Adding another IPSec tunnel

Similar Questions

• Cannot reach the destination of an IPSec tunnel through another IPSec tunnel

  Hi all

  I have a PIX 515E version 8.0 (2).

  I have two remote sites connected to this PIX via IPSec tunnels.

  Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB remoteSiteA.

  Thus,.

  SiteA <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.30.8.254

  SiteB <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.138.34.21

  SiteA can ping SiteX

  SiteB can ping SiteX

  SiteA cannot ping SiteB

  SiteB cannot ping SiteA

  If I do not show crypto isakmp ipsec his I see appropriate subnets:

  Tag crypto map: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1

  permit access-list ACLVPN-TO_SITEA ip 10.138.34.16 255.255.255.240 host 10.30.8.254

  local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

  Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

  current_peer: 104.86.2.4

  Tag crypto map: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1

  access-list ACLVPN-TO_SITEB allowed host ip 10.30.8.254 10.138.34.16 255.255.255.240

  local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

  Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

  current_peer: 216.178.200.200

  Journal messages that seem to point to the problem...

  April 18, 2013 13:27:35: % PIX-4-402116: IPSEC: received a package of ESP (SPI = 0xD51BB13A, sequence number = 0x21A) 104.86.2.4 (user = 104.86.2.4) at 203.166.1.1.  Inside the package décapsulés does not match policy negotiated in the SA.  The package indicates its destination as 10.138.34.21, its source as 10.30.8.254 and its Protocol 6.  SA specifies its local proxy like 10.0.8.0/255.255.255.0/0/0 and his remote_proxy as 10.30.8.254/255.255.255.255/0/0

  My question is really what I have to do something funky to allow traffic to pass between the two tunnels?

  Hello

  This could be much easier if we have seen the real configurations.

  But here are some things to be confirmed in the configurations (some of them you mentioned above, but I still quote once again)

  • Make sure that each firewall, you set the appropriate VPN L2L ACL
  • Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
  • Make sure the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site traffic to enter the Central PIX 'outside' interface and head back on the same interface to Site B. And vice versa.

  To view some actual configurations that may be required provided everything else is ok. (I assume that all devices are Cisco)

  Central PIX

  permit same-security-traffic intra-interface

  A connection to the site

  SITE-A-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 host 10.30.8.254

  SITE-A-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

  Site B connection

  SITE-B-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 10.138.34.16 255.255.255.240

  SITE-B-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

  NAT0

  access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 host 10.30.8.254

  access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  OUTSIDE-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

  OUTSIDE-NAT0 allowed ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

  NAT (outside) 0-list of access OUTSIDE-NAT0

  Site has

  CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.0.8.0 255.255.255.0

  CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

  the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.0.8.0 255.255.255.0

  the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  Site B

  CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 10.0.8.0 255.255.255.0

  CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

  the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 10.0.8.0 255.255.255.0

  the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

  NAT (inside) 0-list of access to the INTERIOR-NAT0

  Hope this helps

  -Jouni

• Decision on DMVPN and L2L simple IPsec tunnels

  I have a project where I need to make a decision on which solution to implement... environment is as follows...

  • 4 branches.
  • Each branch has 2 subnets; one for DATA and another for VOICE
  • 2 ISPS in each (an Internet access provider and a provider of MPLS)
  • Branch #1 isn't necessarily the HUB office that all database servers and files are there are
  • Branch #2 is actually where the phone equipment
  • Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
  • MPLS is currently used for telephone traffic.
  • ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
  • I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.

  My #1 Option

  Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

  My #2 Option

  My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

  Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

  Thanks in advance

  Hi ciscobigcat

  Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

  The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

  Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

  So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

  QoS, it is important to use "prior qos rank".

  See for example

  http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

  http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

  HTH

  Herbert

• How to troubleshoot an IPSec tunnel GRE?

  Hello

  My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

  The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

  I does not change the mode to transport mode in the transform-set configuration.

  Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  Thank you.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  To verify that the VPN tunnel works well, check the output of
  ISAKMP crypto to show his
  Crypto ipsec to show his

  Here are the commands of debug
  Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
  Debug crypto isakmp 200
  Debug crypto ipsec 200

  You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

  For the GRE tunnel.
  check the condition of the tunnel via "int ip see the brief.

  In addition, you can configure keepalive via the command:

  Router # configure terminal
  Router (config) #interface tunnel0
  Router(Config-if) 5 4 #keepalive

  and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• Resolution in real-time for IPSec Tunnel peer

  Hello

  There is a document on Cisco's Web site

  http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html

  explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:

  ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]

  Virtually no SAs are set up and malfunctioning coming IPSec tunnel.

  Everyone tried and had the same problem? I would appreciate your help on this.

  Thank you

  Remi

  What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.

• ASA 8.6 - l2l IPsec tunnel established - not possible to ping

  Hello world

  I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

  The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

  I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

  The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

  Here is the output of "show run":

  ---------------------------------------------------------------------------------------------------------------------------------------------

  ASA 1.0000 Version 2

  !

  ciscoasa hostname

  activate oBGOJTSctBcCGoTh encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  address IP X.X.X.X 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface GigabitEthernet0/2

  nameif DMZ

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  internal subnet object-

  192.168.0.0 subnet 255.255.255.0

  object Web Server external network-ip

  host Y.Y.Y.Y

  Network Web server object

  Home 192.168.2.100

  network vpn-local object - 192.168.2.0

  Subnet 192.168.2.0 255.255.255.0

  network vpn-remote object - 192.168.3.0

  subnet 192.168.3.0 255.255.255.0

  outside_acl list extended access permit tcp any object Web server

  outside_acl list extended access permit tcp any object webserver eq www

  access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

  dmz_acl access list extended icmp permitted an echo

  pager lines 24

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 DMZ

  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

  !

  internal subnet object-

  NAT dynamic interface (indoor, outdoor)

  Network Web server object

  NAT (DMZ, outside) Web-external-ip static tcp www www Server service

  Access-Group global dmz_acl

  Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

  Crypto ipsec ikev2 proposal ipsec 3des-GNAT

  Esp 3des encryption protocol

  Esp integrity md5 Protocol

  Crypto dynamic-map dynMidgeMap 1 match l2l-address list

  Crypto dynamic-map dynMidgeMap 1 set pfs

  Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

  Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

  Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

  Crypto dynamic-map dynMidgeMap 1 the value reverse-road

  midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

  midgeMap interface card crypto outside

  ISAKMP crypto identity hostname

  IKEv2 crypto policy 1

  3des encryption

  the md5 integrity

  Group 2

  FRP md5

  second life 86400

  Crypto ikev2 allow outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal midgeTrialPol group policy

  attributes of the strategy of group midgeTrialPol

  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

  enable IPSec-udp

  tunnel-group midgeVpn type ipsec-l2l

  tunnel-group midgeVpn General-attributes

  Group Policy - by default-midgeTrialPol

  midgeVpn group of tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  remote control-IKEv2 pre-shared-key authentication *.

  pre-shared-key authentication local IKEv2 *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

  : end

  ------------------------------------------------------------------------------------------------------------------------------

  X.X.X.X - ASA public IP

  Y.Y.Y.Y - a web server

  Z.Z.Z.Z - default gateway

  -------------------------------------------------------------------------------------------------------------------------------

  ASA PING:

  ciscoasa # ping DMZ 192.168.3.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

  ?????

  Success rate is 0% (0/5)

  PING from router (debug on CISCO):

  NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

  -------------------------------------------------------------------------------------------------------------------------------

  ciscoasa # show the road outside

  Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

  i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

  * - candidate by default, U - static route by user, o - ODR

  P periodical downloaded static route

  Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

  C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

  S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

  S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

  -------------------------------------------------------------------------------------------------------------------------------

  Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

  Please, if you have an idea, let me know! Thank you very much!

