ACL IPSEC site to site VPN question
Okay, so just as a test of validation, I have a question for the group. When you configure the cryptographic ACL that defines interesting traffic for a tunnel, are we able to use summaries?
So let say site B is 10.5.10.0/24 and site A can be summarized with 10.10.0.0/16. Is it acceptable to write something like below for the crypto acl?
access-list 101 permit ip 10.5.10.0 0.0.0.255 10.10.0.0 0.0.255.255
A site would have the networks
10.10.0.0/24
10.10.1.0/24
etc.
Terminal head, then the ACL would be:
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.5.10.0 0.0.0.255
Thanks for all your comments!
Hello
Yes, that's perfectly fine.
As long as we have routes set up correctly, nothing should stand in your way of configuring the acl like this.
Kind regards
Praveen
Tags: Cisco Security
Similar Questions
-
Site to site VPN question: passing a public IP with IPSEC
Hi all
I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.
They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...
Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.
Any help is appreciated.
The access list "natted-traffic" should say:
extended traffic natted IP access list
deny ip host 192.168.0.160 BB. ABM ABM BD
deny ip host 192.168.0.160 BB. ABM BB.BE
output
I hope this helps.
-Kanishka
-
Hello world
The vendor name is implemented server in our environment.
We implement VPN site-to-site.
Subnet it is interesting traffic 192.168.50.x
Server IP 192.168.50.1 - Switch1 - ASA - Site to site VPN - provider ASA.
Gateway server is on switch1 if this server requires access to the internet I need to know what config I need on ASA on my site?
I want the server to access the internet through the provider network
Concerning
Mahesh
Hello
Your crypto ACL would be:
ip access-list VPN-TO-VENDOR permit ip 192.168.50.0 255.255.255.0 any
Cryptography providers ACL would be:ip acces-list VPN-TO-COMPANY permit ip any 192.168.50.0 255.255.255.0
All traffic from 192.168.50.0/24 out of the application interface map encryption for any destination would be sent to the seller through the VPN. It will be useful. -
ASA (Active standby) site-to-Site VPN Question
Hello
I had the question as below
Site A - 1 unit of VPN Netscreen firewall
Site B - 2 units of ASA VPN firewall
I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.
Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.
but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here
Things that confuse me.
(1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)
(2) link failover and dynamic failover can be configured on the same interface?
Please help in this case, configuring VPN from Site to Site with active configuration / standby.
just to add to this,
just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th
so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected
You can read more here
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses
Just an example:
N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)
The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)
Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so went with the old format of NAT configuration
It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
- access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
- the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
- NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
- ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.
Please rate if this was helpful
-Jouni
- Configure the ASA1 with static NAT strategy
-
Question about ACL's with the 2621 when using site to site VPN
I set up two site to site vpn. We have an ASA at our headquarters and branches will IOS routers - one is a 1811 and the other 2621. Both are running the latest versions of IOS, respectively. The two VPN site-to-site do not work. I have a list of inbound on the external interfaces of both routers, access that allows only the IP address of the ASA IP traffic. All other traffic is denied. I put NAT overload upward in the typical form, and I use ip outgoing inspection on the same interface, to allow incoming traffic back to surfing the internet. This configuration works very well with the 1811, where all traffic is blocked except traffic IP (IPSEC) coming from the ASA. Guests at our headquarters can reach hosts behind the 1811 and vice versa.
Here's my problem: the 2621 is processing traffic encapsulated on the external interface and block this traffic because it does not match. I know because when I turn on logging / debugging on the 2621, I see inbound traffic blocked by the ACL. Technically, I guess that it does not, but to this interface, the traffic is always encapsulated so I think it fits to this access list and then go to the Cryptography decapsulation card and be sent to the destination host. Just as it does on the 1811. I have not 'wan' t to create another line in the access list for all subnets to Headquarters. Why is not it works the same way as it does on the 1811? Is there something else I need to activate?
------------------------------------------------------------------------
Config of 1811:
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
!
hostname BranchVPN1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
activate the default AAA authentication no
authorization AAA console
AAA authorization exec default local
!
AAA - the id of the joint session
no ip source route
IP cef
!
!
