Adding an additional VPN tunnel to a PIX515

Similar Questions

• Help: Adding to the IPsec Tunnel encryption field Questions

  Good evening everyone,

  I'm looking for help and/or advise in what concerns adding more networking in the field of encryption of an existing IPsec site-to-site tunnel.  Both sides of the tunnel are of ASA.  The client on the remote end is eager to access the networks more on my end.  They have already updated their ACL crypto map to include the new networks.  When they perform "show crypto IPsec his counterpart x.x.x.x" it shows already encap packets attempting to join my network.

  On my side, I updated my ACL crypto map to reference the new 2 networks, created the double NAT and added the ACL needed to allow the inbound access through ports they want.  When I perform a 'see the crypto IPsec his counterpart x.x.x.x' output is NOT up-to-date with the new networks added to the field of encryption.  When I run a tracer of package of supply of one of the servers in the new network, the traffic is translated as he should, but a fall when it hits the outgoing interface for the VPN tunnel.

  Am I missing something here? Can I bounce the tunnel so that the new networks must be recognized in the surveillance society?

  Thanks in advance.

  Hello

  You must bounce the tunnel when you change the interesting traffic, otherwise the new SA will not be created, is a little funny that you say that SA is already build on the remote side, SA cannot be established only on one side, is like building a new tunnel, if you don't have it on one side, it can not simply prevail and create the entry of SA. In addition, adding new networks and bounce the tunnel you need to generate traffic to trigger the ITS new or you will never see that it created. Check your no nats and routing and it should work.

  Best regards, please rate.

• Unable to pass traffic between ASA Site to Site VPN Tunnel

  Hello

  I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

  I've also attached the ASA5505 config and the ASA5510.

  This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

  Thank you

  Adam

  Hello

  Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

   access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

  Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

  So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

  I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

  THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

  -Jouni

• 2 VPN tunnels between 2 devices on separate links

  Hello

  I have a 2811 connected to two different ISPS, which means I have 2 separate interfaces for the two links. Initially, I set up a VPN tunnel to a 3rd party remote site on one of the links/interfaces. I'm now required to configure a VPN tunnel to additional on the same remote site on the other interface/link. When I finished the config and run tests, I get an error saying that the card encryption does not apply on the correct interface and that the peer is routed through a non-crypto map interface.

  One thing I would like to know is if it is possible to configure the router to establish these two tunnels on the different links and interfaces of the same peer. Please note that the first VPN tunnel is still active, but the other comes to refuse to come. Please see excerpts of my router config below:

  Crypto ipsec transform-set esp-3des esp-md5-hmac ABCD

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 5

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 6

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key 123key address x.x.130.130

  !

  map SDM_CMAP_1 3 ipsec-isakmp crypto

  Tunnel VPN to ABCD description on x.x.130.130

  the value of x.x.130.130 peer

  game of transformation-ABCD

  PFS Set group5

  match address ABCD

  !

  SDM_CMAP_2 1 ipsec-isakmp crypto map

  Description Description PROD VPN Tunnel to ABCD

  the value of x.x.130.130 peer

  game of transformation-ABCD

  PFS Set group5

  match address ABCD_PROD

  !

  !

  interface FastEthernet0/1

  Description isps1 $ETH - WAN WAN INTERFACE $

  IP address a.a.42.66 255.255.255.252

  NBAR IP protocol discovery

  penetration of the IP stream

  stream IP output

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  Autodiscover QoS

  map SDM_CMAP_1 crypto

  !

  !

  interface FastEthernet0/2/0

  Description ISP2_WAN_INTERFACE

  IP address y.y.12.94 255.255.255.192

  NBAR IP protocol discovery

  penetration of the IP stream

  stream IP output

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  Autodiscover QoS

  card crypto SDM_CMAP_2

  !

  ABCD extended IP access list

  permit ip host 172.30.50.2 host x.x.130.138

  ABCD_PROD extended IP access list

  permit ip host 172.19.205.31 host x.x.130.134

  !

  IP route 0.0.0.0 0.0.0.0 a.a.42.65

  Therefore the tunnel running on isps1 it's very good, while the tunnel on ISP2 does not come to the top.

  While this sticky if I realized that there is no default route to ISP2, this could be the problem and adding another default route would not create a sort of loop?

