A Site to remote access VPN behind the same public IP address
Got a problem quite stupid. We have a VPN from Site to Site configured for a new data center, which will be responsible for general traffic management. In addition, some users need to use use a VPN client to access certain areas. The firewall at the Office only has a public IP address, so the two will come to the Site to Site VPN for remote access from the same source.
This seems a problem with legacy Cisco VPN clients because encryption card matches the entry VPN site-to-site, even if they use VPN clients. A good/simple solution to solve this problem?
Some newspapers (198.18.85.23) is the address public IP for the office and the tom.jones is the user. 192.168.1.0/24 is the pool of the VPN client.
January 7, 2014 19:12:52 ASA5515: % 713130-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, transaction mode attribute unhandled received: 5
January 7, 2014 19:12:52 ASA5515: % 737003-5-ASA: PISG: DHCP not configured, no viable servers found for tunnel-group "Corp-VPN.
January 7, 2014 19:12:52 ASA5515: % 713119-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED
January 7, 2014 19:12:52 ASA5515: % ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, IPSec tunnel rejecting: no entry for crypto for proxy card remote proxy 192.168.1.4/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
January 7, 2014 19:12:52 ASA5515: % ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, error QM WSF (P2 struct & 0x00007fff28dab560, mess id 0x37575f3c).
January 7, 2014 19:12:52 ASA5515: % ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, peer table correlator Removing failed, no match!
January 7, 2014 19:12:52 ASA5515: % 713259-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is be demolished. Reason: political crypto card not found
January 7, 2014 19:12:52 ASA5515: % ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, disconnected Session. Session type: IKEv1, duration: 0 h: 00 m: 02s, xmt bytes: 0, RRs bytes: 0, right: not found card crypto policy
January 7, 2014 19:12:53 ASA5515: % 713904-5-ASA: IP = 198.18.85.23, encrypted packet received with any HIS correspondent, drop
Hello
Don't know if this will work, but you can try the following configuration (with the rest of the VPN configuration)
list-access CLIENT VPN ip enable any 192.168.1.0 255.255.255.0
card crypto OUTSIDE_map 4 is the VPN CLIENT address
card crypto OUTSIDE_map 4 set peer 198.18.85.23
card crypto OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
The idea would be to have the ACL matches the VPN full Tunnel that the Client attempts to establish. (destination "any" from the point of view of the customer, the ASAs view source)
I tested briefly on my own SAA by connecting from an IP address to which the ASA offers free VPN in L2L. But as I don't have the operational L2L VPN, I can't really verify the VPN L2L at the moment. Thus, certain risks may be involved if you can afford it.
-Jouni
Tags: Cisco Security
Similar Questions
-
PIX 7 - several remote VPN sessions to the same public IP address
Hello
Here's my problem:
Employee A and employee B make VPN connections to the PIX even with their Cisco VPN clients. The two employees are behind the same NAT device, so have the same public IP address.
As soon as the second employee initiates the VPN connection, the first employee is disconnected.
I have a similar situation with a PIX 6.x version and it does not. Two employees can connect at the same time with the same credentials.
Here is the configuration of remote access VPN I use:
attributes of the strategy group gpolicy
DHCP-scope network 10.X.X.X
VPN - 5 concurrent connections
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splitTunnelAcl
the authentication of the user activation
the firewall client no
remoteuser password remotepass username
remoteuser attributes username
VPN-group-policy labtronix
VPN - connections 2
Protocol-tunnel-VPN IPSec
value of group-lock vpngroup
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup General attributes
address ip_pool pool
Group Policy - by default-gpolicy
Any contribution is appreciated.
Thank you.
Most likely problem of nat - t
Add "isakmp nat-traversal" in pix
-
several L2L ipsec VPN to the same destination (ip address)
Hi all
im lookin to establish an a L2L ips multiple tunnels (a tunnel for each subnet) of my cisco asa 5510 to the same destination.
should the cisco asa capable of this?
How can I do?
concerning
You can do this if you want to say-
Lets say site A - got 3 subnet and Site B has had a.
In this case, you need to do is to add ACL to crypto.
Thank you
Ajay
-
IP overlapping between VPN remote access and within the interface
Hi all
I tried to replace an ASA and configured vpn for remote access using cisco VPN client.
Remote access users are not able to access within the network, but have no problem accessing the network through a VPN site-to site.
