ASA / ASA site-to-site as a backup link

I was instructed to implement a plan to use a site-to-site VPN link as a backup link for remote offices.  I am trying to simulate the solution in a lab, but am having some difficulty with it.  Our offices are currently connected by point-to-point fiber.  The site-to-site VPN will act as a backup if this link should happen to fail.

The sites use OSPF to establish the route between the HQ core router and the L3 switch at the remote site.  I have set up static routes with a metric of 250 that will kick in if the link goes down and the OSPF routes are removed.  The static routes point to the ASA devices.  Once the link goes down, the OSPF routes drop and the static routes kick in (this part works very well), sending traffic to the ASAs, which then set up the VPN tunnel between the sites.  With logging at debug level, I can see connections being built and torn down normally, and on both ASAs it looks like traffic is flowing, but it isn't.  I can't ping anything, and nothing connects.  My test office PCs, printers, etc. all lose their connection to the HQ side and will not function.  I get no deny messages on the ASA.

I have one site-to-site tunnel with a provider using the same ASA at headquarters, and that works very well.  All VPN settings were created using the ASDM VPN wizard.

Both ASAs run 8.3.  Both ASAs have their default route defined on the outside interface.

Any suggestions on where to look would be appreciated.  HQ uses several different subnets, which must be accessible from the remote site.  The VPN is defined for all 4, but if I look at the SAs (sh crypto ipsec sa), it only shows me one.  However, the working provider tunnel uses 2 on the HQ side and works.  Am I asking too much with 4?  Should I try building 4 separate VPNs, one for each subnet?

Hello

You should be fine with 4 different statements in your interesting-traffic ACL on the 5505.  One thing I noticed is that the 5505 receives its IP via DHCP, so I guess you have a static-to-dynamic L2L type of setup.  With this type of configuration, the tunnel must always be initiated from the 5505 (dynamic) side.  One thing to watch is to check that your NAT statements are properly ordered.  With 8.3, NAT order is very important.

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_10.107.0.0_16 NETWORK_OBJ_10.107.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1

If the dynamic NAT is in front of the VPN NAT rule, the VPN NAT rule will never be hit.  You should be able to issue the command 'show nat' or 'show nat detail' to check that the VPN NAT comes before the dynamic NAT.  If the dynamic NAT appears before the VPN NAT rule, you want to remove the dynamic NAT rule and re-add it.

Some good troubleshooting commands to check that phase 1/phase 2 are up on both sides and to see your phase 2 encaps/decaps counters:

show crypto isakmp sa

show crypto ipsec sa

Thank you!
Brian
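As an added example (not part of Brian's answer and not a Cisco tool), here is a small Python checker for exactly that ordering problem. It parses the manual NAT lines of an ASA 8.3+ running config, finds the VPN identity rule ('source static X X destination static Y Y'), reports any 'source dynamic' rule in Section 1 that precedes it on the same interface pair, and emits the remove/re-add commands Brian describes. The sample config lines are constructed from the two statements above; object names are compared literally and object contents are not resolved, so a dynamic rule sourcing a different object that happens to contain the VPN subnet would be missed (an assumption of this example).

```python
"""Flag a manual NAT rule that shadows the VPN identity NAT on ASA 8.3+.

Added example, not part of the original answer. ASA evaluates Section 1
(manual NAT) top-down, first match wins; a 'source dynamic' rule placed
before 'source static X X destination static Y Y' swallows VPN traffic.
Object names are compared literally ('any' matches everything); object
contents are not resolved, which is an assumption of this example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Running-config form, e.g.
#   nat (inside,outside) source dynamic any interface                  (Section 1)
#   nat (inside,outside) after-auto source dynamic any interface       (Section 3)
#   nat (inside,outside) source static A A destination static B B      (VPN identity)
_NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\)\s+"
    r"(?:(?P<seq>\d+)\s+)?"
    r"(?P<after_auto>after-auto\s+)?"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?:\s+destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)


class Rule(NamedTuple):
    lineno: int
    text: str
    ifaces: str
    section: int            # 1 = before auto NAT, 3 = after-auto
    kind: str
    real: str
    mapped: str
    dreal: Optional[str]
    dmapped: Optional[str]

    @property
    def is_vpn_identity(self) -> bool:
        # Real == mapped for both source and destination: no translation,
        # the 8.3+ equivalent of the old 'nat 0 access-list' exemption.
        return (self.kind == "static" and self.real == self.mapped
                and self.dreal is not None and self.dreal == self.dmapped)


def parse_manual_nat(config: str) -> List[Rule]:
    rules = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = _NAT_RE.match(line)
        if m:
            rules.append(Rule(n, line, m["ifaces"], 3 if m["after_auto"] else 1,
                              m["kind"], m["real"], m["mapped"], m["dreal"], m["dmapped"]))
    return rules


def shadowed_vpn_rules(config: str) -> List[Tuple[int, int]]:
    """(dynamic_lineno, identity_lineno) pairs where the dynamic rule is hit first."""
    rules = parse_manual_nat(config)
    hits = []
    for ident in (r for r in rules if r.is_vpn_identity and r.section == 1):
        for dyn in rules:
            if dyn.lineno >= ident.lineno:
                break
            covers = dyn.real == "any" or dyn.real == ident.real
            if dyn.kind == "dynamic" and dyn.section == 1 and dyn.ifaces == ident.ifaces and covers:
                hits.append((dyn.lineno, ident.lineno))
    return hits


def fix_commands(config: str) -> List[str]:
    """Remove and re-add each offending dynamic rule; a re-added manual rule
    lands at the end of Section 1, i.e. after the identity rule."""
    by_line = {r.lineno: r for r in parse_manual_nat(config)}
    cmds, done = [], set()
    for dyn_no, _ in shadowed_vpn_rules(config):
        if dyn_no not in done:
            done.add(dyn_no)
            cmds += ["no " + by_line[dyn_no].text, by_line[dyn_no].text]
    return cmds


# Constructed samples based on the two statements in the answer above.
WRONG_ORDER = """\
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_10.107.0.0_16 NETWORK_OBJ_10.107.0.0_16 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
"""
RIGHT_ORDER = "\n".join(reversed(WRONG_ORDER.strip().splitlines())) + "\n"
AFTER_AUTO = WRONG_ORDER.replace("nat (inside,outside) source dynamic",
                                 "nat (inside,outside) after-auto source dynamic")

if __name__ == "__main__":
    for name, cfg in [("wrong", WRONG_ORDER), ("right", RIGHT_ORDER), ("after-auto", AFTER_AUTO)]:
        print(name, shadowed_vpn_rules(cfg), fix_commands(cfg))
```

The 'after-auto' variant is the other clean fix: a dynamic PAT placed in Section 3 is only consulted after every Section 1 and Section 2 rule, so it can never capture the VPN traffic regardless of where it sits in the config.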

Tags: Cisco Security

Similar Questions

  • ASA site-to-site tunnel not passing traffic for some subnets after a while

    Hello

    We have a really strange issue with site-to-site tunnels on several ASAs.

    We run VPN tunnels between a small site and three larger ones.

    The small site has an ASA 5505; the other three main sites have ASA 5510s.

    One of the tunnels has been working for months without problems.

    Each tunnel carries several class C networks.

    Example: Site A:

    -192.168.50.0/24 (named A1)

    -192.168.51.0/24 (called A2)

    Site b:

    -192.168.60.0/24 (named B1)

    -192.168.61.0/24 (called B2)

    On the two faulty tunnels, all is well at the beginning. After a few days (1-14) some networks cease to work. So I can ping the B1 network from both A1 and A2, but the B2 network only from A2. Pings from A1 to B2 time out. The site A ASA shows tx = 0 traffic for A1<=>B2, but an increasing rx traffic count. ASA B shows rx = 0 for B2<=>A1 and tx counts going up.

    This happens unexpectedly after varying periods. Sometimes it hits the ASA on site B, where tx = 0; sometimes it is the ASA on site A.

    I tried to fix it with the following commands:

    clear crypto isakmp sa
    clear crypto ipsec sa
    clear xlate

    but nothing has worked. The only solution for now is to restart the ASA where the tx count shows 0. After restarting, everything works for a while.

    On one of the affected sites, we have an ASA failover configuration. A failover of the active device also solves the problem. But if you switch back to the old primary without restarting it, the issue returns immediately.

    I think that there is no configuration problem because:

    -All tunnels are configured in the same way, and one of them has been running for months without any problem

    -Tunnels work for all combinations of subnets after a reboot

    -The problem occurs after varying and long periods of time. So I think the period between failures is too long to be caused by tunnel timeouts and so on.

    All ASAs are running 9.1(5)21.

    I updated the firmware through several releases these past few months and had the same problem with every version I tested.

    So I hope that someone else has also had this problem and found a solution.

    Christian

    Hi!

    Did you ever solve this or find the root cause?

    Thank you

  • Cannot build the site offline with absolute links

    Hello.

    I'm building a site offline before uploading to the server.

    At first I just used relative links, so everything was fine. But now that I've changed to absolute links, I can't get a preview of my work because all of the scripts, style sheets, images, etc. link to an online address that does not exist yet.

    In Site Manager, I put in my local root folder information and my HTTP address. It seems to me that Dreamweaver should be able to substitute the local root folder for the HTTP address and thus be able to process the links locally. But this doesn't seem to be the case.

    So, how can I work offline but use absolute links in my documents?

    Thank you.

    > I went to absolute links because I have

    > my pages in separate directories and names of

    > these directories may change.

    I don't follow. If directory names are changing, you must update the links, whether you were using absolute, site-root-relative or document-relative links. Of course, if you change the name of the directory in DW, it will update all your links for you - unless you use absolute links. DW does not track absolute links.

  • Dynamic IP addresses on remote L2L VPN ASA sites

    Hello

    I have a client who is changing their backup links from ADSL to 4G LTE using Cisco 819s.

    Unfortunately, the ISP's 4G access will have dynamic IP addressing. Online, I see configurations for one remote site with a dynamic IP address talking to an ASA, but I can't find anything on several L2L sites connecting to the ASA with dynamic addressing.

    Can anyone help with configuration examples?

    Regards

    Richard

    Hi Richard,

    In the next few days I will also write a blog post about triple WAN failover using this configuration.

    Michael

  • ASA site-to-site: remote site cannot access the DMZ at the hub site

    So I've been scratching my head and I just can't visualize what I want and how I want to do it.

    Here is the overview of my network:

    Headquarters: ASA 5505

    Site1: ASA 5505

    Site2: ASA 5505

    Site3: ASA 5505

    All sites are connected L2L to the headquarters location with site-to-site VPN.

    From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic works correctly too.

    Here's my issue: at the HQ site, I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.

    What should I do?

    My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?

    I have attached the show run from my HQ ASA.

    show run HQ ASA

    For the mail/web server that requires access from the remote sites over the VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for the network access. Make sure that both sides have the ACL mirrored. If you're NATting from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.

    For the second question, because you have only three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.

    HTH

    PS. If you found this post useful, please rate it.

  • Unable to pass traffic across an ASA site-to-site VPN tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access lists that are needed.

    I've also attached the ASA 5505 config and the ASA 5510 config.

    This is the first time that I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at your Remote Site ASA configuration, it seems you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the remote site LAN as the destination.

    The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. It may also be lacking on the Central Site.

    -Jouni

  • ASA 55XX site-to-site VPN question

    Hi all

    I was wondering: if I have a Cisco ASA firewall with several site-to-site VPNs using pre-shared keys, and I want to add another VPN to another firewall, do I have to add all the crypto ISAKMP stuff again, or can I just reuse the VPN config already in the firewall? I mean, besides the new crypto map entry, the ACLs and the NAT 0 statement, what other statements do I need to enter to add this new site alongside the other tunnels? I don't want to end up entering more than is necessary.

    No, you don't need to add new crypto isakmp policies if you already have configured policies that match. You can also reuse the crypto ipsec transform-set if it is the same on the other side of the LAN-to-LAN tunnel (as long as it matches at both ends).

    You're right, the only statements you need to add would be the ACL for the NAT 0 entry and a new crypto map sequence (with the crypto ACL, transform set and peer entries).

    Hope that helps.

  • PIX and ASA Site to Site (ACL)

    I am trying to configure a site-to-site VPN tunnel between my PIX 515 (6.3) and a vendor's ASA 5510. We can get the tunnel up when the ACL matches all IP, but when we try to use TCP and a specific port, nothing comes through. Any thoughts? Would I be able to limit the interesting traffic to only what is necessary? I'm only looking for the ASA side to access a resource on the PIX side on TCP 1521. The PIX side doesn't need to access anything whatsoever on the ASA side.

    PIX side x.x.x.x, ASA side y.y.y.y

    This ACL works...

    PIX

    access-list vendor permit ip host x.x.x.x host y.y.y.y

    ASA

    access-list vendor permit ip host x.x.x.x host y.y.y.y

    This ACL does not...

    PIX

    access-list vendor permit tcp host x.x.x.x eq 1521 host y.y.y.y

    ASA

    access-list vendor permit tcp host x.x.x.x eq 1521 host y.y.y.y

    Phase 1 ISAKMP comes up fine; it fails only on the IPsec data transfer.

    No, only 7.x code supports the tunnel-groups and group policies that are needed to implement VPN filtering.

    I would suggest filtering the traffic at the ASA, because on the PIX you will need to remove the 'sysopt connection permit-ipsec' command (if it is not already removed) to start filtering on the outside interface.

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about site-to-site IPsec VPN and NAT. Basically what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static-to-static IPsec site-to-site VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 via translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 using the destination address 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)

    The translation holds for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we gave it to our customers (IPsec site-to-site VPN with NAT, I don't know how it was set up)

    Basically we contacted the customer's hosts via the site-to-site VPN, but their real addresses were hidden and we used translated addresses in 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte stayed the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so I went with the old format of NAT configuration.

    It seems to me that you could do the following:

    • Configure ASA1 with a policy static NAT:

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a policy static NAT, the translation will only be made when the destination network is 10.1.0.0/16
    • If you have for example a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration should not interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as usual:
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that the access-list defining the L2L VPN encrypted traffic must reflect the new NAT network:
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration tomorrow, but I would like to know if it works for you.

    Please rate if this was helpful

    -Jouni
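The same requirement comes up in several of the answers above: the crypto ACL on one end must mirror the other end's (Jouni's reply about the Central Site networks missing from the Remote Site ACL, the PIX/ASA port-specific ACL that is identical on both sides rather than mirrored, and the policy-NAT encryption domain that has to use the translated 10.23.1.0/24 network). As an added example, not from any of these posts, here is a Python checker that parses PIX/ASA style crypto ACL lines from both sides and lists the entries whose mirror image is missing on the peer. The sample ACLs are constructed: the central-site masks are assumed (the thread above redacts them) and the vendor hosts use RFC 5737 documentation addresses. Object-group names and port operators other than 'eq' are not handled.

```python
"""Check that two crypto (interesting-traffic) ACLs mirror each other.

Added example, not from any post in this thread. It handles PIX/ASA lines
of the form 'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]'
with addresses written as 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'.
Object/object-group names and port operators other than 'eq' are not
handled (an assumption of this example).
"""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple

Net = ipaddress.IPv4Network


class Flow(NamedTuple):
    proto: str
    src: Net
    sport: Optional[str]
    dst: Net
    dport: Optional[str]

    def mirrored(self) -> "Flow":
        # What the peer must configure: ends swapped, each address keeping
        # its own port qualifier (so 'eq 1521' moves with the server host).
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def _addr(tok: List[str], i: int) -> Tuple[Net, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_acl(config: str, name: str) -> Set[Flow]:
    """Collect the permit entries of ACL `name` as Flow objects."""
    flows = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[1] != name:
            continue
        i = 3 if tok[2] == "extended" else 2
        if tok[i] != "permit":
            continue                      # deny lines are not encryption-domain entries
        proto, i = tok[i + 1], i + 2
        src, i = _addr(tok, i)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        flows.add(Flow(proto, src, sport, dst, dport))
    return flows


def mirror_report(a: Set[Flow], b: Set[Flow]) -> Tuple[Set[Flow], Set[Flow]]:
    """(entries b must add to mirror a, entries a must add to mirror b)."""
    missing_in_b = {f.mirrored() for f in a} - b
    missing_in_a = {f.mirrored() for f in b} - a
    return missing_in_b, missing_in_a


def mirrors(cfg_a: str, name_a: str, cfg_b: str, name_b: str) -> bool:
    missing_in_b, missing_in_a = mirror_report(parse_acl(cfg_a, name_a), parse_acl(cfg_b, name_b))
    return not missing_in_b and not missing_in_a


# Constructed samples. Central-site masks are assumed (redacted in the thread);
# vendor hosts use RFC 5737 documentation addresses.
REMOTE_CRYPTO = (
    "access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0\n"
)
CENTRAL_CRYPTO = "\n".join(
    f"access-list outside_cryptomap extended permit ip {net} {mask} 10.1.1.0 255.255.255.128"
    for net, mask in [("10.182.226.0", "255.255.255.0"), ("192.168.170.0", "255.255.255.0"),
                      ("192.168.172.0", "255.255.255.0"), ("140.15.0.0", "255.255.0.0")]
)
PIX_VENDOR = "access-list vendor permit tcp host 192.0.2.10 eq 1521 host 198.51.100.20\n"
ASA_VENDOR_COPIED = PIX_VENDOR   # same line pasted on the ASA: not a mirror
ASA_VENDOR_MIRROR = "access-list vendor permit tcp host 198.51.100.20 host 192.0.2.10 eq 1521\n"
ASA1_POLICYNAT = "access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0\n"
ASA2_POLICYNAT = "access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0\n"

if __name__ == "__main__":
    need_on_remote, need_on_central = mirror_report(
        parse_acl(CENTRAL_CRYPTO, "outside_cryptomap"), parse_acl(REMOTE_CRYPTO, "outside_1_cryptomap"))
    print("Remote Site ASA is missing:", *sorted(str(f) for f in need_on_remote), sep="\n  ")
    print("vendor ACL copied verbatim mirrors?", mirrors(PIX_VENDOR, "vendor", ASA_VENDOR_COPIED, "vendor"))
    print("vendor ACL mirrored properly?", mirrors(PIX_VENDOR, "vendor", ASA_VENDOR_MIRROR, "vendor"))
    print("policy-NAT encryption domains mirror?",
          mirrors(ASA1_POLICYNAT, "L2LVPN-ENCRYPTIONDOMAIN", ASA2_POLICYNAT, "L2LVPN-ENCRYPTIONDOMAIN"))
```

Each entry whose mirror is missing on the peer is one IPsec SA that will never negotiate, which is why 'show crypto ipsec sa' on the Remote Site ASA above lists only the single subnet pair present on both sides.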

  • I used to right-click on a site to get "Send Link". Where is it?

    I used to be able to right-click on a web site and "Send Link" would appear. It's not there now; how do I do it?

    I finally found it while searching on the Internet. It's an add-on.

  • How can I turn a web site address into a link that opens when you click on it?

    I now use the Windows 7 operating system with Firefox as my default browser. Previously, in Windows XP, when I entered a web site address, it was automatically replaced by a link (HTML?) and if you clicked on the link you went directly to the corresponding page on the web site. I may not have added the relevant plugin or add-on, and perhaps that is the reason why I'm having the problem. I would like a simple way to do this and not some of the suggestions I found while trying to fix it myself.

    In Thunderbird, I see that there is an Insert menu where I can do this, but I can't find the Insert menu in Firefox.


  • I can't access a sender's site after selecting a link in an e-mail message using Windows Mail.

    I run Vista Basic on a laptop; for some reason, I'm not able to use a link in an email to take a shortcut to the sender's site. This only started in the last four weeks; initially I was directed to Microsoft Word, and then, with no action on my part, I'm now directed to the printer window. I took the laptop to various engineers, but none seem to be able to solve the problem.  Roy Shears.  *E-mail address removed for privacy*

    Hi Roy Shears,

    • What happens when you try to access the sender's site from a link highlighted in an e-mail using Windows Mail? Do you get an error message?

    • Did you make any changes before the problem started?

    I suggest that you follow the Microsoft article provided below and check if it helps.

    Troubleshoot problems with Windows Mail

    http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-problems-with-Windows-Mail

  • Redirect part of the VRF traffic between 2 sites over a redundant link

    Hey guys,

    We have one customer (in a VRF) with 2 sites in different states, running over our MPLS core... Our main link in our core is affected by service degradation and we want to route this client over our redundant link while keeping all other clients on our primary link - is that possible?

    The customer in question has their own VRF (L3VPN) at both sites, running over MPLS between the sites. We would like to re-route this particular customer to take our backup path, while keeping everyone else between the sites on the primary. We do not use TE, rather LDP to build the LSPs.

    I don't think it's possible to re-route only one customer, but I thought I would ask the question.

    We cannot fail over to the secondary link for everyone between the sites because the link doesn't have the capacity.

    Thanks in advance.

    Hello

    Using MPLS TE would certainly be an option. You must configure an MPLS TE LSP over the backup link. You must also set up a separate loopback on each PE and use that loopback address as the BGP next hop for the specific VRF:

    ip vrf X

     bgp next-hop loopback 999

    ip route <remote PE loopback 999 address> 255.255.255.255 Tunnel1

    This way you make sure that only the traffic for this specific VRF goes over the TE tunnel.

    Regards

  • Some websites are not fully functional with the latest Firefox on my desktop. For example, on one web site I now cannot link to some pages - error

    Recently updated to 42.0 on my computer.

    A site where I used to go to check my electricity bill does not accept my login entries, blocking my account after several tries of the user name and password. It opens fine with Safari.
    On another site, I cannot access the e-statements. Error message. The features on this site are otherwise fine. Works with Safari.
    I would rather not use Safari.

    This problem may be caused by corrupted cookies or cookies that are blocked.

    Clear the cache and delete the cookies only from the web sites that cause problems.

    "Clear the Cache":

    • Firefox > Preferences > Advanced > Network > Cached Web Content: "Clear Now"

    "Delete Cookies" from sites causing problems:

    • Firefox > Preferences > Privacy > "Use custom settings for history" > Cookies: "Show Cookies"

    If deleting the cookies did not help, then it is possible that the cookies.sqlite file that stores the cookies has been corrupted.

    • Rename (or delete) cookies.sqlite (to cookies.sqlite.old) and, if present, remove cookies.sqlite-shm and cookies.sqlite-wal in the Firefox profile folder, in case cookies.sqlite has been corrupted.


  • When I export my Muse site my YouTube video links stop working. Why is this?

    I would like to correct this.

    Are you uploading your site to a URL? If so, please share the URL so we can check.

    If you are exporting to a folder and then viewing the HTML in that local folder in your browser via the file protocol, some embedded HTML (like YouTube) may not work, because the code you have embedded assumes that it is viewed over the http protocol.
