Adding another IPSec tunnel
I have two remote sites (PIX501) connection to the platform (2811). All sites can talk to all the sites. For the rays to talk, they go through the hub. I try to add a third site and I can get connectivity to the hub without problem, but not the rays. Here's an ipsec crypto see the his new site.
Hub site: 192.168.12.0/24
Remote site A: 192.168.13.0 24 (work)
Remote site B: 192.168.14.0 24 (work)
Remote site C: 192.168.15.0/24 (does not work)
There is also a diagram attached which show all this a little better.
Sounds good except that there is no site of remote controls. This network connectivity is fine and it is the hub.
130 extended access-list allow ip 192.168.15.0 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.15.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.12.0/255.255.255.0/0/0)
Here is the command even in workplaces.
local ident (addr, mask, prot, port): (192.168.13.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.12.0/255.255.255.0/0/0)
local ident (addr, mask, prot, port): (192.168.13.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.15.0/255.255.255.0/0/0)
local ident (addr, mask, prot, port): (192.168.13.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.14.0/255.255.255.0/0/0)
As you can see it built the tunnel toward the hub and each remote site. I can not get the ASA again to do the same. It seems to me that the problem is on the hub. I removed the encryption from the interface card, built the config VPN several times, etc., etc. Please tell me I'm missing something easy. Thank you.
Collin,
You can reach IPSec SA output? Not only the heads of spokes and hub.
If you add 'reverse static set' on the roads of the coast hub will be added no matter its IPSec being upward.
I understand you have already done to ensure traffic between 192.168.13.0/24 and 192.168.15.0/24 (and vice versa) are not using a NAT.
Marcin
Tags: Cisco Security
Similar Questions
-
Cannot reach the destination of an IPSec tunnel through another IPSec tunnel
Hi all
I have a PIX 515E version 8.0 (2).
I have two remote sites connected to this PIX via IPSec tunnels.
Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB remoteSiteA.
Thus,.
SiteA <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.30.8.254
SiteB <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.138.34.21
SiteA can ping SiteX
SiteB can ping SiteX
SiteA cannot ping SiteB
SiteB cannot ping SiteA
If I do not show crypto isakmp ipsec his I see appropriate subnets:
Tag crypto map: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1
permit access-list ACLVPN-TO_SITEA ip 10.138.34.16 255.255.255.240 host 10.30.8.254
local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)
current_peer: 104.86.2.4
Tag crypto map: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1
access-list ACLVPN-TO_SITEB allowed host ip 10.30.8.254 10.138.34.16 255.255.255.240
local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)
current_peer: 216.178.200.200
Journal messages that seem to point to the problem...
April 18, 2013 13:27:35: % PIX-4-402116: IPSEC: received a package of ESP (SPI = 0xD51BB13A, sequence number = 0x21A) 104.86.2.4 (user = 104.86.2.4) at 203.166.1.1. Inside the package décapsulés does not match policy negotiated in the SA. The package indicates its destination as 10.138.34.21, its source as 10.30.8.254 and its Protocol 6. SA specifies its local proxy like 10.0.8.0/255.255.255.0/0/0 and his remote_proxy as 10.30.8.254/255.255.255.255/0/0
My question is really what I have to do something funky to allow traffic to pass between the two tunnels?
Hello
This could be much easier if we have seen the real configurations.
But here are some things to be confirmed in the configurations (some of them you mentioned above, but I still quote once again)
- Make sure that each firewall, you set the appropriate VPN L2L ACL
- Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
- Make sure the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site traffic to enter the Central PIX 'outside' interface and head back on the same interface to Site B. And vice versa.