One thing to note is that remote access VPN users are assigned an ip address of 10.X.3.1 - 10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.
Remote access users will have no problem to access within the network if the pool of the vpn client is changed to 192.168.1.1 to 192.168.1.100.
ASA errors
6 January 7, 2012 16:25:08 302013 10.X.3.1 27724 3389 10.X.1.66 built of TCP connections incoming 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) at inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)
6 January 7, 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on dmz interface (no link)
I understand that the overlap between access ip address range remote vpn network interface network and inside will cause routing problems, but why the syn - ack makes its appearance in the DMZ interface? The interface of the DMZ is on ip address 172.16.Y.1 255.255.255.0.
I intend to reduce the interface 10.X.0.0 255.255.254.0 inside if it is in fact a routing problem due to the IP address that overlap, but I understand why the syn - ack comes from the dmz interface and the diagnosis of the problem is correct. I check with the customer and was informed that the existing design works on an another ASA with no such problems.
I agree what you said and also tried, but it does not work.
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap
Solution, that you already know
Solution
Always ensure that the IP addresses in the pool should be assigned to VPN, network clients internal head unit and the internal network to the VPN Client must be in different networks. You can assign the same major network with different subnets, but sometimes the routing problems.
Thank you
Ajay
-
Hello
I have 2 Cisco Pix (Pix1, Pix2) 515E (8.0.4). Between these devices exist VPN L2L, which are configured on the external interfaces. On Pix2 I configured remote access VPN on the external interface, too.
Is it possible to achieve LAN behind Pix1, by using remote access VPN on Pix2 then VPN L2L?
I don't want to set up remote access on Pix1.
Thank you very much.
Kind regards
Vladislav
NAT (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA vpn to access the internet if you complete tunnel)
It is simply because I have configured tunnel RA as complete tunnel instead of split, nat (outside) 1 at the RA 140.40.30.0 pool have internet access through your firewall ASA_SITE_B and translate with global ID 1 who is your external interface of the firewall SA_SITE_B. This has nothing to do with what you are trying to accomplish, but I posted it because it was part of the very common scenario. There are some example PIX 6.3 cases where you will need split tunnel so that RA users have internet access not passing not through the encrypted tunnel code 6.0 does not feature of intra-interface support but 7.x above is of the code. Other examples are that some people configure split RA RA user tunnel will have access to their local resources in their homes as the printers network etc...
It is therefore, I need to translate 172.27.1.0/24 RA pool?
No there is no address translation in place in this scenario to work and you don't need to translate something too long, there is no of networks that overlap in one of the SITES u do not need to translate, this scenario is completely free sheep as you access lists free of nat in two firewalls for networks involved in communication in tunnels ASA_SITE_B.
Because I want to see IP addresses from PIX_SITE_A to 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?
Im not clear on this issue, but if I think what it means, it's possible but you need to have political NATing but I think this will make complicated setup, I would say to make this as simple as possible.
Concerning
All helpful PLS rate valid if it helped
-
Configuration remote access VPN (IPSec) using FULL domain name
Hi friends of Cisco,
We have the DNS (only the internal IP) within our network, right now that we have configured VPN for remote access using public IP address and connect us with the same public IP address. I need help to use the domain name FULL rather than use public IP.
Can you please provide the configuration for this.
Feature: ASA 5520
Type of configuration: IPSec
Thank you
Estel
Hi Philippe,.
You can use one of the free Web of DNS dynamic sites and configure ASA to dynamic DNS.
Reference - http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_ddns.html
HTH,
-Dieng
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
ODA IP ASA when you browse the web via remote access vpn
Hi all
I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.
The firmware version of the ASA is 9.1 (6)
Thanks in advance
Hello
What you want to achieve is calles u-turn.
You must enable the feature allowed same-security-traffic intra-interface
For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem
-
Connected to the Internet of VPN remote access VPN clients
Greetings,
I need to remote VPN clients to connect to the Internet from the same server VPN ASA
"client connects to ASA the external interface VPN tunnel can access Internet from the same external interface ASA new."
Thank you
you need to configure "same-security-traffic permit intra-interface" on the SAA.
Also, need to configure the relevant statements of nat for your range of pool of customers.
i.e.
