ASA Site-to-Site VPN with dynamic NAT in version 8.2
I have done plenty of NAT on 9.x, but very little with NAT on 8.2 and earlier in this kind of configuration.
I have some local subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24
that will need to access a remote subnet:
10.31.255.128/25
and the requirement is to NAT as follows:
A lot of requirements, a lot of NAT.
172.30.1.0/24 NAT to 192.168.104.0/24
172.30.16.0/24 NAT to 192.168.105.0/24
172.30.3.0/24 NAT to 192.168.108.0/24
172.30.12.0/24 NAT to 192.168.106.0/24
172.30.7.0/24 NAT to 192.168.107.0/24
172.30.35.0/24 NAT to 192.168.103.0/24
when going to the 10.31.255.128/25 subnet.
Here is what I think I need, and I am looking for confirmation and/or comments.
Object-group config:
object-group network LOCAL-NATTED-NETWORKS
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 192.168.108.0 255.255.255.0
 network-object 192.168.106.0 255.255.255.0
 network-object 192.168.107.0 255.255.255.0
 network-object 192.168.103.0 255.255.255.0
object-group network REMOTE-NETWORK
 network-object 10.31.255.128 255.255.255.128
ACL for the crypto map:
access-list REMOTE_cryptomap_72 extended permit ip object-group LOCAL-NATTED-NETWORKS object-group REMOTE-NETWORK
NAT config:
nat (inside) 10 172.30.1.0 255.255.255.0
nat (inside) 20 172.30.16.0 255.255.255.0
nat (inside) 30 172.30.3.0 255.255.255.0
nat (inside) 40 172.30.12.0 255.255.255.0
nat (inside) 50 172.30.7.0 255.255.255.0
nat (inside) 60 172.30.35.0 255.255.255.0
global (outside) 10 192.168.104.0 255.255.255.0
global (outside) 20 192.168.105.0 255.255.255.0
global (outside) 30 192.168.108.0 255.255.255.0
global (outside) 40 192.168.106.0 255.255.255.0
global (outside) 50 192.168.107.0 255.255.255.0
global (outside) 60 192.168.103.0 255.255.255.0
This sets up the transform set that is referenced in the crypto map:
! 8.2 syntax: the "ikev1" keyword in "crypto ipsec ikev1 transform-set" only exists from 8.4 onward
crypto ipsec transform-set REMOTE-SET esp-3des esp-sha-hmac
This sets up the crypto map:
crypto map outside_map 72 match address REMOTE_cryptomap_72
crypto map outside_map 72 set peer 5.5.5.4
crypto map outside_map 72 set transform-set REMOTE-SET
crypto map outside_map 72 set reverse-route
IKE:
! 8.2 syntax: "crypto ikev1 policy" is 8.4+; 8.2 uses "crypto isakmp policy"
crypto isakmp policy 72
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
This sets up the tunnel group (connection profile):
tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
 pre-shared-key *TBD*
Thank you
Mike
With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...
Tags: Cisco Security
Similar Questions
-
ASA - s2s VPN with dynamic IP - keeping the tunnel up
Hi guys,
We want to set up a VPN between our central ASA5520 and a new branch office ASA5505 with a dynamic public IP address.
This type of configuration is supported, but the tunnel can only be initiated from the remote ASA (the central ASA does not know how to reach the remote ASA).
Since voice traffic also transits this VPN, we must keep the tunnel up at all times.
One solution would be a kind of continuous ping from the remote office to the central office... is there a more 'professional' way to reach our goal?
Thank you.
Try 'management-access inside' on the ASA and ping
-
VPN with ASA 5500 vs VPN with PIX 515E
I wonder what the differences are between using an existing PIX 515E for VPN remote users as opposed to acquiring an ASA 5500 for VPN remote users? Any information or advice is appreciated to help me lean toward one or the other.
Craig
Depending on the version of code that you run on the PIX, the VPN features on the PIX or ASA should be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider whether the existing PIX has sufficient resources to add the extra VPN processing load, or whether you should put that on another box. You might consider that the PIX is an older product range and its end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I would probably prefer to use the newer technology over the old technology. I also believe that the ASA will give you more technology choices going forward (a better growth path), while the PIX provides current capacity but no growth path.
On the other hand, there is the consideration that using the existing PIX does not require buying something new, and an ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.
HTH
Rick
-
IPSec VPN (remote access VPN) - dynamic NAT
Hello dear group
My ASA 5510 is configured for remote access VPN; the ASA authenticates remote clients with a Radius server (accounting software) and assigns an IP address from the VPN pool (172.16.20.0/24). Authentication with the radius server is successful, but there is no Internet browsing at all on the client side. I have set up a dynamic NAT rule on the outside interface of the ASA, as follows:
Interface: outside
Source: VPN-users object (address pool 172.16.20.0/24)
Translation: the outside interface.
The NAT rule above does not work. (I think the traffic is not translated from the VPN pool address via the outside interface.)
Note: these VPN users access the INTERNET only. (Because of this, the pool address range is different from the inside network interface.)
Please help me with how to NAT this.
Thank you
Best regards
Hello
I would really need to see your current NAT configuration in CLI format to determine the problem.
Naturally, the problem could be as simple as the following command missing on the ASA:
same-security-traffic permit intra-interface
This command is required on the ASA for traffic to come in through an interface and leave through the same interface. In your case this interface would be "outside": the VPN client traffic arrives at the ASA via this interface and leaves through this interface to the Internet.
-Jouni
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up a VPN tunnel between two ASAs or routers using NAT translation of the inside private IP addresses to a single public IP address on the outside interface, and then define the crypto interesting traffic with the public IP address as source and the remote private network on the other end (also an ASA) as destination? For example, I want to translate a private network to a public IP address at one end and use the VPN tunnel with the public IP address as the source. Policy NAT is not an option, because we really do not want to reveal any IP addresses to the remote end, and the remote end's IP addresses can overlap with ours.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define interesting traffic using the public IP address.
This is exactly what we call policy NAT, so I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept, or I misunderstood your question.
For example, assuming the private LAN on your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address you want to use is 200.200.200.200, your NAT config should look like this:
access-list 199 extended permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
This would NAT traffic to the public IP address only when the traffic matches the ACL.
Your crypto ACL should then be something like:
access-list cryptomap extended permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to bring up the tunnel.
I hope this helps.
Raga
-
VPN with static NAT for a whole subnet
Hey there,
For some reason, I can't do this on the router. Errrr...
I'm trying to configure a static NAT (many to one), which will be in effect only when traffic needs to go over our VPN tunnel to the remote location.
Example:
internal LAN 192.168.0.0
remote networks: 10.10.10.0 and 10.10.15.0
When traffic passes over the VPN tunnel to the remote site, I need to translate my internal network (192.168.0.0) to a static IP address 172.16.32.65.
Any ideas?
Also, on my crypto map ACL, what must be specified for interesting traffic? My local network or the static IP address?
Let me know your thoughts on the matter.
Kind regards
R.
The NAT you describe is named PAT or overload, at least in Cisco terms...
What you need:
(1) a NAT ACL describing your traffic that should be NATted.
(2) a NAT pool with your 172.16.32.65 address.
(3) a dynamic inside NAT statement that maps the ACL to the pool.
Here are some examples:
Your crypto ACL then refers to the NATted IP, as NAT happens before encryption.
-
ASA IPSEC VPN with dynamic public IP
Hey,
I have never deployed an IPSEC VPN tunnel with an ASA on both sides where one side uses a dynamic public IP in production. I normally deploy VPN tunnels with both sides using static public IP addresses (not always a public IP address on the ASA directly, though).
So I wonder how stable it works when one side has a static public IP and the other side uses a dynamic public IP?
Thank you
Shuai
Whether you use certificates or PSK, with main mode or aggressive mode, it will work very well. I have a number of production sites using this method.
Sent from Cisco Technical Support iPad App
-
ASA to Juniper VPN with policy NAT
I'm trying to configure a VPN tunnel between a remote site 66.18.106.160/27 and my client's network 192.168.190.0/24. I need to NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.
Here is my current config:
hostname xxxxx
domain-name xxxxx.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.190.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 207.98.218.26 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan12
 description backup interface for vlan2
 nameif CharterBackup
 security-level 0
 ip address 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 100 extended permit tcp any host 207.98.218.27 eq 3389
access-list 100 extended permit tcp any host 207.98.218.28 eq 3389
access-list 100 extended permit tcp any host 207.98.218.27 eq 9000
access-list 100 extended permit tcp any host 207.98.218.27 eq 9001
access-list 100 extended permit tcp any host 207.98.218.28 eq 9000
access-list 100 extended permit tcp any host 207.98.218.28 eq 9001
access-list split standard permit 192.168.190.0 255.255.255.0
access-list POLICYNAT extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list VPN extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu CharterBackup 1500
ip local pool vpnpool 192.168.10.75-192.168.10.85
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CharterBackup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.191.0 access-list POLICYNAT
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
route CharterBackup 0.0.0.0 0.0.0.0 71.14.9.49 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.190.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set romanset esp-des esp-md5-hmac
crypto ipsec transform-set AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set romanset
crypto map romanmap 10 match address VPN
crypto map romanmap 10 set peer 66.18.99.68
crypto map romanmap 10 set transform-set AES-128-SHA
crypto map romanmap 65535 ipsec-isakmp dynamic dynmap
crypto map romanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CharterBackup
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.100.100-192.168.100.130 DMZ
dhcpd enable DMZ
!
group-policy xxxxx internal
group-policy xxxxx attributes
 wins-server value 192.168.190.3
 dns-server value 192.168.190.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool vpnpool
 default-group-policy romangroup
tunnel-group xxxxx ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group 66.18.99.68 type ipsec-l2l
tunnel-group 66.18.99.68 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Currently, traffic that originates on 192.168.190.0/24 generates no phase 1 traffic. However, if the traffic comes in from the remote side (66.18.106.160/27), the tunnel comes up, but no traffic passes.
Although this isn't my area of expertise, it seems to me that my ASA is not 'seeing' interesting traffic from 192.168.190.0/24 to 66.18.106.160/27.
Any help you could provide would be GREATLY appreciated.
Just remove the following 2 lines:
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
Then 'clear xlate'.
That should solve your problem.
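As an added example, not code from either thread or from Cisco, the following Python models the ASA 8.2 outbound NAT order of operations that both the opening post (regular dynamic nat/global pairs) and this thread (nat 0 exemption beating the static policy NAT) depend on, then checks the translated source against the crypto ACL, since the ASA applies NAT before the crypto map looks for interesting traffic. The flow addresses, the `Nat82` model and the longest-prefix tie-break for regular dynamic rules are assumptions.

```python
"""ASA 8.2 (pre-8.3) outbound NAT order of operations, modelled in Python.
Constructed example, not taken from either thread.  It models the rule types the
two posts use and checks the *translated* source against a crypto ACL, because
the ASA applies NAT before the crypto map looks for interesting traffic."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Net = ipaddress.IPv4Network

def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)

@dataclass
class Ace:
    """One 'permit ip <src> <dst>' entry of an extended ACL."""
    src: Net
    dst: Net

    def hits(self, s, d) -> bool:
        return s in self.src and d in self.dst

@dataclass
class Nat82:
    exempt: List[List[Ace]] = field(default_factory=list)          # nat (inside) 0 access-list X
    static_policy: List[Tuple[str, List[Ace]]] = field(default_factory=list)  # static (inside,outside) <mapped> access-list X
    policy_dynamic: List[Tuple[Net, List[Ace]]] = field(default_factory=list)  # nat (inside) N access-list X + global (outside) N <pool>
    dynamic: List[Tuple[Net, Net]] = field(default_factory=list)   # nat (inside) N <real> <mask> + global (outside) N <pool>

def translate(nat: Nat82, src: str, dst: str) -> Tuple[Net, str]:
    """Return (mapped source network, rule type) for one inside->outside flow.
    ASA 8.2 order: exemption, static, policy dynamic, regular dynamic.  Dynamic rules
    return their whole pool (an address is picked at connection time).  Assumption:
    the longest-prefix real network wins among regular dynamic rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in nat.exempt:
        if any(a.hits(s, d) for a in acl):
            return net(f"{s}/32"), "nat 0 access-list (exempt, untranslated)"
    for mapped, acl in nat.static_policy:
        for a in acl:
            if a.hits(s, d):  # one-to-one: the mapped net takes the ACE's source mask
                return net(f"{mapped}/{a.src.prefixlen}"), "static policy NAT"
    for pool, acl in nat.policy_dynamic:
        if any(a.hits(s, d) for a in acl):
            return pool, "policy dynamic NAT"
    best = None
    for real, pool in nat.dynamic:
        if s in real and (best is None or real.prefixlen > best[0].prefixlen):
            best = (real, pool)
    if best:
        return best[1], "regular dynamic NAT"
    return net(f"{s}/32"), "no NAT rule"

def matches_crypto_acl(nat: Nat82, crypto_acl: List[Ace], src: str, dst: str) -> bool:
    """True if the flow, after NAT, is interesting traffic for the crypto map."""
    mapped, _ = translate(nat, src, dst)
    d = ipaddress.ip_address(dst)
    return any(mapped.subnet_of(a.src) and d in a.dst for a in crypto_acl)

REMOTE = net("66.18.106.160/27")  # remote site from the ASA-to-Juniper post

def juniper_thread(with_exempt_lines: bool) -> Tuple[str, bool]:
    """ASA-to-Juniper config; the flag keeps or drops the two ACL 110 entries the answer removes."""
    acl110 = [Ace(net("192.168.190.0/24"), net("192.168.10.0/24"))]
    if with_exempt_lines:
        acl110 += [Ace(net("192.168.190.0/24"), REMOTE), Ace(net("192.168.191.0/24"), REMOTE)]
    nat = Nat82(exempt=[acl110],
                static_policy=[("192.168.191.0", [Ace(net("192.168.190.0/24"), REMOTE)])],
                dynamic=[(net("0.0.0.0/0"), net("207.98.218.26/32"))])  # nat 1 0 0 / global 1 interface
    crypto_vpn = [Ace(net("192.168.191.0/24"), REMOTE)]
    _, rule = translate(nat, "192.168.190.25", "66.18.106.170")  # constructed hosts
    return rule, matches_crypto_acl(nat, crypto_vpn, "192.168.190.25", "66.18.106.170")

def first_thread(src: str, dst: str) -> Tuple[str, bool]:
    """The six regular dynamic nat/global pairs of the opening post and its crypto ACL."""
    pairs = [("172.30.1.0/24", "192.168.104.0/24"), ("172.30.16.0/24", "192.168.105.0/24"),
             ("172.30.3.0/24", "192.168.108.0/24"), ("172.30.12.0/24", "192.168.106.0/24"),
             ("172.30.7.0/24", "192.168.107.0/24"), ("172.30.35.0/24", "192.168.103.0/24")]
    nat = Nat82(dynamic=[(net(r), net(m)) for r, m in pairs])
    crypto = [Ace(net(m), net("10.31.255.128/25")) for _, m in pairs]
    mapped, _ = translate(nat, src, dst)
    return str(mapped), matches_crypto_acl(nat, crypto, src, dst)
```

Running `first_thread("172.30.16.7", "8.8.8.8")` shows the caveat for the opening post: regular dynamic NAT is not destination-aware, so those nat/global pairs also translate Internet-bound traffic; policy NAT (nat id access-list) is what scopes the translation to the remote subnet.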
-
Cisco ASA 5510 VPN with PIX 515
Hello
I have a VPN between a Cisco ASA and a Cisco PIX.
I saw this error on my syslog server; it appears once a day, more or less:
Received encrypted packet with no matching SA, dropping
I've seen the issue in other posts, but in none of them the solution.
Here are my firewall configuration files:
Output from the command: 'show running-config'
: Saved
:
ASA Version 8.2(1)
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map2 2 match address WAN_cryptomap_1
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto map WAN_map2 interface WAN
crypto isakmp enable LAN
crypto isakmp enable WAN
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 5
 lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 62.80.XX.XX type ipsec-l2l
tunnel-group 62.80.XX.XX ipsec-attributes
 pre-shared-key *
PIX Version 8.0(4)
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 match address VPN_cryptomap_2
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto map VPN_map2 interface VPN
crypto isakmp enable VPN
crypto isakmp enable inside
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 5
 lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp am-disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group 194.30.XX.XX type ipsec-l2l
tunnel-group 194.30.XX.XX ipsec-attributes
 pre-shared-key *
If you need more detailed information, ask me questions.
Thanks in advance for your help.
Javi
Hi Javi,
Please run "show run all group-policy DfltGrpPolicy". See if you have the "vpn-idle-timeout" command configured in it. If so, please change it to "vpn-idle-timeout none" and see if that stops these error messages from popping up.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426
Thank you and best regards,
Assia
-
ASA SSL VPN with RSA authentication
Has anyone implemented SSL VPN on an ASA device using RSA SecurID tokens for remote users? The data sheets indicate native RSA can be used for authentication, but does this work with SSL VPN?
Thank you
Try this link
http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html
-
ASA remote VPN with DHCP failed
I am running an ASA5540 on version 8.3(2). I have several remote VPN users working on this server. Lately, I have had problems with people starting to be unable to route anywhere, and it seems to be because they fight for the same IP address using the local pool, so I decided to try DHCP instead (I have no idea why it keeps overlapping IPs; we have tons in the pool and they fight for the same one). This just started about a month ago; we use only maybe 3-5 IPs out of a /24 block. The only thing that changed was we hired more people, but we have separate groups for the operations vs. corporate teams.
So I configured the dhcp-network-scope for the subnet and the DHCP server under the policies. I see the request go to the server, but the ASA seems to put its own MAC in the Client Hardware Address field of the DHCP header. I have attached the ASA output showing this. Anyone know why this is happening and is there a way around it?
Hello Keith,
Option 118 is great to have for this info.
Please keep an eye on it, and if you see it still works please mark it as answered so future users can refer to this discussion for a solution.
Regards
-
VPN with dynamic IP. How to use DNS?
Hello
I installed a site-to-site IPSec VPN between two Cisco routers with static public IPs. I notice that I can use dynamic IPs for the point-to-multipoint case, or host names instead of IPs. In this case, I can use these commands to configure the VPN:
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key XXXXX hostname Remote_name
(config-crypto-map)# set peer Remote_name
I also noticed that I can use a Cisco router as a DNS server, and I can add host records with:
ip host Remote_Name <IP address>
In fact, I want one router to work with a static public IP (Router_A) and the other with a dynamic public IP address from the ISP (Router_B). Then maybe I can set the router with the static IP address to work as the DNS server. I know how DynDNS works with an account and update client software on a PC/server, but I have never used hardware DDNS update clients, and I don't know what steps I must follow to implement this.
Hi John,
The section in the link below should help you configure DDNS on your router:
(See the HTTP update example)
http://www.Cisco.com/en/us/docs/iOS/12_3/12_3y/12_3ya8/gt_ddns.html#wp1203580
This link gives a summary:
http://www.no-IP.com/support/guides/routers/using_cisco_routers_with_no-IP.html
For static-to-dynamic VPN refer to this link (this requires no DDNS):
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml
HTH
Kind regards
Praveen
-
Hello
I want to configure an SSL VPN on an ISR which obtains a dynamic IP address from the ISP. I know the configuration using a static IP. How do I configure this for a dynamic IP address?
Kind regards
Tony
Hello Tony,
Just because you asked :)
Use the following syntax:
webvpn gateway x.x.x
 ip interface GigabitEthernet0 port 443
In this case you get the public IP address on giga 0.
Be sure to rate all helpful posts.
For this community, that is as important as a thank you.
-
IPSEC VPN with dynamic to dynamic IP
Hello
I have been trying IPSEC VPN with dynamic to dynamic IP (router to router) for some time. But I still cannot get the tunnel to establish automatically.
Can someone please tell me if it is possible to do?
If so, please share with me the secret to make it work.
Thank you!
Best regards
Rather than a crypto map, I would use a crypto profile. Then you establish an IPSEC tunnel. The beauty of the profile is that you can run routing protocols through it, and you do not have to constantly change the maps whenever you change the network topology. The "* * * * *" in the event timer is "minute hour day week month", so "* * * * *" is updated every minute. In the tunnel destination, it is an IP address that is stored, not a hostname, but when you set it you can put in a host name and it converts it to an IP address at the moment you configure it.
So, if you type:
config t
interface tunnel100
tunnel destination remote.dyndns.com
show run int tunnel100
It shows:
interface Tunnel100
tunnel destination 75.67.43.79
That's why the event handler goes and sets the tunnel destination every minute to whatever the DDNS says is the new IP address.
I have assumed that both of your routers run DDNS. They will have to for this.
Local router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel100
 description remote.dyndns.org
 ip address 10.254.220.10 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 75.67.43.79
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.2.0 255.255.255.0 10.254.220.9
event manager applet change-tunnel-dest
 event timer cron name "CRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination remote.dyndns.org"
!--------
Remote router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-AES-SHA
!
interface Tunnel100
 description local.dyndns.org
 ip address 10.254.220.9 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 93.219.58.191
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.1.0 255.255.255.0 10.254.220.10
event manager applet change-tunnel-dest
 event timer cron name "CRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination local.dyndns.org"
Thank you
Bert
-
ASA IPSEC VPN with a peer with dynamic IP and certificates
Hello!
Could someone please give me a working ASA config for ASA-to-ASA site-to-site IPSEC VPN with a peer with a dynamic IP and certificate authentication.
It works with PSK authentication. But the connection lands on DefaultRAGroup instead of DefaultL2LGroup with certificate
authentication.
What special config should I apply to DefaultRAGroup to get the connection up?
Thank you!
The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is configured, the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in the IKE negotiation); if the comparison fails, the connection fails. Now, you could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.
In general I would suggest using the "cert" option.
With nocheck, we are simply not strict on the IKE ID matching the certificate, which is normally not a security problem :-)