Allowing ports through a VPN tunnel question
I have a VPN tunnel established and I can ping above but my application fails and I think its because I encouraged not 2 ports (ports TCP 19813 and 19814) through. I'm not clear how should I do for allowing these ports through. I need to add a statement to permit to access my list 'sheep' or what I need to add a statement of license to my list of access interface "external"?
Remote users have an IP address of 172.16.5.x 24 and they're trying to connect to users on the 192.168.200.x 24 192.168.201.x 24. I can't do a ping of the 24 192.168.200.x to the 172.16.5.0/24.
The commands below are what I currently have in my PIX.
My current sheep-access list:
IP 192.168.201.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0
IP 192.168.200.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0
My current outside of the access-list interface:
acl_inbound list access permit tcp any host xx.xx.xx.xx eq smtp
acl_inbound list access permit tcp any host xx.xx.xx.xx eq - ica citrix
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq 500
acl_inbound esp allowed access list any host xx.xx.xx.xx
acl_inbound list access permit icmp any any echo response
access-list acl_inbound allow icmp all once exceed
acl_inbound list all permitted access all unreachable icmp
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq https
first of all, you disable the commnad "sysopt connection permit-ipsec" on the pix? with this enabled command, which is enabled by default, the pix will ignore any ACLs for encrypted traffic. so if you have Hell no this command, then the acl that you applied on the outside int won't make a difference.
However, if "sysopt connection permit-ipsec" is always on, and then all the port/protocol should be allowed.
you said you could do a ping of 192.168.200.0 to 172.16.5.0. How about you 172.16.5.0 to 192.168.200.0 and 192.168.201.0?
also, just wondering if the vpn lan-to-lan or access remote vpn (i.e. using the cisco vpn client).
Tags: Cisco Security
Similar Questions
-
Is it possible to allow ports through the NatAlePortFilter, or disabled in Windows 7? It prevents Crysis 2 to bind to a port.
Hello
I thought I would provide an update to my problem.After reflection, I realized that the 'Base filtering engine' service was stuffing up and realized that a restarrt was all that necessary. Whenever I have the question, all I need to do is to restart the service, and that solves the problem of port binding.
Thank you
303i -
Impossible to pass traffic through the VPN tunnel
I have an ASA 5505 9.1 running. I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.
Here is my config
LN-BLF-ASA5505 > en
Password: *.
ASA5505-BLF-LN # sho run
: Saved
:
: Serial number: JMX1216Z0SM
: Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
:
ASA 5,0000 Version 21
!
LN-BLF-ASA5505 hostname
domain lopeznegrete.com
activate the password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.116.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP 50.201.218.69 255.255.255.224
OSPF cost 10
!
boot system Disk0: / asa915-21 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain lopeznegrete.com
network obj_any object
subnet 0.0.0.0 0.0.0.0
the LNC_Local_TX_Nets object-group network
Description of internal networks Negrete Lopez (Texas)
object-network 192.168.1.0 255.255.255.0
object-network 192.168.2.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
object-network 192.168.4.0 255.255.255.0
object-network 192.168.5.0 255.255.255.0
object-network 192.168.51.0 255.255.255.0
object-network 192.168.55.0 255.255.255.0
object-network 192.168.52.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.56.0 255.255.255.0
object-network 192.168.59.0 255.255.255.0
object-network 10.111.14.0 255.255.255.0
object-network 10.111.19.0 255.255.255.0
the LNC_Blueleaf_Nets object-group network
object-network 192.168.116.0 255.255.255.0
access outside the permitted scope icmp any4 any4 list
extended outdoor access allowed icmp a whole list
outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
outside access-group in external interface
!
router ospf 1
255.255.255.255 network 192.168.116.254 area 0
Journal-adj-changes
default-information originate always
!
Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.2.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 50.201.218.93
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
no use of validation
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto isakmp identity address
Crypto isakmp nat-traversal 1500
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access insidea basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
username
username
tunnel-group 50.201.218.93 type ipsec-l2l
IPSec-attributes tunnel-group 50.201.218.93
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home service
anonymous reporting remote call
call-home
contact-email-addr [email protected] / * /
Profile of CiscoTAC-1
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e519f212867755f697101394f40d9ed7
: end
LN-BLF-ASA5505 #.Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:
packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail
(simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)
-
No traffic through the VPN tunnel but at the same time
Hey everybody,
Good enough at the end of my VPN configuration but I have a question. The VPN connection is established and the remote computer can set up a VPN with my router (phases 1 and 2 are ok) but I can't ping all devices on both sides. I think it might be something about the acl. I created an acl that I linked with my group of vpn, what should I do something with the card?
Here is the configuration of the router
AAA new-model
!
!
local AuthentVPN AAA authentication login
local AuthorizVPN AAA authorization network
!
AAA - the id of the joint session
clock timezone GMT 1 0
clock summer-time recurring GMT
!
IP cef
!
DHCP excluded-address IP 192.168.0.1 192.168.0.99
!
Authenticated MultiLink bundle-name Panel
!
VPDN enable
!
VPDN-group MyGroup
!
!
model virtual Network1
!
username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
life 3600
!
ISAKMP crypto client configuration group myVPN
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx key
DNS 192.168.0.254
pool IPPoolVPN
ACL 100
!
!
Crypto ipsec transform-set esp - aes esp-sha-hmac T1
tunnel mode
!
!
!
crypto dynamic-map 10 DynMap
game of transformation-T1
market arriere-route
!
!
list of authentication of crypto client myMap AuthentVPN map
card crypto myMap AuthorizVPN isakmp authorization list
client configuration address map myMap crypto answer
card crypto myMap 100-isakmp dynamic ipsec DynMap
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
no ip address
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
No mop enabled
!
interface GigabitEthernet0/1
LAN description
no ip address
automatic duplex
automatic speed
No mop enabled
!
interface GigabitEthernet0/1.1
LAN description
encapsulation dot1Q 1 native
IP 192.168.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Dialer1
MTU 1492
the negotiated IP address
IP access-group RESTRICT_ENTRY_INTERNET in
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication pap callin
PPP chap hostname xxxx
PPP chap password 0 xxxx
PPP pap sent-name of user password xxxxx xxxx 0
crypto myMap map
!
IP pool local IPPoolVPN 192.168.10.0 192.168.10.100
IP forward-Protocol ND
!
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
The dns server IP
IP dns primary GVA. SOA INTRA NS. GUAM INTRA [email protected] / * / 21600 900 7776000 86400
IP nat inside source list 10 interface Dialer1 overload
overload of IP nat inside source list 11 interface Dialer1
overload of IP nat inside source list 20 interface Dialer1
overload of IP nat inside source list 30 interface Dialer1
overload of IP nat inside source list 110 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1
Route IP 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1
IP route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2
!
RESTRICT_ENTRY_INTERNET extended IP access list
TCP refuse any any eq telnet
TCP refuse any any eq 22
TCP refuse any any eq www
TCP refuse any any eq 443
TCP refuse any any eq field
allow udp any any eq 50
allow an ip
!
Dialer-list 1 ip protocol allow
!
!