Global 1 interface (outside)
NAT (outside) 1 access-list anyconnectacl
where anyconnectacl is the pool for your customers:
permit ip 172.16.1.0 access list anyconnectacl 255.255.255.0 any
-
Unable to SSH/telnet through the remote access VPN to ASA interface
Hi all - im trying to SSH/telnet to my ASA in my remote access VPN tunnel but
can't get this to work. what Miss me?
remote access VPN subnet: 192.168.25.0
LAN subnet: 192.168.1.0
config is attached. THX-
Please enter the command
Private access Managament
and you will be able to telnet/ssh to the asa on this ip 192.168.1.253
-
How to prohibit remote access vpn client to use the local DNS server
Hello
I'm on ASA5505 remote access vpn configuration.
Everything works fine so far, except when the client got connected, he always used the local DNS server provided by the ISP. How can I force the customer to use the DNS server configured on ASA?
Thank you.
Kind regards
The command "Activate dns split-tunnel-all" is supported only on SSL VPN and VPN IKEv2. Since you're using IKEv1, this command is not supported.
Here's the order reference:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1533793
You configure no split tunnel? If you are, then you need to configure "tunnelall" split tunnel policy, and that will force the dns resolution and everything else through the VPN tunnel.
-
Problem with remote access VPN on ASA 5505
I currently have a problem of an ASA 5505 configuration to connect via VPN remote access by using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x 64. The VPN client will prompt you for the user name and password during the connection process, but fails soon after.
The VPN client connects is as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.2.9200
2 15:09:21.240 11/12/12 Sev = Info/4 CM / 0 x 63100002
Start the login process
3 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
4 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
5 15:09:21.287 11/12/12 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
6 15:09:21.287 11/12/12 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
7 15:09:21.303 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
8 15:09:21.365 11/12/12 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
9 15:09:21.334 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
10 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
11 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
12 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
13 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
14 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
15 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
16 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
17 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
18 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000055
Sent a keepalive on the IPSec Security Association
19 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xFBCE, Remote Port = 0 x 1194
20 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is behind a NAT device
21 15:09:21.334 11/12/12 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 15:09:21.365 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 15:09:21.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 15:09:21.365 11/12/12 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
26 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
27 15:09:27.319 11/12/12 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
28 15:09:27.319 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
29 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
30 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
31 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
32 15:09:27.365 11/12/12 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
33 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
34 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
35 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
36 15:09:27.397 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
37 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
38 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
39 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
40 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
41 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
42 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO
43 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
44 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (5) built by manufacturers on Saturday, May 20, 11 16:00
45 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
46 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194
47 15:09:27.397 11/12/12 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
48 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
49 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
50 15:09:27.444 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
51 15:09:27.444 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
52 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
53 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 6 seconds, setting expiration 86394 seconds now
54 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
55 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
56 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO *(HASH, DEL) to *. **. ***. ***
57 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000049
IPsec security association negotiation made scrapped, MsgID = CE99A8A8
58 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
60 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000058
Received an ISAKMP for a SA message no assets, I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924
61 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">
62 15:09:27.490 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
63 15:09:30.475 11/12/12 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 11/12/12 Sev = Info/4 CM / 0 x 63100012
ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system
65 15:09:30.475 11/12/12 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
66 15:09:30.475 11/12/12 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
67 15:09:30.475 11/12/12 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
68 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
69 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
70 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
71 15:09:30.475 11/12/12 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
---------------------------------------------------------------------------------------------------------------------------------------
The running configuration is the following (there is a VPN site-to-site set up as well at an another ASA 5505, but that works perfectly):
: Saved
:
ASA Version 8.2 (5)
!
hostname NCHCO
Select hTjwXz/V8EuTw9p9 of encrypted password
hTjwXz/V8EuTw9p9 of encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
boot system Disk0: / asa825 - k8.bin
passive FTP mode
access extensive list ip NCHCO 255.255.255.0 outside_nat0_outbound allow 192.168.1.0 255.255.255.0
access extensive list ip NCHCO 255.255.255.0 inside_nat0_outbound allow 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap allow 192.168.1.0 255.255.255.0
access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap_1 allow 192.168.1.0 255.255.255.0
Standard access list LAN_Access allow NCHCO 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 645.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access outside_nat0_outbound
Route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac l2tp-transform
Crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map transform 10-set, vpn l2tp-transformation-transformation
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto vpn-card 1 set of transformation-ESP-3DES-SHA
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
Protocol-tunnel-VPN IPSec l2tp ipsec
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHVPN group policy
NCHVPN group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Protocol-tunnel-VPN IPSec l2tp ipsec
value by default-field NCHCO
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username, encrypted NCHvpn99 QhZZtJfwbnowceB7 password
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
pre-shared key *.
type tunnel-group NCHVPN remote access
attributes global-tunnel-group NCHVPN
address pool VPN_Pool
Group Policy - by default-NCHVPN
IPSec-attributes tunnel-group NCHVPN
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
ASDM image disk0: / asdm - 645.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
Anyone have any idea why this is happening?
