ACL by crypto-interesting setting direct tunnel IPSEC-L2L
Hi all
I need to put additional hosts on the existing ACL crypto-interesting on a tunnel directly with real-time traffic.
I have a network-side remote engineer to apply the same to their end.
My question is it will interrupt existing tunnel/traffic if we put additional hosts on the ACL on both sides at the same time?
Thank you!
Each permit in TS in ACL generates its own IPsec security association.
There should be no impact on existing services - just pay more attention is not to introduce any overlap of the ACL.
Another topic that is very often updated card crypto DB that sometimes one must remove and re-add the crypto map configuration - which will cause traffic distruption.
Marcin
Tags: Cisco Security
Similar Questions
-
How to set up a one-way IPSec-L2L tunnel
This may be a silly question, since VPN for communications between the parties of confidence and that most people would try to correct a unidirectional tunnel.
But I'm interested to transform a regular one-way only, tunnel that traffic to my side can initiate the tunnel.
Recently, we built this tunnel between our ASA5510 and ASA5510 of our biz partner to run critical applications on their web servers not connected to the Internet. I want to tie down so that they cannot launch the VPN. I have the crypto ACL set to limit to a port address, so they can only come from this port once the tunnel is established. We also have a personal firewall installed on each host.
Any idea on how to make the one-way tunnel and protect also us better once the tunnel is mounted?
Hello
You can use the following command:
defined card crypto seq - num connection-type name {only answer | only | two-way}
This command defines whether the tunnel is come only or single answer. If you set the tunnel on your side to come alone, the asa will never accept the installation of tunnel from your business partner. However, you can still start the configuration of the vpn tunnel.
Check:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576
Even if the reference is to ASA8.0 I know it works for 7.2.x so
Hope this helps
Kind regards
Pieter-Jan
-
L2l Tunnel between 2POIGNEES: general query on ACL sheep/crypto
Hi all
For the L2L tunnel between 2POIGNEES work very well, we configure normally same network to network - sheep & cryptos ACL on both ends of the SAA. My question is...
It will work without any problem, if on one end of the ASA, the ACL sheep & crypto are combined to form the group object (to limit the ASA configs) and on the other end address net net address ACL sheep & crypto still exists (not consolidated in the Group of objects)... ? If it works, it works even if the tunnel is between ASA--> router.
Thanks in advance
MS
MS, it will work if the other side does not use the same scenario of acl consolidated using groups of objects. ACLs and groups of objects are significant locally on the device.
You can consolidate the ACLs on the ASA/PIX using TCP or UDP-groups of objects or groups of objects network and that your acl to the respective object-group, they always have the same effect as when they have been configured individually line by line.
This works even if the tunnel is between ASA--> router
Yes
HTH
Jorge
-
L2l VPN Access-list crypto-interesting
Hi everyone, I have a question.
I have ASA1 and ASA2 connected via a private cloud to intellectual property and two hosts behind each of the ASA.
The tunnel is up, and I can ping to host1, which is behind ASA1 host2 which is behind ASA2 over the VPN tunnel.
When I show crypto ipsec his on ASA2 I see
#pkts program: 451, #pkts encrypt: 451, #pkts digest: 451
#pkts decaps: 451, #pkts decrypt: 451, #pkts check: 451
and they are multiplying, each ping I have sent to host1 host2. But when I do sh cryptointeresting access-list that defines my crypto interesting traffic on ASA2 I see not growing hits with each ping I send host1 who is behind ASA1.
The question is whether I'm supposed to see crtyptointeresting access-list hits rising on ASA2, when I ping host2 to host1, which is on the other end behind ASA1 (behind ASA2).
Thank you
Hi my friend.
When you ping with the ASA2 ASA1 you won't see hitcounts in the ASA2 ACL. This happens because the number of access number to increase traffic must be defined in the ACL.
Basically when you ping ASA1 with the ASA2 traffic does not match the direction of the ACL on ASA 2 crypto (which is defined from ASA2 LAN to LAN ASA1) so it does not count as a success.
You see decrypted packets and decapsualated because the traffic corresponding to the terms previously negotiated for the VPN Tunnel, then the traffic gets encryped and sent through the tunnel.
I hope this clarifies your questions.
BTW sorry I did not get back to you on your second post NAT, I see that Varun has given you a great answer.
Have fun!