SNMP - server RO G community
public RO SNMP-server community
entity-sensor threshold traps SNMP-server enable
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 20 allow 192.168.2.0 0.0.0.255
access-list 30 allow 192.168.3.0 0.0.0.255
access-list 100 permit ip 0.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access ip-list 110 permit a whole
I don't know if it useful, but here is the view the crypto ipsec command his:
Interface: Dialer1
Tag crypto map: myMap, local addr 213.3.1.13
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.10.12/255.255.255.255/0/0)
current_peer 109.164.161.35 port 49170
LICENCE, flags is {}
#pkts program: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
local crypto endpt. : 213.3.1.13, remote Start crypto. : 109.164.161.35
Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1
current outbound SPI: 0x54631F8B (1415782283)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
SPI: 0x8C432353 (2353210195)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel UDP-program}
Conn ID: 2033, flow_id: VPN:33 on board, sibling_flags 80000040, crypto card: myMap
calendar of his: service life remaining (k/s) key: (4212355/1423)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVE (ACTIVE)
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x54631F8B (1415782283)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel UDP-program}
Conn ID: 2034, flow_id: VPN:34 on board, sibling_flags 80000040, crypto card: myMap
calendar of his: service life remaining (k/s) key: (4212354/1423)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVE (ACTIVE)
outgoing ah sas:
outgoing CFP sas:
And on the side of the customer, when I go to the status of--> statistics, all packages have been circumvented, nobody is encrypted
Thanks for your help!
Sylvain,
Let me explain again:
IP nat inside source list 10 interface Dialer1 overload
overload of IP nat inside source list 110 interface Dialer1
Here you are from two ACL, but they are the same with the difference, that NAT 10 110 also but WITHOUT user VPN and everything inside. Problem is that 10 matches first, if the connection will not work. You can disable entry NAT with 10 110 because that will also:
no nat ip inside the source list 10 interface Dialer1 overload
That should be enough.
Michael
Please note all useful posts
-
How to open all ports through a VPN
I'll put up a second exchange server 2010 in a place of DR and a few problems. The two sites are connected by a pair of ASA5510 via the VPN, point-to-point. I want to exclude any possible VPN problems which maybe blocking ports and I wanted to know if there is an easy way to do it and just allow all unrestricted traffic between the two ASAs. I have attached the configs recurees here... Ewing is the main site and DBSi's DR site. I would appreciate help on this one!
Hello
Seems to me at least that they both have "sysopt" configuration which controls the VPN traffic entering the "external" to its default interface
And the default setting is that all traffic entering the ASA via a VPN connection will bypass the ACL attached to the "outside" interface
The command is "vpn sysopt connection permit". By default put in is not indicated when you issue the command 'show sysopt run '. So you can't really see in your running configuration.
Personally, if I don't get something not working after doing the settings, then I trust simply is newspapers that ASA sent to Syslog server or I followed the newspapers in real-time through ASDM.
If that gives no idea of what is the problem, I probably set up a capture on the ASA to confirm that when I see a link that I also see the return of traffic for this connection.
I also use the command of "packet - trace" often enough to verify that the appropriate NAT configuration is applied to the connection that a user tries.
Format of the command would be
entry Packet-trace
-Jouni
-
Cisco ASA VPN tunnel question - DMZ interface
I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The 1 that is not responding is a DMZ network. Excerpts from config below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop.
interface Ethernet0/1
Speed 100
half duplex
nameif inside
security-level 100
the IP 10.0.0.1 255.255.255.0
OSPF cost 10
send RIP 1 version
!
interface Ethernet0/2
nameif DMZ
security-level 4
IP 172.16.1.1 255.255.255.0
OSPF cost 10network object obj - 172.16.1.0
subnet 172.16.1.0 255.255.255.0object network comm - 10.240.0.0
10.240.0.0 subnet 255.255.0.0
network object obj - 10.0.12.0
10.0.12.0 subnet 255.255.255.0
network object obj - 10.0.14.0
10.0.14.0 subnet 255.255.255.0
network of the DNI-NAT1 object
10.0.84.0 subnet 255.255.255.0
network of the DNI-NAT2 object
10.0.85.0 subnet 255.255.255.0
network of the DNI-VIH3 object
10.0.86.0 subnet 255.255.255.0
network of the DNI-NAT4 object
10.0.87.0 subnet 255.255.255.0the DNI_NAT object-group network
network-object DNI-NAT1
network-object DNI-NAT2
network-object ID-VIH3
network-object NAT4 DNIDNI_VPN_NAT1 to access ip 10.0.0.0 scope list allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.12.0 DNI_VPN_NAT2 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.14.0 DNI_VPN_NAT3 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 172.16.1.0 DNI_VPN_NAT4 allow 255.255.255.0 object comm - 10.240.0.0
access-list extended DNI-VPN-traffic permit ip object-group, object DNI_NAT comm - 10.240.0.0NAT (inside, outside) source static obj - 10.0.12.0 DNI-NAT2 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 10.0.14.0 DNI-VIH3 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arpHello
I see that the issue here is the declaration of NAT:
NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
The correct statement would be:
NAT (DMZ, external) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
Go ahead and do a tracer of packages:
Packet-trace entry DMZ 172.16.1.15 tcp 443 detailed 10.240.X.X
Thus, you will see the exempt NAT works now.
