ASA (Active standby) site-to-Site VPN Question

Similar Questions

• Site to Site VPN question

  Hello world

  The vendor name is implemented server in our environment.

  We implement VPN site-to-site.

  Subnet it is interesting traffic 192.168.50.x

  Server IP 192.168.50.1 - Switch1 - ASA - Site to site VPN - provider ASA.

  Gateway server is on switch1 if this server requires access to the internet I need to know what config I need on ASA on my site?

  I want the server to access the internet through the provider network

  Concerning

  Mahesh

  Hello

  Your crypto ACL would be:

  ip access-list VPN-TO-VENDOR permit ip 192.168.50.0 255.255.255.0 any

  Cryptography providers ACL would be:

  ip acces-list VPN-TO-COMPANY permit ip any 192.168.50.0 255.255.255.0

  All traffic from 192.168.50.0/24 out of the application interface map encryption for any destination would be sent to the seller through the VPN. It will be useful.

• Site to site VPN question: passing a public IP with IPSEC

  Hi all

  I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.

  They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...

  Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.

  Any help is appreciated.

  The access list "natted-traffic" should say:

  extended traffic natted IP access list

  deny ip host 192.168.0.160 BB. ABM ABM BD

  deny ip host 192.168.0.160 BB. ABM BB.BE

  output

  I hope this helps.

  -Kanishka

• Cisco ASA active / standby Mac addresses

  Hi all

  Please advise on the underside.

  Say that I have to active / standby. I have two interfaces on each firewall configured as below

  For the primary (active)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.1111
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.1111
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  For secondary school (currently idle)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.2222
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.2222
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  According to my understanding of the DOC.

  To transfer traffic, other devices will use the main unit mac address and IP addresses.

  Please consider under the scenario:

  My primary unit has failed and secondary took over as active unit.

  Primary (standby)

  Secondary (active)

  secondary Q1) so now will use the IP address and Mac address as below? Please confirm

  10.1.1.1 & 6c41.6bb0.1111

  10.2.1.1 & 6c41.6aa0.1111

  Q2) I believe that the ip address of the primary (Standby) in aid will be

  10.1.1.2

  10.2.1.2

  It will use what mac addresses? What is the BIA of the secondary unit? Please notify

  Thanks in advance.

  Q1 Yes), IP address and the MAC will be moving to the new active unit so no matter who the network except the switch will notice failover event

  Q2) Yes, primary (watch now) will use IP addresses and MAC addresses available for secondary:

  6C41.6bb0.2222

  6C41.6aa0.2222

  Kind regards.

• ACL IPSEC site to site VPN question

  Okay, so just as a test of validation, I have a question for the group.  When you configure the cryptographic ACL that defines interesting traffic for a tunnel, are we able to use summaries?

  So let say site B is 10.5.10.0/24 and site A can be summarized with 10.10.0.0/16. Is it acceptable to write something like below for the crypto acl?

  access-list 101 permit ip 10.5.10.0 0.0.0.255 10.10.0.0 0.0.255.255

  A site would have the networks

  10.10.0.0/24

  10.10.1.0/24

  etc.

  Terminal head, then the ACL would be:

  access-list 101 permit ip 10.10.0.0 0.0.255.255 10.5.10.0 0.0.0.255

  Thanks for all your comments!

  Hello

  Yes, that's perfectly fine.

  As long as we have routes set up correctly, nothing should stand in your way of configuring the acl like this.

  Kind regards

  Praveen

• ASA active / standby after failover

  ASA 5520 tipping very well. My problem is I want the ASA elementary school to become active after returning to the line. I can't find all the commands that provide the primary unit back to active after a failure, I know I can get it back manually, but to be really dynamic. Thanks for your help.

  Jake,

  You must configure a failover pre-emption group to accomplish this kind of behavior.

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1002608

  HTH

  Rgds

  Jorge

  Any useful message rate

• Cisco ASA Site to Site VPN IPSEC and NAT question

  Hi people,

  I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

  ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

  Just an example:

  N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

  The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

  It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

  Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

  Grateful if someone can shed some light on this subject.

  Hello

  OK so went with the old format of NAT configuration

  It seems to me that you could do the following:

  • Configure the ASA1 with static NAT strategy
    • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
  • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
  • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
  • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
    • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
    • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
    • NAT (inside) 0-list of access to the INTERIOR-SHEEP
  • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
    • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

  I could test this configuration to work tomorrow but I would like to know if it works.

  Please rate if this was helpful

  -Jouni

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• question links to site 2 site VPN with authentication cert

  Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?

  Thank you very much!

  Hello

  You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

  Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".