To view some actual configurations that may be required provided everything else is ok. (I assume that all devices are Cisco)
Central PIX
permit same-security-traffic intra-interface
A connection to the site
SITE-A-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 host 10.30.8.254
SITE-A-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254
Site B connection
SITE-B-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 10.138.34.16 255.255.255.240
SITE-B-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240
NAT0
access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 host 10.30.8.254
access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
NAT (inside) 0-list of access to the INTERIOR-NAT0
OUTSIDE-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240
OUTSIDE-NAT0 allowed ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254
NAT (outside) 0-list of access OUTSIDE-NAT0
Site has
CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.0.8.0 255.255.255.0
CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240
the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.0.8.0 255.255.255.0
the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240
NAT (inside) 0-list of access to the INTERIOR-NAT0
Site B---------------->----->---------------->----->
CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 10.0.8.0 255.255.255.0
CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254
the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 10.0.8.0 255.255.255.0
the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254
NAT (inside) 0-list of access to the INTERIOR-NAT0
Hope this helps
-Jouni
-
Decision on DMVPN and L2L simple IPsec tunnels
I have a project where I need to make a decision on which solution to implement... environment is as follows...
- 4 branches.
- Each branch has 2 subnets; one for DATA and another for VOICE
- 2 ISPS in each (an Internet access provider and a provider of MPLS)
- Branch #1 isn't necessarily the HUB office that all database servers and files are there are
- Branch #2 is actually where the phone equipment
- Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
- MPLS is currently used for telephone traffic.
- ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
- I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.
My #1 Option
Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.
My #2 Option
My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.
Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option
Thanks in advance
Hi ciscobigcat
Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.
The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).
Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.
So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.
QoS, it is important to use "prior qos rank".
See for example
http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html
http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml
HTH
Herbert
-
How to troubleshoot an IPSec tunnel GRE?
Hello
My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.
The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.
I does not change the mode to transport mode in the transform-set configuration.
Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
Thank you.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show hisHere are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.
For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.In addition, you can configure keepalive via the command:
Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepaliveand then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers
Hello world
I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).
I created a tunnel interfaces on both routers as follows.
2620XM
interface Tunnel0
IP 10.1.5.2 255.255.255.252
tunnel source x.x.x.x
tunnel destination y.y.y.y
end
836
interface Tunnel0
IP 10.1.5.1 255.255.255.252
tunnel source y.y.y.y
tunnel destination x.x.x.x
end
and configuration of isakmp/ipsec as follows,
2620XM
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto key {keys} address y.y.y.y no.-xauth
!
!
Crypto ipsec transform-set esp - esp-md5-hmac to_melissia
!
myvpn 9 ipsec-isakmp crypto map
defined peer y.y.y.y
Set transform-set to_melissia
match address 101
2620XM-router #sh ip access list 101
Expand the access IP 101 list
10 permit host x.x.x.x y.y.y.y host will
836
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto key {keys} address x.x.x.x No.-xauth
!
!
Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi
!
myvpn 10 ipsec-isakmp crypto map
defined peer x.x.x.x
Set transform-set to_metamorfosi
match address 101
836-router #sh access list 101
Expand the access IP 101 list
10 licences will host host x.x.x.x y.y.y.y
Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.
CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.
Any ideas why I get this result? Any help will be a great help
Thank you!!!
I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.
As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:
card crypto-address
so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.
HTH
Rick
-
Hi-
We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).Networks:
Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)See details below on our config:
SH run card cry
card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposaloutside_map interface card crypto outside
Note:
Getting to hit numbers below on rules/ACL...SH-access list. I have 54.0
permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671SH run | I have access-group
Access-group outside_access_out outside interfaceNOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...HS cry his ikev1
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 21 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVESH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.SH run | I have political ikev1
ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interfaceNOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 msDetermination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPSEC tunnel check - seems OK?
SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXXoutside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBBSAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...
SH cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)
SH cap A2
42 packets captured
1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request--> Package trace on 5512 does no problem... but we cannot ping from host to host?
entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc...
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statInformation for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statResult:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?
Destination - initiator:
entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).Please let us know what other details we can provide to help solve, thanks for any help in advance.