  Hello

  I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

  "The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

  You ACL: access-list extended dmz_acl to any any icmp echo

  For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

  Then to initiate router, the ASA Launches echo-reply being blocked again.

  Try to add permit-response to echo as well.

  In addition, you can use both "inspect icmp" in world politics than the ACL.

  If none does not work, you can run another t-shoot with control packet - trace on SAA.

  THX

  MS

• WILL secure IPSec tunnel

  Hi all

  I have just set up an IPSec tunnel, except use debug crypto ipsec / isakmp how can I check IPSec works? When I configure the encryption card, can I use ip of the tunnel as the peer address.

  Thanks in advance.

  Banlan

  Hi Banlan,

  Thanks for your appreciation. I feel honoured!

  Back to your question about free WILL inside the IPSec, you must use the gre as the Protocol in the access list; This right, shud you get points for that! (because the ip packet is encapsulated by GRE and then AH / ESP headers are added). Also remember that the ip address as the destination of the tunnel should be globally routable. You cannot use tunneling as a destination of the tunnel (except of course when the routers are connected back to back)

  See the following configs for GRE inside IPSec.

  ! ON THE INITIATOR

  ...

  ...

  access-list 110 permit host WILL

  ...

  12 crypto isakmp policy

  preshared authentication

  !

  address ISAKMP crypto key xxxxx

  Crypto ipsec transform-set esp TS - a

  !

  card 11 CM ipsec-isakmp crypto

  defined by peers

  game of transformation-TS

  match address 110

  !

  tunnel1 interface

  IP unnumbered

  source of tunnel

  tunnel destination

  card crypto CM

  !

  interface

  card crypto CM

  !

  IP route x.x.x.x tunnel1

  ! ON THE ANSWERING MACHINE

  ...

  ...

  access-list 111 allow host WILL

  ...

  crypto ISAKMP policy 11

  preshared authentication

  !

  address ISAKMP crypto key xxxxx

  Crypto ipsec transform-set esp TS - a

  !

  Map 10 CM ipsec-isakmp crypto

  defined by peers

  game of transformation-TS

  match address 111

  !

  interface tunnels2

  IP unnumbered

  source of tunnel

  tunnel destination

  card crypto CM

  !

  interface

  card crypto CM

  !

  IP route x.x.x.x tunnels2

  I think you have the answer now. Catch me if you want something else.

  Cheers :-))

  Naveen

  [email protected] / * /.

• Create the Ipsec tunnel using digital certificates

  Hello

  I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.

  Before that I added the CA server all go smoothly.

  Attached is my configuration, attached debug commands from the configuration of server and router CA

  It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:

  #
  R3 #.
  R3 #show cryptographic pki certificate cisco talkative
  CA
  Status: available
  Version: 3
  Certificate serial number (hex): 01
  Use of certificates: Signature
  Issuer:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Object:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Validity date:
  start date: 10:12:13 UTC Sep 8 2013
  end date: 10:12:13 UTC Sep 7 2016
  Subject key information:
  Public key algorithm: rsaEncryption
  RSA Public Key: (512 bits)
  Signature algorithm: MD5 with RSA encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
  X509v3 Key use: 86000000
  Digital signature
  Key Cert sign
  Signature of the CRL
  X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  X509v3 Basic Constraints:
  CA: TRUE
  X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  Access to information the authority:
  Related Trustpoints: cisco
  Storage: nvram:cisco1ciscoc #4CA.cer

  R3 #.

  Appreciate your support and I will send additional if necessary evidence

  TX

  Roee

  I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:

  To view the pending requests:

  information cryptographic pki server router 'CA '.

  To grant requests pending:

  Info Server 'CA' router cryptographic pki grant all

• Cisco's ASA IPsec tunnel disconnects after a while

  Hi all

  I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.

  I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.

  But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.

  This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.

