of ASA2 did not help. Using the packet tracer in ASDM did not point to any specific rule; it just showed the entire list of ACL rules. Using a capture of type asp-drop displays the same drop reason as packet-tracer, without more details. Setting ASA2 to answer-only did not help either.

    How do I interpret the values of phase 4, i.e. find the rule that causes the drops, based on the id and the other data? There is no such id in sh access-list.

    Any other ideas? Thank you very much.

    And one more idea :)

    Maybe you have something like this on ASA2:

    access-group outside_access_in in interface outside control-plane

    ?

    With the control-plane keyword on access-group, traffic that is destined to the interface of the ASA itself can be filtered. Please see the following discussion:

    https://supportforums.Cisco.com/discussion/11130691/access-group-control-plane-Cisco-pixasa

  • RV220: allow traffic on a forwarded port

    Hello

    This should be simple.  I am in my RV220, and under the port forwarding heading I created a rule.  I also created a custom service for the particular port I want to allow traffic on.  The problem is I want the traffic to go to any computer on the local network.  What IP address do I put as the destination?  I tried to put in the broadcast address, 192.168.1.255, but it did not work.  What if I just put in the LAN IP of the router and it will do the rest?

    Please advise.

    Tony

    Hi Tony,

    Packets forwarded from the WAN port are unicast. Broadcast packets are filtered and not allowed into the local network by default. There is no option in the RV220 to rewrite a unicast packet to broadcast.

    There is only IGMP multicast support on this router, but I guess you are not talking about that.

    Normally with only a firewall rule you can allow traffic for a specific service to enter from WAN to LAN, but NAT will still be a problem.

    Can you share which service you're trying to broadcast into the local network?

    Kind regards

    Bismuth

  • Am I the only one who misses Adobe Ideas and can't get used to Adobe Draw?

    I have tried very hard to get used to Adobe Draw, after loving Adobe Ideas since the day it launched.

    Just the fact that there is no button to undo the last action is so confusing. I can't count how many times I slide back and see a line drawn instead of the last action being deleted, and the opposite happens too. I even liked the graphics better.

    I am on my knees. ADOBE, please, bring back updates for Adobe Ideas. Maybe having two apps around isn't the worst idea.

    What do you all think of this? I can't be the only one here!

    So, you can use the pinch gesture to get an overview of all projects, if you missed that.

    Also, if you purchase a bluetooth stylus, you can use the pen to undo instead of the 2-finger slide.

  • Allowing traffic between two ethernet interfaces on a PIX

    I have a PIX with an inside interface, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty allowing traffic from the 10.198.16.0 network to cross the PIX into 10.12.60.0. Specifically, I'm trying to allow access to a server with IP address 10.12.60.2.

    I enclose my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100 and WTS has a security level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global (or static) pair between the two interfaces so that the PIX knows how to NAT traffic between them (remember, the PIX must do NAT).

    You have this in your config file:

    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    which says that all traffic on the inside interface with a 10.x.x.x IP address will be NATed, but you then need a global for the WTS interface to define what those IPs will be NATed to.

    Adding:

    global (WTS) 1 interface

    will PAT all inside hosts to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you prefer the hosts on the inside interface to appear as their own IP addresses on the WTS network, then you can use a static command and NAT the addresses to themselves, technically doing NAT but not actually changing the addresses:

    static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0

    Hope that helps.

  • Allowing RPC through a PIX - can it permit only some program numbers?

    I can allow inbound access to port 111, allowing embryonic inbound connections for RPC purposes. That is a big security hole.

    With CBAC on a router, you can inspect and allow only some RPC program numbers. Is it possible to do that on the PIX firewall?

    Thank you very much

    Mark

    Mark,

    No, the PIX has no capability (such as CBAC) to inspect RPC program numbers. We offer a limited UDP RPC fixup for portmapper and rpcbind exchanges. I hope this helps.

    Scott

  • Simple PIX PIX VPN issues

    I'm trying to implement a simple PIX-to-PIX VPN using the sample config from the simple PIX-to-PIX VPN documentation page. I have a lot of VPN tunnels with other PIX devices that work very happily, so this is quite annoying. Anyway, the config on the source PIX is as follows:

    access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

    access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

    nat (phoenix_private) 0 access-list 101

    sysopt connection permit-ipsec

    no sysopt route dnat

    crypto ipsec transform-set chevelle esp-des esp-md5-hmac

    crypto map ntlink 1 ipsec-isakmp

    crypto map transam 1 ipsec-isakmp

    crypto map transam 1 match address 101

    crypto map transam 1 set peer 172.18.126.233

    crypto map transam 1 set transform-set chevelle

    crypto map transam interface inside

    isakmp enable inside

    isakmp key ******** address 172.18.126.233 netmask 255.255.255.255

    isakmp identity address

    isakmp policy 1 authentication pre-share

    isakmp policy 1 encryption des

    isakmp policy 1 hash md5

    isakmp policy 1 group 1

    isakmp policy 1 lifetime 1000

    and if I generate traffic, the logs show this:

    Aug 9 18:40:15 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)

    Aug 9 18:40:17 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)

    Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)

    Aug 9 18:40:19 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    No isakmp or ipsec debug messages appear, but you would expect that, since the PIX does not even match the traffic against the access list or NAT.

    I'm doing something obviously stupid; can someone tell me what it is, thank you.

    Jon.