-SP
Well, I think it is a NAT ordering the issue.
Basically as static and this NAT rule-
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.
To check just run a 'sh nat"and this will show you what order everthing is in.
The ASA is working its way through the sections.
You also have this-
NAT source auto after (indoor, outdoor) dynamic one interface
which does the same thing as first statement but is in section 3, it is never used.
If you do one of two things-
(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line
or
(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.
It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.
The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).
Then you can simply try to rearrange so your static NAT is above it just to see if it works.
Just in case you want to see the document here is the link-
Jon
-
Resolution in real-time for IPSec Tunnel peer
Hello
There is a document on Cisco's Web site
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html
explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:
ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]
Virtually no SAs are set up and malfunctioning coming IPSec tunnel.
Everyone tried and had the same problem? I would appreciate your help on this.
Thank you
Remi
What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
Hi all
I have just set up an IPSec tunnel, except use debug crypto ipsec / isakmp how can I check IPSec works? When I configure the encryption card, can I use ip of the tunnel as the peer address.
Thanks in advance.
Banlan
Hi Banlan,
Thanks for your appreciation. I feel honoured!
Back to your question about free WILL inside the IPSec, you must use the gre as the Protocol in the access list; This right, shud you get points for that! (because the ip packet is encapsulated by GRE and then AH / ESP headers are added). Also remember that the ip address as the destination of the tunnel should be globally routable. You cannot use tunneling as a destination of the tunnel (except of course when the routers are connected back to back)
See the following configs for GRE inside IPSec.
! ON THE INITIATOR
...
...
access-list 110 permit host WILL
...
12 crypto isakmp policy
preshared authentication
!
address ISAKMP crypto key xxxxx
Crypto ipsec transform-set esp TS - a
!
card 11 CM ipsec-isakmp crypto
defined by peers
game of transformation-TS
match address 110
!
tunnel1 interface
IP unnumbered
source of tunnel
tunnel destination
card crypto CM
!
interface
card crypto CM
!
IP route x.x.x.x tunnel1
! ON THE ANSWERING MACHINE
...
...
access-list 111 allow host WILL
...
crypto ISAKMP policy 11
preshared authentication
!
address ISAKMP crypto key xxxxx
Crypto ipsec transform-set esp TS - a
!
Map 10 CM ipsec-isakmp crypto
defined by peers
game of transformation-TS
match address 111
!
interface tunnels2
IP unnumbered
source of tunnel
tunnel destination
card crypto CM
!
interface
card crypto CM
!
IP route x.x.x.x tunnels2
I think you have the answer now. Catch me if you want something else.
Cheers :-))
Naveen
-
Create the Ipsec tunnel using digital certificates
Hello
I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.
Before that I added the CA server all go smoothly.
Attached is my configuration, attached debug commands from the configuration of server and router CA
It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:
#
R3 #.
R3 #show cryptographic pki certificate cisco talkative
CA
Status: available
Version: 3
Certificate serial number (hex): 01
Use of certificates: Signature
Issuer:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Object:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Validity date:
start date: 10:12:13 UTC Sep 8 2013
end date: 10:12:13 UTC Sep 7 2016
Subject key information:
Public key algorithm: rsaEncryption
RSA Public Key: (512 bits)
Signature algorithm: MD5 with RSA encryption
Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
X509v3 extensions:
X509v3 Key use: 86000000
Digital signature
Key Cert sign
Signature of the CRL
X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
Access to information the authority:
Related Trustpoints: cisco
Storage: nvram:cisco1ciscoc #4CA.cerR3 #.
Appreciate your support and I will send additional if necessary evidence
TX
Roee
I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:
To view the pending requests:
information cryptographic pki server router 'CA '.
To grant requests pending:
Info Server 'CA' router cryptographic pki grant all
-
Cisco's ASA IPsec tunnel disconnects after a while
Hi all
I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.
I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.
But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.
This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.