Raga
-
HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody
Hello
We have a cisco ASA 5505 and try to get the next job:
ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client
the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)
When I try to access the url of the client, I get a syn sent with netstat
When I try trace ASA package, I see the following:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 0.0.0.0 0.0.0.0 outdoors
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
4 IP-OPTIONS ALLOW 5 CP-PUNT ALLOW 6 VPN IPSec-tunnel-flow ALLOW 7 IP-OPTIONS ALLOW 8 VPN encrypt ALLOW outdoors upward upward outdoors upward upward drop (ipsec-parody) Parody of detected IPSEC When I try the reverse (i.e. from the internet host to vpn client), it seems to work:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 192.168.75.5 255.255.255.255 outside
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in of access allowed any ip an extended list
4 IP-OPTIONS ALLOW 5 VPN IPSec-tunnel-flow ALLOW 6 VPN encrypt ALLOW My question is why this phenomenon happens and how solve us this problem?
Thanks in advance, Sipke
our running-config:
: Saved
:
ASA Version 8.0 (4)
!
ciscoasa hostname
domain somedomain
activate the password - encrypted
passwd - encrypted
names of
name 10.10.1.0 Hyperion
name 164.140.159.x xxxx
name 192.168.72.25 xxxx
name 192.168.72.24 xxxx
name 192.168.72.196 xxxx
name 192.168.75.0 vpn clients
name 213.206.236.0 xxxx
name 143.47.160.0 xxxx
name 141.143.32.0 xxxx
name 141.143.0.0 xxxx
name 192.168.72.27 xxxx
name 10.1.11.0 xxxx
name 10.1.2.240 xxxx
name 10.1.1.0 xxxx
name 10.75.2.1 xxxx
name 10.75.2.23 xxxx
name 192.168.72.150 xxxx
name 192.168.33.0 xxxx
name 192.168.72.26 xxxx
name 192.168.72.5 xxxx
name 192.168.23.0 xxxx
name 192.168.34.0 xxxx
name 79.143.218.35 inethost
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.72.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP address 193.173.x.x 255.255.255.240
OSPF cost 10
!
interface Vlan3
Shutdown
nameif dmz
security-level 50
192.168.50.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan23
nameif wireless
security-level 80
192.168.40.1 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 23
!
interface Ethernet0/7
!
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group DefaultDNS
domain pearle.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
Remote Desktop Protocol Description
EQ port 3389 object
object-group service UDP - udp VC
range of object-port 60000 60039
object-group VC - TCP tcp service
60000 60009 object-port Beach
object-group service tcp Fortis
1501 1501 object-port Beach
Beach of port-object 1502-1502
Beach of port-object sqlnet sqlnet
1584 1584 object-port Beach
1592 1592 object-port Beach
object-group service tcp fortis
1592 1592 object-port Beach
Beach of port-object 1502-1502
1584 1584 object-port Beach
Beach of port-object sqlnet sqlnet
1501 1501 object-port Beach
1500 1500 object-port Beach
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-group network inside-networks
object-network 192.168.72.0 255.255.255.0
WingFTP_TCP tcp service object-group
Secure FTP description
port-object eq 989
port-object eq 990
DM_INLINE_TCP_1 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
DM_INLINE_TCP_2 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
the DM_INLINE_NETWORK_3 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_4 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
object-group network Oracle
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
network-object OracleThree 255.255.224.0
the DM_INLINE_NETWORK_5 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_6 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_7 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_8 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
object-group service DM_INLINE_SERVICE_2
the purpose of the ip service
EQ-3389 tcp service object
the DM_INLINE_NETWORK_9 object-group network
network-object OracleThree 255.255.0.0
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
EQ-3389 tcp service object
Atera tcp service object-group
Atera Webbased monitoring description
8001 8001 object-port Beach
8002 8002 object-port Beach
8003 8003 object-port Beach
WingFTP_UDP udp service object-group
port-object eq 989
port-object eq 990
WingFTP tcp service object-group
Description range of ports for the transmission of data
object-port range 1024-1054
HTTPS_redirected tcp service object-group
Description redirect WingFTP Server
port-object eq 40200
Note to inside_access_in to access list ICMP test protocol inside outside
inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note HTTP inside outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www
access-list inside_access_in note queries DNS inside to outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field
access-list inside_access_in note the HTTPS protocol inside and outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note 7472 Epo-items inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472
access-list inside_access_in note POP3 inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3
inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC
inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323
access-list inside_access_in note video conference services
inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list Fortis
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis
access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq
inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list
inside_access_in list extended access udp allowed any any eq isakmp
inside_access_in list extended access udp allowed any any eq ntp
inside_access_in list extended access udp allowed any any eq 4500
inside_access_in list of allowed ip extended access any Oracle object-group
inside_access_in list extended access udp allowed any any eq 10000
access-list inside_access_in note PPTP inside outside
inside_access_in list extended access permit tcp any any eq pptp
access-list inside_access_in note WILL inside outside
inside_access_in list extended access will permit a full
Note to inside_access_in to access the Infrastructure of the RIM BES server list
inside_access_in list extended access permit tcp host BESServer any eq 3101
inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
inside_access_in list extended access permit tcp any any HTTPS_redirected object-group
access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2
inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194
access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group
access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access deny ip any any inactive debug log
Note to outside_access_in to access list ICMP test protocol outside inside
outside_access_in list extended access permit icmp any one
access-list outside_access_in Note SMTP outside inside
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access udp allowed any any eq ntp disable journal
access-list outside_access_in note 7472 EPO-items outside inside
outside_access_in list extended access permit tcp any any eq 7472
outside_access_in list extended access permit tcp any any object-group inactive RDP
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit tcp any any HTTPS_redirected object-group
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group
outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP
outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list extended access udp allowed any any eq 10000
outside_access_in list extended access will permit a full
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive
outside_access_in list extended access permit tcp any any Atera object-group
outside_access_in list extended access deny ip any any inactive debug log
outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip
outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192
inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group
inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0
access-list 200 scope allow tcp all fortis of fortis host object-group
access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group
outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip
outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.
Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0
Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0
Comment by Wireless_access_in-list of the traffic Internet access
Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any
standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0
splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0
standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0
splittunnelclientvpn list standard access allowed host 85.17.235.22
splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0
standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0
splittunnelclientvpn list standard access allowed host inethost
Standard access list SplittnlHyperion allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0
access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group
outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0
192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow
192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 wireless
local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask
mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 613.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (wireless) 1 192.168.40.0 255.255.255.0
public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02
public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)
static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface
public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255
public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255
public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255
public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255
public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255
public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255
public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255
public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255
public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255
public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255
public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255
public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255
public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255
public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255
public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255
public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255
public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255
public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255
public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255
public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255
public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255
public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255
public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255
public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255
public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255
public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255
public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255
public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255
public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255
public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255
public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255
public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255
public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255
public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255
public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)
public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)
static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group Wireless_access_in in wireless interface
Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1
Route outside OracleThree 255.255.224.0 193.173.12.198 1
Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1
Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.40.0 255.255.255.0 Wireless
http 192.168.1.0 255.255.255.0 inside
http 192.168.72.0 255.255.255.0 inside
http GrandVisionSoesterberg 255.255.255.0 inside
SNMP-server host inside 192.168.33.29 survey community public version 2 c
location of Server SNMP Schiphol
contact Server SNMP SSmeekes
SNMP-Server Public community
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map0 1 match address outside_cryptomap_1
outside_map0 card crypto 1jeu pfs
outside_map0 card crypto 1jeu peer 212.78.223.182
outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5
outside_map0 map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map0 1 set security-association life kilobytes 4608000
card crypto game 2 outside_map0 address outside_cryptomap_2
outside_map0 crypto map peer set 2 193.173.12.193
card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 2 set security-association seconds 28800
card crypto outside_map0 2 set security-association life kilobytes 4608000
card crypto outside_map0 3 match address outside_1_cryptomap
outside_map0 card crypto 3 set pfs
outside_map0 card crypto 3 peers set 193.172.182.66
outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA
life card crypto outside_map0 3 set security-association seconds 28800
card crypto outside_map0 3 set security-association life kilobytes 4608000
card crypto outside_map0 game 4 address outside_cryptomap
outside_map0 card crypto 4 peers set 213.56.81.58
outside_map0 4 set transform-set GRANDVISION crypto card
life card crypto outside_map0 4 set security-association seconds 28800
card crypto outside_map0 4 set security-association life kilobytes 4608000
card crypto outside_map0 5 match address outside_cryptomap_3
outside_map0 card crypto 5 set pfs
outside_map0 crypto card 5 peers set 86.109.255.177
outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 5 set security-association seconds 28800
card crypto outside_map0 5 set security-association life kilobytes 4608000
Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
outside_map0 interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP enable dmz
crypto ISAKMP enable wireless
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.72.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.72.0 255.255.255.0 inside
SSH GrandVisionSoesterberg 255.255.255.0 inside
SSH 213.144.239.0 255.255.255.192 outside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 194.151.228.18 is 10.10.1.100
dhcpd outside auto_config
!