  SonicWALL publicip 1.1.1.2 192.168.10.0 subnet

  Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0

  ciscoasa # sh run
  : Saved
  :
  ASA Version 8.2 (1)
  !
  ciscoasa hostname
  domain default.domain.invalid
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  Speed 100
  full duplex
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.248
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  192.168.5.1 IP address 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  management only
  !
  passive FTP mode
  DNS domain-lookup outside
  DNS lookup field inside
  DNS server-group DefaultDNS
  Server name 66.28.0.45
  Server name 66.28.0.61
  domain default.domain.invalid
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  object-group service rdp tcp
  EQ port 3389 object
  object-group service tcp OpenVPN
  port-object eq 1194
  access list outside extended permit icmp any any echo response
  access list outside extended permit tcp any host # eq pptp
  outside allowed extended access will list any host #.
  list of extended outside access permit udp any any eq 1701
  extended outdoor access allowed icmp a whole list
  access list outside extended permit tcp any host # eq ftp
  access list outside extended permit tcp any host # eq ssh
  list of extended outside access permit tcp any host # object - group rdp
  turn off journal
  access list outside extended permit tcp any host 1.1.1.1 object - group Open
  VPN
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
  . 255.255.0
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
  . 255.255.0
  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
  55.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  management of MTU 1500
  IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
  IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (outside) 1 192.168.10.0 255.255.255.0
  NAT (outside) 1 192.168.5.0 255.255.255.0
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 192.168.5.0 255.255.255.0
  outside access-group in external interface
  Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.5.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic dynmap 5 the value reverse-road
  Crypto easyvpn dynamic-map 10 transform-set RIGHT
  Crypto-map dynamic easyvpn 10 reverse-drive value
  card crypto mymap 10 correspondence address l2l
  card crypto mymap 10 set peer 1.1.1.2
  card crypto mymap 10 transform-set RIGHT
  map mymap 30000-isakmp ipsec crypto dynamic easyvpn
  mymap outside crypto map interface
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 3600
  Telnet 192.168.5.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  Hello to tunnel L2TP 10
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal DefaultRAGroup group strategy
  attributes of Group Policy DefaultRAGroup
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec l2tp ipsec
  field default value cisco.com
  attributes of Group Policy DfltGrpPolicy
  internal band easyvpn strategy
  attributes of the strategy of band easyvpn
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec
  enable IPSec-udp
  Split-tunnel-policy tunnelall
  the address value ippool pools
  VPN-group-policy DefaultRAGroup
  attributes global-tunnel-group DefaultRAGroup
  address l2tppool pool
  Group Policy - by default-DefaultRAGroup
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared-key *.
  tunnel-group DefaultRAGroup ppp-attributes
  No chap authentication
  ms-chap-v2 authentication
  tunnel-group 1.1.1.2 type ipsec-l2l
  1.1.1.2 tunnel-group ipsec-attributes
  pre-shared-key *.
  tunnel-group easyvpn type remote access
  tunnel-group easyvpn General attributes
  Group Policy - by default-easyvpn
  easyvpn group tunnel ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  inspect the tftp
  inspect the pptp
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:5542615c178d2803f764c9b8f104732b
  : end

  I guess you have typo in the configuration of the ASA?

  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
  list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Can you confirm that you have configured instead the following:

  access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2

  In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):

  NAT (outside) 1 192.168.10.0 255.255.255.0

  Finally, pls turn off keepalive to SonicWall.

  If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.

• How to configure ASA5520 of Checkpoint IPsec tunnel configuration

  Hi guys and under tension, a lot of it!