  Please pass a note and mark as he corrected the post helpful!

  David Castro,

  Kind regards

• Using Cisco Client to site VPN on a behind a NAT ASA 5520

  I apologize if this has been asked and we answered in the forums.  I looked, and while I found a large number of entries that were dancing all around this question, I never found nothing which addressed this specific issue.   We currently use an ASA 5520 as the head end of a relatively large customer to site IPSEC VPN (approximately 240 users, not consecutively).   This ASA is currently sitting behind a Checkpoint firewall with a real publicly addressable IP address on its public interface.  All of our customers use the legacy Cisco VPN (not the one anyconnect) client.  We plan to a few controllers F5 link set up between ISPS and firewalls.   For VPN connectivity F5 recommends that we NAT IP address (called a broad IP) to point back to a private IP address on the ASA and F5.  My question is, will this work?   I've always heard say that the head of line needed to have a public IP address on this subject because this is what will be placed in packages for the client to respond to.

  For further information, here's what we have now and what we are invited to attend.

  Current

  ISP - router - firewall-fire - ASA (public IP address as endpoint)

  Proposed

  ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - Firewall - ASA (10.X.X.X as its external interface)

  Proposed alternative

  ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - ASA (10.X.X.X as its external interface)

  All thoughts at this moment would be greatly appreciated.   Thank you!

  Hello

  If there is a static NAT one by one on F5 to the external interface of the ASA, then I don't think they would be any problems.
  Because when the client will attempt to connect to IKE to the translated public IP, F5 will redirect the request to ASA outside interface that is configured for the VPN.

  In addition, to ensure the udp500, 4500 and esp is allowed and then you should be good to go.

  HTH

  Concerning
  Mohit

• Site to Site VPN working without Crypto Card (ASA 8.2 (1))

  Hi all

  Find a strange situation on our firewall to ASA5540:

  We have a few Site to Site VPN and also activate on the ASA VPN cleint, all are working properly. But finding that a VPN from Site to Site is running without crypto map configuration. Is this possible?

  I tried to erase isa his and claire ipsec his then VPN came once again. Tested too, it's the ping requests to a remote site through the VPN.

  I saw there are config tunnel-group for VPN but saw no card crypto and ACL.

  How is the firewall knows what traffic should be encrypted for this VPN tunnel without crypto card?

  This is the bug?

  Thanks in advance,

  It can be an easy vpn configuration.

  Could you post output config operation remove any sensitive information.  This could help us answer your question more specifically.

• Order of operations NAT on Site to Site VPN Cisco ASA

  Hello

  I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

  Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

  But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

  inside_map crypto 50 card value transform-set ESP-3DES-SHA

  tunnel-group 100.1.1.1 type ipsec-l2l

  tunnel-group 100.1.1.1 General-attributes

  Group Policy - by default-PHX_HK

  IPSec-attributes tunnel-group 100.1.1.1

  pre-shared key *.

  internal PHX_HK group policy

  PHX_HK group policy attributes

  VPN-filter no

  Protocol-tunnel-VPN IPSec svc webvpn

  card crypto inside_map 50 match address outside_cryptomap_50

  peer set card crypto inside_map 50 100.1.1.1

  inside_map crypto 50 card value transform-set ESP-3DES-SHA

  inside_map crypto 50 card value reverse-road

  the PHX_Local object-group network

  host of the object-Network 31.10.11.10

  host of the object-Network 31.10.11.11

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  host of the object-Network 10.17.128.20

  host of the object-Network 10.17.128.21

  host of the object-Network 10.17.128.22

  host of the object-Network 10.17.128.23

  the HK_Remote object-group network

  host of the object-Network 102.1.1.10

  inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

  outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

  public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

  public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

  public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

  public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

  He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

  the PHX_Local1 object-group network

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

  inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

  Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

  Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

  Thank you

  Kind regards

  Thomas

  Hello

  I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

  From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

  Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

  If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

  Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

  You have these guests who were not able to use the VPN L2L

  31.10.10.10 10.17.128.20

  31.10.10.11 10.17.128.21

  31.10.10.12 10.17.128.22

  31.10.10.13 10.17.128.23

  IF you want them to go to the VPN L2L with their original IP address then you must configure

  object-group, LAN

  host of the object-Network 10.17.128.20

  host of the object-Network 10.17.128.21

  host of the object-Network 10.17.128.22

  host of the object-Network 10.17.128.23

  object-group, REMOTE network

  host of the object-Network 102.1.1.10

  inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

  outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

  IF you want to use the L2L VPN with the public IP address, then you must configure

  object-group, LAN

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  object-group, REMOTE network

  host of the object-Network 102.1.1.10

  outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

  EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

  Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

  Be sure to mark it as answered if it was answered.

