ASA 8.6 - l2l IPsec tunnel established - not possible to ping

Similar Questions

• Cisco ASA - l2l IPSEC tunnel two dynamic hosts

  Hello

  I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

  Hello

  ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
  i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

  On ASA, it is not possible to configure the tunnel between two dynamic peers.
  You will need to have a static end to configure static to dynamic IP.

  For routers, you can follow this link.
  I hope this helps.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• IPSec tunnel does not work

  Hi all

  We have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why.

  Add the output and the newspaper.

  Thanks for your help

  ASA-VPN-PRI/act/pri # sh crypto isakmp his
  !
  13 peer IKE: 91.209.243.5
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  !

  ASA-VPN-PRI/act/pri # sh crypto isakmp his | include the 91.209.243.5
  12 peer IKE: 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  ASA-VPN-PRI/act/pri # sh crypto ipsec his | include the 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = c516994b) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 36ecdf6a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = cb1b978d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: is.40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = f25bcdb5) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = 32bca075) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = a3f0e3f9) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Please repeat the debug with "debug crypto isakmp 100". And compare the config of the Phase 2 on both sides:

  1. Is what ACL crypto exactly in the opposite direction on both sides?
  2. Your transformation sets include exactly the same algorithms?

• IPSEC tunnels does not connect

  Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.

  IKE Phase 1 even not connect.

  I'm debugging, but I don't know what could be the error.

  -----------------------------------------------------------------------------

  = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
  12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
  12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
  12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
  12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
  12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
  12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
  12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
  12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
  12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  q

  Hello

  It seems that the tunnel is blocked to MSG_2.

  You can check if the UDP 500 traffic is not blocked between peers?

  Please check with your provider.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• IPSec tunnels do not work

  Hello

  I practice a bit with 2 CISCO 2811 routers and 2621. I did the basic configuration for an IPSec connection, but the tunnel seems not to lead. Also, I can ping the external interface of the other router, but I cannot ping inside network behind each of them. Any ideas? The external interface are connected via a cable UTP croosover. Here's the sh run of each:

  2621 router:

  !

  version 12.2

  horodateurs service debug uptime

  Log service timestamps uptime

  encryption password service

  !

  hostname RPrueba2

  !

  logging buffered 51200 warnings

  enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70

  !

  username supervisor privilege 15 password 7 07062F49420C1A110513

  voice-card 1

  !

  IP subnet zero

  !

  !

  !

  !

  crypto ISAKMP policy 1

  md5 hash

  preshared authentication

  ISAKMP crypto keys Inelectra address 20.20.20.21

  !

  !

  Crypto ipsec transform-set base esp - esp-md5-hmac

  !

  Armadillo 1 ipsec-isakmp crypto map

  defined by peer 20.20.20.21

  security-association value seconds of life 4000

  Set transform-set basic

  PFS Group1 Set

  match address 101

  !

  call the rsvp-sync

  !

  !

  !

  !

  !

  !

  controller E1 1/0

  !

  !

  !

  interface FastEthernet0/0

  IP 192.168.250.1 255.255.255.0

  automatic duplex

  automatic speed

  !

  interface Serial0/0

  no ip address

  Shutdown

  !

  interface FastEthernet0/1

  IP 20.20.20.1 255.255.255.0

  automatic duplex

  automatic speed

  Armadillo card crypto

  !

  interface Serial0/1

  no ip address

  Shutdown

  !

  interface Serial0/2

  no ip address

  Shutdown

  !

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 20.20.20.21

  IP http server

  !

  !

  !

  !

  !

  !

  !

  !

  !

  access-list 101 permit ip 192.168.250.0 0.0.0.255 any

  access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255

  !

  !

  Dial-peer cor custom

  !

  !

  !

  !

  !

  Line con 0

  password 7 020F0A5E07030C355E4F

  opening of session

  line to 0

  line vty 0 4

  privilege level 15

  password 7 12100B121E0E0F10382A

  opening of session

  transport input telnet ssh

  !

  end

  2811 router:

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  hostname RPrueba

  !

  boot-start-marker

  boot-end-marker

  !

  logging buffered 51200 warnings

  enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70

  !

  No aaa new-model

  !

  resources policy

  !

  iomem 15 memory size

  No network-clock-participate wic 1

  IP subnet zero

  !

