ASA-dynamic to static VPN fails

I have an ASA 5510 with a static address and a 5505 with a dynamic one.

I created a dynamic VPN on the 5510. When the 5505, with its dynamic address, tried to connect to me, I got the following errors:

Mar 25 05:45:14 [IKEv1]: IP = 213.137.6.203, Received an ISAKMP Aggressive Mode message 1 with unknown tunnel group name '213.137.6.203'.
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Removing peer from peer table failed, no match!
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Error: Unable to remove PeerTblEntry

I also get a similar error with aggressive mode disabled on the 5505.

Looks like the 5510 believes it is a request for an L2L (site-to-site) connection as opposed to a dynamically established connection.  It doesn't have a tunnel group for 213.137.6.203.  You can create a tunnel group with that name to resolve this problem.

The other option is to configure the ASA for a remote access connection (for example, Easy VPN).

Here's a URL that describes how to configure Easy VPN with NEM and L2L.  HTH

http://www.Cisco.com/application/PDF/paws/100313/pixasa_easy_l2l_vpn.PDF

Tags: Cisco Security

Similar Questions

  • PIX and ASA static, dynamic and RA VPN does not

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is at HQ and has several dynamic VPN connections (around 130), and IPsec remote-access VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510 at the remote end connects and stays up for a short period of time; however, all other VPN connections stop working.

    The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked with sh crypto ipsec sa peer x.x.x.x). However, if I make any changes to the ACL 'ACL-Remote' it affects the tunnel between the PIX and the ASA.

    Has anyone seen something like that?

    Here is more detailed information:

    HQ - IOS 8.0 (3) - PIX 515

    ASA 5510 - IOS 7.2 (3) - remote provider

    Several Huawei and Cisco routers dynamically connected via ADSL

    Several remote access IPsec users

    A static site-to-site VPN between the PIX and the ASA - does not.

    Here is the config on the PIX:

    crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
    crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto dynamic-map Dyn-VPN 100 set reverse-route
    crypto map VPN-map 30 match address ACL-Remote
    crypto map VPN-map 30 set peer 20x.xx.xx.xx
    crypto map VPN-map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto map VPN-map 100 ipsec-isakmp dynamic Dyn-VPN
    crypto map VPN-map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto ACL defined between a host and a network, while the remote end has it defined to the network.

    Make sure that the ACL is mirrored.

  • VPN site-to-site dynamic-to-static

    Dear

    I have a few sites already connected with ASA 5505 site-to-site VPN, both ends having static IP addresses.  Normally all traffic flows without any problems.  I even used 'management-access inside' on both ASAs.

    Now I have a new office with only ADSL PPPoE.  I set it up between Site B (the remote site with a dynamic IP) and Site A (static IP) following a similar Easy VPN example: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

    All my ASA 5505s run 8.4(4)

    Site A - Static IP

    Site B - Dynamic IP with pppoe connection.

    After Easy VPN connects, I don't know how to remotely manage the Site A LAN from the Site B ASA 5505?

    Best regards

    Alan.

    If you're OK with either solution, it is probably easier to use dynamic-to-static LAN-to-LAN, so that at least your solution is consistent and just uses LAN-to-LAN tunnels instead of a mixture of VPN client and LAN-to-LAN solutions.

  • Dynamic to static L2L IPSec VPN

    Hello

    I've implemented a dynamic-to-static IPsec site-to-site VPN between a branch (ship) ASA 5505 and headquarters. Now, this solution does not allow HQ to initiate the IPsec connection.

    There is a router behind the ASA 5505. I heard that if I want to keep the tunnel up, so that HQ clients can send traffic to remote clients through the tunnel, I would need to run IP SLA ICMP probes on the router behind the ASA.

    Could someone explain how to implement it?

    Thanks for your help.

    Frank

    The ICMP probe can be done from any device that is able to ping, not only from the router.

    The reason is that interesting traffic triggers the tunnel: as long as traffic is being encrypted by the VPN tunnel, the tunnel will stay up, so you will be able to open connections from HQ to your remote site.

    Hope that helps.

  • Dynamic to static IPSec with certificate-based authentication

    I'm trying to implement a dynamic-to-static LAN-to-LAN VPN from an ASA 5505 (with a dynamic IP address) to an ASA 5520 (with a static IP address).
    I want a small (/30) network on the dynamic side which I can connect to a larger (/24) network on the static side.
    I am also trying to use identity certificates for authentication.

    I produced a root and an intermediate CA, signed the intermediate CA with the root CA, and then created identity certificates for
    the ASAs, signed with the intermediate CA using OpenSSL, and imported them to a trustpoint.

    I tried to use the instructions at:
    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
    to configure certificates (replacing MS with OpenSSL), and following those instructions I:

    used ASDM to set up the appropriate identity cert on the external interface
    [Configuration -> Device Management -> Advanced -> SSL Settings]

    and established a connection profile [Configuration -> Device Management -> Connection Profiles] on both devices,
    setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept dynamic.

    I apply the settings, and nothing happens.

    show crypto isakmp sa just returns "There are no isakmp sas".

    I don't know where to start debugging it. How can I force the DHCP side to initiate a connection?

    Are you sure that both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different Diffie-Hellman group.

  • Static - VPN Site to Site DMVPN Tunnel

    Hello

    I have two sites: Site A with a Cisco ASA 5505 with static IP configuration, and Site B with a Cisco 1841 ISR with dynamic IP configuration.

    See the diagram attached for a glimpse.

    The goal is to have a site-to-site VPN tunnel between the two sites so that desktops sitting in Site B can access the application servers residing in Site A.

    Please suggest

    Regards

    @Mohammed

    Hello

    For a site-to-site IPsec, the ASA is the static side and it should have the 'dynamic' configuration, and the dynamic side (ISR 1841) should have the static configuration:

    I'll give an example configuration to achieve this, but you can use different encryption algorithms:

    ASA 5505:

    Phase 1:

    crypto isakmp policy 1
     encryption 3des
     hash md5
     authentication pre-share
     group 2

    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key cisco123
  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access-list entries that are needed.

    I've also attached the ASA 5505 config and the ASA 5510 config.

    This is the first time I've set up a VPN connection; any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at your Remote Site ASA configuration, you have not added the Central Site internal networks to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL tells the ASA which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should ensure that the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. It can also be the Central Site.

    -Jouni

  • ASA with several L2L VPN Dynamics

    I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.

    I also need some L2L VPNs with dynamic remote peers.

    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?

    Basically, all the dyn-VPNs must use the same PSK (the DefaultL2LGroup).

    But using aggressive mode on the remote peer, I could use a different PSK for every dyn-VPN:

    tunnel-group ABCD ipsec-attributes
     pre-shared-key *

    Is this configuration correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document may also be an option to configure multiple dynamic L2L VPN connections on the ASA

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • ASA problem inside the VPN client routing

    Hello

    I have a problem where I can't reach the VPN clients on their VPN IP pool from the inside or from the ASA itself. Connected VPN clients can access the internal network fine. I have no NAT configured for the VPN pool, and packet-tracer encrypts the packet and puts it into the tunnel. I'm not sure what's wrong.

    Here is some relevant config:

    object network obj-192.168.245.0
     subnet 192.168.245.0 255.255.255.0
    ip local pool vpn 192.168.245.1-192.168.245.50
    nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup

    Packet-tracer output:

    Firewall# packet-tracer input inside icmp x.x.x.x 8 0 192.168.245.33

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.245.33  255.255.255.255 outside

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group acl-Interior in interface inside
    access-list acl-Interior extended permit icmp any any echo
    Additional Information:

    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type:
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
    Additional Information:
    Static translate x.x.x.x/0 to x.x.x.x/0

    Phase: 8
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 277723432, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    There is no route to the VPN address pool. Maybe that's the problem? I don't know, other than that it used to work before we went to 8.4.

    Check if the firewall is enabled on your RA VPN client host and blocking your pings.

  • KeepAlive to restore a dynamic to static tunnel?

    Hi all

    I have a dynamic-to-static PIX 501 to PIX 501 configuration running OS 6.3. I would like to use keepalives to re-establish the tunnel when the tunnel goes down. Is this possible?

    There's a workaround rather than a solution: have the PIX at the far end use a local NTP or syslog server; this traffic would bring the tunnel up, as it has been defined as interesting.

  • Error of tunneling to ASA 5505 using "Software VPN Client"

    Here's my current network:

    I'm VPN tunneling into the ASA using the Cisco VPN Client software.

    Here is my ASA config: http://pastebin.com/raw.php?i=ad6p1Zac

    Here's my entry for the VPN Client connection information:

    (Password: cisco)

    When I try to connect, I get the error message "the received HASH payload cannot be verified".

    What is this error and how can I solve it?

    I think you need to enter this information in the group authentication fields:

    (Just below "Group authentication")

    Name: vpnclientgroup

    Password: [just what you entered as a pre shared key below]

    tunnel-group vpnclientgroup ipsec-attributes
     pre-shared-key *****

    After the tunnel is established you will get a password pop-up, where you enter "David" and the associated password.

  • 8.2 ASA dynamic VPN to ASA static config help

    Hello

    I'm trying to set up an L2L tunnel between a central ASA and a remote ASA where the remote receives a DHCP address from the provider.

    Remote ASA config:

    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    !
    ! Receives an IP address of 90.0.1.203 from the provider.
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute

    object-group network Corp_Networks
     network-object 172.16.0.0 255.240.0.0
     network-object 10.0.0.0 255.0.0.0
     network-object 192.168.252.0 255.255.255.0

    access-list SHEEP extended permit ip 10.10.10.0 255.255.255.0 object-group Corp_Networks
    access-list Remote extended permit ip 10.10.10.0 255.255.255.0 object-group Corp_Networks

    nat (inside) 0 access-list SHEEP
    nat (inside) 1 0.0.0.0 0.0.0.0

    route outside 10.0.0.0 255.255.255.0 90.0.1.1
    route outside 172.16.0.0 255.240.0.0 90.0.1.1
    route outside 192.168.252.0 255.255.255.0 90.0.1.1

    crypto ipsec transform-set ToCorp esp-3des esp-sha-hmac
    crypto map outside_map 10 match address Remote
    crypto map outside_map 10 set peer Public_address
    crypto map outside_map 10 set transform-set ToCorp
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 864000
    no crypto isakmp nat-traversal
    tunnel-group Public_address type ipsec-l2l
    tunnel-group Public_address ipsec-attributes
     pre-shared-key Council

    Corporate ASA config:

    object-group network Corp_Networks
     network-object 172.16.0.0 255.240.0.0
     network-object 10.0.0.0 255.0.0.0
     network-object 192.168.252.0 255.255.255.0

    access-list sheep extended permit ip object-group Corp_Networks 10.10.10.0 255.255.255.0
    access-list ToRemote extended permit ip object-group Corp_Networks 10.10.10.0 255.255.255.0
    nat (inside) 0 access-list sheep
    route outside 10.10.10.0 255.255.255.0 Public_Gateway

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ToRemote 65530 set transform-set ESP-3DES-SHA
    crypto map outside_map 8 ipsec-isakmp dynamic ToRemote
    crypto map outside_map interface outside
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key *

    Output from the remote endpoint:

    # sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: Public_Address
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    # sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203

          access-list Hawaii2Avid extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
          local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          current_peer: Public_address

          #pkts encaps: 616, #pkts encrypt: 616, #pkts digest: 616
          #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 616, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 90.0.1.203/4500, remote crypto endpt.: Public_address/4500
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: D6A48143
          current inbound spi : E0C4F32A

        inbound esp sas:
          spi: 0xE0C4F32A (3771003690)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, }
             slot: 0, conn_id: 36864, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914994/28098)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x007FFFFF
        outbound esp sas:
          spi: 0xD6A48143 (3601105219)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, }
             slot: 0, conn_id: 36864, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914952/28098)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

        Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203

          access-list Hawaii2Avid extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.240.0.0
          local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
          current_peer: Public_Address

          #pkts encaps: 406, #pkts encrypt: 406, #pkts digest: 406
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 406, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 90.0.1.203/4500, remote crypto endpt.: Public_Address/4500
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: 1BE239F9
          current inbound spi : AC615F8D

        inbound esp sas:
          spi: 0xAC615F8D (2892062605)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, }
             slot: 0, conn_id: 36864, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/28095)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x1BE239F9 (467810809)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, }
             slot: 0, conn_id: 36864, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914973/28092)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000000

    We just seem stuck at this point and can't seem to get traffic going back and forth, even if the tunnel does not seem to be connected.  The only concern I see is pkts getting encrypted but none decrypted.  It is usually something to do with the ACL, but this one is pretty simple.

    Thank you

    -Geoff

    Please check if you have any other crypto map / LAN-to-LAN entries configured on the Corporate ASA where the crypto ACL may overlap.

    If you can share the full crypto map as well as the crypto ACL of the Corporate ASA, we can check it for you.

    Typo in the remote ASA route statement:

    route outside 10.0.0.0 255.255.255.0 90.0.1.1

    I understand that you want to access the full class A at the company site, so the route should say:

    route outside 10.0.0.0 255.0.0.0 90.0.1.1

  • A dynamic Site static IOS ASA

    I had a hard time getting a site-to-site VPN configuration working from a dynamic address on IOS to a static address on an ASA. I followed the example found here: http://www.Cisco.com/en/us/Products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml , but it won't work if I name the tunnel group on the ASA after the IP address of the IOS WAN port; if I use a generic name such as "cisco" as in the example, it will fail. Here are my current ASA and IOS configs. 192.168.7.5.0/24 is the IOS LAN side and 192.168.254.0/24 the ASA LAN side. Any help would be appreciated.

    You must use the tunnel group DefaultL2LGroup...

    tunnel-group DefaultL2LGroup type ipsec-l2l

  • ASA & concentrator 3005 VPN fails

    Hi guys,

    I set up a VPN between an ASA 5510 running OS 7.2 (Base) and a 3005 concentrator.

    The VPN comes up perfectly if initiated from the ASA, but fails at Phase 2 when initiated from the 3005 (1.1.1.5). When failing, the ASA throws the following errors:

    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, PHASE 1 COMPLETED
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
    Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--172.19.0.0--255.255.0.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received remote IP Proxy Subnet data in ID Payload: Address 172.19.0.0, Mask 255.255.0.0, Protocol 0, Port 0
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
    Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing notify payload
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, QM IsRekeyed old sa not found by addr
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, checking map = mymap, seq = 9...
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, map = mymap, seq = 9, ACL does not match proxy IDs src:172.19.0.0 dst:192.168.2.0
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, IKE Remote Peer configured for crypto map: dynmap
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing IPSec SA payload
    Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, All IPSec SA proposals found unacceptable!
    Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, sending notify message

    What I gather from the above output is that seq 9 of crypto map mymap does not match the proposal offered by the 3005. And guess what, it doesn't - so no surprise - but seq 12 matches. So I guess that the ASA is not checking the 3005 against the whole crypto map. Is that a fair assumption? And if yes, does someone know why not?

    TIA

    Cheers

    Scott

    Hi Scott,

    We found it.

    The dynamic Crypto map must be attached to the static Crypto map only once all static entries have been configured.

    The best way is to attach the dynamic map to the last line of the static map which is line no 65535.

    So follow these steps and let me know how it goes:


    no crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap

    Please enter the commands above at the ASA configuration prompt.

    Cheers,

    Nash.
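As an added example (not code from this thread or from Cisco), here is a small Python checker for the ordering problem Nash describes: a dynamic crypto map bound at a sequence number lower than some static entries. It assumes, as the debug output above shows, that the ASA walks the crypto map in sequence order and hands the peer to the dynamic map as soon as it reaches it; the sample config, map name and addresses are constructed to mirror Scott's seq 9 / 10 / 12 layout.

```python
import re
from collections import defaultdict

# Constructed sample config (not Scott's real config): a dynamic map bound at
# seq 10 sits between static entries 9 and 12, as in the debug output above.
SAMPLE_CONFIG = """\
crypto map mymap 9 match address acl-branch-a
crypto map mymap 9 set peer 198.51.100.9
crypto map mymap 9 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 12 match address acl-branch-b
crypto map mymap 12 set peer 198.51.100.12
crypto map mymap 12 set transform-set myset
crypto map mymap interface outside
"""

DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$"
)
LAST_SEQ = 65535  # highest crypto map sequence number; where the dynamic map belongs


def parse_crypto_maps(config):
    """Group crypto map lines by map name: dynamic bindings and static entries per seq."""
    maps = defaultdict(lambda: {"dynamic": {}, "static": defaultdict(dict)})
    for raw in config.splitlines():
        line = raw.strip()
        m = DYNAMIC_RE.match(line)
        if m:
            maps[m.group(1)]["dynamic"][int(m.group(2))] = m.group(3)
            continue
        m = STATIC_RE.match(line)
        if m:
            maps[m.group(1)]["static"][int(m.group(2))][m.group(3)] = m.group(4)
    return maps


def find_shadowed_static_entries(config):
    """Report static entries whose seq is higher than a dynamic binding in the
    same map. A peer that reaches the dynamic entry first is handed to the
    dynamic map (the thread's 'IKE Remote Peer configured for crypto map: dynmap'),
    so the later static entries are never consulted for it."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        for dyn_seq, dynmap in sorted(entries["dynamic"].items()):
            shadowed = sorted(seq for seq in entries["static"] if seq > dyn_seq)
            if shadowed:
                findings.append({
                    "map": name,
                    "dynamic_seq": dyn_seq,
                    "dynamic_map": dynmap,
                    "shadowed_static_seqs": shadowed,
                })
    return findings


def suggested_fix(finding):
    """The remediation from the thread: unbind the dynamic map, re-bind it at seq 65535."""
    return [
        f"no crypto map {finding['map']} {finding['dynamic_seq']} "
        f"ipsec-isakmp dynamic {finding['dynamic_map']}",
        f"crypto map {finding['map']} {LAST_SEQ} "
        f"ipsec-isakmp dynamic {finding['dynamic_map']}",
    ]


if __name__ == "__main__":
    for f in find_shadowed_static_entries(SAMPLE_CONFIG):
        print(f"{f['map']}: dynamic map at seq {f['dynamic_seq']} "
              f"shadows static seq {f['shadowed_static_seqs']}")
        print("\n".join(suggested_fix(f)))
```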

  • VPN L2L dynamic to static w/o DefaultL2LGroup

    I was looking for a method to have a dynamic-to-static L2L VPN without using DefaultL2LGroup, but instead setting up several tunnel groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

    Now the problem: the VPN comes up, but I can't reach any device with a ping.

    Static side: ASA 5505 - 8.22

    Dynamic side: Zyxel P-661HW-D3

    Here is the config for the ASA:

    access-list outside extended permit icmp any any
    access-list outside extended deny ip any any
    access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list inside extended deny ip any any
    access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0

    nat (inside) 0 access-list VPN
    nat (inside) 1 10.1.0.0 255.255.248.0

    access-group inside in interface inside
    access-group outside in interface outside

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map DN3710 1 match address ST_3710
    crypto dynamic-map DN3710 1 set transform-set myset

    crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
    crypto map dyn-map interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    group-policy GP3710 internal
    group-policy GP3710 attributes
    vpn-filter value ST_3710
    vpn-tunnel-protocol IPSec

    tunnel-group TG3710 type ipsec-l2l
    tunnel-group TG3710 general-attributes
    default-group-policy GP3710
    tunnel-group TG3710 ipsec-attributes
    pre-shared-key *********

    As you can see, the VPN is up:

    2   IKE Peer: ***.***.***.***
        Type    : L2L             Role    : responder
        Rekey   : no              State   : AM_ACTIVE

    Thanks in advance if anyone can help me with this problem.

    Kind regards

    Luca

    Hello Luca,

    You are right: you can have the spokes land on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when making a tunnel-group lookup for L2L tunnels with pre-shared keys:

    - The IKE ID is checked first and could be a hostname (full FQDN) or an IP address

    - If the IKE ID lookup fails, the ASA tries the peer IP address

    - DefaultRAGroup/DefaultL2LGroup is used as a last resort

    From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.

    The problem I see clearly here is the VPN filter that you have applied to the group policy; keep in mind that VPN filters are applied to the VPN traffic in the inbound direction.

    When a vpn-filter is applied to a group policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the
    remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL.  Be careful when constructing the
    ACL for use with the vpn-filter feature.  The ACLs are built with decrypted traffic in mind; however, they are also applied to the traffic
    in the opposite direction.

    In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network 10.1.0.0 255.255.248.0. So let's say you want to allow just Telnet:

    The following ACE will allow the remote network to Telnet to the LAN:

    access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23

    The following ACE will allow the LAN to Telnet to the remote network:
    access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

    Note: The ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23" will also allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.

    The ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0" will also allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.

    Kind regards
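An added example, not code from this thread or from Cisco, that checks the two ACL mistakes raised here: the vpn-filter orientation explained in the answer above (remote network as source, LAN as destination) and, from Jouni's answer to "Unable to pass traffic between ASA Site to Site VPN Tunnel" earlier on this page, crypto ACLs that are not exact mirrors of each other. The ACL names, networks and the single-line "address mask" ACE syntax it parses are constructed for the example, not taken from the posters' configurations.

```python
import ipaddress
import re

# Constructed sample ACLs (not the posters' configurations). The Remote Site
# crypto ACL below is missing two of the three Central Site networks, and the
# second vpn-filter ACE is written local -> remote instead of remote -> local.
CENTRAL_CRYPTO_ACL = """\
access-list outside_1_cryptomap extended permit ip 10.182.226.0 255.255.255.0 10.1.1.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip 192.168.170.0 255.255.255.0 10.1.1.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip 192.168.172.0 255.255.255.0 10.1.1.0 255.255.255.128
"""
REMOTE_CRYPTO_ACL = """\
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
"""
VPN_FILTER_ACL = """\
access-list vpnfilt-l2l extended permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
access-list vpnfilt-l2l extended permit tcp 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0 eq 22
"""

# Only the "address mask" form with optional "eq <port>" on either side is handled.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>\S+) (?P<dmask>\S+)(?: eq (?P<dport>\S+))?$"
)


def parse_aces(text):
    """Parse extended ACEs into dicts carrying ip_network objects for src and dst."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        ace = m.groupdict()
        ace["line"] = line
        ace["src_net"] = ipaddress.ip_network(f"{ace['src']}/{ace['smask']}", strict=False)
        ace["dst_net"] = ipaddress.ip_network(f"{ace['dst']}/{ace['dmask']}", strict=False)
        aces.append(ace)
    return aces


def crypto_acl_mismatch(local_acl, remote_acl):
    """Crypto ACLs must mirror each other: every (proto, src, dst) permitted on
    one peer must appear as (proto, dst, src) on the other. Returns the entries
    the local side permits that the remote lacks, and the reverse."""
    local = {(a["proto"], a["src_net"], a["dst_net"])
             for a in parse_aces(local_acl) if a["action"] == "permit"}
    remote = {(a["proto"], a["dst_net"], a["src_net"])      # flipped to local view
              for a in parse_aces(remote_acl) if a["action"] == "permit"}
    return sorted(local - remote, key=str), sorted(remote - local, key=str)


def remote_aces_for(acl_name, missing):
    """Render the mirrored ACEs the remote peer needs for each missing
    (proto, src, dst) tuple as seen from the local side."""
    return [
        f"access-list {acl_name} extended permit {proto} "
        f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}"
        for proto, src, dst in missing
    ]


def vpn_filter_problems(filter_acl, remote_net, local_net):
    """For an L2L vpn-filter the ACE source must lie inside the remote network
    and the destination inside the local LAN; return the lines written the
    other way round (the ASA applies the filter to decrypted, inbound traffic)."""
    remote = ipaddress.ip_network(remote_net)
    local = ipaddress.ip_network(local_net)
    return [
        a["line"] for a in parse_aces(filter_acl)
        if not (a["src_net"].subnet_of(remote) and a["dst_net"].subnet_of(local))
    ]


if __name__ == "__main__":
    missing, extra = crypto_acl_mismatch(CENTRAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL)
    print("Remote Site needs:\n" + "\n".join(remote_aces_for("outside_1_cryptomap", missing)))
    print("Mis-oriented vpn-filter ACEs:", vpn_filter_problems(VPN_FILTER_ACL, "10.51.10.0/24", "10.1.0.0/21"))
```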