dhcpd address 192.168.72.253 - 192.168.72.253 inside
!
dhcpd address dmz 192.168.50.10 - 192.168.50.50
dhcpd enable dmz
!
dhcpd address wireless 192.168.40.10 - 192.168.40.99
dhcpd dns 194.151.228.18 wireless interface
dhcpd activate wireless
!
a basic threat threat detection
host of statistical threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Group Policy "pearle_vpn_Hyp only" internal
attributes of Group Policy "pearle_vpn_Hyp only".
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SplittnlHyperion
Split-dns value pearle.local
internal pearle_vpn_OOD_only group policy
attributes of the strategy of group pearle_vpn_OOD_only
value of Split-tunnel-network-list SplittnlOOD
internal pearle_vpn group policy
attributes of the strategy of group pearle_vpn
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec svc
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splittunnelclientvpn
Pearle.local value by default-field
Split-dns value pearle.local
username anyone password encrypted password
username something conferred
VPN-group-policy pearle_vpn_OOD_only
type of remote access service
tunnel-group 193 type ipsec-l2l
tunnel-group 193 ipsec-attributes
pre-shared-key *.
tunnel-group 193.173.12.193 type ipsec-l2l
IPSec-attributes tunnel-group 193.173.12.193
pre-shared-key *.
NOCHECK Peer-id-validate
type tunnel-group pearle_vpn remote access
tunnel-group pearle_vpn General-attributes
address pool VPN_Range_2
Group Policy - by default-pearle_vpn
pearle_vpn group of tunnel ipsec-attributes
pre-shared-key *.
type tunnel-group Pearle_VPN_2 remote access
attributes global-tunnel-group Pearle_VPN_2
address pool VPN_Range_2
strategy-group-by default "pearle_vpn_Hyp only".
IPSec-attributes tunnel-group Pearle_VPN_2
pre-shared-key *.
tunnel-group 213.56.81.58 type ipsec-l2l
IPSec-attributes tunnel-group 213.56.81.58
pre-shared-key *.
tunnel-group 212.78.223.182 type ipsec-l2l
IPSec-attributes tunnel-group 212.78.223.182
pre-shared-key *.
tunnel-group 86.109.255.177 type ipsec-l2l
IPSec-attributes tunnel-group 86.109.255.177
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb
: end
ASDM image disk0: / asdm - 613.bin
ASDM BESServer 255.255.255.255 inside location
ASDM VPN_Pool_2 255.255.255.0 inside location
ASDM OracleTwo 255.255.224.0 inside location
ASDM OracleOne 255.255.240.0 inside location
ASDM OracleThree 255.255.224.0 inside location
ASDM location Exchange2010 255.255.255.255 inside
ASDM location Grandvision 255.255.255.0 inside
ASDM Grandvision2 255.255.255.240 inside location
ASDM Grandvision3 255.255.255.0 inside location
ASDM Grandvision4 255.255.255.255 inside location
ASDM GrandVision_PC 255.255.255.255 inside location
ASDM location LanSweep-XP 255.255.255.255 inside
ASDM GrandVisionSoesterberg 255.255.255.0 inside location
ASDM location Pearle-DC02 255.255.255.255 inside
ASDM location Pearle-WDS 255.255.255.255 inside
ASDM location Swabach 255.255.255.0 inside
ASDM GrandVisionSoesterberg2 255.255.255.0 inside location
don't allow no asdm history
Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?
If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.
NAT (outside) 1 192.168.75.0 255.255.255.0
-
Problem with tunnel IPSEC with NAT
Hello
I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.
The Setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see
The config I have is
network of the NAT_TO_Remote1 object
192.168.50.0 subnet 255.255.255.0
network of the Remote1 object
subnet 10.10.10.0 255.255.252.0NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1
IKEv1 crypto policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1
card crypto Outside_map 10 corresponds to the address Qualcom_VPN
card crypto Outside_map 10 set peer 159.x.x.x
card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
card crypto Outside_map 10 set pfs Group1
Outside_map interface card crypto outsideRemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x General-attributes
Group Policy - by default-RemoteSites
159.x.x.x group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.I was wondering if I'm missing something obvious here.