  !

  IP cef

  !

  !

  !

  !

  voice-card 0

  No dspfarm

  !

  username supervisor privilege 15 password 7 07062F49420C1A110513

  !

  !

  controller E1 1/0/0

  !

  !

  crypto ISAKMP policy 1

  md5 hash

  preshared authentication

  ISAKMP crypto keys Inelectra address 20.20.20.1

  !

  !

  Crypto ipsec transform-set Ineset ah-md5-hmac esp - a

  Crypto ipsec transform-set base esp - esp-md5-hmac

  !

  Armadillo 1 ipsec-isakmp crypto map

  defined by peer 20.20.20.1

  security-association value seconds of life 4000

  Set transform-set basic

  PFS Group1 Set

  match address 102

  !

  !

  !

  !

  interface FastEthernet0/0

  IP 192.168.240.1 255.255.255.0

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/1

  IP 20.20.20.21 255.255.255.0

  automatic duplex

  automatic speed

  Armadillo card crypto

  !

  interface Serial0/0/0

  no ip address

  Shutdown

  no fair queue

  2000000 clock frequency

  !

  interface Serial0/0/1

  no ip address

  Shutdown

  2000000 clock frequency

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 20.20.20.1

  !

  !

  IP http server

  no ip http secure server

  !

  access-list 101 permit ip 192.168.240.0 0.0.0.255 any

  access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255

  !

  control plan

  !

  Line con 0

  password 7 020F0A5E07030C355E4F

  opening of session

  line to 0

  line vty 0 4

  privilege level 15

  password 7 12100B121E0E0F10382A

  opening of session

  transport input telnet ssh

  !

  Scheduler allocate 20000 1000

  !

  end

  I also tried the isakmp crypto see the its and there is nothing on the table. Thanks for any help.

  Gustavo

  Under card crypto router armadilloin 2621 =

  Use the ACL 102 crypto instead of 101.

  match address 102

  And then disable the isakmp its ipsec and its

  then try to ping.

• IPSec tunnels does not work

  I have 2 Cat6, with IPsec SPA card, while the other did not.

  I tried setting IPsec tunnel between them, but somehow can't bring up the tunnel, can someone help me to watch set it up?

  A (with SPA):

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 5

  ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 10

  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac testT1

  !

  Crypto ipsec profile P1

  Set transform-set testT1

  !

  Crypto call admission limit ike his 3000

  !

  Crypto call admission limit ike in-negotiation-sa 115

  !

  interface Tunnel962

  Loopback962 IP unnumbered

  tunnel GigabitEthernet2/37.962 source

  tunnel destination 172.16.16.6

  ipv4 ipsec tunnel mode

  Profile of tunnel P1 ipsec protection

  interface GigabitEthernet2/37.962

  encapsulation dot1Q 962

  IP 172.16.16.5 255.255.255.252

  interface Loopback962

  1.1.4.200 the IP 255.255.255.255

  IP route 2.2.4.200 255.255.255.255 Tunnel962

  B (wuthout SPA):

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 5

  ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

  !

  !

  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac T1

  !

  Crypto ipsec profile P1

  game of transformation-T1

  interface Tunnel200

  Loopback200 IP unnumbered

  tunnel GigabitEthernet2/1.1 source

  tunnel destination 172.16.16.5

  ipv4 ipsec tunnel mode

  Profile of tunnel T1 ipsec protection

  interface Loopback200

  2.2.4.200 the IP 255.255.255.255

  interface GigabitEthernet2/1.1

  encapsulation dot1Q 962

  IP 172.16.16.6 255.255.255.252

  IP route 1.1.4.200 255.255.255.255 Tunnel200

  I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just can not upwards. When I turned on "debugging ipsec cry ' and ' debug cry isa", nothing comes out, when I trun on 'cry of debugging sciences', I got:

  "00:25:17: crypto_engine_select_crypto_engine: can't handle more."

  Hello

  You need a map of IPSEC SPA on chassis B do IPSEC encryption. Please see the below URL for more details.