SonicWALL publicip 1.1.1.2 192.168.10.0 subnet
Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0
ciscoasa # sh run
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain default.domain.invalid
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
Speed 100
full duplex
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.5.1 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
Server name 66.28.0.45
Server name 66.28.0.61
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group service rdp tcp
EQ port 3389 object
object-group service tcp OpenVPN
port-object eq 1194
access list outside extended permit icmp any any echo response
access list outside extended permit tcp any host # eq pptp
outside allowed extended access will list any host #.
list of extended outside access permit udp any any eq 1701
extended outdoor access allowed icmp a whole list
access list outside extended permit tcp any host # eq ftp
access list outside extended permit tcp any host # eq ssh
list of extended outside access permit tcp any host # object - group rdp
turn off journal
access list outside extended permit tcp any host 1.1.1.1 object - group Open
VPN
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
. 255.255.0
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
. 255.255.0
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
55.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.10.0 255.255.255.0
NAT (outside) 1 192.168.5.0 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.5.0 255.255.255.0
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 5 the value reverse-road
Crypto easyvpn dynamic-map 10 transform-set RIGHT
Crypto-map dynamic easyvpn 10 reverse-drive value
card crypto mymap 10 correspondence address l2l
card crypto mymap 10 set peer 1.1.1.2
card crypto mymap 10 transform-set RIGHT
map mymap 30000-isakmp ipsec crypto dynamic easyvpn
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
Telnet 192.168.5.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
Hello to tunnel L2TP 10
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value cisco.com
attributes of Group Policy DfltGrpPolicy
internal band easyvpn strategy
attributes of the strategy of band easyvpn
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelall
the address value ippool pools
VPN-group-policy DefaultRAGroup
attributes global-tunnel-group DefaultRAGroup
address l2tppool pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.
tunnel-group easyvpn type remote access
tunnel-group easyvpn General attributes
Group Policy - by default-easyvpn
easyvpn group tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: endI guess you have typo in the configuration of the ASA?
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0Can you confirm that you have configured instead the following:
access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0
Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2
In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):
NAT (outside) 1 192.168.10.0 255.255.255.0
Finally, pls turn off keepalive to SonicWall.
If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.
-
How to configure ASA5520 of Checkpoint IPsec tunnel configuration
Hi guys and under tension, a lot of it!
I have a problem, I set up an IPsec tunnel between my ASA5520 at a Checkpoint Firewall (PE) CONFIG below (not true FT)
network of the ASA_MAPPED object
4.4.4.0 subnet 255.255.255.0
network of the CHECKPOINT_MAPPED object
5.5.5.5.0 SUBNET 255.255.255.0
OUT_CRYPTO extended access list permit ip object ASA_MAPPED object CHECKPOINT_MAPPED
Crypto ipsec transform-set ikev1 CHECKPOINT_SET aes - esp esp-sha-hmac
destination NAT (INSIDE, OUTSIDE) static source ALLNETWORKS(10.0.0.0/16) ASA_MAPPED CHECKPOINT_MAPPED of CHECKPOINT_MAPPED static
NAT (INSIDE, OUTSIDE) source of destination ALLNETWORKS(10.0.0.0/16) static ASA_MAPPED static 4.4.4.11 5.5.5.11
card crypto OUTSIDE_MAP 5 corresponds to the address OUT_CRYPTO
OUTSIDE_MAP 5 set crypto map peer X.X.X.X
card crypto OUTSIDE_MAP 5 set transform-set CHECKPOINT_SET ikev1
card crypto OUTSIDE_MAP 5 defined security-association life seconds 3600
CHECKPOINT_MAP interface card crypto OUTSIDE
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group ipsec-attributes X.X.X.X
IKEv1 pre-shared-key 1234
ISAKMP crypto 10 nat-traversal
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 5
life 86400
IPsec Tunnel is in place and I can access the server on the other side via the beach of NATTED, for example a server behind the checkpoint with the IP 10.90.55.11 is accessible behind the ASA as 4.4.4.11, the problem is that I have never worked on a Checkpoint Firewall and servers/Server 4.4.4.11 that I can't connect to my environment to that checkpoint is configured with a Tunnel interface that is also supposed to to make NAT because of the superimposition of networks, at one point, I added an access to an entire list and bidirectional routing has been reached, but I encountered a new problem, I could not overlook from my servers public became unaccessecable, since all traffic was encrypted and get dropped to VPN: ipsec-tunnel-flow... for now the Tunnel is up and I can access the server via NAT 4.4.4.11, but can't access my internal servers. What did I DO WRONG (also, I don't have access to the Checkpoint Firewall (PE)) how their installation would be or how it should be to allow bidirectional routing?