  Kind regards

  Femi

  Femi,

  You don't need to put the two ISPs in the VRF, Anthony I'm not seeing something it does not require in your case.

  But anways for config ipsec check the Nico cheat sheet:

  https://supportforums.Cisco.com/docs/doc-13524

  Special attention around bunch of keys.

  You will notice that bunch of keys is defined by prior VRF.

  Note also that "FFS" set out in isakmp profile shows where are the clear text packets, generally it should be the same VRF as your LAN interface.

  HTH,

  Marcin

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• How to change an existing in ASDM VPN tunnel?

  I currently have a VPN tunnel together upwards, but to change some of the configurations as making ikev2, replacing the SHA512 hash and change it in the DH group 14. I intend to do this in ASDM. I already created a group of tunnel ikev2 that I put the tunnel and created a Card Crypto that is configured with the right proposal ikev2 IPSec and Diffie-Hellman group. All other configurations such as the IP of Peer address and subnets configured and I'll work with the engineers at the other end of the tunnel to ensure that configurations are, I want to just make sure I'm not missing anything. Someone at - he never comes to change the configuration of an existing ASDM so tunnel, and it worked correctly? Here are the steps that I have will be taken as well as those I've already mentioned:

  -Edit the connection profile so that the name of group policy use the correct tunnel that was created for ikev2

  -Enter the pre-shared key local and remote pre-shared key ikev2 tab

  -Change the IKE Policy so that it uses the ikev2 policy that was created to use SHA512

  -Modify the IPSEC proposal so that it uses AES256-SHA512

  -THE CRYPTO MAP IS ALREADY CREATED

  -Change the secret of transfer perfect in group 14

  Hello

  Let me go through your questions to clarify this double:

  1. If I have a Crypto map applied to my external interface with a proposal of IPSec of ikev1 can I just add a proposal ikev2 in this Crypto map as well?

  If you have a card encryption applied to different peers outside and 3 with different order number, you will need to replace the proposal for the peer using IKEv2: IKEv2 IKEv1, the others must continue to use their IKEv1 IPSec proposal.

  2. so can I add an ikev2 with AES256 SHA512 hash proposal to my 123.123.123.456 tunnel group and continue to have all three tunnel groups always pass traffic? What happens if I add the proposal ikev2, but REMOVE the ikev1 this group of tunnel proposal because I don't want this group of tunnel use one other than AES256-SHA512 hash?

  123.123.123.456 - ikev2 - AES256-SHA512

  I would like to expand this a little more, if her counterpart 123.123.123.456, must use IKEv2, you need to declare the IKEv2 in the tunnel group and add the relevant "Local and remote PSK"--> is for phase 1, and this means that it will use the IKEv2 defined policy before, and IPSec IKEv2 proposal is on phase 2, where the encryption card is you will need to replace the IKEv1 and use IPSec IKEv2 proposal. That way it will use for the phase 1 of the policy of IKEv2, that you set and defined transformation IKEv2, by making this change make sure that both sides are mirrored with IKEv2 and IPSec policy projects, as well as the tunnel will remain and will come with the new proposals.

  This custom affect no matter what another tunnel, as long as you change the settings to the correct tunnel group and do not delete all the proposals, simply remove the profile connection, those employees.

  3. you know what I mean? All groups of three tunnels on that off interface use different cryptographic cards, with only two of the three using ikev1 as a proposal of IPSec. Which will work?

  You can only have one card encryption applied by interface, and 3 tunnels using different sequence number with the same crypto map name, you cannot 2 tunnels on the same card encryption using IKEV1, and always in the same encryption card have the third tunnel using IKEv2 (different transformation defined using IKEv2). This custom cause no problem. 

  4. what Group Policy DfltGrpPolicy? Currently use all my groups of tunnel, but it is configured for ikev1. I'm not really sure what role is in everything it can so I simply add ikev2?

  Default group policy is added by default to all your groups of tunnel (connection profile), whenever create you one default group policy is inherited him by default, you can change to group policy that you can create, group policy is a set of attributes that will be used to define something or limit , for example, for a site, you can configure a VPN filter (filters the traffic that goes through the tunnel), now back to your topic, you define the protocols that will be negotiated as for an L2L IKEv1 or IKEv2, Anyconnect SSL or IKEv2, on default group policy, and so on, it is therefore important that you add the IKEv2 , so trading will be permitted, or both to create a new group policy and add the IKEv2 Protocol; and in the tunnel group, add the group policy relevant, that you just created.

