ASA 8.4. (1) VPN L2L can only be established through default gateway

Hi all!

We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.

On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.

We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.

It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.

Any advice?

Thank you!

Well well, (any, any) certainly does not help.

You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.

In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.

More precise best for NAT statement.

NAT (, PublicTESAVPNBackup) source static static destination

Tags: Cisco Security

Similar Questions

Error for this user account details can only be updated through the site where it was created first

I get this error will receive try to put in place a new email: "Details of the error for this user account can only be updated through the site where it was created first." What should I do?
My email is down. If you respond by email please send it to [email protected]
Thank you
Rick

All sorted

Thank you very much for your help

2014 12-15 10:04, Anshul.sharma wrote:

ERROR FOR THIS USER ACCOUNT DETAILS CAN ONLY BE UPDATED THROUGH THE SITE WHERE IT WAS CREATED FIRST

created by Anshul.sharma in going live (Emails, users, domains) - discover complete discussion

I can't connect to my default gateway

I'm trying to port before my router because I can host a server on a game. For the port forward, I need to connect to my default gateway to change the things I need to change.

Resettlement will almost certainly cause the loss of your data files and applications that you added. First, consider the following steps.

1) run the SFC/scannow command. This will check and repair if necessary all of the critical Windows system files.

Click on start / all programs/accessories then
Right-click on the command prompt option and select "Run as Administrator".
(or "Safe Mode" open a command prompt)
At the command prompt, enter: SFC/scannow

Windows 7 - order SCANNOW SFC - System File Checker
http://www.SevenForums.com/tutorials/1538-SFC-SCANNOW-Command-System-File-Checker.html

How to use the System File Checker tool to fix the system files missing or corrupted on Windows Vista or Windows 7
http://support.Microsoft.com/kb/929833

How to analyze the entries in log file generating the program Checker (SFC.exe) resources of Microsoft Windows in Windows Vista:
http://support.Microsoft.com/kb/928228

(2) how to run a startup repair in Windows 7:
http://www.SevenForums.com/tutorials/681-startup-repair.html
"Startup Repair is a Windows 7 system recovery tool that can fix certain problems, such as missing or damaged system files
(ex: boot MBR file), that might prevent Windows from starting correctly.

How to start on the System Recovery Options in Windows 7:
http://www.SevenForums.com/tutorials/668-system-recovery-options.html
"The System Recovery Options menu is on the Windows 7 installation disc. If your computer (OEM) manufacturer has preinstalled the recovery options, the menu can also be installed on your hard drive as a recovery partition. »

How to create a Windows 7 system repair disc:
http://www.SevenForums.com/tutorials/2083-system-repair-disc-create.html
"That you will show how to create a Windows 7 system repair disc to use at startup in the system recovery options if you do not have a disk Windows installation, cannot find your Windows installation disc, or cannot access to the recovery options provided by your computer manufacturer."

Windows 7 - repair facility:
http://www.SevenForums.com/tutorials/3413-repair-install.html
"This will show how to do a repair of trouble Windows 7 installation and to preserve your user accounts, data, programs and drivers of the system."

Windows 7 - download the repair disc
http://NeoSmart.net/blog/2009/Windows-7-system-repair-discs/

VPN tunnel between 2 ASA 5505 with the same default gateway

Hello

Is it possible to create a vpn ipsec site to site (laboratory environment) between two 5505 (ASA IOS 8.2 (5) & asdm-645-206) with the same default gateway. That is a VPN tunnel or a back to back-to-one site that I have to deploy a router and hang each 5505 out a different interface? We have a lot of public IP but only one gateway our ISP (Internet). Any suggestions or recommendations are very appeciated!

d

Yes - you can even do it with a xover cable and a 30 ip on both external interfaces.

ASA problem inside the VPN client routing

Hello

I have a problem where I can't reach the VPN clients with their vpn IP pool from the inside or the asa itself. Connect VPN clients can access internal network very well. I have no nat configured for the pool of vpn and packet trace crypt packages and puts it into the tunnel. I'm not sure what's wrong.

Here are a few relevant config:

network object obj - 192.168.245.0

192.168.245.0 subnet 255.255.255.0

192.168.245.1 - 192.168.245.50 vpn IP local pool

NAT (inside, outside) static source any any destination static obj - 192.168.245.0 obj - 192.168.245.0 no-proxy-arp-search to itinerary

Out of Packet trace:

Firewall # entry packet - trace inside the x.x.x.x icmp 8 0 192.168.245.33

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit rule

Additional information:

MAC access list

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 192.168.245.33 255.255.255.255 outside

Phase: 3

Type: ACCESS-LIST

Subtype: Journal

Result: ALLOW

Config:

Access-group acl-Interior interface inside

access list acl-Interior extended icmp permitted an echo

Additional information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 5

Type: INSPECT

Subtype: np - inspect

Result: ALLOW

Config:

Additional information:

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (inside, outside) static source any any destination static obj - 192.168.245.0

obj - 192.168.245.0 no-proxy-arp-search to itinerary

Additional information:

Definition of static 0/x.x.x.x-x.x.x.x/0

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Phase: 9

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 277723432 id, package sent to the next module

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

There is no route to the address pool of vpn. Maybe that's the problem? I don't know than that used to work before we went to 8.4.