I would like to know how it works!
Please don't forget to rate and score as correct the helpful post!
Kind regards
David Castro,
-
Problem passing traffic through the VPN tunnel
With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels upward. However, this one is stumping me, unless the ISP is to give false information. Using a router Cisco 871 on-site a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will go up but won't traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and - paste." So, the only question seems to be the modem/router provided by your ISP. Usually, when this happens, the problem is with NAT enabled on their equipment. According to them, that it is not enabled on their NAT router. Where can else I check? Any ideas?
Check access lists and a static route
Try these links: >
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml
-
Send all traffic through the vpn tunnel
Does anyone know how to send all traffic through the tunnel vpn on both sides? I have a server EZVpn on one side and one EZVpn client on the other. I'm not natting on each side. I use the value default 'tunnelall' for the attributes of group policy. On the client side all traffic, even if not intended for the subnet of the side server, seems to pass through the tunnel. But if I ping the side server, the same rules don't seem to apply. Traffic destined for rates aside customer through the tunnel, but the traffic that is not pumped on the external interface in the clear. That's not cool.
Hello
Clinet traffic to server through tunnel, that's right, right?
Traffic from server to client through tunnel, but the rest of the traffic is not, no?
This works as expected because in ezvpn, politics of "tunnel all ' is for traffic is coming from the client., do not leave the server.
Side server, customer traffic will pass through tunnel, the rest used.
Sian
-
Question of access list for Cisco 1710 performing the 3DES VPN tunnel
I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.
For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.
My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "
Any input or assistance would be greatly appreciated.
Map Test 11 ipsec-isakmp crypto
..
match address 120
Interface Ethernet0
..
card crypto Test
IP nat inside source overload map route sheep interface Ethernet0
access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 allow ip 192.168.100.0 0.0.0.255 any
sheep allowed 10 route map
corresponds to the IP 130
He would go through the interface e0 to the Internet in clear text without going above the tunnel
Jean Marc
-
Interpret what is allowed on the VPN tunnel
Hello
I work with Cisco PIX equipment for the first time and I'm trying to understand what is allowed on one of the VPN tunnels which are established on the PIX.
I interpret this PIX did by reading the running configuration. I was able to understand most of it (with the help of the cisco site), so I'm starting to get comfortable with it. I'm looking for more help in the interpretation of what is allowed by a good VPN tunnel. Here are some details:
map Cyril 2 ipsec-isakmp crypto
Cyril 2 crypto card matches the acl-vpntalk address
access list acl-vpntalk allowed ip object-group my_inside_network 172.17.144.0 255.255.255.0
So, if I interpret it correctly, then the traffic matching ACL acl-vpntalk will go on the VPN tunnel.
As far as the lists others access dedicated, my inner interface I have:
Access-group acl-Interior interface inside
With ACL-Interior:
access list acl-Interior ip allow a whole
So nothing complicated there.
Now, just because of all this I conclude I encouraged all remote network traffic in my site. If all traffic 172.17.144.0/24 is allowed to join my network.
However, I don't know if this conclusion is correct.