  I hope that this is precisely, keep me posted!

  Please go to the note, and mark it as correct this post and the previous that it helped you!

  David Castro,

• Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

  I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

  I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

  I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
  =========================================================

  Here is a skeleton of the FWa configuration:

  name 172.16.1.0 network-inside
  name 192.168.20.0 HprCnc Thesys
  name 10.52.100.0 ring52-network
  name 10.53.100.0 ring53-network
  name S.S.S.S outside-interface

  interface Vlan1
  nameif inside
  security-level 100
  IP 172.16.1.1 255.255.255.0
  !
  interface Vlan2
  Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
  nameif outside
  security-level 0
  outside interface IP address 255.255.255.240

  the DM_INLINE_NETWORK_5 object-group network
  network-object HprCnc Thesys 255.255.255.0
  ring52-network 255.255.255.0 network-object
  ring53-network 255.255.255.0 network-object

  the DM_INLINE_NETWORK_3 object-group network
  ring52-network 255.255.255.0 network-object
  network-object HprCnc Thesys 255.255.255.0
  ring53-network 255.255.255.0 network-object

  outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
  inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
  permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

  NAT (inside) 0 access-list sheep
  NAT (inside) 101-list of access inside_nat_outbound
  NAT (inside) 101 0.0.0.0 0.0.0.0
  NAT (outside) 0-list of access Outside_nat0_outbound

  card crypto VPN 5 corresponds to the address Outside_5_cryptomap
  card crypto VPN 5 set pfs Group1
  VPN 5 set peer D.D.D.D crypto card
  VPN 5 value transform-set VPN crypto card
  tunnel-group D.D.D.D type ipsec-l2l
  IPSec-attributes tunnel-Group D.D.D.D
  pre-shared key *.

  =========================================================

  FWb:

  name 10.52.100.0 ring52-network
  name 10.53.100.0 ring53-network
  name 10.51.100.0 ring51-network
  name 10.54.100.0 ring54-network

  interface Vlan1
  nameif inside
  security-level 100
  address 192.168.20.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  address IP D.D.D.D 255.255.255.240
  !
  interface Vlan52
  prior to interface Vlan1
  nameif inside2
  security-level 100
  IP 10.52.100.10 255.255.255.0

  the DM_INLINE_NETWORK_3 object-group network
  ring52-network 255.255.255.0 network-object
  ring53-network 255.255.255.0 network-object

  the DM_INLINE_NETWORK_2 object-group network
  ring52-network 255.255.255.0 network-object
  object-network 192.168.20.0 255.255.255.0
  ring53-network 255.255.255.0 network-object

  inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
  inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

  outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside2_nat0_outbound (inside2) NAT 0 access list
  NAT (inside2) 1 0.0.0.0 0.0.0.0

  Route inside2 network ring51 255.255.255.0 10.52.100.1 1
  Route inside2 network ring53 255.255.255.0 10.52.100.1 1
  Route inside2 network ring54 255.255.255.0 10.52.100.1 1

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set pfs Group1
  outside_map game 1 card crypto peer S.S.S.S
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside

  tunnel-group S.S.S.S type ipsec-l2l
  IPSec-attributes tunnel-group S.S.S.S
  pre-shared key *.

  =========================================================================
  I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

  Ping Successul FWa inside the interface on FWb

  FWa # ping 192.168.20.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
  Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
  ! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
  ....

  FWb #.
  Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
  ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
  ==============================================================================
  Successful ping of Fwa on a host connected to the inside interface on FWb

  FWa # ping 192.168.20.15
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
  ! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
  ...

  FWb #.
  Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
  ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

  ===========================
  Unsuccessful ping of FWa to inside2 on FWb interface

  FWa # ping 10.52.100.10
  Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
  ? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
  ...

  FWb #.
  10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
  10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
  ....

  ==================================================================================

  Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

  FWa # ping 10.52.100.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

  FWb #.
  Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
  Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

  =======================

  Thank you

  Hi odelaporte2,

  Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

  This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

  It may be useful

  -Randy-

• Possible to assign security levels in the VPN tunnel?

  Currently I have a PIX-2-ASA VPN tunnel works without any problem.