    Hello

    1. Create a second access list:

    access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

    and

    2. Instead of

    crypto map transam 1 match address 101

    you must configure

    crypto map transam 1 set match address outside_cryptomap

    The problem is that you configured the same ACL for both nat and crypto - that does not work.

    concerning

    Alex

  • Ping and PIX VPN

    Hello

    I have a strange problem and I was wondering if anyone has heard of it before. I have site-to-site links with 3 PIX configurations; one site works very well, but the second remote site with the same config (changing the IPs etc. though) doesn't seem to work properly. I see Terminal Services working fine to the remote site, but I cannot ping their internal IP addresses or browse them. Curiously, the remote site cannot ping or look up anything at my site by name or IP, BUT Terminal Services from there to here still works?

    Does anyone have an idea?

    Thanks for your time

    Andy

    Is sysopt for IPSEC configured in both places? If not, does the ACL allow the traffic in on the external interfaces?

    If the remote site can connect to TS on your site, can it ping the address of the TS server? Is there an ACL entry that would allow that to happen without the VPN tunnel? It's probably a problem with the access lists for the VPN match and nat 0.

    Without any idea of your configs, it is difficult to provide assistance.

  • PIX stops passing all traffic at the entrance to command crypto

    I have a strange problem with a PIX 515 running 6.1(2).

    I have 3 VPN tunnels already implemented. While trying to set up a 4th, the PIX stops passing all traffic. It happens precisely when I enter ANY "crypto map" command.

    Cancelling the command using "no crypto map ..." or "clear xlate" is no help either. The PIX must be restarted before traffic flows again. The CPU usage drops to zero and my telnet session to the PIX remains connected.

    Anyone have any ideas?

    I put the relevant configuration below:

    access-list sheep permit ip 172.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0

    access-list sheep permit ip 172.50.0.0 255.255.0.0 10.0.0.0 255.0.0.0

    access-list acl_vpn1 permit ip 172.50.0.0 255.255.255.0 192.168.0.0 255.255.0.0

    access-list acl_vpn2 permit ip 172.50.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    access-list acl_vpn3 permit ip 172.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0

    nat (inside) 0 access-list sheep

    sysopt connection permit-ipsec

    no sysopt route dnat

    crypto ipsec transform-set support esp-des esp-md5-hmac

    crypto map toVPNs 10 ipsec-isakmp

    crypto map toVPNs 10 match address acl_vpn1

    crypto map toVPNs 10 set peer 1xx.xxx.xxx.xxx

    crypto map toVPNs 10 set transform-set support

    crypto map toVPNs 12 ipsec-isakmp

    crypto map toVPNs 12 match address acl_vpn2

    crypto map toVPNs 12 set peer 2xx.xxx.xxx.xxx

    crypto map toVPNs 12 set transform-set support

    crypto map toVPNs 14 ipsec-isakmp

    crypto map toVPNs 14 match address acl_vpn3

    crypto map toVPNs 14 set peer 3xx.xxx.xxx.xxx

    crypto map toVPNs 14 set transform-set support

    crypto map toVPNs interface outside

    isakmp enable outside

    isakmp key ******** address 1xx.xxx.xxx.xxx netmask 255.255.255.255

    isakmp key ******** address 2xx.xxx.xxx.xxx netmask 255.255.255.255

    isakmp key ******** address 3xx.xxx.xxx.xxx netmask 255.255.255.255

    isakmp policy 1 authentication pre-share

    isakmp policy 1 encryption des

    isakmp policy 1 hash md5

    isakmp policy 1 group 1

    isakmp policy 1 lifetime 43200

    Hi Ishaq,

    Please make sure you remove the crypto map from the interface by doing a "no crypto map toVPNs interface outside", and then add the necessary commands before reapplying the crypto map. Usually, when we add a new "crypto map toVPNs xx ipsec-isakmp" command without removing the crypto map from the interface, it starts encrypting all traffic passing through the PIX. After you make the required changes, reapply the crypto map.

    Hope this helps,

    Kind regards

    Abdelouahed

    -=-=-

  • With PAT on Cisco PIX VPN client

    Dear all,

    I have a PIX 515 at the main site with IPSec enabled. A home user using the 3.x VPN client connects to the PIX for VPN access. When the home user uses a real IP, I can ping the local network of the main site. However, when the home user is behind a router with PAT, the VPN cannot be established.

    Is there a setting I should put on PIX, VPN client or router?

    Thank you.

    Doug

    And if you still have problems, upgrade your PIX to 6.3 and use:

    isakmp nat-traversal

    But the first thing would be to check IPSEC passthrough, as Ade suggested. If the device is a Linksys, check the firmware version as well.

    Kind regards

  • SSH on PIX 6.3.3: is "pix" the only username you can connect with?

    I am testing SSH version 1 connections to a 515 running 6.3.3. I configured usernames on the PIX and SSH allows connections from the permitted IP addresses. The problem is I can only connect to the PIX via the username "pix", and it will only allow one connection at a time.

    Does anyone know why it does not accept logins via SSH using the usernames defined on the device?

    Thanks in advance. Mike

    Enter the commands "aaa-server LOCAL protocol local" and "aaa authentication ssh console LOCAL".

    You will then be able to connect using the local usernames on the PIX.

  • On Pix VPN tunnel to the same subnet

    I have a customer who wants to set up a VPN tunnel between the PIXes located at each site. For some reason, each side has the same subnet number, e.g. 10.10.10.x/32. I'm sure we must run NAT, but is it possible?

    This may help

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