========================================================
Tag crypto map: CHECKPOINT_MAP, seq num: 5, local addr: X.X.X.X
Access extensive list ip 4.4.4.0 OUT_5_CRYPTO allow 255.255.255.0 5.5.5.0 255.255.255.0
local ident (addr, mask, prot, port): (4.4.4.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (5.5.5.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts program: 3207, #pkts encrypt: 3207, #pkts digest: 3207
#pkts decaps: 3417, #pkts decrypt: 3417, #pkts check: 3417
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 3207, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : X.X.X.X/0, remote Start crypto. : X.X.X.X/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: 5254EDC6
current inbound SPI: 36DAB960
SAS of the esp on arrival:
SPI: 0x36DAB960 (920303968)
transform: aes - esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 19099648, crypto-card: CHECKPOINT_MAP
calendar of his: service life remaining (KB/s) key: (3914999/3537)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0 x 00000000 0x0000000F
outgoing esp sas:
SPI: 0x5254EDC6 (1381297606)
transform: aes - esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 19099648, crypto-card: CHECKPOINT_MAP
calendar of his: service life remaining (KB/s) key: (3914999/3537)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
unless I include any any on my access-list and the problem with that is that my Public servers then get encrypted from the OUTSIDE interface unless you know of a way to bypass the VPN
No, u certainly shouldn't allow 0.0.0.0 for proxy ACL. Again, your config is very good. In addition, package account, this show that traffic is going throug the tunnel in two ways:
#pkts program: 3207
#pkts decaps: 3417
Also, looking at the meter, I can guess that some of the traffic comes from the other site, but does not return back (maybe that's where you can not connect from behing Checkpoint). If you say that 0.0.0.0 solved the problem, are there no other NAT rules for subnet behind ASA, so the server IP, for which you are trying to connect behind the checkpoint, translates into something else (not the beach, included in proxy ACL), when to come back?
-
Strange problem in IPSec Tunnel - 8.4 NAT (2)
Helloo all,.
This must be the strangest question I've seen since the year last on my ASA.
I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:
A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen
The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!
Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:
my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)
CISCO ASA - IPSec network details
LAN - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networks details
ID OF THE PROXY:
LAN - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28
Name host # sh cry counterpart his ipsec
peer address:
Tag crypto map: outside_map, seq num: 5, local addr:
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)
current_peer:
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. :
0, remote Start. crypto: 0 Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 5041C19F
current inbound SPI: 0EC13558
SAS of the esp on arrival:
SPI: 0x0EC13558 (247543128)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0x5041C19F (1346486687)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
CONTEXTS for this IPSEC VPN tunnel:
# Sh asp table det vpn context host name
VPN CTX = 0x0742E6BC
By peer IP = 192.168.171.8
Pointer = 0x78C94BF8
State = upwards
Flags = BA + ESP
ITS = 0X9C28B633
SPI = 0x5041C19D
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
VPN CTX = 0x07430D3C
By peer IP = 192.168.1.8
Pointer = 0x78F62018
State = upwards
Flags = DECR + ESP
ITS = 0X9C286E3D
SPI = 0x9B6910C5
Group = 1
Pkts = 297
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
network of the Ren - around object
subnet 10.2.4.0 255.255.255.240
network of the host object counterpart
Home 192.168.171.8
HS cry ipsec his
IKE Peer:
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7789d788, priority = 70, domain = encrypt, deny = false
Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.