Thank you!
Add, crypto dynamic-map outside_dyn_map 20 value reverse-road.
With respect,
Safwan
-
Hi all
I need help with remote access vpn configuration. I want to some remote users who have access to the internet on their system to connect and access an application server in my seat social cisco vpn client user. I use Cisco 881. I am unable to use the SDM configuration because it seems that SDM is not supported by the router so I'm using command line. I'd appreciate any help I can get. Thank you.
This is the configuration I have:
VPNROUT #sho run
Building configuration...Current configuration: 6832 bytes
!
! Last configuration change at 10:50:45 UTC Saturday, May 30, 2015, by thomas
version 15.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname VPNROUT
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen1 local
AAA authorization groupauthor1 LAN
!
!
!
!
!
AAA - the id of the joint session
iomem 10 memory size
!
Crypto pki trustpoint TP-self-signed-1632305899
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1632305899
revocation checking no
rsakeypair TP-self-signed-1632305899
!
!
TP-self-signed-1632305899 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31363332 33303538 6174652D 3939301E 170 3134 30313233 31323132
33325A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36333233 65642D
30353839 3930819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100BC0C 341CD79B A38572CE 1F0F9A91 F96B133C A889B564 E8352034 1CF5EE4B
B505616B 6014041B EC498C0A F6C5CD2B F5BF62DA BD6E1C44 0C7B9089 1FD0C6E5
299CEB40 28CD3F3B ADE3468A B07AAA9F AC42F0A7 4087172A 33C4013D 9A50884D
5778727E 53A4940E 6E622460 560C F597DD53 3B 261584 E45E8776 A848B73D 5252
92 50203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355 D
551 2304 18301680 14E85AD0 DEF133D8 E09516FD 0AA5FDAD E10EAB1A FA301D06
03551D0E E85AD0DE 04160414 F133D8E0 9516FD0A A5FDADE1 0EAB1AFA 300 D 0609
2A 864886 818100A 5 05050003 5B23ED5B 9A380E1F 467ABB03 BAB1070B F70D0101
7A 218377 73089DC1 D32DA585 C5FD7ECE 0D000F96 7F3AB6CC 71509E8F 3F1C55AE
E37536A3 1008FBF9 A29329D5 6F76DDC0 AA1C70AE 958AAE5D 32388BE4 2C1C6839
0369 D 533 027B612C 8D199C35 C008FE00 F7E1DF62 9C73E603 85C3240A 63611D 93
854A61E2 794F8EF5 DA535DCC B209DA
quit smoking
!
!
!
no record of conflict ip dhcp
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 172.20.0.1 172.20.0.50
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp pool 1
network 172.20.0.0 255.255.240.0
domain meogl.net
router by default - 172.20.0.1
172.20.0.4 DNS server 41.79.4.11 4.2.2.2 8.8.8.8
8 rental
!
!
!
no ip domain search
IP domain name meogl.net
name of the IP-server 172.20.0.4
name of the IP-server 41.79.4.11
IP-server names 4.2.2.2
8.8.8.8 IP name-server
IP cef
No ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ1804C3SL
!
!
username secret privilege 15 thomas 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
username privilege 15 secret 4 mowe hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
!
!
!
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group moweclients
XXXXXXX key
DNS 172.20.0.4
meogl.net field
pool mowepool
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac moweset
tunnel mode
!
!
!
Dynmap crypto dynamic-map 1
Set transform-set moweset
market arriere-route
!