Check if the firewall is enabled on your host from the client ravpn and blocking your pings.

Design of VPN L2L ASA question

We expect to have more than 10,000 remote VPN L2L clients.

I see that each crypto card needs a statement of 'same game' and the IP address is the address of the remote peer VPN L2L.

:

EX:

card encryption UNI-POP 3 set peer 172.23.0.3

: . . .

card crypto UNI-POP 10000 set peer 172.26.0.250

:

I already feel that this will be a VERY long config, maybe too big to save/read/from memory.

:

Anyone would be a better approach?

Thank you

Frank

Frank,

If the remote end will run only from time to time, you should not have set peer statements and normally it would suffice to have a dynamic encryption card.

If the remote ends do not support certificates, it is possible to land on defaultl2l tunnel-group.
```
bsns-asa5505-19# sh run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
(...)
```
You need to test yourself to see if it will work.

I also agree in terms of more than one firewall. With devices for two in the load balancing or if possible 2pairs of devices in the failover cluster could be great way to have a decent charge by machine and equipment redundancy (ideal circumstances]);. I suggest you ping your system engineer for sure any deployment involving 5585, guys can usually give good advice (and discounts;]).

Marcin

ASA IPP on VPN L2L w/NAT

I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

Any thoughts on where I can go wrong?

Thank you

Darren

You have configured the following:

crypto set reverse-road map

If you do, can you remove and Add again and see if that fixes the problem?

Do not do a ping ASA inside IP port of the remote site VPN L2L with her

The established VPN L2L OK between ASA-1/ASA-2:

ASA-2# see the crypto isakmp his

KEv1 SAs:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: 207.140.28.102

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

There are no SAs IKEv2

QUESTION: 3750-2, we ping 3750-1 (10.10.2.253) are OK, but not ASA-1 inside port (10.10.2.254).

Debug icmp ASA-1 data:

ASA-1 debug icmp trace #.

trace of icmp debug enabled at level 1

Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 0 len = 72

ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 0 len = 72

Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 1 len = 72

ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 1 len = 72

Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 0 len = 72

Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 1 len = 72

Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 2 len = 72

Make sure you have access to the administration # inside

lt me know f This allows.

VPN l2l failed inside on ASA 5520 (8.02)

VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.

vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xc92087c8, priority = 12, area = capture, deny = false

hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0

Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit rule

Additional information:

Direct flow from returns search rule:

ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false

hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

Phase: 3

Type: FLOW-SEARCH

Subtype:

Result: ALLOW

Config:

Additional information:

Not found no corresponding stream, creating a new stream

Phase: 4

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 10.0.0.0 255.0.0.0 inside

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DECLINE

Config:

Implicit rule

Additional information:

Direct flow from returns search rule:

ID = 0xc87f3670, priority = 111, domain = allowed, deny = true

hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

the output interface: inside

the status of the output: to the top

output-line-status: to the top

Action: drop

Drop-reason: flow (acl-drop) is denied by the configured rule

= ACCESS-LIST + Config =.

the object-group L2LVPN-blah_local network
network-object 10.97.29.73 255.255.255.255
the object-group L2LVPN-blah_remote network
network-object [10.0.0.240] 255.255.255.240

INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object

L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote

access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240

Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1

address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
peer set card crypto VPN-exterior 46 [10.0.0.243]
outside-VPN 46 transform-set esp-sha-aes-256 crypto card
outside-VPN interface card crypto outside

IPSec-l2l type tunnel-group [10.0.0.243]
IPSec-attributes of tunnel-group [10.0.0.243]
pre-shared-key *.

[10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28

===========================================

Thanks in advance.

Michael Garcia

Profit Systems, Inc..

Hi Michael,

-Is the IP peer really part of the network that make up the field of encryption?

-Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.

-You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption

Someone else may have a few ideas, but these are questions I have for the moment.

James

Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

Hi Experts,

We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

Here's the warning we get then tried to configure the easy VPN Client.

NOCMEFW1 (config) # vpnclient enable

* Delete "nat (inside) 0 S2S - VPN"

* Detach crypto card attached to the outside interface

* Remove the tunnel groups defined by the user

* Remove the manual configuration of ISA policies

CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

you

operation was detected and listed above. Please solve the

above a configuration and re - activate.