A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false
hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = output_ifc = any to inside,
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.171.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true
hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false
hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
Additional information:
Definition of static 10.2.4.1/2700 to 10.2.4.1/2700
Direct flow from returns search rule:
ID = 0x77e0a878, priority = 6, area = nat, deny = false
hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false
hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0
IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true
hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 119880921 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
Hostname # sh Cap A1
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.
I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!
Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.
If someone could help me, that would be greatt and greatly appreciated!
Thanks heaps. !
Perfect! Now you must find something else inside for tomorrow--> forecast rain again
Please kindly marks the message as answered while others may learn from it. Thank you.
-
Traffic is failed on plain IPSec tunnel between two 892 s
Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.
Note: I replaced the Networkid real to a mentined below.
Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.
Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.
Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.
So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.
Any idea? Two routers config are below
-------
892_DC #show ru
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 1.2.3.4
ISAKMP crypto keepalive 10 periodicals
!
address of 1.2.3.4 crypto isakmp peers
Description of-COIL-892
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 1.2.3.4
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match a lists 101
market arriere-route
QoS before filing
!
interface GigabitEthernet0
IP 10,20,30,40 255.255.255.240
IP 1400 MTU
IP tcp adjust-mss 1360
automatic duplex
automatic speed
card crypto IT-IPSec-Crypto-map
!
IP route 0.0.0.0 0.0.0.0 10.20.30.41
!
access list 101 ip allow any 100.100.100.0 0.0.0.255 connect
access list 101 ip allow any 100.100.200.0 0.0.0.255 connect
-------------------------------------------------------------------------------------
Branch_892 #sh run
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 10,20,30,40
ISAKMP crypto keepalive 10 periodicals
!
address peer isakmp crypto 10,20,30,40
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 10,20,30,40
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match address 101
market arriere-route
QoS before filing
!
FastEthernet6 interface
Description VL92
switchport access vlan 92
!
interface FastEthernet7
Description VL93
switchport access vlan 93
!
interface GigabitEthernet0
Description # to WAN #.
no ip address
automatic duplex
automatic speed
PPPoE-client dial-pool-number 1
!
interface Vlan1
Description # local to #.
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Vlan92
Description fa6-nexus e100/0/40
IP 100.100.200.1 255.255.255.0
!
interface Vlan93
Description fa7-nexus e100/0/38
IP 100.100.100.1 255.255.255.0
!
interface Dialer0
no ip address
No cdp enable
!
interface Dialer1
IP 1.2.3.4 255.255.255.248
IP mtu 1454
NAT outside IP
IP virtual-reassembly in max-pumping 256
encapsulation ppp
IP tcp adjust-mss 1414
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname ~ ~ ~
PPP chap password =.
No cdp enable
card crypto IT-IPSec-Crypto-map
!
Dialer-list 1 ip protocol allow
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
IP route 0.0.0.0 0.0.0.0 Dialer1
Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?
-
IPSec tunnel between a client connection mobility and WRV200
Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.
Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business
Maybe you are looking for
-
I can't buy pokecoins
-
is there a way to get rid of the blue BLOB which covers the area around your current position?
-
Equium L40-156: graphics card problem - error code 12 in Device Manager
People of the night... Just got a family run Vista premium, Equium L40-156, everything is going well except a little problem with the display adapter (Mobile Intel 965). Tried the drivers that I had with the installerTried the drivers from the toshib
-
The last two I notice that the status bar in firefox, opera, and all ms office applications appears and do something to display the status bar does not work.Help!I installed windows xp sp3.
-
Is there no way to import my CC library .ai file draw Adobe?