Hello
You must check the IPSEC transform set and see if they have enabled PFS group or not?
card crypto Outside_map 10 set pfs Group1
Try using group2, or turn it off.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
I get the error message on debugging ipsec-l2l tunnel
Hello
Can someone help me understand the debug message?
I get the error message on debugging ipsec-l2l tunnelI tried to configure an ASA5520 with an ipsec-l2l to ios router 1721
= 1721 router =.
Cisco 1721 (flash: c1700-k9o3sy7 - mz.123 - 2.XC2.bin)
80.89.47.102 outside
inside 10.100.110.1 255.255.255.0Debug crypto ipsec
Debug crypto ISAKMP-config-
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
0 1234567890 128.39.189.10 crypto isakmp key address
!
!
Crypto ipsec transform-set esp-3des pix-series
!
ASA 10 ipsec-isakmp crypto map
defined by peer 128.39.189.10
transform-set pix - Set
match address 101
!
!
interface FastEthernet0Outside-interface description
IP 80.89.47.102 255.255.255.252
NAT outside IP
card crypto asa
!
interface Vlan10
Inside description
IP 10.100.110.1 255.255.255.0
IP nat inside!
!
IP nat inside source overload map route interface FastEthernet0 sheep
!
access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
!
access-list 110 deny ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
access-list 110 permit ip 10.100.110.0 0.0.0.255 any
!
sheep allowed 10 route map
corresponds to the IP 110
!= Config ASA =.
Cisco 5520 ASA Version 8.2 (1)
128.39.189.10 outside
inside 10.100.4.255 255.255.252.0Debug crypto ipsec
Debug crypto ISAKMP-Config-
!
Allow Access-list extended sheep 255.255.252.0 IP 10.100.4.0 10.100.110.0 255.255.255.0
!
access extensive list ip 10.100.4.0 outside110 allow 255.255.252.0 10.100.110.0 255.255.255.0
!Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 11 match address outside110
peer set card crypto outside_map 11 80.89.47.102
card crypto outside_map 11 game of transformation-ESP-3DES-MD5
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400!
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec!
tunnel-group 80.89.47.102 type ipsec-l2l
IPSec-attributes tunnel-group 80.89.47.102
pre-shared key 1234567890Concerning
TorYou have a transformation defined on the SAA named ESP-3DES-MD5? Your crypto card refers to that but I don't see it listed in the config you have posted. I don't have much experience with routers, but is MD5 hashing algoritm (and why it is not)?
James
-
Client VPN with tunneling IPSEC over TCP transport does not
Hello world
Client VPN works well with tunneling IPSEC over UDP transport.
I test to see if it works when I chose the VPN client with ipsec over tcp.
Under the group policy, I disabled the IPSEC over UDP and home port 10000
But the VPN connection has failed.
What should I do to work VPN using IPSEC over TCP
Concerning
MAhesh
Mahesh,
You must use "ikev1 crypto ipsec-over-tcp port 10000.
As crypto isakmp ipsec-over-tcp work on image below 8.3
HTH
-
Need help setting up tunneling split
Here's the senerio. I have a Cisco 1811 router with VPN access. I'm trying to configure the router so that I can access the outside network form. I can do but once I connect to the VPN I lose all internet connectivity. I gather that I need to put in place the split tunneling to do this, but I'm not sure how to configure the tunneling split of CCP or CLI.
Hello
To configure split tunneling on a router.
vpnacl 10.1.1.0 ip access list allow 0.0.0.255 10.2.2.0 0.0.0.255
Configuration group customer crypto isakmp GROUPNAME
ACL vpnacl
The example above, vpnacl ACL bsigns group crypto (to allow split tunneling).
Therefore, only traffic between the LAN 10.1.1.0/24 internal and VPN 10.2.2.0/24 pool will be encrypted (sent by the tunnel).
If this router is also made of NAT, then you need to subtract NAT that same traffic.
Federico.
-
VPN3005 and GRE as interesting traffic (in tunnel)
Hello
is it possible to qualify the GRE or interesting traffic IPinIP tunnel traffic
(in the Tunnel LAN2LAN) on a VPN3005.
On router or PIX simply define you access-list with gre or IP, how
can you do that on a hub if possible?
Thanks in advance,
Kind regards
Stefan
Hello
Just set the Lists(based on interesting traffic) network and hub crypt GRE traffic as IP or ICMP protocol, so no specific configuration is necessary.