  Without a SPA-IPSEC - 2G or IPsec VPN Services Module of acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in the software only for administrative for Catalyst 6500 series switches and routers for the Cisco 7600 Series connections.

  http://www.Cisco.com/en/us/docs/switches/LAN/catalyst6500/IOS/12.2SXF/native/release/notes/OL_4164.html

  Kind regards

  Arul

  * Rate pls if it helps *.

• ASA or 871 l2l ipsec to SSG - 140: tunnel is up, but no traffic

  Hello

  I am currently troubleshooting an ipsec VPN l2l between

  1. ASA 7.2 (4) SSG - 140

  2 cisco 871W to SSG - 140

  In both scenarios the tunnel is well established and the traffic is in the tunnel, but nothing comes out. Of all the encap, but no decap

  Looks a routing problem, but we cannot find anything on the two sites.

  So maybe I m running in a (known) problem between equipment cisco VPN and SSG-140?

  I've searched the forum, but can not find any idea on this subject.

  If anyone has an idea the most welcome.

  What is a proxy-id problem? Cause they set up stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255

  Thanks in advance!

  Tom, I have not seen the downloaded configs or poster. I would focus on the asa as it's easier to troubleshoot. You can use the ease of packet trace to verify that the syn is sent through the encrypted and external interface. Also gives you the ability to capture. Of course, the problem is that the traffic is encrypted. A syn packet is small and hard to distinguish. Try to send a ping from 10 to 1000 pkt size and see if you can locate in the capture (ipsec will add about 80 bytes). You will need to do a quiet moment to make it easier. Assuming that you can identify the packages, you can repeat the capture and ask someone to do the same thing at the remote end. Also, try to do the ping from the remote device and see if you can capture packets. My guess is that there is something wrong at the other end or a firewall drop packets (ip prot 50) esp. If you want to send the config, display, capture of the [email protected] / * / I can take a look. Matthew

• IPSec tunnel do not come between two ASA - 5540 s.

  I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.

  Did I miss something that will prevent the tunnel to come?

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)

  ROC-ASA5540-A # sh run

  !

  ASA Version 8.0 (3)

  !

  CRO-ASA5540-A host name

  names of

  10.10.1.135 GHC_Laptop description name to test the VPN

  10.10.1.155 SunMed_pc description name to test the VPN

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.129 255.255.255.240

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.145 255.255.255.248

  !

  !

  outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto game 2 outside_map0 address outside_2_cryptomap

  outside_map0 crypto map peer set 2 10.10.1.147

  card crypto outside_map0 2 the value transform-set ESP-3DES-SHA

  outside_map0 card crypto 2 set nat-t-disable

  outside_map0 interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  Group Policy Lan-2-Lan_only internal

  attributes of Lan-2-Lan_only-group policy

  VPN-filter no

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.147 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.147

  pre-shared-key *.

  !

  ROC-ASA5540-A #.

  ----------------------------------------------------------

  ROC-ASA5540-B # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  name of host ROC-ASA5540-B

  !

  names of

  name 10.10.1.135 GHC_laptop

  name 10.10.1.155 SunMed_PC

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.153 255.255.255.248

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.147 255.255.255.248

  !

  outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map2 1 match address outside_cryptomap

  outside_map2 card crypto 1jeu peer 10.10.1.145

  outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA

  outside_map2 card crypto 1jeu nat-t-disable

  outside_map2 interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  internal Lan-2-Lan group strategy

  Lan Lan 2-strategy of group attributes

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.145 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.145

  pre-shared-key *.

  !

  ROC-ASA5540-B #.

  On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."

  Please reconfigure the ASA and let me know how it goes.

  Kind regards

  Arul

  * Please note the useful messages *.

• ASA 5505 VPN to IPSec website DOES NOT CONNECT

  I spent 2 days already to try to get 2 ASA 5505 to connect by using an IPSec vpn tunnel. I can't understand what im doing wrong, I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I am trying to connect via a link directly connected on the outside with 50.1.1.1 and 50.1.1.2 interfaces such as addresses (all 24). I also tried with and without active NAT. Here is for both of the ASA configs, the vpn config was conducted by the ASDM, but I also tried the approach of the command-line without success. I followed various guides to the letter online, starting with an empty config and factory default. I also tried the IOS 8.4.