!
card crypto client mowemap of authentication list userauthen1
card crypto isakmp authorization list groupauthor1 mowemap
client configuration address card crypto mowemap answer
mowemap 1 card crypto ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
IP 172.30.30.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 100
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
IP 41.7.8.13 255.255.255.252
NAT outside IP
IP virtual-reassembly in
intellectual property policy map route VPN-CLIENT
Shutdown
automatic duplex
automatic speed
mowemap card crypto
!
interface Vlan1
Description $ETH_LAN$
IP 10.10.10.1 255.255.255.248
IP tcp adjust-mss 1452
!
interface Vlan100
IP 172.20.0.1 255.255.240.0
IP nat inside
IP virtual-reassembly in
!
local pool IP 192.168.1.1 mowepool 192.168.1.100
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP nat inside source overload map route interface FastEthernet4 LAT
IP route 0.0.0.0 0.0.0.0 41.7.8.12
!
access-list 23 allow 10.10.10.0 0.0.0.7
access-list 23 allow 172.20.0.0 0.0.15.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 everything
access-list 144 allow ip 192.168.1.0 0.0.0.255 any
not run cdp
!
LAT route map permit 1
corresponds to the IP 100
IP 41.7.8.12 jump according to the value
!
route VPN-CLIENT map permit 1
corresponds to the IP 144
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
!
endPlease the configuration above, give me the desired output.
Thank you.
Hello Thomas,.
I'm glad to hear that you have found useful in the example configuration.
I checked your configuration and everything seems ok with him, especially the statements of nat.
ip local pool mowepool 192.168.1.1 192.168.1.100 access-list 100 deny ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255 access-list 100 permit ip 172.20.0.0 0.0.15.255 any route-map LAT permit 1 match ip address 100 ip nat inside source route-map LAT interface FastEthernet4 overload interface Vlan100 ip address 172.20.0.1 255.255.240.0 ip nat inside ip virtual-reassembly in
Try to generate ICMP traffic behind your 100 VLANS to the client VPN in order to answer the following questions:
-The router receives this traffic between VLAN100 unit?
-The router is encrypt this traffic, after receiving the ICMP packet?
#show crypto ipsec router its can help you with this question. Look for the program/decaps counters.
-The same, but the other way around (from VPN client to device behind VLAN100) try to locate the problem.
The following document explains more this crypto commands and debugs if necessary.
-
ASA remote access VPN cleaning
Experts,
I have about three or four remote access VPN that must be removed from my ASA. What is the best way to ensure that I remove all configurations of the ASA? Thank you. Best.
Hi Thomas,
You can run the command "clear configure vpn" to clear some vpn commands, if you do not have all the certificates or site to site, you can run the command "claire configure crypto" and remove any command associated crypto.
Rate if helps.
-Randy-
-
Service of ASA module does on 6509-E support remote access VPN?
I'm having a problem of configuration of remote access VPN (SSL, Anyconnect ect.) on the Module of ASA Service on 6509-E. It is even supported or I'm wasting my time trying to do something that won't work in a first place :) to work? Site-to-Site works without any problem.
Technical info:
6509-E current SUP 2 t SY 15.1 (2)
Module of ASA - WS-SVC-ASA-SM1 running of the image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption--Activated
3DES-AES-Encryption - enabled
Thank you for the support.
You run multiple context mode?
If you are, access remote VPN only is not supported in this case:
"Note several context mode only applies to the IKEv2 and IKEv1 site to another and applies not to the AnyConnect, clientless SSL VPN, the legacy Cisco VPN, native VPN client client of Apple, the VPN client from Microsoft or cTCP for IKEv1 IPsec."
Maybe you are looking for
-
Whence a picture to desktop screen?
I have a Chinese item on eBay that gets a lot of interest from Chinese-name users. However, after answering an e-mail in my e-mail client who hails from eBay, I was surprised to see that my image of the desktop has changed of the mountain landscape o
-
My shield of security in the taskbar indicates the automatic update is disabled. When I try to solve the problem, it said I have to go to systen and click auto update, and turn it on. When I go to automatic update it is said that it is on. I hit i
-
Windows 7 64 bit - need 32-bit Downgrade
I have a PC HP Elite 8300 comes with Windows 7 64 bit installed, there is recovery disc but only for 64 bit 32 No. How can I get a disk set to 32 bit, we have a 'CRITICAL' application that is not compatible with Windows 64-bit. When I bought the PC I
-
I buy a new computer and I need to re install my creative cloud, I can install my programs again, but on my new one? Thank you
-
How can I get my thread and sign back on my toolbar option?
How to get back my fill option and sign on my toolbar? I got it and it just disappeared.