Thank you
AFAQ
-
Random Tunnel IPSec Packet drops
Hi experts,
I am trying to solve a problem of fall of random package for tunneling IPSec between two VTI. For more than a month, we could not see not any question, and from today, we have 30% through a tunnel packet loss IPSec.
After analysis, I have concluded that packet loss is located somewhere on the way to the uc520 to the 2921. Package account see the correctly on the output interface physics uc520, but the number of packets is low on the interface of penetration on the 2921.
Pings outside of the tunnel by the way are very good.
I also deleted the tunnels on both ends and after they have recovery, the question was always present.
Pointers on research where packets get lost?
RR-hq-2921 #ping 10.1.13.1 g0/1 source rep 100
Type to abort escape sequence.
Send 100, echoes ICMP 100 bytes to 10.1.13.1, wait time is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
..!!.!!!!!!!!!!!.!!!!!!!!.!!!!
Topology:
[uc520] == HAVE == {{{cloud}}} == MODEM == [2921]
Test:
Claire 2921 # counters g0/0
Disable "show interface" counters on this interface [confirm]
% CLEAR-5-COUNTERS: claire counter on interface GigabitEthernet0/0
Execute on uc520: ping
source timeout 0 rep 4000 This is supposed to increase rapidly the number of packets at a distance of 4000 packages, as it has done on the output uc520 interface
# 2921 sho int g0/0 | I entered the packages
3348 packets input, 607812 bytes, 0 no buffer< missing="" ~650="">
# 2921 sho int g0/0
GigabitEthernet0/0 is up, line protocol is up
Material is CN Gigabit Ethernet, the address is XXXXXXXX
Description: Outdoors - WAN port
The Internet address is XXX.XXX.XXX.XXX/YY
MTU 1500 bytes, BW 35000 Kbit/s, 10 DLY usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
KeepAlive set (10 sec)
Full-Duplex, 1 Gbps, media type is RJ45
control output stream is XON, control of input stream is XON
Type of the ARP: ARPA, ARP Timeout 04:00
Last entry of 00:00:00, 00:00:00 exit, exit hang never
Final cleaning of the counters 'show interface' 00:00:42
Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 0
Strategy of queues: fifo
Output queue: 0/40 (size/max)
30 second entry rate 75000 bps, 51 packets/s
exit rate of 30 seconds 77000 bps, 52 packets/s
3456 packets input, 619794 bytes, 0 no buffer
Received 0 emissions (0 of IP multicasts)
0 Runts, 0 giants, 0 shifters
entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored
Watchdog 0, multicast 0, break 0 comments
3454 packets output, 632194 bytes, 0 underruns
0 output errors, 0 collisions, 0 resets interface
unknown protocol 0 drops
0 babbles, collision end 0, 0 deferred
carrier, 0 no carrier, lost 0 0 interrupt output
output buffer, the output buffers 0 permuted 0 failures
Good infor
Now, did you ask your ISP if they made the last changes made?
I think that your suspcious is correct and if the number of packets do not match, then probably something in the environment has changed, since it worked before with the same configuration and IOS versions.
HTH.
-
VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?
The side of the remote control (customer) is behind the 6.3 (5) PIX. And the side of the head end (server) is 2911 IOS on 15.0.
The IPSec tunnel rises very well and passes traffic. However, there is a server which are not fully accessible. Note, it is mainly the web traffic.
Client initiates a connection to the http://server:8000. They receive a redirect to go to http://server:8000 / somepage.jspa. Package caps show the customer acknowledges the redirect with a SYN - ACK response, but then the connection just hangs. And no other packets are received in return. I noticed that the redirected page is a .jsp and other pages that work OK are not. I also noticed that some MTU and TCP MSS configurations on the side of the head that are in place for another GRE VPN tunnel with another site. So I got in the way of the fragmentation of packets. The side PIX has all the standard configurations of IPSec as well as default MTU on the interface of the inside and outside.
When the MTU is set manually on the client computer to 1400, the access to the works of http://server:8000 / somepage.jspa very well. So I need to tweak the settings of PIX. I tried to adjust the MTU size on and abroad the interface as well as the parameter "sysopt connection tcp - mss. I don't know what else to do here.