  ASA 1 Config

  ASA 8.3 Version (2) ! VIC hostname activate 8Ry2YjIyt7RRXU24 encrypted password 2KFQnbNIdI.2KYOU encrypted passwd names of ! interface Vlan1 nameif inside security-level 100 IP 192.168.97.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 IP 50.1.1.1 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 Shutdown ! interface Ethernet0/3 Shutdown ! interface Ethernet0/4 Shutdown ! interface Ethernet0/5 Shutdown ! interface Ethernet0/6 Shutdown ! interface Ethernet0/7 Shutdown ! boot system Disk0: / asa832 - k8.bin passive FTP mode pager lines 24 Within 1500 MTU Outside 1500 MTU ICMP unreachable rate-limit 1 burst-size 1 don't allow no asdm history ARP timeout 14400 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-registration DfltAccessPolicy Enable http server http 192.168.97.0 255.255.255.0 inside No snmp server location No snmp Server contact life crypto ipsec security association seconds 28800 Crypto ipsec kilobytes of life - safety 4608000 association Telnet timeout 5 SSH timeout 5 Console timeout 0 a basic threat threat detection Statistics-list of access threat detection no statistical threat detection tcp-interception WebVPN ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns preset_dns_map parameters maximum message length automatic of customer message-length maximum 512 Policy-map global_policy class inspection_default inspect the preset_dns_map dns inspect the ftp inspect h323 h225 inspect the h323 ras Review the ip options inspect the netbios inspect the rsh inspect the rtsp inspect the skinny inspect esmtp inspect sqlnet inspect sunrpc inspect the tftp inspect the sip inspect xdmcp ! global service-policy global_policy context of prompt hostname call-home Profile of CiscoTAC-1 no active account http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email address of destination [email protected] / * / destination-mode http transport Subscribe to alert-group diagnosis Subscribe to alert-group environment Subscribe to alert-group monthly periodic inventory monthly periodicals to subscribe to alert-group configuration daily periodic subscribe to alert-group telemetry Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395

  Config ASA2
  ASA 8.3 Version (2) ! hostname QLD

  activate 8Ry2YjIyt7RRXU24 encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.100.1 address 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 50.1.1.2 255.255.255.0

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  Shutdown

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  Shutdown

  !

  interface Ethernet0/5

  Shutdown

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  Shutdown

  !

  passive FTP mode

  network of the SITEA object

  192.168.97.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.100.0_24 object

  255.255.255.0 subnet 192.168.100.0

  outside_1_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 object SITEA

  pager lines 24

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 static destination SITEA SITEA

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.100.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  peer set card crypto outside_map 1 50.1.1.1

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  tunnel-group 50.1.1.1 type ipsec-l2l

  IPSec-attributes tunnel-group 50.1.1.1

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  Review the ip options

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  !

  global service-policy global_policy

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff

  : end

  Hello Mitchell,

  Thanks for letting us know the resolution of this topic.

  Please answer the question as answered so future users can learn from this topic.

  Kind regards

  Julio

• Not possible to Ping from a computer on the Local IP network

  Through the IP address, I am unable, by using cmd.exe, ping multiple computers on the local network.  I'm able to do a ping of some local computers, but not all.  How can I solve this?

  Hello

  If the pings are not blocked by the firewall on the computers in question.

  Change their IPs and so you ping anything or something else is the problem with the network making it unreachable computers.

  Try to download and run this free application, may be it will show better the State of the network.

  http://www.SoftPerfect.com/products/networkscanner/

• Decision on DMVPN and L2L simple IPsec tunnels

  I have a project where I need to make a decision on which solution to implement... environment is as follows...

  • 4 branches.
  • Each branch has 2 subnets; one for DATA and another for VOICE
  • 2 ISPS in each (an Internet access provider and a provider of MPLS)
  • Branch #1 isn't necessarily the HUB office that all database servers and files are there are
  • Branch #2 is actually where the phone equipment
  • Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
  • MPLS is currently used for telephone traffic.
  • ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
  • I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.

  My #1 Option

  Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

  My #2 Option

  My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

  Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

  Thanks in advance

  Hi ciscobigcat

  Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

  The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

  Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

  So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

  QoS, it is important to use "prior qos rank".

  See for example

  http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

  http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

  HTH

  Herbert

• Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

  HelloW everyone.

