ASA 8.4(1): L2L VPN can only be established through the default gateway
Hi all!
We have an ASA 5510 with two internet connections: one intended for the L2L VPN and the other for general internet access for users.
On ASA 8.0(4) I configured the crypto map on the "VPNAccess" interface and a static route to the remote L2L peer via the VPN internet access; the default route pointed to the general internet router.
We bought a new firewall with 8.4(1), and now the ASA only tries to bring up the tunnel to the remote peer if the peer traffic goes via the default gateway.
It does not take more specific routes (I mean longer masks) into account and always tries to use the default gateway, but only for the VPN; if I do a trace to that peer, it uses the routing table correctly.
Any advice?
Thank you!
Well, (any, any) certainly does not help.
You need to be more specific; otherwise, as suggested earlier, it does not know which interface to use because you have not specified it.
In addition, you must also be precise with the source and destination networks. Otherwise the firewall will not know which interface the subnet is connected to.
A more precise NAT statement would be better:
nat (<inside>,PublicTESAVPNBackup) source static <LOCAL-NET> <LOCAL-NET> destination static <REMOTE-NET> <REMOTE-NET>
Tags: Cisco Security
Similar Questions
-
Error: "details for this user account can only be updated through the site where it was created first"
I get this error when I try to set up a new email: "Details for this user account can only be updated through the site where it was created first." What should I do?
My email is down. If you respond by email please send it to [email protected]
Thank you
Rick
All sorted
Thank you very much for your help
On 2014-12-15 10:04, Anshul.sharma wrote:
ERROR FOR THIS USER ACCOUNT DETAILS CAN ONLY BE UPDATED THROUGH THE SITE WHERE IT WAS CREATED FIRST
created by Anshul.sharma in Going Live (Emails, users, domains) - view the full discussion
-
I can't connect to my default gateway
I'm trying to port forward on my router because I want to host a game server. For the port forward, I need to connect to my default gateway to change the things I need to change.
Reinstalling will almost certainly cause the loss of your data files and the applications that you added. First, consider the following steps.
1) Run the SFC /scannow command. This will check and, if necessary, repair all of the critical Windows system files.
Click on Start / All Programs / Accessories, then
right-click on the Command Prompt option and select "Run as Administrator".
(or open a command prompt in "Safe Mode")
At the command prompt, enter: SFC /scannow
Windows 7 - SFC /SCANNOW command - System File Checker
http://www.SevenForums.com/tutorials/1538-SFC-SCANNOW-Command-System-File-Checker.html
How to use the System File Checker tool to fix missing or corrupted system files on Windows Vista or Windows 7
http://support.Microsoft.com/kb/929833
How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista:
http://support.Microsoft.com/kb/928228
2) How to run a Startup Repair in Windows 7:
http://www.SevenForums.com/tutorials/681-startup-repair.html
"Startup Repair is a Windows 7 system recovery tool that can fix certain problems, such as missing or damaged system files (ex: boot MBR file), that might prevent Windows from starting correctly."
How to boot to the System Recovery Options in Windows 7:
http://www.SevenForums.com/tutorials/668-system-recovery-options.html
"The System Recovery Options menu is on the Windows 7 installation disc. If your computer manufacturer (OEM) has preinstalled the recovery options, the menu may also be installed on your hard drive as a recovery partition."
How to create a Windows 7 system repair disc:
http://www.SevenForums.com/tutorials/2083-system-repair-disc-create.html
"This will show you how to create a Windows 7 system repair disc to use at startup in the System Recovery Options if you do not have a Windows installation disc, cannot find your Windows installation disc, or cannot access the recovery options provided by your computer manufacturer."
Windows 7 - Repair Install:
http://www.SevenForums.com/tutorials/3413-repair-install.html
"This will show you how to do a repair install of Windows 7 to fix the installation while preserving your user accounts, data, programs and system drivers."
Windows 7 - Download the repair disc
http://NeoSmart.net/blog/2009/Windows-7-system-repair-discs/
-
VPN tunnel between 2 ASA 5505 with the same default gateway
Hello
Is it possible to create an IPsec site-to-site VPN (lab environment) between two 5505s (ASA 8.2(5) & asdm-645-206) with the same default gateway? That is, a back-to-back VPN tunnel, or do I have to deploy a router and hang each 5505 off a different interface? We have a lot of public IPs but only one gateway from our ISP (Internet). Any suggestions or recommendations are very appreciated!
d
Yes - you can even do it with a crossover cable and a /30 on both outside interfaces.
-
ASA inside-to-VPN-client routing problem
Hello
I have a problem where I can't reach the VPN clients at their VPN pool IPs from the inside or from the ASA itself. Connected VPN clients can access the internal network fine. I have no NAT configured for the VPN pool, and packet-tracer encrypts the packet and puts it into the tunnel. I'm not sure what's wrong.
Here is some relevant config:
object network obj-192.168.245.0
 subnet 192.168.245.0 255.255.255.0
ip local pool vpn 192.168.245.1-192.168.245.50
nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
Packet-tracer output:
Firewall# packet-tracer input inside icmp x.x.x.x 8 0 192.168.245.33
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional information:
in   192.168.245.33  255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-inside in interface inside
access-list acl-inside extended permit icmp any any echo
Additional information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
Additional information:
Static translate x.x.x.x/0 to x.x.x.x/0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional information:
New flow created with id 277723432, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
There is no route to the VPN address pool. Maybe that's the problem? I don't know anything other than that it used to work before we went to 8.4.
Check whether the firewall is enabled on your RA-VPN client host and is blocking your pings.
-
ASA L2L VPN design question
We expect to have more than 10,000 remote L2L VPN peers.
I see that each crypto map entry needs a "set peer" statement, and the IP address is the address of the remote L2L VPN peer.
EX:
crypto map UNI-POP 3 set peer 172.23.0.3
. . .
crypto map UNI-POP 10000 set peer 172.26.0.250
I already feel that this will be a VERY long config, maybe too big to save/read from memory.
Would anyone have a better approach?
Thank you
Frank
Frank,
If the remote ends will only connect from time to time, you should not need "set peer" statements, and normally a dynamic crypto map would suffice.
If the remote ends do not support certificates, it is possible to have them land on the DefaultL2LGroup tunnel-group.
bsns-asa5505-19# sh run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
(...)
You need to test yourself to see if it will work.
I also agree in terms of more than one firewall. Two devices in load balancing, or if possible 2 pairs of devices in failover clusters, could be a great way to have a decent load per machine and hardware redundancy (in ideal circumstances ;]). I suggest you ping your systems engineer; for any deployment involving 5585s the guys can usually give good advice (and discounts ;]).
Marcin
-
I have an L2L VPN tunnel on a Cisco ASA 5520 that I am trying to get RRI to work on. On my crypto map ACL I defined a local object-group and a remote object-group, and I'm doing one-to-one static NAT on the local group. I also have a route-map configured that will take the static routes and redistribute them into EIGRP. Two things: 1, I noticed I don't see on my ASA static routes that point to the remote subnets, and 2, the ACL that I used in my route-map definition is not getting any hits.
Any thoughts on where I can go wrong?
Thank you
Darren
Have you configured the following:
crypto map <map-name> <seq> set reverse-route
If you have, can you remove it and add it again and see if that fixes the problem?
-
Cannot ping the ASA inside interface IP from the remote site over the L2L VPN
The L2L VPN is established OK between ASA-1/ASA-2:
ASA-2# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 207.140.28.102
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
QUESTION: from 3750-2 we can ping 3750-1 (10.10.2.253) OK, but not the ASA-1 inside interface (10.10.2.254).
debug icmp on ASA-1:
ASA-1# debug icmp trace
debug icmp trace enabled at level 1
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=0 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=1 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72
Make sure you have "management-access inside" configured.
Let me know if this helps.
-
L2L VPN failing inbound on ASA 5520 (8.0(2))
The L2L VPN is dropping packets at Phase 5 because of a configured rule. I have an ISAKMP SA, but the client cannot connect to the destination here in my network. I'll post my access-list config at the bottom of the packet-tracer output.
vpnASA01# packet-tracer input inside icmp [10.0.0.243] 8 0 10.97.29.73 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional information:
Forward Flow based lookup yields rule:
in  id=0xc92087c8, priority=12, domain=capture, deny=false
    hits=85188209121, user_data=0xc916a478, cs_id=0x0, l3_type=0x0
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Forward Flow based lookup yields rule:
in  id=0xc87f1f98, priority=1, domain=permit, deny=false
    hits=85193048387, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional information:
in 10.0.0.0 255.0.0.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit rule
Additional information:
Forward Flow based lookup yields rule:
in  id=0xc87f3670, priority=111, domain=permit, deny=true
    hits=67416, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
== ACCESS-LIST + Config ==
object-group network L2LVPN-blah_local
 network-object 10.97.29.73 255.255.255.255
object-group network L2LVPN-blah_remote
 network-object [10.0.0.240] 255.255.255.240
access-list INBOUND_OUTSIDE extended permit ip object-group L2LVPN-blah_remote object-group L2LVPN-blah_local
access-list L2LVPN-blah_obj extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote
access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240
route outside [10.0.0.240] 255.255.255.240 [10.97.29.1] 1
crypto map outside-VPN 46 match address L2LVPN-blah_obj
crypto map outside-VPN 46 set peer [10.0.0.243]
crypto map outside-VPN 46 set transform-set esp-sha-aes-256
crypto map outside-VPN interface outside
tunnel-group [10.0.0.243] type ipsec-l2l
tunnel-group [10.0.0.243] ipsec-attributes
 pre-shared-key *
[10.0.0.x] is used to protect the client's public addresses. Assume these are being used in place of the actual IP range 10.0.0.240/28.
===========================================
Thanks in advance.
Michael Garcia
Profit Systems, Inc..
Hi Michael,
- Is the peer IP really part of the networks that make up the encryption domain?
- Is the INBOUND_OUTSIDE ACL applied inbound on the inside interface or on the outside interface? In its current form it would need to be on the outside interface.
- You specify the peer IP only in the SHEEP ACL, so all other traffic would be NATed and eventually denied because it does not match the encryption domain.
Someone else may have a few ideas, but these are questions I have for the moment.
James
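Both this thread and the "ASA inside-to-VPN-client routing problem" thread above hinge on reading a packet-tracer trace correctly: which phase denied the packet, and whether the egress interface is the same one the packet came in on (here "output-interface: inside" for a packet traced from inside, which says the destination was routed back the way it came rather than into the tunnel). The following parser is an added example, not code from either thread: it walks the Phase blocks, finds the first phase whose Result is not ALLOW and pulls the Drop-reason and interfaces out of the Result block. The two sample traces embedded in it are constructed for the example and shaped like the traces posted above, not copied from a device.

```python
"""Parse Cisco ASA packet-tracer output and report the denying phase.

Added example, not from the original posts. SAMPLE_DROP and SAMPLE_ALLOW are
constructed traces modelled on the posted ones, not captured from a device.
"""
import re
from typing import Dict, List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")   # "Type: NAT", "Drop-reason: ..."


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Return {'phases': [...], 'result': {...}}.

    Each phase dict carries number, type, subtype, result, the lines under
    'Config:' and the lines under 'Additional Information:'.
    """
    phases: List[dict] = []
    result: Dict[str, str] = {}
    current: Optional[dict] = None
    section = None          # 'config' or 'info' while inside a phase
    in_result = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":              # final verdict block, no phase number
            in_result, current, section = True, None, None
            continue
        if in_result:
            kv = KV_RE.match(line)
            if kv:
                result[kv.group(1).lower()] = kv.group(2).strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line.lower() == "additional information:":
            section = "info"
            continue
        kv = KV_RE.match(line)
        if section is None and kv and kv.group(1) in ("Type", "Subtype", "Result"):
            current[kv.group(1).lower()] = kv.group(2).strip()
            continue
        if section:
            current[section].append(line)
    return {"phases": phases, "result": result}


def first_denying_phase(parsed: Dict[str, object]) -> Optional[dict]:
    """First phase whose Result is not ALLOW, or None when every phase allowed."""
    for ph in parsed["phases"]:
        if ph["result"].upper() != "ALLOW":
            return ph
    return None


def summarize(text: str) -> dict:
    """Verdict, denying phase, drop reason, and whether the packet hairpinned."""
    parsed = parse_packet_tracer(text)
    res = parsed["result"]
    deny = first_denying_phase(parsed)
    in_if, out_if = res.get("input-interface"), res.get("output-interface")
    return {
        "action": res.get("action"),
        "in_if": in_if,
        "out_if": out_if,
        "hairpin": in_if is not None and in_if == out_if,   # egress == ingress
        "drop_phase": deny["number"] if deny else None,
        "drop_type": deny["type"] if deny else None,
        "drop_reason": res.get("drop-reason"),
    }


SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 277723432, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

if __name__ == "__main__":
    for name, trace in (("drop", SAMPLE_DROP), ("allow", SAMPLE_ALLOW)):
        print(name, summarize(trace))
```

Paste a real trace into `summarize()` (or pipe `show`-style output through it) and the hairpin flag is the first thing to look at: when the egress interface equals the ingress interface for traffic that should have gone into a tunnel, the route lookup, not the crypto ACL, is what needs fixing.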
-
Easy VPN together with IPsec L2L (site-to-site) VPN on the same ASA 5505
Hi Experts,
We have an ASA 5505 in our environment, and currently two IPsec L2L VPN tunnels are established. But we intend to connect with Easy VPN (Network Extension Mode) to another site as a client. Is it possible to configure Easy VPN while keeping the currently active IPsec L2L (site-to-site) tunnels? If it is not possible, is there any workaround?
Here's the warning we get when trying to configure the Easy VPN client.
NOCMEFW1(config)# vpnclient enable
* Delete "nat (inside) 0 S2S-VPN"
* Detach the crypto map attached to the outside interface
* Remove user-defined tunnel-groups
* Remove manually configured ISAKMP policies
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
operation was detected and listed above. Please resolve the
above configuration and re-enable.
Thanks and greetings
ANUP sisi
"A dynamic crypto map must be installed on the server device."
Yes, a dynamic crypto map is configured on the Easy VPN server.
Thank you
-
Unable to pass traffic between ASA Site to Site VPN Tunnel
Hello
I have problems passing traffic between two ASA firewalls. The VPN tunnel is up, with a dynamic IP on one side and a static IP on the other. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access-list entries that are needed.
I've also attached the ASA5505 config and the ASA5510.
This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.
Thank you
Adam
Hello
Regarding your configuration: on the Remote Site ASA you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not go through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at the ACL configurations above. The "exempt" ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The "outside_1_cryptomap" ACL tells the ASA which traffic between the subnets should use the L2L VPN connection.
So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.
I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will of course have its internal subnets as the source and the Remote Site LAN as the destination.
The output of "show crypto ipsec sa" shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed because the configuration is lacking at LEAST on the Remote Site ASA. It could also be the Central Site.
-Jouni
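The two checks in the answer above (the remote side's crypto ACL must be the mirror image of the central side's, and every crypto ACE must be covered by a NAT-exempt ACE on an 8.2-style box) are mechanical enough to script. What follows is an added example, not code from the thread: it parses "permit ip" ACEs of the named ACLs, computes which mirrored entries the remote site is missing, emits them as lines to paste, and lists crypto ACEs that the NAT0 ACL does not cover. The two configs inside it are constructed for the example (the post redacts its masks, so /24 and /16 are assumed) and the ACL names are taken from the post.

```python
"""Mirror-check two ASAs' crypto ACLs and check NAT-exempt coverage.

Added example, not from the original post. REMOTE_SITE and CENTRAL_SITE are
constructed configs; the masks are assumptions since the post redacts them.
Only 'permit ip' ACEs with any / host X / NET MASK endpoints are handled.
"""
import ipaddress
import re
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+?)\s*$")


def _parse_endpoint(tokens: List[str]) -> Net:
    """Consume one ACL endpoint: 'any', 'host X' or 'NET MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_acl(config: str, name: str) -> Set[Pair]:
    """(src, dst) network pairs of the 'permit ip' ACEs belonging to ACL `name`."""
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        tokens = m.group(2).split()
        src = _parse_endpoint(tokens)
        dst = _parse_endpoint(tokens)
        pairs.add((src, dst))
    return pairs


def mirror(pairs: Set[Pair]) -> Set[Pair]:
    """The same ACEs as the far end must write them: src and dst swapped."""
    return {(d, s) for s, d in pairs}


def as_ace(name: str, src: Net, dst: Net) -> str:
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def suggested_additions(local_cfg: str, local_name: str,
                        peer_cfg: str, peer_name: str) -> List[str]:
    """ACEs the local crypto ACL lacks to mirror the peer's crypto ACL."""
    local = parse_acl(local_cfg, local_name)
    peer = parse_acl(peer_cfg, peer_name)
    return [as_ace(local_name, s, d) for s, d in sorted(mirror(peer) - local, key=str)]


def nat0_gaps(config: str, crypto_name: str, nat0_name: str) -> List[str]:
    """Crypto ACEs that no NAT-exempt ACE covers (they would be NATed and miss
    the encryption domain), returned as NAT0 lines to add."""
    nat0 = parse_acl(config, nat0_name)
    gaps = [(s, d) for s, d in sorted(parse_acl(config, crypto_name), key=str)
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]
    return [as_ace(nat0_name, s, d) for s, d in gaps]


# Constructed configs for the example (masks assumed; the post redacts them).
REMOTE_SITE = """
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.0.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.255.0
"""

CENTRAL_SITE = """
access-list outside_cryptomap extended permit ip 10.182.226.0 255.255.255.0 10.1.1.0 255.255.255.128
access-list outside_cryptomap extended permit ip 10.182.0.0 255.255.0.0 10.1.1.0 255.255.255.128
access-list outside_cryptomap extended permit ip 192.168.170.0 255.255.255.0 10.1.1.0 255.255.255.128
access-list outside_cryptomap extended permit ip 140.15.0.0 255.255.0.0 10.1.1.0 255.255.255.128
"""

if __name__ == "__main__":
    adds = suggested_additions(REMOTE_SITE, "outside_1_cryptomap", CENTRAL_SITE, "outside_cryptomap")
    print("\n".join(adds))
    fixed = REMOTE_SITE + "\n".join(adds) + "\n"
    print("\n".join(nat0_gaps(fixed, "outside_1_cryptomap", "exempt")))
```

Run against both sides' running configs and apply the printed lines; an empty result in both directions is what "identical" in the answer above means in practice. Object-groups, "permit tcp/udp" ACEs and the post-8.3 twice-NAT form are outside what this parser handles.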
-
Directing specific ports down an L2L VPN
I have a client who is trying to use an ISP-hosted web filtering and content management gateway; the ISP wants to use an L2L IPsec VPN from the customer site to their front door to control the traffic. Today we have the tunnel up with a test ACL sending the customer-side test device down the tunnel, but that blocks all traffic that is not being analysed. The problem is that they are on an ASA 5510 with 8.2(2). You cannot add TCP ports in the sheep ACL; it errors when you try to apply the "nat (inside) 0 access-list sheep" statement. We can define the ports to go down the VPN in the interesting-traffic ACL with port numbers, but there is no way to send just the web ports down the VPN and let the other ports out through the regular overloaded NAT interface. I was looking at 8.4 to see if it allows a policy NAT (twice NAT for VPNs) to set a port for a range of IPs (i.e. nat (inside,outside) source static any any destination static WEBINSPECT WEBINSPECT), but that would only define it for the web ports.
I don't have a test ASA to use, but I guess the L2L VPN will only be by IP and I cannot define a port for the tunnel.
In any case, it is a strange one, but ideas are welcome. I don't think it's possible, but I thought I'd see if anyone has encountered it before.
Hello
Well, to give you a simple example where we use twice NAT / manual NAT to handle the traffic.
For example, a configuration I just did on my 8.4(5) ASA.
The following configuration will
- Define the "object" that contains the source network for the NAT
- Define the "object" that contains the service for the NAT
- Define the actual NAT
The actual NAT will make any connection from the network under the "WIRELESS" network object to destination port TCP/80 be sent out the "WAN" interface without NAT.
Of course, the next step with an L2L VPN would be that the network under the "WIRELESS" network object matches the L2L VPN ACL. But that seemed straightforward for you already.
object network WIRELESS
 subnet 10.0.255.0 255.255.255.0
object service WWW
 service tcp destination eq www
nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
The following configuration will
- Define the "object-group" that defines the source networks of the default PAT rule for Internet traffic
- Define the "object" for the PAT address (could just use "interface" instead of the "object")
- Define the actual NAT
The NAT configuration will just make a default PAT rule for the wireless network. The key thing to note here is that we use the "after-auto" parameter. This basically inserts the NAT rule at the very bottom of the ASA's NAT priority.
object-group network WIRELESS-NETWORK
 network-object 10.0.255.0 255.255.255.0
object network PAT-1.1.1.1
 host 1.1.1.1
nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
Now we can use the "packet-tracer" command to confirm that the NAT works as expected.
WWW TEST-TRAFFIC
ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
Additional information:
NAT divert to egress interface WAN
Untranslate 1.2.3.4/80 to 1.2.3.4/80
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
Additional information:
Static translate 10.0.255.100/12355 to 10.0.255.100/12355
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
Additional information:
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional information:
New flow created with id 1727146, packet dispatched to next module
Result:
input-interface: WLAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
FTP TEST TRAFFIC
ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 21
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional information:
in   0.0.0.0         0.0.0.0         WAN
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
Policy-map global_policy
class inspection_default
 inspect ftp
service-policy global_policy global
Additional information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
Additional information:
Dynamic translate 10.0.255.100/12355 to 1.1.1.1/12355
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
Additional information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional information:
New flow created with id 1727154, packet dispatched to next module
Result:
input-interface: WLAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
As you can see, the TCP/80 traffic matches the first rule, and the FTP used as the other example matches the default PAT rule, as expected.
If you want to know a little more about the new 8.3+ NAT format, you can check a document I created:
https://supportforums.Cisco.com/docs/doc-31116
Hope this helps. Please mark the question as answered or rate the reply if it helped.
Naturally, ask more if necessary.
-Jouni
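The point of "after-auto" in the answer above is lookup order: the ASA walks section 1 (manual NAT), then section 2 (object NAT), then section 3 (manual NAT with after-auto), and the first match wins, so a catch-all PAT placed in section 1 would shadow any object NAT for hosts inside the same subnet. The following model is an added example, not configuration or code from the thread: it encodes the two rules posted above as data, adds a constructed object-NAT rule for a server in the wireless subnet so that the ordering effect is visible, and looks up the same flows the packet-tracer runs above used. Within section 2 the real ASA orders static before dynamic and by prefix length; this model keeps configuration order, which is enough for the rules here.

```python
"""Model of the ASA 8.3+ NAT table lookup order (sections 1, 2, 3).

Added example, not from the original post. WEB_SRV_STATIC and the Flow values
are constructed for the example; WWW_IDENTITY and PAT_AFTER_AUTO mirror the two
nat statements posted above. Section-2 ordering is simplified to config order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual, 2 = object (auto), 3 = manual after-auto
    real_if: str
    mapped_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY
    dst_port: Optional[Tuple[str, int]] = None   # e.g. ("tcp", 80); None = any service
    mapped_src: Optional[str] = None             # None = identity NAT (no translation)


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: NatRule, flow: Flow) -> bool:
    if (rule.real_if, rule.mapped_if) != (flow.in_if, flow.out_if):
        return False
    if ipaddress.ip_address(flow.src_ip) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst_ip) not in rule.dst:
        return False
    return rule.dst_port is None or rule.dst_port == (flow.proto, flow.dst_port)


def nat_lookup(table: List[NatRule], flow: Flow) -> Optional[NatRule]:
    """First match wins, walking section 1, then 2, then 3."""
    for section in (1, 2, 3):
        for rule in table:
            if rule.section == section and rule_matches(rule, flow):
                return rule
    return None


def translated_source(table: List[NatRule], flow: Flow) -> str:
    """Mapped source address the flow leaves with (unchanged for identity / no NAT)."""
    rule = nat_lookup(table, flow)
    if rule is None or rule.mapped_src is None:
        return flow.src_ip
    return rule.mapped_src


WIRELESS = ipaddress.ip_network("10.0.255.0/24")
WEB_SRV = ipaddress.ip_network("10.0.255.50/32")      # constructed host inside WIRELESS

WWW_IDENTITY = NatRule("source static WIRELESS WIRELESS service WWW WWW", 1,
                       "WLAN", "WAN", WIRELESS, dst_port=("tcp", 80))
WEB_SRV_STATIC = NatRule("object WEB-SRV: nat (WLAN,WAN) static 1.1.1.2", 2,
                         "WLAN", "WAN", WEB_SRV, mapped_src="1.1.1.2")
PAT_AFTER_AUTO = NatRule("after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1", 3,
                         "WLAN", "WAN", WIRELESS, mapped_src="1.1.1.1")
PAT_SECTION1 = NatRule("source dynamic WIRELESS-NETWORK PAT-1.1.1.1 (no after-auto)", 1,
                       "WLAN", "WAN", WIRELESS, mapped_src="1.1.1.1")

GOOD_TABLE = [WWW_IDENTITY, WEB_SRV_STATIC, PAT_AFTER_AUTO]        # as posted, plus the object NAT
SHADOWING_TABLE = [WWW_IDENTITY, PAT_SECTION1, WEB_SRV_STATIC]     # same PAT without after-auto


def demo() -> dict:
    """Mapped source for the flows from the packet-tracer runs above, plus the server."""
    www = Flow("WLAN", "WAN", "tcp", "10.0.255.100", "1.2.3.4", 80)
    ftp = Flow("WLAN", "WAN", "tcp", "10.0.255.100", "1.2.3.4", 21)
    srv = Flow("WLAN", "WAN", "tcp", "10.0.255.50", "1.2.3.4", 21)
    return {
        "www via good table": translated_source(GOOD_TABLE, www),
        "ftp via good table": translated_source(GOOD_TABLE, ftp),
        "server via good table": translated_source(GOOD_TABLE, srv),
        "server via shadowing table": translated_source(SHADOWING_TABLE, srv),
    }


if __name__ == "__main__":
    for label, mapped in demo().items():
        print(f"{label:28s} -> {mapped}")
```

The last two lines of the output are the point: with the PAT in section 3 the server keeps its static mapping, while the same PAT written without "after-auto" sits in section 1 and translates the server to 1.1.1.1 before the object NAT is ever consulted.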
-
2811: connecting two ASA5505 L2L VPNs
Hello
We have an HQ site with a 2811 (w/ ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 with an established IPsec L2L VPN.
I'm trying to connect a 2nd ASA, but I noticed that I can only add 1 crypto map to the external interface.
A "show ver" shows 1 Virtual Private Network module... Surely this does not mean only 1 VPN?
Can I use one crypto map and add a second "set peer" & "match address" inside the crypto map itself?
Thank you
Jason
Yes, you add another policy (crypto map entry) to your crypto configuration.
Thank you
Tarik Admani
* Please rate helpful posts *
-
Dynamic-to-static L2L VPN without DefaultL2LGroup
I was looking for a method to have a dynamic-to-static L2L VPN without using the DefaultL2LGroup, instead setting up several tunnel-groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses
Now the problem: the VPN comes up, but I can't reach any device with a ping.
Static side: ASA 5505 - 8.2(2)
Dynamic side: Zyxel P-661HW-D3
Here is the config of the ASA:
access-list outside extended permit icmp any any
access-list outside extended deny ip any any
access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 10.1.0.0 255.255.248.0
access-group inside in interface inside
access-group outside in interface outside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 1 match address ST_3710
crypto dynamic-map DN3710 1 set transform-set myset
crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy GP3710 internal
group-policy GP3710 attributes
 vpn-filter value ST_3710
 vpn-tunnel-protocol IPSec
tunnel-group TG3710 type ipsec-l2l
tunnel-group TG3710 general-attributes
 default-group-policy GP3710
tunnel-group TG3710 ipsec-attributes
 pre-shared-key *********
As you can see, the VPN is up:
2   IKE Peer: ***.***.***.***
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Thanks in advance if anyone can help me with this problem.
Kind regards
Luca
Hello Luca,
You are right about that: you can have the spokes land on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when doing the tunnel-group lookup for L2L tunnels with pre-shared keys:
- The IKE ID is checked first, and it could be a (fully qualified) hostname or an IP address
- If the IKE ID lookup fails, the ASA tries the peer IP address
- DefaultRAGroup/DefaultL2LGroup is used as a last resort
From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.
The problem I clearly see here is the vpn-filter that you have applied in the group-policy. Keep in mind that vpn-filters are applied in the inbound direction.
When a vpn-filter is applied to a group-policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the
remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL. Be careful when building the
ACL for use with the vpn-filter feature. The ACLs are built with the post-decrypted traffic in mind; however, they are also applied to the traffic
in the opposite direction. In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network is 10.1.0.0 255.255.248.0, so let's say you want to allow just Telnet:
The following ACE will allow the remote network to Telnet to the LAN:
access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
The following ACE will allow the LAN to Telnet to the remote network:
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
Note: the ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23" will also allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.
The ACE "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0" will also allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.
Kind regards
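The caveat at the end of the answer above (an ACE meant for Telnet also lets a host through to any port as long as it sources from port 23) is easy to misjudge, because the filter is evaluated on the decrypted remote-to-LAN direction of every flow, and LAN-initiated connections are therefore checked with their endpoints swapped. The following model is an added example, not code from the thread: it encodes the two ACEs above as data, evaluates a few connections the way the vpn-filter would see them, and beside them evaluates a tightened pair of ACEs that pins the ephemeral side to the 1024-65535 range. The flows, and the port-range hardening, are this example's constructions and not something the answer prescribes.

```python
"""Model of how an ASA vpn-filter ACL is matched on an L2L tunnel.

Added example, not from the original post. The ACEs mirror the two posted
above (with the remote network 10.51.10.0/24 in both, as the answer's prose
describes); the flows and the tightened TELNET_FILTER_TIGHT are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[int, int]]   # None = any port, (lo, hi) = inclusive range


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp SRC [src-port] DST [dst-port]' entry of a vpn-filter ACL.

    The ASA expects the remote (far-end) network as src and the local LAN as dst.
    """
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec


@dataclass(frozen=True)
class Conn:
    """A TCP connection as initiated: src_ip:src_port -> dst_ip:dst_port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _port_ok(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def _matches(ace: Ace, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ace.src and _port_ok(ace.src_port, src_port)
            and ipaddress.ip_address(dst_ip) in ace.dst and _port_ok(ace.dst_port, dst_port))


def vpn_filter_permits(acl: List[Ace], lan: ipaddress.IPv4Network, conn: Conn) -> bool:
    """Decide whether the vpn-filter lets `conn` through the tunnel.

    The filter is evaluated on the decrypted (remote -> LAN) direction of every
    flow, so a connection initiated from the LAN is checked with its endpoints
    swapped: the remote peer becomes the ACE source and the LAN host's
    ephemeral port becomes the ACE destination port.
    """
    if ipaddress.ip_address(conn.src_ip) in lan:
        s_ip, s_port, d_ip, d_port = conn.dst_ip, conn.dst_port, conn.src_ip, conn.src_port
    else:
        s_ip, s_port, d_ip, d_port = conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port
    return any(_matches(a, s_ip, s_port, d_ip, d_port) for a in acl)


def eq(port: int) -> PortSpec:
    return (port, port)


REMOTE = ipaddress.ip_network("10.51.10.0/24")
LAN = ipaddress.ip_network("10.1.0.0/21")

# The two ACEs from the answer above, as data:
#   access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
#   access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
TELNET_FILTER = [
    Ace(REMOTE, None, LAN, eq(23)),   # remote -> LAN Telnet
    Ace(REMOTE, eq(23), LAN, None),   # LAN -> remote Telnet, seen in the reply direction
]

# Tightened variant (this example's suggestion, not from the answer): pin the
# ephemeral side to 1024-65535 so sourcing from port 23 no longer reaches any port.
TELNET_FILTER_TIGHT = [
    Ace(REMOTE, (1024, 65535), LAN, eq(23)),
    Ace(REMOTE, eq(23), LAN, (1024, 65535)),
]


def demo() -> dict:
    """{flow label: (permitted by posted filter, permitted by tightened filter)}"""
    flows = {
        "remote telnet to LAN":       Conn("10.51.10.5", 40000, "10.1.0.10", 23),
        "LAN telnet to remote":       Conn("10.1.0.10", 40000, "10.51.10.5", 23),
        "remote sport 23 to LAN smb": Conn("10.51.10.5", 23, "10.1.0.10", 445),
        "LAN sport 23 to remote smb": Conn("10.1.0.10", 23, "10.51.10.5", 445),
        "remote to LAN smb":          Conn("10.51.10.5", 40000, "10.1.0.10", 445),
    }
    return {label: (vpn_filter_permits(TELNET_FILTER, LAN, c),
                    vpn_filter_permits(TELNET_FILTER_TIGHT, LAN, c))
            for label, c in flows.items()}


if __name__ == "__main__":
    for label, (loose, tight) in demo().items():
        print(f"{label:28s} posted={loose!s:5s} tightened={tight}")
```

The third and fourth rows are the gotcha from the answer: both directions of SMB get through the posted filter when the initiator picks source port 23, and neither does once the ephemeral side is constrained to a port range.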
-
ASA5510 L2L VPN cannot reach hosts on the other side
Hello experts,
I have an ASA5510 with 3 L2L VPNs and a remote-access VPN. Two L2L VPNs, Marielle and Aeromique, have no problem, but for the VPN ASPCANADA, from a host behind the ASA (192.168.100.xx) I can't reach 57.5.64.250 or .251, and vice versa. But the tunnel is up. Can you help me please? Thank you in advance.
Add these two lines to the NAT 0 access-list:
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250
Also make sure the mirror of these statements is in the remote ASA's NAT 0 access-list.
Test and validate the results.
HTH
Sangaré
Pls rate helpful posts