  I have a problem, I set up an IPsec tunnel between my ASA5520 at a Checkpoint Firewall (PE) CONFIG below (not true FT)

  network of the ASA_MAPPED object

  4.4.4.0 subnet 255.255.255.0

  network of the CHECKPOINT_MAPPED object

  5.5.5.5.0 SUBNET 255.255.255.0

  OUT_CRYPTO extended access list permit ip object ASA_MAPPED object CHECKPOINT_MAPPED

  Crypto ipsec transform-set ikev1 CHECKPOINT_SET aes - esp esp-sha-hmac

  destination NAT (INSIDE, OUTSIDE) static source ALLNETWORKS(10.0.0.0/16) ASA_MAPPED CHECKPOINT_MAPPED of CHECKPOINT_MAPPED static

  NAT (INSIDE, OUTSIDE) source of destination ALLNETWORKS(10.0.0.0/16) static ASA_MAPPED static 4.4.4.11 5.5.5.11

  card crypto OUTSIDE_MAP 5 corresponds to the address OUT_CRYPTO

  OUTSIDE_MAP 5 set crypto map peer X.X.X.X

  card crypto OUTSIDE_MAP 5 set transform-set CHECKPOINT_SET ikev1

  card crypto OUTSIDE_MAP 5 defined security-association life seconds 3600

  CHECKPOINT_MAP interface card crypto OUTSIDE

  tunnel-group X.X.X.X type ipsec-l2l

  tunnel-group ipsec-attributes X.X.X.X

  IKEv1 pre-shared-key 1234

  ISAKMP crypto 10 nat-traversal

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  aes encryption

  sha hash

  Group 5

  life 86400

  IPsec Tunnel is in place and I can access the server on the other side via the beach of NATTED, for example a server behind the checkpoint with the IP 10.90.55.11 is accessible behind the ASA as 4.4.4.11, the problem is that I have never worked on a Checkpoint Firewall and servers/Server 4.4.4.11 that I can't connect to my environment to that checkpoint is configured with a Tunnel interface that is also supposed to to make NAT because of the superimposition of networks, at one point, I added an access to an entire list and bidirectional routing has been reached, but I encountered a new problem, I could not overlook from my servers public became unaccessecable, since all traffic was encrypted and get dropped to VPN: ipsec-tunnel-flow... for now the Tunnel is up and I can access the server via NAT 4.4.4.11, but can't access my internal servers. What did I DO WRONG (also, I don't have access to the Checkpoint Firewall (PE)) how their installation would be or how it should be to allow bidirectional routing?

  ========================================================

  Tag crypto map: CHECKPOINT_MAP, seq num: 5, local addr: X.X.X.X

  Access extensive list ip 4.4.4.0 OUT_5_CRYPTO allow 255.255.255.0 5.5.5.0 255.255.255.0

  local ident (addr, mask, prot, port): (4.4.4.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (5.5.5.0/255.255.255.0/0/0)

  current_peer: X.X.X.X

  #pkts program: 3207, #pkts encrypt: 3207, #pkts digest: 3207

  #pkts decaps: 3417, #pkts decrypt: 3417, #pkts check: 3417

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 3207, model of #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  local crypto endpt. : X.X.X.X/0, remote Start crypto. : X.X.X.X/0

  Path mtu 1500, fresh ipsec generals 74, media, mtu 1500

  current outbound SPI: 5254EDC6

  current inbound SPI: 36DAB960

  SAS of the esp on arrival:

  SPI: 0x36DAB960 (920303968)

  transform: aes - esp esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 19099648, crypto-card: CHECKPOINT_MAP

  calendar of his: service life remaining (KB/s) key: (3914999/3537)

  Size IV: 16 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0 x 00000000 0x0000000F

  outgoing esp sas:

  SPI: 0x5254EDC6 (1381297606)

  transform: aes - esp esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 19099648, crypto-card: CHECKPOINT_MAP

  calendar of his: service life remaining (KB/s) key: (3914999/3537)

  Size IV: 16 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  unless I include any any on my access-list and the problem with that is  that my Public servers then get encrypted from the OUTSIDE interface  unless you know of a way to bypass the VPN
  
  

  No, u certainly shouldn't allow 0.0.0.0 for proxy ACL. Again, your config is very good. In addition, package account, this show that traffic is going throug the tunnel in two ways:

  #pkts program: 3207

  #pkts decaps: 3417

  Also, looking at the meter, I can guess that some of the traffic comes from the other site, but does not return back (maybe that's where you can not connect from behing Checkpoint). If you say that 0.0.0.0 solved the problem, are there no other NAT rules for subnet behind ASA, so the server IP, for which you are trying to connect behind the checkpoint, translates into something else (not the beach, included in proxy ACL), when to come back?