  I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

  but the vpn does not come to the top. can someone tell me what can be the root cause?

  Here is the configuration of twa asa: (I changed the ip address all the)

  Singapore:

  See the race
  ASA 2.0000 Version 4
  !
  ASA5515-SSG520M hostname
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.15.4 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.5.3 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 160.83.172.8 255.255.255.224
  <--- more="" ---="">
                
  !
  <--- more="" ---="">
                
  interface GigabitEthernet0/3
  <--- more="" ---="">
                
  Shutdown
  <--- more="" ---="">
                
  No nameif
  <--- more="" ---="">
                
  no level of security
  <--- more="" ---="">
                
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.219 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  connection of the banner ^ C please disconnect if you are unauthorized access ^ C
  connection of the banner please disconnect if you are unauthorized access
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  network of the SG object
  <--- more="" ---="">
                
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.15.202
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  <--- more="" ---="">
                
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.15.0_24 object
  192.168.15.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  debugging in the history record
  asdm of logging of information
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  no failover
  <--- more="" ---="">
                
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
  !
  network of the SG object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
  Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
  Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
  Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  <--- more="" ---="">
                
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  Enable http server

  Community trap SNMP-server host test 192.168.168.231 *.
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps syslog
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 103.246.3.54
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400

  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  tunnel-group 143.216.30.7 type ipsec-l2l
  tunnel-group 143.216.30.7 General-attributes
  Group Policy - by default-GroupPolicy1
  <--- more="" ---="">
                
  IPSec-attributes tunnel-group 143.216.30.7
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  Overall description
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  <--- more="" ---="">
                
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:ccce9a600b491c8db30143590825c01d
  : end

  Malaysia:

  :
  ASA 2.0000 Version 4
  !
  hostname ASA5515-SSG5-MK
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.6.70 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.12.2 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 143.216.30.7 255.255.255.248
  <--- more="" ---="">
                
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.218 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  <--- more="" ---="">
                
  Interface Port - Channel 1
  No nameif
  no level of security
  IP 1.1.1.1 255.255.255.0
  !
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  clock timezone GMT + 8 8
  network of the SG object
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  <--- more="" ---="">
                
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.6.23
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.2.0_24 object
  192.168.6.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  asdm of logging of information
  <--- more="" ---="">
                
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  reverse IP check management interface path
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
  NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
  !
  network of the MK object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
  <--- more="" ---="">
                
  Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
  Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
  Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  the ssh LOCAL console AAA authentication
  Enable http server

  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 160.83.172.8
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  SSH timeout 60
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  <--- more="" ---="">
                
  tunnel-group MK SG type ipsec-l2l
  IPSec-attributes tunnel-group MK-to-SG
  IKEv1 pre-shared-key *.
  tunnel-group 160.83.172.8 type ipsec-l2l
  tunnel-group 160.83.172.8 General-attributes
  Group Policy - by default-GroupPolicy1
  IPSec-attributes tunnel-group 160.83.172.8
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  <--- more="" ---="">
                
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
  : end

  Good news, that VPN has been implemented!

  According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

  Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

  In addition, you can try to enable ICMP inspection:

  Policy-map global_policy
  class inspection_default

  inspect the icmp

  inspect the icmp error

• Cisco's ASA IPsec tunnel disconnects after a while

  Hi all

  I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.

  I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.

  But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.

  This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.