IP inspect the audit trail
inspect the IP dns-timeout 10
inspect the name IP internet udp timeout 30
inspect the name IP internet tcp timeout 30
inspect the name IP internet ftp timeout 30
inspect the name IP internet http timeout 30
inspect the name firewall tcp IP
inspect the name IP firewall udp
inspect the name IP firewall icmp
IP inspect the dns name of the firewall
inspect the name IP firewall ftp
inspect the name IP firewall http
inspect the name IP firewall https
inspect the IP firewall name ftps
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
!
!
IP domain name xxxx
!
!
!
!
username xxxxxxxxxx
!
!
!
class-map correspondence vpn_traffic
police name of group-access game
!
!
VPN policy-map
class vpn_traffic
in line-action police 2000000 37500 pass drop exceeds-action
!
!
!
crypto ISAKMP policy 10
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key address xxxx xxxxxx
ISAKMP crypto keepalive 10
!
life crypto ipsec security association seconds 28800
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
!
xxmap 10 ipsec-isakmp crypto map
defined peer xxxx
Set transform-set xxtransform
PFS group2 Set
match the address tunnelnetworks
static inverse-road
!
!
!
interface Loopback0
172.16.99.1 the IP 255.255.255.255
!
interface FastEthernet0/0
Description Connection to Internet (DHCP)
DHCP IP address
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
No cdp enable
xxmap card crypto
!
interface FastEthernet0/1
Description of the connection to the local network
address 172.20.1.1 IP 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
No cdp enable
VPN service-policy input
!
interface Serial0/0/0
no ip address
Shutdown
No cdp enable
!
interface Serial0/1/0
no ip address
Shutdown
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 dhcp
!
no ip address of the http server
local IP http authentication
no ip http secure server
IP nat inside source list nat - acl interface FastEthernet0/0 overload
!
IP nat - acl extended access list
refuse any 10.0.0.0 0.255.255.255 ip
allow an ip
outside_in extended IP access list
allow udp any eq bootps host 255.255.255.255 eq bootpc
allow an ip host (ASA IPADDR)
deny ip any any newspaper
IP extended access list police
deny ip host xxxx any
deny ip any host xxxx
IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
tunnelnetworks extended IP access list
permit host 172.16.99.1 ip 10.0.0.0 0.255.255.255
IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
!
recording of debug trap
logging source-interface Loopback0
exploitation forest xxxx
access-list 160 note t is
not run cdp
!
!
control plan
!
Banner motd ^ CCAuthorized technician!
^ C
!
Line con 0
line to 0
line vty 0 4
exec-timeout 5 0
Synchronous recording
entry ssh transport
line vty 5 15
exec-timeout 5 0
Synchronous recording
entry ssh transport
!
Scheduler allocate 20000 1000
end------------------------------------------------------------------------
2621 Config:
!
version 12.3
horodateurs service debug datetime msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
!
hostname BranchVPN2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
no console logging
!
AAA new-model
!
!
AAA authentication login default local
activate the default AAA authentication no
authorization AAA console
AAA authorization exec default local
AAA - the id of the joint session
IP subnet zero
no ip source route
IP cef
!
!
IP domain name xxxx
!
IP inspect the audit trail
inspect the IP dns-timeout 10
inspect the name IP internet udp timeout 30
inspect the name IP internet tcp timeout 30
inspect the name IP internet ftp timeout 30
inspect the name IP internet http timeout 30
inspect the name firewall tcp IP
inspect the name IP firewall udp
inspect the name IP firewall icmp
inspect the name IP firewall ftp
inspect the name IP firewall http
Max-events of po verification IP 100
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxxxxxxxx
!
!
!
class-map correspondence vpn_traffic
police name of group-access game
!
!
VPN policy-map
class vpn_traffic
in line-action police 2000000 37500 pass drop exceeds-action
!
!
!
crypto ISAKMP policy 10
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key address xxxx xxxxx
ISAKMP crypto keepalive 10
!
life crypto ipsec security association seconds 28800
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
!
xxmap 10 ipsec-isakmp crypto map
defined peer xxxx
Set transform-set xxtransform
PFS group2 Set
match the address tunnelnetworks
reverse-road remote-peer
!
!
!