• Strange problem in IPSec Tunnel - 8.4 NAT (2)

  Helloo all,.

  This must be the strangest question I've seen since the year last on my ASA.

  I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:

  A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen

  The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!

  Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:

  my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)

  CISCO ASA - IPSec network details

  LAN - 10.2.4.0/28

  REMOTE NETWORK - 192.168.171.8/32

  JUNIPER SSG 140 - IPSec networks details

  ID OF THE PROXY:

  LAN - 192.168.171.8/32

  REMOTE NETWORK - 10.2.4.0/28

  Name host # sh cry counterpart his ipsec

  peer address:

  Tag crypto map: outside_map, seq num: 5, local addr:

  outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

  local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)

  Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)

  current_peer:

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  local crypto endpt. : 0, remote Start. crypto: 0

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

  current outbound SPI: 5041C19F

  current inbound SPI: 0EC13558

  SAS of the esp on arrival:

  SPI: 0x0EC13558 (247543128)

  transform: esp-3des esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 22040576, crypto-card: outside_map

  calendar of his: service life remaining key (s): 3232

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0xFFFFFFFF to 0xFFFFFFFF

  outgoing esp sas:

  SPI: 0x5041C19F (1346486687)

  transform: esp-3des esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 22040576, crypto-card: outside_map

  calendar of his: service life remaining key (s): 3232

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  CONTEXTS for this IPSEC VPN tunnel:

  # Sh asp table det vpn context host name

  VPN CTX = 0x0742E6BC

  By peer IP = 192.168.171.8

  Pointer = 0x78C94BF8

  State = upwards

  Flags = BA + ESP

  ITS = 0X9C28B633

  SPI = 0x5041C19D

  Group = 0

  Pkts = 0

  Pkts bad = 0

  Incorrect SPI = 0

  Parody = 0

  Bad crypto = 0

  Redial Pkt = 0

  Call redial = 0

  VPN = filter

  VPN CTX = 0x07430D3C

  By peer IP = 192.168.1.8

  Pointer = 0x78F62018

  State = upwards

  Flags = DECR + ESP

  ITS = 0X9C286E3D

  SPI = 0x9B6910C5

  Group = 1

  Pkts = 297

  Pkts bad = 0

  Incorrect SPI = 0

  Parody = 0

  Bad crypto = 0

  Redial Pkt = 0

  Call redial = 0

  VPN = filter

  outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

  NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

  network of the Ren - around object

  subnet 10.2.4.0 255.255.255.240

  network of the host object counterpart

  Home 192.168.171.8

  HS cry ipsec his

  IKE Peer:

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

  Phase: 7

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

  Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = none, output_ifc = external

  VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

  A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

  Phase: 1

  Type: ACCESS-LIST

  Subtype:

  Result: ALLOW

  Config:

  Implicit rule

  Additional information:

  Direct flow from returns search rule:

  ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

  hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

  Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

  DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

  input_ifc = output_ifc = any to inside,

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 192.168.171.0 255.255.255.0 outside

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

  hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = output_ifc = any to inside,

  Phase: 4

  Type:

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

  hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = output_ifc = any to inside,

  Phase: 5

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

  Additional information:

  Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

  Direct flow from returns search rule:

  ID = 0x77e0a878, priority = 6, area = nat, deny = false

  hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

  IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = inside, outside = output_ifc

  
  

  (it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)

  Phase: 6

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

  hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

  IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = none, output_ifc = external

  Phase: 7

  Type: VPN

  Subtype: ipsec-tunnel-flow

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

  hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

  IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

  input_ifc = out, output_ifc = any

  Phase: 8

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

  hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = out, output_ifc = any

  Phase: 9

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 119880921 id, package sent to the next module