Thanks and greetings

ANUP sisi

"Dynamic crypto map must be installed on the server device.

Yes, dynamic crypto is configured on the EasyVPN server.

Thank you

Unable to pass traffic between ASA Site to Site VPN Tunnel

Hello

I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

I've also attached the ASA5505 config and the ASA5510.

This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

Thank you

Adam

Hello

Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
```
 access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 
```
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

-Jouni

Direct specific ports down a VPN L2L

I have a client who is trying to use an ISP hosted web filtering and content management a gateway, the ISP wants to use and L2L ISPEC VPN on site at their front door to control the traffic. Today we have the tunnel with an ACL test for peripheral test side customer down the tunnel, but that it blocks all traffic that is not being analyzed. The problem is that they are on an ASA 5510 with 8.2.2. You cannot add ports tcp in the ACL sheep, it error when you try to apply the nat 0 access-list statement sheep (inside). We can define the ports to go down the VPN traffic interesting ACL with number, but there is no way to send just the web ports down the VPN and allow the other ports on regular overflow interface NAT I was look in 8.4 and see if it allows a policy NAT (twice the NAT for virtual private networks) to set a port to a range of IPS (IE (: nat static destination WEBINSPECT-WEBINSPECT (indoor, outdoor) static source a whole) but who only define as web ports.

I do not have an ASA test to use, but I guess that vpn l2l will be only by IP and I can not define a port tunnel.

In any case, it is a strange, but the ideas are welcome. I don't think it's possible, but I thought I'd see if anyone encountered at the front.

Hello

Well to give you a simple example where we use the double NAT / manual transmission NAT to handle traffic

For example a configuration example I just did on my 8.4 (5) ASA

The following configuration will
- Set the 'object' that contains the source network for NAT
- Set the 'object' that contains the service for NAT
- Define the real NAT
The real NAT is going to make any connection from the network under 'Wireless' network object to the destination port TCP/80 will be sent 'WAN' interface without NAT

Of course it is the next step with VPN L2L network under 'network wireless of the object' would correspond to the ACL of VPN L2L. But that seemed straight forward for you already

the subject wireless network

10.0.255.0 subnet 255.255.255.0

service object WWW

Service tcp destination eq www

NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service

The following configuration will
- Define the "object-group", that defines networks of the source of the rule by default PAT for Internet traffic
- Set the 'object' for the PAT address (could just use 'interface' instead of the 'object')
- Define the real NAT
The NAT configuration will just make a rule by default PAT for the wireless network. The key thing to note here is that we use the setting "auto after." This basically inserts the NAT rule to the priority of the very bottom of the ASA.

object-group, network WIRELESS-network

object-network 10.0.255.0 255.255.255.0

network of the PAT object - 1.1.1.1

host 1.1.1.1

NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1

Now we can use the command "packet - trace" to confirm that the NAT works as expected.

WWW TEST-TRAFFIC

ASA (config) # packet - trace 12355 1.2.3.4 entry WLAN tcp 10.0.255.100 80

Phase: 1

Type: UN - NAT

Subtype: static

Result: ALLOW

Config:

NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service

Additional information:

NAT divert on the output WAN interface

Untranslate 1.2.3.4/80 to 1.2.3.4/80

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service

Additional information:

Definition of static 10.0.255.100/12355 to 10.0.255.100/12355

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 5

Type: NAT

Subtype: rpf check

Result: ALLOW

Config:

NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service

Additional information:

Phase: 6

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 8

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional information:

Phase: 9

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 1727146 id, package sent to the next module

Result:

input interface: WLAN

entry status: to the top

entry-line-status: to the top

the output interface: WAN

the status of the output: to the top

output-line-status: to the top

Action: allow

TEST FTP - TRAFFIC

ASA (config) # packet - trace entry tcp 10.0.255.100 WLAN 12355 1.2.3.4 21

Phase: 1

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 0.0.0.0 0.0.0.0 WAN

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 3

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

Policy-map global_policy

class inspection_default

inspect the ftp

global service-policy global_policy

Additional information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1

Additional information:

Definition of dynamic 10.0.255.100/12355 to 1.1.1.1/12355

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 6

Type: NAT

Subtype: rpf check

Result: ALLOW

Config:

NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1

Additional information:

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 9

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional information:

Phase: 10

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 1727154 id, package sent to the next module

Result:

input interface: WLAN

entry status: to the top

entry-line-status: to the top

the output interface: WAN

the status of the output: to the top

output-line-status: to the top

Action: allow

As you can see traffic TCP/80 corresponds to rule on the other. And the FTP used for example corresponds to rule by default PAT as expected.