This ACL is also applied:
Access-group acl-outside in external interface
And it looks like:
deny access list acl-outside ip a
I'm not sure if this ACL applies to vehicles coming from the IPSEC peer. It's for sure inbound on the external interface, but if it is valid for the IPSEC traffic I don't know.
If it is valid, then am I had reason to conclude that only connections initiated from my inside network to the remote control can come back?
Thanks in advance for your ideas.
With sincere friendships.
Kevin
Hey Kevin,
Here are my comments, hope you find them useful:
1. the ACL called "acl-vpntalk" sets traffic who will visit the IPSec tunnel, so you got that right. All traffic from the group called "my_inside_network" will 172.17.144.0/24 will pass through the tunnel, and there should be a similar to the other VPN end opposite ACL.
2. the 'acl-inside' applied to the inside interface allows any ip traffic coming out of the isnide to any destination.
3. the 'acl-outside' rejects all traffic from entering your home network, but the IPSec traffic is free and will cross because you will find a "sysopt connection permit-ipsec' configured on your PIX command that tells the operating system to allow all traffic destined for VPN tunnels without explicitly enabling it through the inbound ACL. If you have stopped the "sysopt" should stop your traffic and you will have more control on your tunnel traffic.
Personally, I usually disable the "sysopt" and control the VPN traffic in my incoming ACL.
Just a quick note, if you look more deeply into the ACL on the PIX functionality, you will find that no traffic moves inside, if she is not allowed on the external interface. For example, you can allow traffic between "inside" and "dmz" interfaces by adding an entry 'allow' on one of the ACLS applied to one of these interfaces. But when you want to allow traffic from the external interface (security level 0), you will need to allow in the inbound ACL applied on the external interface.
I could have written something vague, but I hope you get my point.
Thank you.
Salem.
-
VPN connected, stream out of VPN tunnel
I mean that we have in place of the VPN Sites manage to sites with 2 RV042 router but it seams not as I wanted. Are you sure that each transfer of data through Router 2 will go into the VPN tunnel or it shuts down the VPN tunnel. I checked the routing table and saw that:
Sources mask Gateway Interface
2 1 or wan wan IP 255.255.255.0 ipsec0 private
By default 0.0.0.0 (ip wan 1 or 2) wan1 or wan2
.........
So what you think what sense data will pass through the line, it will go through the ipsec section or through wan1 or wan2. Ofcouse each data will pass through wan1 or wan2, but it can go inside the ipsec tunnel or ipsec outside tunnel. If she goes inside the ipsec tunnel, everything is ok, but if this isn't the case, transfer of unsecured data. I'm trying to access some website is not in private ip and it was outside ipsec tunnel go, I can capture and now that you have access.
Why with linksys have 2 work as draytek product even photos follow:
Can someone help me to answer this question, thank you for your attention
1. it depends on what the tunnels of your business allows. As I've written before, there are other protocols that allows you to route traffic through the VPN tunnel. Only IPSec cannot do this. For example, if your company uses GRE over IPSec then they can route traffic through their tunnels. Your RV does not support this.
2. If it's really plain IPSec then you cannot configure several subnets. You can try to implement the security group remote as a subnet more grand, such as 10.0.0.0/8. Of course the groups must match on both sides.
3. If you want to route all traffic through the tunnel, and then try to set the local/remote security to 0.0.0.0/0.0.0.0 group. Maybe it works.
The configuration of IPSec in the RV042 does not allow extremely complex configurations. It's mainly to connect two subnets between them.
-
Connectivity on the VPN tunnel problem.
Hello
I have a site to tunnel between the PIX506 and Cisco VPN 3000 Concentrator. I'll be spending it again ASA5510, so the tunnel will be established between the ASA and PIX. After inistial tests, I found only one box of remote network (time clock lol) is down by connectivity while tunnel between Pix and ASA (works fine with the hub). All traffic is allowed through the VPN tunnel built on SAA is? I understand it should be as long as the tunnel is running, correct? (Note: the remote clock uses ports TCP 8888 and 8889 to communicate with the server)
Thank you
If there is no filter, again all traffic should be allowed.