  Ask more if necessary

  -Jouni

• Site to Site VPN ASA 5510

  OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA.  I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510.  I have the VPN configured on the SAA and he said that the tunnel is up.  I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine.  If I try to ping on a local computer, I get a "Request timed out".  If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer.  The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted.  I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:

  My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:

  Router (Cisco 2811)

  |

  Layer switch 2 (ProCurve)

  |                                      |

  ASA5510 LAN computers

  I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.

  In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.

  From the console of the ASA, I get this:

  ASA5510 # ping 192.52.128.1
  Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 ms

  ASA5510 # show crypto ipsec his
  Interface: *.
  Tag crypto map: * _map, local addr: 10.52.120.23

  local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
  current_peer: x.x.x.204

  program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
  decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204

  Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
  current outbound SPI: C49EF75F

  SAS of the esp on arrival:
  SPI: 0x21FDBB9D (570276765)
  transform: esp-3des esp-md5-hmac
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 1, crypto-map: * _map
  calendar of his: service life remaining (KB/s) key: (3824999/3529)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC49EF75F (3298752351)
  transform: esp-3des esp-md5-hmac
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 1, crypto-map: * _map
  calendar of his: service life remaining (KB/s) key: (3824999/3527)
  Size IV: 8 bytes
  support for replay detection: Y

  From my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:

  C:\Users\***>ping 192.52.128.1

  Ping 192.52.128.1 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  Ping statistics for 192.52.128.1:
  Packets: Sent = 4, received = 0, lost = 4 (100% loss)

  C:\Users\***>ping 10.52.120.23

  Ping 10.52.120.23 with 32 bytes of data:
  Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255

  Ping statistics for 10.52.120.23:
  Packets: Sent = 4, received = 4, lost = 0 (0% loss),
  Time approximate round trip in milli-seconds:
  Minimum = 1ms, Maximum = 5ms, average = 2ms

  Count on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.

  Here is the running of the ASA configuration:

  ASA Version 7.0 (2)
  names of
  !
  interface Ethernet0/0
  nameif InsideNetwork
  security-level 100
  IP 10.52.120.23 255.255.255.0
  !
  interface Ethernet0/1
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  management only
  !
  activate the encrypted password of XXXXXXXXXXXXXXXX
  passwd encrypted XXXXXXXXXXXXXXXXXXX
  ciscoasa hostname
  domain default.domain.invalid
  passive FTP mode
  permit same-security-traffic intra-interface
  Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
  5.0 192.52.128.0 255.255.255.0
  Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
  .0 192.52.128.0 255.255.255.0
  pager lines 24
  asdm of logging of information
  management of MTU 1500
  MTU 1500 InsideNetwork
  management of the interface of the monitor
  the interface of the monitor InsideNetwork
  ASDM image disk0: / asdm - 502.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
  Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
  Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 10.52.120.0 255.255.255.0 InsideNetwork
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
  card crypto InsideNetwork_map 20 set peer x.x.x.204
  InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
  InsideNetwork_map InsideNetwork crypto map interface
  ISAKMP enable InsideNetwork
  part of pre authentication ISAKMP policy 10
  ISAKMP policy 10 3des encryption
  ISAKMP policy 10 md5 hash
  10 2 ISAKMP policy group
  ISAKMP life duration strategy 10 86400
  Telnet 10.52.120.0 255.255.255.0 InsideNetwork
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  dhcpd lease 3600
  dhcpd ping_timeout 50
  enable dhcpd management
  tunnel-group x.x.x.204 type ipsec-l2l
  x.x.x.204 group of tunnel ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  Policy-map global_policy
  class inspection_default
  inspect the dns-length maximum 512
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  Cryptochecksum:7e478b60b3e406091de466675c52eaaa
  : end

  I haven't added anything to the config except what seemed necessary to get the job of VPN tunnel.  It should be fairly clean.

  Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot

  Strange, but good news. Thanks for the update. I'm glad everything is working.