!
interface Loopback0
172.16.99.2 the IP 255.255.255.255
!
interface FastEthernet0/0
Description Connection to Internet (DHCP)
DHCP IP address
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the firewall on IP
automatic duplex
automatic speed
No cdp enable
xxmap card crypto
!
interface Serial0/0
no ip address
Shutdown
No cdp enable
!
interface FastEthernet0/1
Description of the connection to the local network
IP 172.20.2.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
automatic duplex
automatic speed
No cdp enable
VPN service-policy input
!
interface Serial0/1
no ip address
Shutdown
No cdp enable
!
IP nat inside source list nat - acl interface FastEthernet0/0 overload
no ip address of the http server
local IP http authentication
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 dhcp
!
!
!
IP nat - acl extended access list
refuse any 10.0.0.0 0.255.255.255 ip
allow an ip
outside_in extended IP access list
allow udp any eq bootps host 255.255.255.255 eq bootpc
allow an ip host (ASA IPADDR)
deny ip any any newspaper
IP extended access list police
deny ip host xxxx any
deny ip any host xxxx
IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
tunnelnetworks extended IP access list
permit host 172.16.99.2 ip 10.0.0.0 0.255.255.255
IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
recording of debug trap
logging source-interface Loopback0
exploitation forest xxxx
not run cdp
!
!
!
!
!
Banner motd ^ CCCAuthorized technician!
^ C
!
Line con 0
line to 0
line vty 0 4
exec-timeout 5 0
Synchronous recording
entry ssh transport
line vty 5 15
exec-timeout 5 0
Synchronous recording
entry ssh transport
!
!
endPlease check if this helps:
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_crpks.html
Federico.
-
Site VPN to IPsec with PAT through the tunnel configuration example
Hello
as I read a lot about vpn connections site-2-site
and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.now, I got suite facility with two locations A and B.
192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
172.16.16.0/24 Site has---------------------------------------------------------------------------
Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20---------------------------------------------------------------------------
Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
witch need to access a server terminal server on the SITE b.As I have no influence on where and when guests pop up in my Site.
I would like to hide them behind a single ip address to SITE B.If in the event that a new hosts need access, or old hosts can be deleted,
its as simple as the ACL or conviniently inlet remove the object from the network.so I guess that the acl looks like this:
---------------------------------------------------------------------------
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20---------------------------------------------------------------------------
But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
address for the translation of PAT?something like this he will say, it must be treated according to the policy:
NAT (1-access VPN INVOLVED-HOST internal list)
Now how do I do that?
The rest of the config, I guess that will be quite normal as follows:card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of AA peers. ABM CC. DD
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 secondspermit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20
---------------------------------------------------------------------------
On SITE B
the config is pretty simple:
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of peer SITE has IP
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 secondsoutside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3
inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3
---------------------------------------------------------------------------
Thank you for you're extra eyes and precious time!
Colin
You want to PAT the traffic that goes through the tunnel?
list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0
NAT (inside) 1 access list PAT
Global (outside) 1 192.168.0.3 255.255.255.255
Then, the VPN ACL applied to the card encryption:
list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0
Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24
The interesting thing is that traffic can only be activated from your end.
The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.
Is that what you are looking for?
Federico.
-
Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN
Hello
I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.At the end of the branch, I have the 192.168.244.0/24 subnet.
At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
The inside interface of the ASA at Headquarters is 172.16.0.15/22When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.
I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]
I suspect it might have something to do with NAT?
Help, please.
Hello
Peer VPN you do not accept the LAN between these two peers of vpn segment.
On your ASA
inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0
and
Router:
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.
Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.
outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0
Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW
Let me know the result.
Thank you
Rizwan James
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
IPSec site to site VPN cisco VPN client routing problem and
Hello
I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.
The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.
There are on the shelves, there is no material used cisco - routers DLINK.
Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.
Can someone help me please?
Thank you
Peter
RAYS - not cisco devices / another provider
Cisco 1841 HSEC HUB:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key x xx address no.-xauth
!
the group x crypto isakmp client configuration
x key
pool vpnclientpool
ACL 190
include-local-lan
!
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco
!