  Here's my problem, I want to know if there is a way to configure one side of the tunnel as an interface "drop safety" of sorts. I want only one side to be able to open traffic.

  ACLs are not useful on one side at least as return traffic generated on the random ports. I want only one side to answer Insider sessions, but not be able to start a session on its own.

  Since the terminiates of VPN tunnel on the external interface, the security level of each side is '0 '. If all traffic behind on part and on the other the tunnel can innitate sessions.

  Any ideas?

  Thank you

  Edit: One side is a v6.3 (5) of PIX515E, another ASA5510 v7.2 (1)

  Hello

  On your ASA, you can specify the following 3 connection types in your crypto card:

  1 crypto map set type of connection are created only

  2 crypto map set connection type response only

  3 crypto map set-type of two-way connection

  This should allow you to control what end can initiate the tunnel.

  Concerning

  Pradeep

• Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

  HelloW everyone.

  I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

  but the vpn does not come to the top. can someone tell me what can be the root cause?

  Here is the configuration of twa asa: (I changed the ip address all the)

  Singapore:

  See the race
  ASA 2.0000 Version 4
  !
  ASA5515-SSG520M hostname
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.15.4 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.5.3 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 160.83.172.8 255.255.255.224
  <--- more="" ---="">
                
  !
  <--- more="" ---="">
                
  interface GigabitEthernet0/3
  <--- more="" ---="">
                
  Shutdown
  <--- more="" ---="">
                
  No nameif
  <--- more="" ---="">
                
  no level of security
  <--- more="" ---="">
                
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.219 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  connection of the banner ^ C please disconnect if you are unauthorized access ^ C
  connection of the banner please disconnect if you are unauthorized access
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  network of the SG object
  <--- more="" ---="">
                
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.15.202
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  <--- more="" ---="">
                
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.15.0_24 object
  192.168.15.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  debugging in the history record
  asdm of logging of information
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  no failover
  <--- more="" ---="">
                
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
  !
  network of the SG object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
  Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
  Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
  Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  <--- more="" ---="">
                
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  Enable http server

  Community trap SNMP-server host test 192.168.168.231 *.
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps syslog
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 103.246.3.54
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400

  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  tunnel-group 143.216.30.7 type ipsec-l2l
  tunnel-group 143.216.30.7 General-attributes
  Group Policy - by default-GroupPolicy1
  <--- more="" ---="">
                
  IPSec-attributes tunnel-group 143.216.30.7
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  Overall description
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  <--- more="" ---="">
                
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:ccce9a600b491c8db30143590825c01d
  : end

  Malaysia:

  :
  ASA 2.0000 Version 4
  !
  hostname ASA5515-SSG5-MK
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.6.70 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.12.2 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 143.216.30.7 255.255.255.248
  <--- more="" ---="">
                
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.218 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  <--- more="" ---="">
                
  Interface Port - Channel 1
  No nameif
  no level of security
  IP 1.1.1.1 255.255.255.0
  !
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  clock timezone GMT + 8 8
  network of the SG object
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  <--- more="" ---="">
                
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.6.23
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.2.0_24 object
  192.168.6.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  asdm of logging of information
  <--- more="" ---="">
                
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  reverse IP check management interface path
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
  NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
  !
  network of the MK object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
  <--- more="" ---="">
                
  Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
  Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
  Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  the ssh LOCAL console AAA authentication
  Enable http server

  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 160.83.172.8
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  SSH timeout 60
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  <--- more="" ---="">
                
  tunnel-group MK SG type ipsec-l2l
  IPSec-attributes tunnel-group MK-to-SG
  IKEv1 pre-shared-key *.
  tunnel-group 160.83.172.8 type ipsec-l2l
  tunnel-group 160.83.172.8 General-attributes
  Group Policy - by default-GroupPolicy1
  IPSec-attributes tunnel-group 160.83.172.8
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  <--- more="" ---="">
                
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
  : end

  Good news, that VPN has been implemented!

  According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

  Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

  In addition, you can try to enable ICMP inspection:

  Policy-map global_policy
  class inspection_default

  inspect the icmp

  inspect the icmp error

• Use the client VPN tunnel to cross the LAN-to-LAN tunnel

  I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.

  The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.

  When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.