  THX

  MS

• Site-to-Site VPN - road on ASA (8.4.2)

  ASA-SiteA-

  Outside the int: 4,5,6,7

  inside the int: 10.1.1.1

  DMZ:192.168.0.1 255.255.255.0

  National-SiteA routes-

  Route outside 0.0.0.0 0.0.0.0 4,5,6,7 - road by default

  Route inside 172.10.1.0 255.255.255.0 10.1.1.1 - road join the ASA-SiteB-inside interface

  ASA-SiteB-

  Int - 50.1.2.3 outdoor

  inside the int: 172.10.1.1

  DMZ:192.168.87.1 255.255.255.0

  routes on ASA-SiteB-

  Route outside 0.0.0.0 0.0.0.0 50.1.2.3 - road by default

  Route inside 10.1.1.0 255.255.255.0 172.10.1.1 - road join the ASA-SiteA-inside interface

  Inside the two ASAs interfaces can communicate with each other through circuits MPLS. We want to create a VPN tunnel between two DMZ networks so that traffic passes through a tunnel through the local network. You can check the config below and indicate if any changes are needed.

  1 tunnel VPN to work, not the traffic must match a route on the ASA or simply to match the access-list(interesting traffic) for example after the configuration of the VPN tunnel between 192.168.0.0 and 192.168.87.0 networks when I ping 192.168.87.1 route IP made it reveal the tunnel because it fits to the interesting traffic or packets go to 4,5,6,7 where they correspond to the default?

  2. virtue normal Site VPN to Site traffic scenarios run on high security interface (DMZ or inside) and goes to the interface (outside) low security, but in the case above traffic intiates on low security interface (DMZ) and goes to the high safety (inside) interface which usually gets blocked unless there is an access list entry to allow that traffic. We must therefore have an IP address a whole (on the access list applied to UI in DMZ) entered between the two dmz networks

  Config on ASA-SiteA-

  Political IKEv1

  ASA - SiteA (config) #crypto ikev1 allow inside - Does allowing ikev1 on UI interrupts traffic?

  Ikev1 crypto policy of ASA - SiteA (config) # 100

  ASA - SiteA(config-ikev1-policy) preshared #authentication

  ASA - SiteA(config-ikev1-policy) #encryption 3des

  ASA - SiteA(config-ikev1-policy) #hash sha

  ASA - SiteA(config-ikev1-policy) #group 2

  ASA - SiteA(config-ikev1-policy) #lifetime 86400

  IPSEC tunnel

  ASA - SiteA (config) # crypto ipsec ikev1 transform-set VPN MPLS esp-3des esp-sha-hmac

  ASA - SiteA(cfg-crypto-trans) #mode transport

  Tunnel group

  ASA - SiteA (config) # tunnel - group172.10.1.1 type ipsec-l2l

  ASA - SiteA (config) # group172.10.1.1 - tunnel ipsec-attributes

  ASA - SiteA(config-tunnel-ipsec) # test pre-shared key

  Interesting traffic

  ASA - SiteA (config) #object Network Site-A-DMZ

  ASA - SiteA(config-network-object) #subnet 192.168.0.0 255.255.255.0

  ASA - SiteA (config) #object Network Site-B-DMZ

  ASA - SiteA(config-network-object) #subnet 192.168.87.0 255.255.255.0

  ASA - SiteA (config) #access - list - INTERESTING - VPN TRAFFIC extended permitted ip object SN-A-Site B-Site-SN

  ASA - SiteA (config) #nat (demilitarized zone, inside) static static destination source Site-A-DMZ DMZ-A-Site B-Site-DMZ Site-B-DMZ

  Crypto MAP

  ASA - SiteA (config) # 100 LAN VPN ipsec-isakmp crypto map

  ASA - SiteA(config-crypto-map) # address of correspondence-INTERESTING-TRAFFIC VPN
  ASA - SiteA(config-crypto-map) # set pfs group2

  ASA - SiteA(config-crypto-map) #set peer 172.10.1.1

  ASA - SiteA(config-crypto-map) #set transform-set ESP-3DES-SHA

  ASA - SiteA(config-crypto-map) #crypto interface of VPN - LAN card inside

  Yes, you need the correct route otherwise it will be just forwarded through the default gateway.

  So, on A Site, you should have:

  Route inside 192.168.87.0 255.255.255.0 10.1.1.x--> x should be the next jump of the SAA within the interface

  On Site B, you should have:

  Route inside 192.168.0.0 255.255.255.0 172.10.1.x--> x should be the next jump of the SAA within the interface

  Delete "transport mode" of two ASA.

  To answer your questions:

  1. Yes, it would be necessary to match a route, otherwise it will be routed through the default gateway.

  2. Yes, you must have access-list to allow high traffic of low level of security. If you want a full IP access, you can configure IP allowed between 2 LANs.

• Unable to pass traffic between ASA Site to Site VPN Tunnel

  Hello

  I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

  I've also attached the ASA5505 config and the ASA5510.

  This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

  Thank you

  Adam

  Hello

  Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

   access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

  Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

  So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

  I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

  THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

  -Jouni