You need not choose L2TP connection is pure IPsec.
If you wish, you can post your configurations to check them out (you can remove sensitive information)
Federico.
-
Hi all
I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.
The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.
I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.
Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.
Any help is appreciated.
Best regards
Stefan
You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.
Make sure you also do "access management".
Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.
I hope it helps.
PK
-
NAT, ASA, 2 neworks and a VPN tunnel
Hello. I have a following question. I am trying to establish a VPN tunnel to a remote network used to be connected to our via a VPN tunnel. The problem is that the previous tunnel their share has been created for the x.x.x.x our coast network which will serve no more time a month, but is currently still active and used. As I'm trying to get this VPN tunnel as soon as possible without going through all the paperwork on the other side (political, don't ask) is it possible to make NAT of the new network in the network x.x.x.x for traffic through the VPN tunnel.
Something like this:
new network-> policy NAT in old x.x.x.x fork on ASA-> VPN tunnel to the remote network using x.x.x.x addresses
It is possible to add the new policy, but sometimes it can conflict with the former.
-
Authentication of ACS in the VPN tunnel
We want to enable the ACS authentication to connect to different routers (Cisco 881 s) we have obtained who are communicating with our WAN via VPN tunnels. We want to avoid using public IP of the router to communicate and pass information to user/password with the ACS server and rely on the IP of the server private instead. The problem is that external interfaces of the router connect to the Internet using public IP addresses and when the router wishes to communicate with the ACS server it will use its IP of the interface to the public and which will fail. We can ping on the server of course when we set the source to the internal LAN IP.
The question is are there any way to have the router contact ACS through the VPN tunnel using a private IP address?
config is used and tested with success on local equipment:
AAA new-model
RADIUS-server host 10.x.x.x single-connection key xxxxxx
AAA authentication login Ganymede-local group local Ganymede
AAA authorization commands x Ganymede-local group Ganymede + if authenticated
AAA authorization exec Ganymede-local group Ganymede + authenticated if
See the establishment of privileges exec level x
line vty 0 4
Ganymede-local authentication login
authorization controls Ganymede-local x
-ACS ping to the router (WAN via VPN connection) when using public IP address of the router as the source address:
RT881 #ping 10.x.x.x
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
-ACS ping to the router (WAN via VPN connection) when using IP private of the LAN as source address:
RT881 #ping source 10.x.x.1 10.x.x.x
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:
Packet sent with a source address of 10.x.x.1
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 72/72/76 ms
Looking forward to your responses and suggestions.
Thanks, M.
Hey Maher,
You can use the command 'Ganymede-source interface ip' or 'RADIUS source-interface ip' for your scenario.
I hope this helps!
Kind regards
Assia
Maybe you are looking for
-
Hello. I know I have it tacked on the end of another thread, but I thought DLI make my own post; I got my A60 SP since last September and its good always worked, but now it doent goes into sleep mode more properly - or rather it enters mode standby b
-
Why iTunes classify an artist as being various artists albums
It therefore has no value GREAT HELP thanks again itunes
-
Windows Vista & Palm Centro 690 do not talk to each other
After my other phone went through the washing machine I changed to this Palm unit. Active, came home and installed the synchronization software, worked well. A few days later tried to synchronize again, no luck. I'm working on for a few weeks tryi
-
If I create a website in 2014 of Muse, I will be able to open and add breakpoints in 2015 of Muse?
-
Just bought a Nikon D750 but RAW files cannot be opened
I recently bought a Nikon D750 and tried to download my RAW files from my camera card only my Mac. Yes, I got the jpg files and they could be opened, but none of the RAW files open, message says that the files are incompatible. I use a version of Mac