  Thank you for your help.

  try adding...

  permit same-security-traffic intra-interface

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114

• ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

  Hello

  I have an ASA5505 that currently connects a desktop remotely for voip and data.  I added a 2nd site VPN tunnel to a vendor site.  It's this 2nd VPN tunnel that I have problems with.  It seems that the PHASE 1 negotiates well.  However, I'm not a VPN expert!  So, any help would be greatly appreciated.  I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today.  They use an ASA5510.

  My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '.  It has the following as interesting traffic:

  192.168.1.0/24-> 192.168.3.0/24

  192.168.2.0/24-> 192.168.3.0/24

  10.1.1.0/24-> 192.168.3.0/24

  -> 192.168.3.0/24 10.1.2.0/24

  10.1.10.0/24-> 192.168.3.0/24

  10.2.10.0/24-> 192.168.3.0/24

  The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

  192.168.1.25/32-> 10.10.10.83/32

  192.168.1.25/32-> 10.10.10.47/32

  192.168.1.26/32-> 10.10.10.83/32

  192.168.1.26/32-> 10.10.10.47/32

  Here's the info to other VPN (copy & pasted from the config)

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  peer set card crypto outside_map 1 24.180.14.50

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 2 match address eInfomatics_1_cryptomap

  peer set card crypto outside_map 2 66.193.183.170

  card crypto outside_map 2 game of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 24.180.14.50 type ipsec-l2l

  IPSec-attributes tunnel-group 24.180.14.50

  pre-shared key *.

  tunnel-group 66.193.183.170 type ipsec-l2l

  IPSec-attributes tunnel-group 66.193.183.170

  pre-shared key *.

  Thanks in advance

  -Matt

  Hello

  The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

  So you can probalby try adding the following

  card crypto outside_map 2 pfs group2 set

  I think he'll simply enter as

  card crypto outside_map 2 set pfs

  Given that the 'group 2' is the default

  -Jouni

• How to get specific IP through VPN tunnel

  I've implemented remote access via VPN Cisco VPN.
  We use the tunneling split at the tunel internal IP of VPN tunnel only range.
  Now I need to get a specific IP address on the Cisco VPN Client
  through Internet and internal network.
  I added this specific IP address to split tunnel ACL
  I can check it out using Cisco VPN Client, status > statistics, details of the itinerary.
  but when I traceroute to that specific IP address it ends on
  first jump, ASA public interface.
  ASA road 0.0.0.0/0.
  I need to put in place?

  Hello

  If you need to allow the VPN client to connect to the ASA and you--turn to the Internet, you must:

  permit same-security-traffic intra-interface

  Also, make sure you NAT traffic:

  NAT (outside) 1 VPN-range

  Global 1 interface (outside)

  Be careful with the above NAT commands (is just one example and depends on your configuration).

  Federico.

• ASA L2L filter-VPN Tunnels

  I need help to understand how the vpn-filter command is applied to the traffic tunnel.  Until very recently, I was under the command of printing the vpn-filter (applied in Group Policy) provided an access control incoming (outside to inside) for VPN traffic after decryption.  Recently I change any of my VPN connections (add a phase access list entry 2) which causes questioning me how the vpn-filter.

  Example-

  original vpn connection - my side hosted the server and the clients were on the other side.  My vpn-filter rule has allowed customers to come to my server.

  more - (above the original setting still in place) - the other side is now hosting a server and on my side has clients.

  Without any changes to vpn-filter, I have lived: phase 2 built tunnel but no packet encryption or decryption and no error in syslog.

  Using packet - trace, I discovered a list of access (vpn-user subtype) blocked access.  "vpn-user" must be a Cisco term because it is not in my config.  I added an entry to my vpn-filter acl allowing their server to talk to my clients.  Adding to the vpn-filter enabled that the tunnel started working.

  I would have thought

  vpn-filter acl was dynamic and not required an entry

  or

  the without the vpn-filter acl, the phase would have shown his encryption/decryption and perhaps an acl deny message in the system log.  Basically, the traffic is encrypted, returns server, decrypted and then dropped access policy.

  Have a further explanation or documentation?

  Thank you

  Rick

  Rick,

  The problem is that the ACL applied through the vpn-filter is not dynamic.