Here is a summary of the MTU settings on the head of line:
End of the head:
int tunnel0 (it's the GRE tunnel)
IP mtu 1420
source of tunnel G0/0
dest X.X.X.X
tunnel path-mtu-discovery
card crypto vpn 1
tunnel GRE Description
blah blah blah
card crypto vpn 2
Description IPSec tunnel
blah blah blah
int g0/0 (external interface)
no ip redirection
no ip unreachable
no ip proxy-arp
Check IP unicast reverse
NAT outside IP
IP virtual-reassembly
vpn crypto card
int g0/1 (this is the interface to the server in question)
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
HA, sorry my bad. Read the previous post wrong.
(Note: Yes, the SMS on the tunnel interface should be 40 bytes less than MTU).
Do not twist the MTU, not for TCP problems (not as the first step), it is safer to play with the MSS. MTU may depend on other things (OSPF for example).
Make a sweep of a ping with DF bit set with the size (from 1300 bytes for example). By doing this, you want to check what is the maximum size of the package, which you can test through the IPsec tunnel. Once you have this value consider - subtract 40 and this defined as value MSS of the LAN interface (and adjust the value of PIX if you can).
M.
-
Router w / Tunnel dynamic L2L and Clients VPN
I have a 7200 router currently configured w / vpn clients. I'm looking to add a tunnel dynamic l2l. When I do, I am more able to connect using the vpn client. I following the configuration the following URL.
http://Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml
As soon as I add...
Crypto-map dynamic dynmap 5
Define VPNclient isakmp-profile
the vpn client no longer works. Have not access to the config right now as I took it. Someone at - it it works correctly?
Okay, mhhh I think that this is a problem with the configuration, give a shot at one of the L2L bouncing, set it to the profile and the keychain, which is the result.
-
Redirect peer tunnel VPN L2L ina
Question of curiosity... I have 2 new ASA5515 which I put up for an improvement of the equipment. In the time before I swap them I am using them as a sort of laboratory of fortune to get him going to setup VPN L2L. I didn't use current IP addresses for the test environment, so I used false numbers.
My question is: can I go back and change the IP address peer and address local/remote without having to tear them up to specifications plant again?
-Do I have reprint just the type of Tunnel-Group IPsec-l2l X.X.X.X command with the IP address?
I know that there are a few other of the region that I have to change the IP of both peers, but just of my question is, I can do or do I have to start over?
-Jon
Jon
You should not reconfigure from scratch if that's what you're asking.
You just need to change the peer IPs everywhere where they appear in your configuration.
Jon
-
supported vs IPSec VRF taking crypto maps for several tunnels
Hi all!
I came to know that we can use the same public ip address for the creation of several tunnels to different websites using crypto-cards featuring many lines each representing a reference to a particular tunnel and using vrf aware IPsec, but I would like to know what are the differences / advantages / cautions.
Thanks for your time
Murali.
Murali
That I understand the feature essentially allows you to have multiple IPSEC tunnels and traffic in the tunnel that is to say. source and destination IP of the high-end devices can be in different VRF.
So it works mainly with the MPLS VPN IE. If you had several MPLS VPN each with their own VRF you can then run ISPEC tunnels on the MPLS network and when packets are received, they are automatically in the correct VRF.
You could not do that normal crypto cards IE. You can cancel again several IPSEC tunnels on a public IP address but then everything would be traffic in the same global routing table.
If the benefit is basically the same that you get with any VRF installation IE. logical separation of traffic on a single device.
Can't really say much about the warnings as I've never used it but there are some restrictions.
See this link for more details-
Jon
Maybe you are looking for
-
Print job disappears to halfway
I use Macbook Air os x Yosemite and printer Epson L310. Recently I tried to print a large quantity of the best picture quality. Each photo will be taken aroud 10 minutes to finish printing. What happened after three hours of continuous printing, the
-
Less expensive, way to get GPS crapiest... All ideas welcome
Hi all... Ive been in way too many situations where I really. GPS REALLY wanted for the display of speed and the railway... I think that now all of you know me as that annoying guy with an AS50 that has many too many questions... Then... Here are my
-
Function Timer in Gigaframe Q80
Dear Toshiba. I bought a Gigaframe Q80 (model PA3650E-1ES1). On the package is listed including characteristics "function, clock, alarm & timer". The manual to keep information about how to use the clock and alarm. But how do I use the timer function
-
execution of the program missing from the bottom of my Start menu
execution of the program disappeared from the bottom of my menu start how do new
-
I have windows 2000 and you want to know what I have to do to update my program
I have a computer which was given to me which had not been used for awhile and has windows 2000 and I need to upgrade and do not know what to do help