Crypto-map dynamic dynmap 10
Set transform-set 1cisco
!
card crypto ETH0 client authentication list userauthen
card crypto isakmp authorization list groupauthor ETH0
client configuration address card crypto ETH0 answer
ETH0 1 ipsec-isakmp crypto map
set peer x
Set transform-set 1cisco
PFS group2 Set
match address 180
card ETH0 10-isakmp ipsec crypto dynamic dynmap
!
!
interface FastEthernet0/1
Description $ES_WAN$
card crypto ETH0
!
IP local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
overload of IP nat inside source list LOCAL interface FastEthernet0/1
!
IP access-list extended LOCAL
deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
IP 192.168.7.0 allow 0.0.0.255 any
!
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.
Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL
DE:
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the ACL 190 split tunnel:
DE:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.
Hope that helps.
-
ASA ASA from Site to Site VPN IPSec Tunnel
Any help would be greatly appreciated...
I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.
Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24
Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24
Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.
Internet access works very well in all workstations of this site. A static route is configured to redirect all traffic to a public router upstream.
Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address. A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253. This device then performs its own private Public NAT. Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)
The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem. However, all traffic passing on networks ICMP does not end and the Syslog reports the following-
Site #1-
6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 Site #2-
6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP It's the same for any form of traffic passing over the tunnel. The ACL is configured to allow segments of LAN out to any destination. At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).
Anyone can shed light on a possible cause of this problem?
Thank you
Nick
did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?
Please provide the following information
-set up the tunnel
-show the isa cry his
-show the ipsec cry his
-ping of the site 1 site 2 via tunnel
-capture "crypto ipsec to show his" once again
-ping from site 2 to 1 by the tunnel of the site
-capture "crypto ipsec to show his" once again
-two ASA configuration.
-
Site to Site VPN IPsec IPv6 on issue of routers-Tunnel
Hi, I am experiencing a problem can any one address the question below and let me know the solution. I have two routers and try to build "Site to Site VPN IPsec IPv6". I followed orders from Cisco and community document but when I apply my profile of ipsec for tunnel interfaces, that the tunnel is down.
https://supportforums.Cisco.com/docs/doc-27009
Ali,
VTI tunnels are meant to be broken when there is no active negotiated spinnakers.
The tunnel will go towards up/face upwards when there is a means of transport of packages - i.e. the SPIs are present.
You can control the order spinnakers 'show peer's crypto ipsec '.
For debugging:
Debug crypto isa
Debug crypto ipsec
M.
-
IPsec site to Site VPN on Wi - Fi router
Hello!
Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?
I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?
See you soon!
Michael
I suspect that.
Thank you very much for the reply.
See you soon!
-
IPSec Site to Site VPN Solution needed?
Hi all
I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.
Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.
Could you please give me the solution how is that possible?
Concerning
Uzair Hussain
Hi uzair.infotech,
Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:
INFO - RITA - NIDA
You can check this guide that explains step by step how to configure grouping:
https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...
Hope this info helps!
Note If you help!
-JP-
-
887VDSL2 IPSec site to site vpn does NOT use the easy vpn
Much of community support.
as I'm looking through the config Guide about 870 router series, only to find information about the config with eazy vpn.
is there a classic way, about 870 Series site 2 site without eazy vpn IPSec configuration?
Have a classic way if a tunnel? Have the 870 is not as a vpn client?
Thank you
Of course, here's example of Site to Site VPN configuration for your reference:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml
Hope that helps.
Maybe you are looking for
-
Control Automation with Siri on Mac?
Control Automation with Siri on Mac?
-
Hello! I've just updated to the new version on Windows and I can see is the amount of funds remaining in my account, which was presented next to my name at the top left corner (see figure). How can I get him back?
-
Need advice for speakers or sound system for Satellite L series
Please advice or speakers acoustic system for L-series satellites
-
I just bought a new tablet of Hall 7 and am download apps. I have an inserted SD card and when I download the apps they go to the Tablet and I would like to transfer them to the SD card. On my old Tablet I could go to settings/applications and there
-
How you code multilevel subpages in the bb-hosts file?
I'm trying to create multilevel subpages in the bb-hosts file and I am so far unsuccessful. I want to create a hierarchy like this: From the main screen of BB have a page called "SAP systems". When I select this page, do display sub-pages for the 'Pr