  A vpn-filter command applies to traffic after decrypted once it comes out a tunnel and the previously encrypted traffic before entering a tunnel. An ACL that is used for a vpn-filter should NOT also be used to access interface group. When a vpn-filter command is applied to a group policy which governs customer connections access remote VPN, the ACL must be configured with the assigned client IP addresses in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

  When a vpn-filter command is applied to a political group that governs a connection VPN from LAN to LAN, the ACL must be configured with the remote network in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

  Caution when the construction of the ACL for use with the vpn-filter feature. The ACL are built with traffic after decrypted in mind. However, ACL also apply to the oncoming traffic. For this previously encrypted traffic that is intended for the tunnel, the ACL are built with exchanged src_ip and dest_ip positions.

  More information here:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_groups.html

  It will be useful.

  Federico.

• Interpret what is allowed on the VPN tunnel

  Hello

  I work with Cisco PIX equipment for the first time and I'm trying to understand what is allowed on one of the VPN tunnels which are established on the PIX.

  I interpret this PIX did by reading the running configuration. I was able to understand most of it (with the help of the cisco site), so I'm starting to get comfortable with it. I'm looking for more help in the interpretation of what is allowed by a good VPN tunnel. Here are some details:

  map Cyril 2 ipsec-isakmp crypto

  Cyril 2 crypto card matches the acl-vpntalk address

  access list acl-vpntalk allowed ip object-group my_inside_network 172.17.144.0 255.255.255.0

  So, if I interpret it correctly, then the traffic matching ACL acl-vpntalk will go on the VPN tunnel.

  As far as the lists others access dedicated, my inner interface I have:

  Access-group acl-Interior interface inside

  With ACL-Interior:

  access list acl-Interior ip allow a whole

  So nothing complicated there.

  Now, just because of all this I conclude I encouraged all remote network traffic in my site. If all traffic 172.17.144.0/24 is allowed to join my network.

  However, I don't know if this conclusion is correct.

  This ACL is also applied:

  Access-group acl-outside in external interface

  And it looks like:

  deny access list acl-outside ip a

  I'm not sure if this ACL applies to vehicles coming from the IPSEC peer. It's for sure inbound on the external interface, but if it is valid for the IPSEC traffic I don't know.

  If it is valid, then am I had reason to conclude that only connections initiated from my inside network to the remote control can come back?

  Thanks in advance for your ideas.

  With sincere friendships.

  Kevin

  Hey Kevin,

  Here are my comments, hope you find them useful:

  1. the ACL called "acl-vpntalk" sets traffic who will visit the IPSec tunnel, so you got that right. All traffic from the group called "my_inside_network" will 172.17.144.0/24 will pass through the tunnel, and there should be a similar to the other VPN end opposite ACL.

  2. the 'acl-inside' applied to the inside interface allows any ip traffic coming out of the isnide to any destination.

  3. the 'acl-outside' rejects all traffic from entering your home network, but the IPSec traffic is free and will cross because you will find a "sysopt connection permit-ipsec' configured on your PIX command that tells the operating system to allow all traffic destined for VPN tunnels without explicitly enabling it through the inbound ACL. If you have stopped the "sysopt" should stop your traffic and you will have more control on your tunnel traffic.

  Personally, I usually disable the "sysopt" and control the VPN traffic in my incoming ACL.

  Just a quick note, if you look more deeply into the ACL on the PIX functionality, you will find that no traffic moves inside, if she is not allowed on the external interface. For example, you can allow traffic between "inside" and "dmz" interfaces by adding an entry 'allow' on one of the ACLS applied to one of these interfaces. But when you want to allow traffic from the external interface (security level 0), you will need to allow in the inbound ACL applied on the external interface.

  I could have written something vague, but I hope you get my point.

  Thank you.

  Salem.

• My Windows Live Hotmail account has been hacked and they have added an additional email address to recover passwords for security.

  How can I delete an email without sending a confirmation to this account?  My hotmail account has been hacked and they have added an additional email address to recover passwords for security.  To remove the address, the only apparent is to send a confirmation email to the address I want to delete.  It is counterproductive.  I have a password, but if they can obtain the information via another email address, my account is never going to be safe.   I got this address for a long time and do not want to lose.  However, he begins to feel that my only option is to go with another provider.

  Thank you

  original title: remove email address

  After all the Hotmail issues in the appropriate forum found here:
  http://windowslivehelp.com/