ASA Site2Site VPN with dynamic NAT in version 8.2

I have done everything for NAT on 9.x, but I don't have much experience at all with NAT in 8.2 and earlier for this configuration.

I have some local subnets:

172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24

which will need to access a remote subnet:

10.31.255.128/25

and the requirement is to NAT them as follows:

172.30.1.0/24 NAT to 192.168.104.0/24
172.30.16.0/24 NAT to 192.168.105.0/24
172.30.3.0/24 NAT to 192.168.108.0/24
172.30.12.0/24 NAT to 192.168.106.0/24
172.30.7.0/24 NAT to 192.168.107.0/24
172.30.35.0/24 NAT to 192.168.103.0/24

when going to the 10.31.255.128/25 subnet.

Here's what I think I need, and I'm looking for confirmation and/or comments.

Object groups:

object-group network LOCAL-NATTED-NETWORKS
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 192.168.108.0 255.255.255.0
 network-object 192.168.106.0 255.255.255.0
 network-object 192.168.107.0 255.255.255.0
 network-object 192.168.103.0 255.255.255.0

object-group network REMOTE-NETWORK
 network-object 10.31.255.128 255.255.255.128

ACL for the crypto map:

access-list REMOTE_cryptomap_72 extended permit ip object-group LOCAL-NATTED-NETWORKS object-group REMOTE-NETWORK

NAT config:

nat (inside) 10 172.30.1.0 255.255.255.0
nat (inside) 20 172.30.16.0 255.255.255.0
nat (inside) 30 172.30.3.0 255.255.255.0
nat (inside) 40 172.30.12.0 255.255.255.0
nat (inside) 50 172.30.7.0 255.255.255.0
nat (inside) 60 172.30.35.0 255.255.255.0

global (outside) 10 192.168.104.1-192.168.104.254 netmask 255.255.255.0
global (outside) 20 192.168.105.1-192.168.105.254 netmask 255.255.255.0
global (outside) 30 192.168.108.1-192.168.108.254 netmask 255.255.255.0
global (outside) 40 192.168.106.1-192.168.106.254 netmask 255.255.255.0
global (outside) 50 192.168.107.1-192.168.107.254 netmask 255.255.255.0
global (outside) 60 192.168.103.1-192.168.103.254 netmask 255.255.255.0

This sets up the transform set which is called in the crypto map:

crypto ipsec transform-set REMOTE-SET esp-3des esp-sha-hmac

This sets up the crypto map:

crypto map outside_map 72 match address REMOTE_cryptomap_72
crypto map outside_map 72 set peer 5.5.5.4
crypto map outside_map 72 set transform-set REMOTE-SET
crypto map outside_map 72 set reverse-route

IKE policy:

crypto isakmp policy 72
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

Sets up the tunnel group (connection profile):

tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
 pre-shared-key <TBD>

Thank you

Mike

With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...
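As an added example (not from the original post or the reply above), here is a Python audit of the rule behind this kind of config: the ASA applies NAT before encryption, so the crypto ACL must reference the translated 192.168.x pools rather than the real 172.30.x subnets, and every nat id needs a global pool of the same id. The sample it parses is constructed in 8.2 syntax with hypothetical object-group names, and it handles only the plain nat/global pool form used here, not policy NAT.

```python
"""Audit an ASA 8.2-style (pre-8.3 nat/global) config for a NATted site-to-site VPN:
the ASA applies NAT before IPsec, so the crypto ACL must match the translated (global
pool) addresses, never the real inside subnets, and every nat id needs a global pool."""
import ipaddress
import re

# Constructed sample in 8.2 syntax (two of the six subnets from the question; names are hypothetical).
SAMPLE_CONFIG = """
object-group network LOCAL-NATTED-NETWORKS
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
object-group network REMOTE-NETWORK
 network-object 10.31.255.128 255.255.255.128
access-list REMOTE_cryptomap_72 extended permit ip object-group LOCAL-NATTED-NETWORKS object-group REMOTE-NETWORK
nat (inside) 10 172.30.1.0 255.255.255.0
nat (inside) 20 172.30.16.0 255.255.255.0
global (outside) 10 192.168.104.1-192.168.104.254 netmask 255.255.255.0
global (outside) 20 192.168.105.1-192.168.105.254 netmask 255.255.255.0
crypto map outside_map 72 match address REMOTE_cryptomap_72
"""


def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def endpoint(toks, groups):
    """Consume one ACL endpoint (any | host A | object-group G | A MASK); return (networks, rest)."""
    if toks[0] == "any":
        return [net("0.0.0.0", "0.0.0.0")], toks[1:]
    if toks[0] == "host":
        return [net(toks[1])], toks[2:]
    if toks[0] == "object-group":
        return list(groups[toks[1]]), toks[2:]
    return [net(toks[0], toks[1])], toks[2:]


def parse(text):
    """Collect object-groups, nat/global statements, ACLs and the crypto map's ACL name."""
    cfg = {"groups": {}, "nat": {}, "global": {}, "acl": {}, "crypto_acl": None}
    group = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"object-group network (\S+)", line):
            group = cfg["groups"].setdefault(m[1], [])
        elif (m := re.fullmatch(r"network-object (?:host )?(\S+)(?: (\S+))?", line)) and group is not None:
            group.append(net(m[1], m[2] or "255.255.255.255"))
        elif m := re.fullmatch(r"nat \(\S+\) (\d+) (\S+) (\S+)", line):
            if m[2] != "access-list":  # policy NAT and nat 0 exemption are not modelled here
                cfg["nat"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := re.fullmatch(r"global \(\S+\) (\d+) (\S+)(?: netmask \S+)?", line):
            if m[2] != "interface":  # 'global ... interface' is PAT to the interface address
                first, _, last = m[2].partition("-")  # a pool range, or a single PAT address
                nets = list(ipaddress.summarize_address_range(
                    ipaddress.ip_address(first), ipaddress.ip_address(last or first)))
                cfg["global"].setdefault(m[1], []).append((m[2], nets))
        elif m := re.fullmatch(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = endpoint(m[2].split(), cfg["groups"])
            dst, _ = endpoint(rest, cfg["groups"])
            cfg["acl"].setdefault(m[1], []).append((src, dst))
        elif m := re.fullmatch(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the crypto ACL agrees with the NAT setup."""
    cfg = parse(text)
    findings = []
    for nat_id in sorted(cfg["nat"].keys() ^ cfg["global"].keys()):
        findings.append(f"nat id {nat_id} has a nat statement or a global pool but not both")
    entries = cfg["acl"].get(cfg["crypto_acl"], [])
    # A catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0' says nothing about which subnets are real.
    real = [n for nets in cfg["nat"].values() for n in nets if n.prefixlen]
    src = [s for srcs, _ in entries for s in srcs]
    for s in src:  # NAT runs first, so a real inside subnet in the crypto ACL is never matched
        for r in real:
            if s.overlaps(r):
                findings.append(f"crypto ACL source {s} includes untranslated inside subnet {r}; "
                                "match the global pool instead")
    for nat_id, pools in cfg["global"].items():  # every translated pool must be selected for IPsec
        for token, nets in pools:
            if not all(any(n.subnet_of(s) for s in src) for n in nets):
                findings.append(f"global pool {token} (id {nat_id}) is not covered by the crypto ACL")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns an empty list; swapping the real 172.30.1.0/24 into the crypto ACL source produces findings for the untranslated subnet and for the two pools the ACL no longer covers.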

Tags: Cisco Security

Similar Questions

  • ASA - s2s vpn with dynamic ip - keeping the tunnel up

    Hi guys,

    We want to set up a vpn between our central asa5520 and a new branch office asa5505 with a dynamic public ip address.

    This type of configuration is supported, but the tunnel can only be initiated from the remote asa (the central asa does not know how to reach the remote asa).

    Given that voice traffic also transits this vpn, we must keep the tunnel up at all times.

    A solution would be to have a kind of continuous ping from the remote office to the central office... is there a more 'professional' way to reach our goal?

    Thank you.

    Try 'management-access inside' on the asa and ping.

  • VPN with ASA 5500 vs VPN with PIX 515E

    I wonder what the differences are between using an existing PIX 515E for VPN remote users as opposed to acquiring an ASA 5500 for VPN remote users? Information or advice is appreciated to help me lean toward one or the other.

    Craig

    Depending on the version of code that you run on the PIX, the VPN features on the PIX or ASA should be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider whether the existing PIX has sufficient resources to take on the extra VPN processing load or if you should put that on another box. You might consider that the PIX is an older product range, and its end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I would probably prefer to use the newer technology rather than the old technology. I also believe that the ASA will give you more choice of technology going forward (a better growth path) while the PIX provides current capacity but no growth path.

    On the other hand, there is the consideration that using the existing PIX does not require buying something new, while an ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

    HTH

    Rick

  • IPSec VPN (remote VPN access) - dynamic NAT

    Hello dear group

    I have an ASA 5510 configured for remote access VPN; the ASA authenticates remote clients with a Radius server (accounting software) and they are assigned an IP address from the VPN pool (172.16.20.0/24). Authentication with the radius server is successful, but there is no Internet browsing at all on the client side. I've set up a dynamic NAT rule on the outside interface of the ASA, which I wrote as follows:

    Interface: outside

    Source: VPN-users object (address pool 172.16.20.0/24)

    Translation: outside interface.

    The NAT rule above does not work. (I think the traffic with the VPN pool address is not being translated via the outside interface.)

    Note: these VPN users access the INTERNET only. (Because of this, the pool address range is different from the inside network interface.)

    I'd be grateful if you could help me with how to NAT.

    Thank you

    Best regards

    Hello

    I would really need to see your current NAT configuration in CLI format to determine the problem.

    Naturally, the problem could be as simple as the following command missing on the ASA

    same-security-traffic permit intra-interface

    This command is required on the ASA for traffic to come in through an interface and leave through the same interface. In your case this interface would be "outside": the VPN client traffic arrives at the ASA via this interface and leaves through this interface to the Internet.

    -Jouni

  • L2l VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up a VPN tunnel between two ASAs or routers using NAT translation from the inside private IP addresses to a single public IP address on the outside interface, and then define the interesting crypto traffic with the public IP address as source and the remote private network on the other end (also an ASA) as destination? For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with the public IP address as the source. Policy-NAT is not an option, because we really do not want to reveal any IP address to the remote end, and the IP addresses of the remote end can overlap with our end.

    Thank you!

    Hello

    You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define interesting traffic using the public IP address.

    This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept or I misunderstood your question.

    For example, assuming that the private LAN on your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0

    global (outside) 6 200.200.200.200

    nat (inside) 6 access-list 199

    This would NAT traffic to the public IP address only when the traffic matches the ACL.

    Your crypto ACL should then be something like

    access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your real addresses and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to bring up the tunnel.

    I hope this helps.

    Raga

  • VPN with static nat for a whole subnet

    Hey there,

    For some reason, I can't do this on the router. Errrr...

    I'm trying to configure a static NAT (many to one), which will be in effect only when traffic needs to go over our VPN tunnel to the remote location.

    example:

    internal LAN 192.168.0.0

    remote network: 10.10.10.0 and 10.10.15.0

    When traffic passes over the VPN tunnel to the remote site, I need to translate my internal network (192.168.0.0) to a static IP address, 172.16.32.65.

    any ideas?

    Also, in my crypto map ACL, what must be specified for interesting traffic? My local network or the static IP address?

    Let me know your thoughts on the matter.

    Kind regards

    R.

    The NAT you describe is called PAT or overload, at least in Cisco terms...

    What you need:

    (1) a NAT ACL in which you describe the traffic that should be NATted.

    (2) a NAT pool with your 172.16.32.65 address

    (3) a NAT statement for dynamic inside NAT based on the ACL and the pool

    Here are some examples:

    http://www.Cisco.com/en/us/docs/iOS/ipaddr/configuration/guide/iadnat_addr_consv_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1073436

    Your crypto ACL then refers to the NATted IP, as NAT happens before encryption.

  • ASA IPSEC VPN with public IP dynamic

    Hey,.

    I have never deployed an IPSEC VPN tunnel using ASAs with one side using a dynamic public IP in production. I normally deploy VPN tunnels with both sides using static public IP addresses (not always a public IP address on the ASA directly, however).

    So I wonder how stable it is when one side has a static public IP and the other side uses a dynamic public IP?

    Thank you

    Shuai

    If you use certificates and psk or main mode and aggressive mode it will work very well. I have a number of production sites using this method.


  • ASA to Juniper VPN with policy NAT

    I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my client's network 192.168.190.0/24. I need to NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.

    Here is my current config:

    hostname xxxxx
    domain-name xxxxx.local
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.190.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 207.98.218.26 255.255.255.248
    !
    interface Vlan3
     no forward interface Vlan1
     nameif DMZ
     security-level 50
     ip address 192.168.100.1 255.255.255.0
    !
    interface Vlan12
     description backup of interface vlan2
     nameif CharterBackup
     security-level 0
     ip address 72.14.9.50 255.255.255.248
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 12
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
     switchport access vlan 3
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name xxxxx.local
    access-list 110 extended permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
    access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
    access-list 100 extended permit tcp any host 207.98.218.27 eq 3389
    access-list 100 extended permit tcp any host 207.98.218.28 eq 3389
    access-list 100 extended permit tcp any host 207.98.218.27 eq 9000
    access-list 100 extended permit tcp any host 207.98.218.27 eq 9001
    access-list 100 extended permit tcp any host 207.98.218.28 eq 9000
    access-list 100 extended permit tcp any host 207.98.218.28 eq 9001
    access-list split standard permit 192.168.190.0 255.255.255.0
    access-list POLICYNAT extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
    access-list VPN extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    mtu CharterBackup 1500
    ip local pool vpnpool 192.168.10.75-192.168.10.85
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (CharterBackup) 1 interface
    nat (inside) 0 access-list 110
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 192.168.191.0 access-list POLICYNAT
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
    route CharterBackup 0.0.0.0 0.0.0.0 71.14.9.49 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.190.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
     type echo protocol ipIcmpEcho 4.2.2.2 interface outside
     timeout 1000
     frequency 3
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set romanset esp-des esp-md5-hmac
    crypto ipsec transform-set AES-128-SHA esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set romanset
    crypto map romanmap 10 match address VPN
    crypto map romanmap 10 set peer 66.18.99.68
    crypto map romanmap 10 set transform-set AES-128-SHA
    crypto map romanmap 65535 ipsec-isakmp dynamic dynmap
    crypto map romanmap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    !
    track 1 rtr 123 reachability
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 CharterBackup
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    !
    dhcpd address 192.168.100.100-192.168.100.130 DMZ
    dhcpd enable DMZ
    !

    group-policy xxxxx internal
    group-policy xxxxx attributes
     wins-server value 192.168.190.3
     dns-server value 192.168.190.3
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
    tunnel-group xxxxx type ipsec-ra
    tunnel-group xxxxx general-attributes
     address-pool vpnpool
     default-group-policy romangroup
    tunnel-group xxxxx ipsec-attributes
     pre-shared-key *
     isakmp ikev1-user-authentication none
    tunnel-group 66.18.99.68 type ipsec-l2l
    tunnel-group 66.18.99.68 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context

    Currently, traffic that originates on 192.168.190.0/24 generates no phase 1 traffic. However, if the traffic comes FROM the remote side (66.18.106.160/27) the tunnel comes up, but no traffic passes.

    Although this isn't my area of expertise, it seems to me that my ASA does not 'see' interesting traffic from 192.168.190.0/24 to 66.18.106.160/27.

    Any help you could provide would be GREATLY appreciated.

    Just remove the 2 following lines:

    access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

    access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

    Then 'clear xlate'.

    That should solve your problem.

  • Cisco ASA 5510 VPN with PIX 515

    Hello

    I have a VPN between a Cisco ASA and a Cisco PIX.

    I see in my syslog server this error, which appears once a day, more or less:

    Received encrypted packet with no matching SA, dropping

    I've seen this issue in another post, but in none of them the solution.

    Here are my firewall configuration files:

    Output from the command: 'show running-config'

    : Saved
    :
    ASA Version 8.2(1)
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map WAN_map2 2 match address WAN_cryptomap_1
    crypto map WAN_map2 2 set pfs
    crypto map WAN_map2 2 set peer 62.80.XX.XX
    crypto map WAN_map2 2 set transform-set ESP-DES-MD5
    crypto map WAN_map2 2 set security-association lifetime seconds 2700
    crypto map WAN_map2 2 set nat-t-disable
    crypto map WAN_map2 interface WAN
    crypto isakmp enable LAN
    crypto isakmp enable WAN
    crypto isakmp policy 1
     authentication pre-share
     encryption des
     hash md5
     group 5
     lifetime 28800
    no crypto isakmp nat-traversal
    tunnel-group 62.80.XX.XX type ipsec-l2l
    tunnel-group 62.80.XX.XX ipsec-attributes
     pre-shared-key *

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    PIX Version 8.0(4)
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPN_map2 3 match address VPN_cryptomap_2
    crypto map VPN_map2 3 set pfs
    crypto map VPN_map2 3 set peer 194.30.XX.XX
    crypto map VPN_map2 3 set transform-set ESP-DES-MD5
    crypto map VPN_map2 3 set security-association lifetime seconds 2700
    crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
    crypto map VPN_map2 3 set nat-t-disable
    crypto map VPN_map2 interface VPN
    crypto isakmp enable VPN
    crypto isakmp enable inside
    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash md5
     group 5
     lifetime 28800
    no crypto isakmp nat-traversal
    crypto isakmp am-disable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 194.30.XX.XX type ipsec-l2l
    tunnel-group 194.30.XX.XX ipsec-attributes
     pre-shared-key *

    If you need more detailed information, ask me questions.

    Thanks in advance for your help.

    Javi

    Hi Javi,

    Please check the output of "show run all group-policy DfltGrpPolicy". See if you have the "vpn-idle-timeout" command configured in it. If so, please change it to "vpn-idle-timeout none" and see if that stops these error messages from popping up.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426

    Thank you and best regards,

    Assia

  • ASA SSL VPN with RSA authentication

    Has anyone implemented SSL VPN on an ASA device using RSA SecurID tokens for remote users? The data sheets indicate native RSA can be used for authentication, but does this work with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • ASA remote VPN with DHCP failed

    I am running an ASA5540 on version 8.3(2). I have several remote access vpn users working on this server. Lately, I have had problems with people not being able to route anywhere, and it seems to be caused by them fighting for the same IP address from the local pool, so I decided to try DHCP instead (I have no idea why it keeps overlapping IPs; we have tons in the pool and they fight for the same one). This just started about a month ago; we use only maybe 3-5 IPs on a /24 block. The only thing that changed was we hired more people, but we have separate groups for operations vs. corporate teams.

    So I configured the dhcp-network-scope for the subnet and the dhcp server under the policies. I see the request go to the server, but it seems to put the ASA's MAC in the Client hardware address field of the DHCP header. I have attached the capture from the ASA showing this. Does anyone know why this is happening and is there a way around it?

    Hello Keith,

    Option 118 is great to have for this info.

    Please keep an eye on it, and if you see it still works please mark it as answered so future users can refer to this discussion for a solution.

    Regards

  • VPN with dynamic IP. How to use DNS?

    Hello

    I installed a site to site IPSec VPN between two cisco routers with static public IPs. I noticed that I can use dynamic IPs for the point-to-multipoint case, or host names instead of IPs. In this case, I can use these commands to configure the VPN:

    (config)# crypto isakmp identity hostname

    (config)# crypto isakmp key XXXXX hostname Remote_name

    (config-crypto-map)# set peer Remote_name

    I also noticed that I can use a cisco router as a DNS server, and I can add host records with:

    ip host Remote_Name <IP address>

    In fact, I want only one router to work with a static public IP (Router_A) and the other with a dynamic public IP (Router_B) from the ISP. Then maybe I can make the router with the static IP address work as the DNS server. I know how DynDNS works with an account and update client software on a PC/server, but I've never used hardware DNS update clients, and I don't know what steps I must follow to implement this.

    Hi John,

    The section in the link below should help you to configure DDNS on your router:

    (See the HTTP update example)

    http://www.Cisco.com/en/us/docs/iOS/12_3/12_3y/12_3ya8/gt_ddns.html#wp1203580

    This link shows a summary:

    http://www.no-IP.com/support/guides/routers/using_cisco_routers_with_no-IP.html

    For static-to-dynamic VPN, refer to this link (this requires no DDNS):

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml

    HTH

    Kind regards

    Praveen

  • SSL VPN with dynamic IP

    Hello

    I want to configure an SSL VPN on an ISR which obtains a dynamic IP address from the ISP. I know the configuration using a static IP. How do I configure this for a dynamic IP address?

    Kind regards
    Tony

    Hello Tony,

    Just because you asked.

    Use the following syntax:

    webvpn gateway x.x.x

     ip interface giga 0 port 443

    In this case you get the public ip address on giga 0.

    Be sure to rate all the helpful posts.

    For this community, that is as important as a thank you.

  • IPSEC VPN with Dynamics to dynamic IP

    Hello

    I have been trying IPSEC VPN with dynamic to dynamic IP (router to router) for some time. But I still cannot auto-establish the tunnel.

    Can someone please tell me if it is possible to do?

    If so, please share with me the secret to making it work.

    Thank you!

    Best regards

    Rather than a crypto map, I would use a crypto profile. Then establish an IPSEC tunnel. The beauty of the profile is that you can run routing protocols through it, and you do not have to constantly change the maps whenever you change the network topology. The "* * * * *" in the timer event is "minute hour day week month", so "* * * * *" is updated every minute. In the tunnel destination, it's an IP address, not a hostname, that is stored, but when you set it, you can put in a HOST name and it converts it to an IP address at the moment you configure it.

    So, if you type:

    config t

    interface tunnel100
     tunnel destination remote.dyndns.com

    exit

    show run int tunnel100

    It shows:

    interface Tunnel100
     tunnel destination 75.67.43.79

    That's why the event handler goes and sets the tunnel destination every minute to whatever the DDNS says is the new IP address.

    I have seen that both of your routers are running DDNS. They will have to for this.

    Local router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description remote.dyndns.org
     ip address 10.254.220.10 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 75.67.43.79
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.2.0 255.255.255.0 10.254.220.9

    event manager applet Change-tunnel-dest
     event timer cron name CHRON cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination remote.dyndns.org"
    !

    --------

    Remote router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description local.dyndns.org
     ip address 10.254.220.9 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 93.219.58.191
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.1.0 255.255.255.0 10.254.220.10

    event manager applet Change-tunnel-dest
     event timer cron name CHRON cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination local.dyndns.org"

    Thank you

    Bert

  • VPN IPSEC ASA with counterpart with dynamic IP and certificates

    Hello!

    Could someone please give me a working ASA config for an ASA-to-ASA Site to Site IPSEC VPN with a peer that has a dynamic IP and certificate authentication.

    It works with PSK authentication. But with certificate authentication the connection lands in DefaultRAGroup instead of DefaultL2LGroup.

    What special config should I apply to DefaultRAGroup to allow the connection?

    Thank you!

    The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is defined the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in the IKE negotiation); if the comparison fails the connection fails. You could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.

    In general I would suggest using option "cert."

    With nocheck, we are simply not strict on the IKE ID matching the certificate, which is normally not a security problem :-)