If you want to know a little more about the new NAT 8.3 format + you can check a document I created

https://supportforums.Cisco.com/docs/doc-31116

Hope this helps you, please mark it as answered in the affirmative or rate of answer.

Naturally ask more if necessary

-Jouni

2811: connecting two VPN l2l ASA5505

Hello

We have a HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 with an established ipsec VPN l2l.

I'm trying to connect a 2nd ASA, but I noticed that I only add 1 cryptomap to the external interface.

A worm watch 1 Module of virtual private network... Surely this does not mean only 1 VPN?

Can I use a card encryption and add a second "peer set" & "corresponds to" address inside the card Cryptography itself?

Thank you

Jason

Yes, you add another poicy to your configuration encryption.

Thank you

Tarik Admani
* Please note the useful messages *.

VPN L2L dynamic to static w/o DefaultL2LGroup

I was looking for a method to have a VPN L2L static dyn without using DefaultL2LGroup but to set in place several groups of tunnel for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

Now the problem: the vpn rises, but I can't reach any device with a ping.

Side static: ASA 5505 - 8.22

Side Dynamics: Zyxel P-661HW-D3

Here is the config for the SAA:
```
access-list outside extended permit icmp any any

    access-list outside extended deny ip any any

    access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0

    access-list inside extended deny ip any any

    access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0

    access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
nat (inside) 0 access-list VPN

    nat (inside) 1 10.1.0.0 255.255.248.0
access-group inside in interface inside

    access-group outside in interface outside
crypto ipsec transform-set myset esp-3des esp-md5-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 1 match address ST_3710

    crypto dynamic-map DN3710 1 set transform-set myset
crypto map dyn-map 2 ipsec-isakmp dynamic DN3710

    crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10

    authentication pre-share

    encryption 3des

    hash md5

    group 2

    lifetime 86400
crypto isakmp policy 20

    authentication pre-share

    encryption des

    hash md5

    group 2

    lifetime 86400

    no crypto isakmp nat-traversal
group-policy GP3710 internal

    group-policy GP3710 attributes

    vpn-filter value ST_3710

    vpn-tunnel-protocol IPSec
tunnel-group TG3710 type ipsec-l2l

    tunnel-group TG3710 general-attributes

    default-group-policy GP3710

    tunnel-group TG3710 ipsec-attributes

    pre-shared-key *********
```
As you can see it the vpn is in place:
```
2   IKE Peer: ***.***.***.***

        Type    : L2L             Role    : responder

        Rekey   : no              State   : AM_ACTIVE
```
Thanks in advance if anyone can help me with this problem.

Kind regards

Luca

Hello Luca,

You have reason for it, you can have the spokes of landing on a separate tunnel-groups, not only for the DefaultL2LGroup, the ASA follows this sequence when making a tunnel-group looup for L2L tunnels with pre-shared keys:

- ike-id verified first and could be (full fqdn) host name or IP address

-If ike-id search fails ASA tent peer IP address

-DefaultRAGroup/DefaultL2LGroup is used as a last resort

The output of your "sh cry isa his" I can see that at least Phase 1 is in place for your tunnel, please make sure that it landed on the correct tunnel-group.

The problem I see clearly here is the VPN filter that you have applied Group Policy, keep in mind that we must apply filters on incoming management vpn.

When a vpn-filter is applied to a political group that governs a LAN to LAN VPN connection, the ACL must be configured with the
remote network in the position of the ACL src_ip and LAN in the position of dest_ip of the ACL. Be careful during the construction of the
ACL for use with the vpn-filter feature. The ACL are built with traffic after decrypted in mind, however, they are also applied to the traffic
in the direction opposite.

In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network 10.1.0.0 255.255.248.0. so let's say you want to allow just telnet:

The following ACE will allow remote Telnet network for LAN:

permit access-list vpnfilt-l2l 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23

The following ACE will allow LAN to Telnet to the remote network:
permit access-list vpnfilt-l2l 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

Note: The ACE access-list vpnfilt-l2l allowed 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23 will allow the local network establish a connection to the remote on any TCP port network if he uses a port source from 23.

The access-list vpnfilt-l2l allowed 10.0.0.0 ACE 255.255.255.0 eq 23 10.1.0.0 255.255.248.0 will allow the network to remote connect to the LAN on any TCP port if he uses a port source from 23.

Kind regards

ASA5510 VPN L2L cannot reach hosts on the other side

Hello experts,

I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

Add these two lines to the NAT 0 access list:

inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251

inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250

Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.

Test and validate results

HTH

Sangaré

Pls rate helpful messages

ASA 8.4. (1) VPN L2L can only be established through default gateway

Similar Questions

Maybe you are looking for