  SonicWALL publicip 1.1.1.2 192.168.10.0 subnet

  Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0

  ciscoasa # sh run
  : Saved
  :
  ASA Version 8.2 (1)
  !
  ciscoasa hostname
  domain default.domain.invalid
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  Speed 100
  full duplex
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.248
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  192.168.5.1 IP address 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  management only
  !
  passive FTP mode
  DNS domain-lookup outside
  DNS lookup field inside
  DNS server-group DefaultDNS
  Server name 66.28.0.45
  Server name 66.28.0.61
  domain default.domain.invalid
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  object-group service rdp tcp
  EQ port 3389 object
  object-group service tcp OpenVPN
  port-object eq 1194
  access list outside extended permit icmp any any echo response
  access list outside extended permit tcp any host # eq pptp
  outside allowed extended access will list any host #.
  list of extended outside access permit udp any any eq 1701
  extended outdoor access allowed icmp a whole list
  access list outside extended permit tcp any host # eq ftp
  access list outside extended permit tcp any host # eq ssh
  list of extended outside access permit tcp any host # object - group rdp
  turn off journal
  access list outside extended permit tcp any host 1.1.1.1 object - group Open
  VPN
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
  . 255.255.0
  access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
  . 255.255.0
  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
  55.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  management of MTU 1500
  IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
  IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (outside) 1 192.168.10.0 255.255.255.0
  NAT (outside) 1 192.168.5.0 255.255.255.0
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 192.168.5.0 255.255.255.0
  outside access-group in external interface
  Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.5.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic dynmap 5 the value reverse-road
  Crypto easyvpn dynamic-map 10 transform-set RIGHT
  Crypto-map dynamic easyvpn 10 reverse-drive value
  card crypto mymap 10 correspondence address l2l
  card crypto mymap 10 set peer 1.1.1.2
  card crypto mymap 10 transform-set RIGHT
  map mymap 30000-isakmp ipsec crypto dynamic easyvpn
  mymap outside crypto map interface
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 3600
  Telnet 192.168.5.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  Hello to tunnel L2TP 10
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal DefaultRAGroup group strategy
  attributes of Group Policy DefaultRAGroup
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec l2tp ipsec
  field default value cisco.com
  attributes of Group Policy DfltGrpPolicy
  internal band easyvpn strategy
  attributes of the strategy of band easyvpn
  value of 66.28.0.45 DNS server 66.28.0.61
  Protocol-tunnel-VPN IPSec
  enable IPSec-udp
  Split-tunnel-policy tunnelall
  the address value ippool pools
  VPN-group-policy DefaultRAGroup
  attributes global-tunnel-group DefaultRAGroup
  address l2tppool pool
  Group Policy - by default-DefaultRAGroup
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared-key *.
  tunnel-group DefaultRAGroup ppp-attributes
  No chap authentication
  ms-chap-v2 authentication
  tunnel-group 1.1.1.2 type ipsec-l2l
  1.1.1.2 tunnel-group ipsec-attributes
  pre-shared-key *.
  tunnel-group easyvpn type remote access
  tunnel-group easyvpn General attributes
  Group Policy - by default-easyvpn
  easyvpn group tunnel ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  inspect the tftp
  inspect the pptp
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:5542615c178d2803f764c9b8f104732b
  : end

  I guess you have typo in the configuration of the ASA?

  L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
  list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Can you confirm that you have configured instead the following:

  access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

  Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2

  In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):

  NAT (outside) 1 192.168.10.0 255.255.255.0

  Finally, pls turn off keepalive to SonicWall.

  If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• IPSec Tunnel upward, but not accessible from local networks

  Hello

  I have an ASA5520 and a Snapgear. The IPSec tunnel is in place and works very well. But I am not able to access the local LAN on both sides. Here are a few setups:

  SH crypt isakmp his

  Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
Type    : L2L             Role    : responder
Rekey   : no              State   : AM_ACTIVE

  Crypto/isakmp:

  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600

  Route SH:

  C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C    192.168.112.0 255.255.254.0 is directly connected, inside

  access-list:

  IPSECTEST_cryptomap list extended access allowed object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

  and here's the scenario:

  

  If I make a ping of the asa to the Remote LAN, I got this:

  ciscoasa (config) # ping 172.20.20.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.172.20.20.1, wait time is 2 seconds:
  No route to the host 172.20.20.1

  Success rate is 0% (0/1)

  No idea what I lack?

  Here's how to set up NAT ASA 8.3 exemption:

  network object obj - 172.16.3.0
  172.16.3.0 subnet 255.255.255.0

  network object obj - 172.20.20.0
  172.20.20.0 subnet 255.255.255.0

  NAT (inside, outside) source static obj - 172.16.3.0 obj - 172.16.3.0 destination static obj - 172.20.20.0 obj - 172.20.20.0

  Here's how it looks to the ASA 8.2 and below:

  Inside_nat0_outbound to access extended list ip 172.16.3.0 allow 255.255.255.0 172.20.20.0 255.255.255.0
  NAT (inside) 0-list of access Inside_nat0_outbound