  Information module for forward flow...

  snp_fp_tracer_drop

  snp_fp_inspect_ip_options

  snp_fp_tcp_normalizer

  snp_fp_translate

  snp_fp_adjacency

  snp_fp_encrypt

  snp_fp_fragment

  snp_ifc_stat

  Information for reverse flow...

  snp_fp_tracer_drop

  snp_fp_inspect_ip_options

  snp_fp_ipsec_tunnel_flow

  snp_fp_translate

  snp_fp_tcp_normalizer

  snp_fp_adjacency

  snp_fp_fragment

  snp_ifc_stat

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  Hostname # sh Cap A1

  8 packets captured

  1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

  2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

  3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

  4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

  5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

  6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

  7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

  8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

  8 packets shown

  As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.

  I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!

  Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.

  If someone could help me, that would be greatt and greatly appreciated!

  Thanks heaps. !

  Perfect! Now you must find something else inside for tomorrow--> forecast rain again

  Please kindly marks the message as answered while others may learn from it. Thank you.

• Traffic is failed on plain IPSec tunnel between two 892 s

  Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.

  Note: I replaced the Networkid real to a mentined below.

  Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.

  Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.

  Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.

  Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.

  I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.

  So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.

  Any idea? Two routers config are below

  -------

  892_DC #show ru

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 1.2.3.4

  ISAKMP crypto keepalive 10 periodicals

  !

  address of 1.2.3.4 crypto isakmp peers

  Description of-COIL-892

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 1.2.3.4

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match a lists 101

  market arriere-route

  QoS before filing

  !

  interface GigabitEthernet0

  IP 10,20,30,40 255.255.255.240

  IP 1400 MTU

  IP tcp adjust-mss 1360

  automatic duplex

  automatic speed

  card crypto IT-IPSec-Crypto-map

  !

  IP route 0.0.0.0 0.0.0.0 10.20.30.41

  !

  access list 101 ip allow any 100.100.100.0 0.0.0.255 connect

  access list 101 ip allow any 100.100.200.0 0.0.0.255 connect

  -------------------------------------------------------------------------------------

  Branch_892 #sh run

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 10,20,30,40

  ISAKMP crypto keepalive 10 periodicals

  !

  address peer isakmp crypto 10,20,30,40

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 10,20,30,40

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match address 101

  market arriere-route

  QoS before filing

  !

  FastEthernet6 interface

  Description VL92

  switchport access vlan 92

  !

  interface FastEthernet7

  Description VL93

  switchport access vlan 93

  !

  interface GigabitEthernet0

  Description # to WAN #.

  no ip address

  automatic duplex

  automatic speed

  PPPoE-client dial-pool-number 1

  !

  interface Vlan1

  Description # local to #.

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  interface Vlan92

  Description fa6-nexus e100/0/40

  IP 100.100.200.1 255.255.255.0

  !

  interface Vlan93

  Description fa7-nexus e100/0/38

  IP 100.100.100.1 255.255.255.0

  !

  interface Dialer0

  no ip address

  No cdp enable

  !

  interface Dialer1

  IP 1.2.3.4 255.255.255.248

  IP mtu 1454

  NAT outside IP

  IP virtual-reassembly in max-pumping 256

  encapsulation ppp

  IP tcp adjust-mss 1414

  Dialer pool 1

  Dialer-Group 1

  Authentication callin PPP chap Protocol

  PPP chap hostname ~ ~ ~

  PPP chap password =.

  No cdp enable

  card crypto IT-IPSec-Crypto-map

  !

  Dialer-list 1 ip protocol allow

  !

  access-list 101 permit ip 100.100.100.0 0.0.0.255 any

  access-list 101 permit ip 100.100.200.0 0.0.0.255 any

  !

  IP route 0.0.0.0 0.0.0.0 Dialer1

  Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?

• IPSec tunnel between a client connection mobility and WRV200

  Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.

  Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business