ASA encrypt interesting VPN traffic

Hello everybody out there using ASA.

I have a few IPsec VPN tunnels between the company's central site and the remote sites.

Two DSL lines were connected to the ASA, one for the VPN traffic and the other for the internet.

The default gateway was configured on the internet line, while some static routes ensured that traffic to the company's sites was sent through the other line.

A few days ago we changed the ASA configuration to use only a single DSL connection: the line serving the internet was cut, the other line became the default gateway, and the static routes were removed.

The VPN connections instantly stopped working: when trying to send packets to the remote LAN, it seems that the ASA does not recognize the traffic as traffic to be encrypted. Obviously we checked the crypto map, ACL, etc., but we found no problem... do you have any suggestions?

Thanks in advance,

Matt

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

object network XNetwork
 subnet 10.10.0.0 255.255.255.0

object network YNetwork
 subnet 172.0.1.0 255.255.255.0

crypto map RB1ITSHDSL001_map2 1 match address RB1ITSHDSL001_1_cryptomap
crypto map RB1ITSHDSL001_map2 1 set peer a.b.c.186
crypto map RB1ITSHDSL001_map2 1 set transform-set ESP-3DES-SHA

access-list RB1ITSHDSL001_1_cryptomap extended permit ip object XNetwork object YNetwork

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hello

From your output, the ASA should be encrypting the traffic between XNetwork and YNetwork.

If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.

When the ASA receives a packet, it first checks whether there is an ACL that allows the traffic, then the packet passes through the inspection engine, and then the ASA checks the associated NAT. For example, if the packet gets NATed, then encryption of the private IP will never take place.

Could you make sure that packets from XNetwork really reach the ASA and that the NAT rule is correct? You could also use "debug cry isa 127" and "debug cry ips 127" to check for mismatch errors.

Also, what is the state of the tunnel while you try to communicate: "sh cry isa sa"

Federico.
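The packet-path ordering Federico describes (interface ACL, then NAT, then the crypto-map ACL evaluated against the translated packet) is what decides whether the ASA treats a flow as "interesting". The following Python script is an added illustration written for this page, not code from the thread or from Cisco: it models that ordering with first-match rule tables and runs Matt's XNetwork-to-YNetwork packet through three NAT tables. The outside address 203.0.113.10, the host addresses and the rule tables are constructed; the ASA 8.3+ commands in the comments are paraphrases of what each table stands for. The third table also shows the first-match shadowing that Jouni describes further down for NAT Section 1 rules added without a line number.

```python
"""Model of the ASA outbound packet path: interface ACL -> NAT -> crypto ACL.
Added example, not ASA code; addresses and rules are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_net(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


def acl_permits(acl, pkt):
    """First-match ACL of (action, src_cidr, dst_cidr); implicit deny at the end."""
    for action, src, dst in acl:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst):
            return action == "permit"
    return False


def apply_nat(nat_rules, pkt):
    """First-match NAT table of (src_cidr, dst_cidr, mapped_src).
    mapped_src=None is identity NAT: the real source address is kept."""
    for src, dst, mapped_src in nat_rules:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst):
            return pkt if mapped_src is None else replace(pkt, src=mapped_src)
    return pkt  # no rule matched: address unchanged


def asa_outbound_path(pkt, interface_acl, nat_rules, crypto_acl):
    """Return (verdict, post-NAT packet); verdict is dropped/encrypted/cleartext."""
    if not acl_permits(interface_acl, pkt):
        return "dropped", pkt
    # (inspection engine omitted: it does not change addresses here)
    translated = apply_nat(nat_rules, pkt)
    # The crypto map sees the packet only AFTER translation.
    if acl_permits(crypto_acl, translated):
        return "encrypted", translated
    return "cleartext", translated


XNET, YNET, ANY = "10.10.0.0/24", "172.0.1.0/24", "0.0.0.0/0"
OUTSIDE_IP = "203.0.113.10"  # constructed placeholder for the ASA outside address
INSIDE_ACL = [("permit", XNET, ANY)]
CRYPTO_ACL = [("permit", XNET, YNET)]  # access-list ..._cryptomap permit ip XNetwork YNetwork

# Only a catch-all PAT (nat (inside,outside) source dynamic any interface):
# the VPN packet is translated before the crypto ACL ever sees it.
NAT_PAT_ONLY = [(ANY, ANY, OUTSIDE_IP)]
# Identity (twice) NAT for the VPN pair placed BEFORE the PAT:
# nat (inside,outside) source static XNetwork XNetwork destination static YNetwork YNetwork
NAT_WITH_EXEMPTION = [(XNET, YNET, None), (ANY, ANY, OUTSIDE_IP)]
# Same two rules in the wrong order: the PAT shadows the identity rule.
NAT_SHADOWED = [(ANY, ANY, OUTSIDE_IP), (XNET, YNET, None)]


def classify(nat_rules, src="10.10.0.5", dst="172.0.1.9"):
    """Verdict for one XNetwork host talking to one YNetwork host."""
    verdict, _ = asa_outbound_path(Packet(src, dst), INSIDE_ACL, nat_rules, CRYPTO_ACL)
    return verdict


if __name__ == "__main__":
    for name, rules in [("PAT only", NAT_PAT_ONLY),
                        ("identity NAT first", NAT_WITH_EXEMPTION),
                        ("identity NAT shadowed", NAT_SHADOWED)]:
        print(f"{name:22s} -> {classify(rules)}")
```

Run it directly to print the three verdicts. On a real ASA the equivalent check is `show nat` to see the rule order and hit counts, and `packet-tracer input inside tcp 10.10.0.5 1025 172.0.1.9 80` to see which NAT rule the packet hits and whether the VPN phase is reached.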

Tags: Cisco Security

Similar Questions

  • Source interesting VPN traffic from PIX / ASA

    Is it possible from the CLI to source interesting traffic, or otherwise test a VPN policy?

    As far as I KNOW, this is not possible, because you cannot generate tcp/udp/icmp traffic from a source interface on the device.

  • Interesting VPN traffic

    Hi all

    Can someone explain something please? I have a VPN on a Cisco router and I want 7 host IPs to be able to communicate via the VPN. I have this ACL:

    10 permit ip 10.1.1.0 0.0.0.7 host 192.168.1.57

    What I was wondering is whether another IP, 10.1.1.7, can be represented by this host entry?

    It can.

    Wildcard masks in ACLs bear similarities to the notation of subnets and subnet masks, but they aren't really the same.

    If we were talking about a 10.1.1.0/29 subnet (255.255.255.248) then you would have only six hosts available on the network: 10.1.1.1 - 6.

    Because we are talking about an ACL, it doesn't really care about the rules of subnets. It just defines whatever is in the range 10.1.1.0 - 7.

    So, if your network is 10.1.1.0/24 (255.255.255.0), but you only want the first seven hosts on this network to be able to cross your VPN, this ACL will do the job perfectly because the ACL does not consider the 10.1.1.7 address (or any other, for that matter) to be something special.

  • ASA based S2S VPN, tunnel establishes only when interesting traffic hits from the remote end

    Dear all,

    I need your help to solve the problem mentioned below.

    VPN tunnel established between two ASA units: device A and device B.

    (1) If interesting traffic is initiated from device A's LAN, the traffic ACL gets hits, but the tunnel does not come up.

    (2) If interesting traffic is initiated from device B's LAN, the tunnel establishes and all services work.

    (3) After the tunnel is established from device B, we forced the tunnel down at both ends. Interesting traffic initiated again from device A surprisingly brings the tunnel

    up. After 2 or 3 days (after the 86400-second lifetime expires), with traffic initiated from device A, the tunnel will not establish.

    (This is a backup link: interesting traffic won't be there all the time.)

    Checked all parameters, everything seems fine. Attached are the debug logs, but they are not very informative. Please suggest.

    Feb 02 2010 13:23:17: %ASA-7-713236: IP = 81.145.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 496

    Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, KEY_ACQUIRE: Queuing messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, KEY_ACQUIRE: Queuing messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:23: %ASA-6-713219: IP = 81.x.x.x, KEY_ACQUIRE: Queuing messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:25: %ASA-7-715065: IP = 81.x.x.x, IKE MM Initiator FSM error history (struct &0x1abb1e10) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 terminating: flags 0x01000022, refcnt 0, tuncnt 0

    Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, sending delete/delete with reason message

    Feb 02 2010 13:23:25: %ASA-3-713902: IP = 81.x.x.x, Removing peer from peer table failed, no match!

    Feb 02 2010 13:23:25: %ASA-4-713903: IP = 81.x.x.x, Error: Unable to remove PeerTblEntry

    Hi, I had a similar problem a long time ago. You can choose which side sets up the tunnel in your crypto map:

    crypto map IPsec_map 1 set connection-type bidirectional

    I hope that it might help to solve your problem. Kind regards.

  • Site2Site VPN ASA 5505 - allow established traffic

    Hello

    I have an ikev1/IPsec tunnel between two ASAs.

    Local network 10.31.0.0/16

    The other site's local network 172.21.0.0/24

    But I would like only traffic initiated from 10.31.0.0/16 to be allowed between 172.21.0.0/24 and 10.31.0.0/16. Is that possible?

    (Replies to 10.31.0.0/16 from the remote network 172.21.0.0/24 should still be allowed.)

    Best regards, Steffen.

    Hello

    If I have understood the above question correctly, then I think you could do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it:

    sysopt connection permit-vpn

    This does not show in the CLI configuration since it is the default setting.

    You can check this with the command

    show run all sysopt

    This will list even the default settings.

    Now what this configuration essentially means is to allow ALL traffic that comes through a VPN connection to get through the ASA interface ACL. So in your case, on the ASA with the network 10.31.0.0/16, the ASA would allow connections coming through the VPN from the other site's network 172.21.0.0/24 (as long as they were allowed on the other site's ASA LAN interface ACL).

    What you could do is insert the following configuration

    no sysopt connection permit-vpn

    What this would do is require you to ALLOW ALL traffic that is coming through the VPN connection in the 'outside' interface ACL of the ASA (which I suppose is the name of your current interface that handles the VPN connections). In other words, the VPN traffic would not get a "pass" through the ACL of the 'outside' interface; instead you must allow it like all other traffic from the Internet.

    If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL towards the LAN. If you insert the configuration above without doing this, you will notice that their traffic will start getting blocked by the 'outside' interface ACL (or if you don't have an ACL configured then the ASA's 'security level' will naturally block the traffic in the same way an ACL would).

    So if we assume that the L2L VPN is the only VPN you have configured on the ASA with 10.31.0.0/16, then the following changes would happen:

    • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network 172.21.0.0/24 provided the LAN interface ACL allows this traffic
    • Return traffic for these connections would of course be allowed by the ASA like all other traffic.
    • IF the 172.21.0.0/24 network sends incoming connection requests to the ASA with the 10.31.0.0/16 network, they would be dropped unless you ALLOW them in the 'outside' interface ACL

    Hope this made sense and helped

    Please consider marking the answer as the correct answer if it answered your question.

    Naturally ask more if necessary

    -Jouni

  • L2L ASA sends no encrypted traffic

    I currently have a problem passing traffic from an ASA 5520 to an 877W. Traffic is being encrypted on the router towards the ASA (as shown below), but the ASA doesn't send any encrypted traffic. I tried upgrading 8.4(7) to 9.1(5), wiping the config, and configuring the VPN via the CLI and via the ASDM wizard. I also tried an 1841 and encountered the same problem.

    Any ideas before I open a TAC case? Pulling my hair out with this one!

    877W Config:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key psk address ASA-EXTERNAL

    crypto ipsec transform-set TS esp-3des esp-sha-hmac

    crypto map CMAP 10 ipsec-isakmp
     set peer ASA-EXTERNAL
     set security-association lifetime seconds 28800
     set transform-set TS
     match address VPN-TRAFFIC

    interface Dialer0
     crypto map CMAP

    ip route 0.0.0.0 0.0.0.0 Dialer0

    ip nat inside source list 100 interface Dialer0 overload

    ip access-list extended VPN-TRAFFIC
     permit ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255

    access-list 100 remark NAT set
    access-list 100 deny ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
    access-list 100 remark
    access-list 100 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 100 permit ip 192.168.20.0 0.0.0.255 any

    ASA:

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address EXTERNAL-ASA-IP
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 172.16.250.247 255.255.255.0
    !
    same-security-traffic permit inter-interface
    object network VPNLocal
     subnet 172.16.250.0 255.255.255.0
    object network VPNRemote
     subnet 192.168.20.0 255.255.255.0

    access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote
    access-list outside_access_in extended permit ip object VPNRemote 172.16.250.0 255.255.255.0 log disable
    access-list inside_access_in extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote

    icmp permit any outside
    icmp permit any inside

    nat (inside,outside) source static VPNLocal VPNLocal destination static VPNRemote VPNRemote no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside

    route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP 1
    route inside 10.0.0.0 255.0.0.0 CORE-ROUTER 1

    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 877W-IP
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside

    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    group-policy GroupPolicy_877W-IP internal
    group-policy GroupPolicy_877W-IP attributes
     vpn-tunnel-protocol ikev1

    tunnel-group 877W-IP type ipsec-l2l
    tunnel-group 877W-IP general-attributes
     default-group-policy GroupPolicy_81.133.227.150
    tunnel-group 877W-IP ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global_policy
    policy-map global-policy
     class global-class
      inspect icmp
      inspect icmp error
    !
    service-policy global-policy global
    prompt hostname context

    877W# sh crypto ipsec sa

    interface: Dialer0
        Crypto map tag: CMAP, local addr 877W-IP

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
       current_peer ASA-EXTERNAL port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1771, #pkts encrypt: 1771, #pkts digest: 1771
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 17, #recv errors 0

         local crypto endpt.: 877W-IP, remote crypto endpt.: ASA-EXTERNAL
         path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
         current outbound spi: 0xD82FD3CE(3627013070)

         inbound esp sas:
          spi: 0x31F9F14C(838463820)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4544227/24786)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xD82FD3CE(3627013070)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4544168/24786)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access2
        Crypto map tag: CMAP, local addr 0.0.0.0

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
       current_peer ASA-EXTERNAL port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 0.0.0.0, remote crypto endpt.: ASA-EXTERNAL
         path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    ASA# sh crypto ipsec sa

    peer address: 877W-IP
        Crypto map tag: outside_map, seq num: 1, local addr: ASA-EXTERNAL

          access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          current_peer: 877W-IP

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 539, #pkts decrypt: 539, #pkts verify: 539
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: ASA-EXTERNAL/0, remote crypto endpt.: 877W-IP/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 31F9F14C
          current inbound spi : D82FD3CE

        inbound esp sas:
          spi: 0xD82FD3CE (3627013070)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 81920, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373968/24993)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x31F9F14C (838463820)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 81920, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/24993)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Glad you got it sorted :-)

    --

    Please do not forget to select a correct answer and rate useful posts

  • ASA L2L VPN tunnels vpn-filter

    I need help understanding how the vpn-filter command is applied to tunnel traffic. Until very recently, I was under the impression that the vpn-filter command (applied in the group policy) provided inbound access control (outside to inside) for VPN traffic after decryption. Recently I changed one of my VPN connections (added a phase 2 access list entry), which caused me to question how the vpn-filter works.

    Example -

    original VPN connection - my side hosted the server and the clients were on the other side. My vpn-filter rule allowed the clients to come to my server.

    addition - (with the original setting still in place) - the other side is now hosting a server and my side has the clients.

    Without any changes to the vpn-filter, I experienced: phase 2 tunnel built but no packet encryption or decryption, and no error in syslog.

    Using packet-tracer, I discovered that an access list (vpn-user subtype) blocked access. "vpn-user" must be a Cisco term because it is not in my config. I added an entry to my vpn-filter ACL allowing their server to talk to my clients. Adding that to the vpn-filter made the tunnel start working.

    I would have thought

    the vpn-filter ACL was dynamic and did not require an entry

    or

    that without the vpn-filter ACL entry, phase 2 would have shown encryption/decryption and perhaps an ACL deny message in the syslog. Basically, the traffic is encrypted, reaches the server side, is decrypted and then dropped by the access policy.

    Does anyone have a further explanation or documentation?

    Thank you

    Rick

    Rick,

    The problem is that the ACL applied through the vpn-filter is not dynamic.

    A vpn-filter command applies to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group. When a vpn-filter command is applied to a group policy that governs remote access VPN client connections, the ACL must be configured with the client-assigned IP addresses in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL.

    When a vpn-filter command is applied to a group policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL.

    Use caution when constructing the ACL for use with the vpn-filter feature. The ACL is built with the post-decrypted traffic in mind. However, the ACL is also applied to the traffic in the opposite direction. For this pre-encrypted traffic that is destined for the tunnel, the ACL is applied with the src_ip and dest_ip positions swapped.

    More information here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_groups.html

    Hope it helps.

    Federico.

  • ASA 8.4 NAT with VPN issue.

    Hello

    I'm working on a customer site and they have a problem with one of their VPNs (we have others working well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic from inside to outside:

    It works with a specific manual NAT rule sourced from the server object 10.10.10.10

    Inside
    SRC -> DST
    10.10.10.10 -> 1.1.2.10  ==SNAT==>  1.1.1.10 -> 1.1.2.10  ==VPN==>  1.1.1.10 -> 1.1.2.10  <3rd party FW>

    It works with a specific object NAT on the server object 10.10.10.10

    Remote
    SRC -> DST
    <3rd party FW>  1.1.2.10 -> 1.1.1.10  ==VPN==>  1.1.2.10 -> 1.1.1.10  ==DNAT==>  1.1.2.10 -> 10.10.10.10

    If we have both the manual NAT and the object NAT, it does not work.

    So the question is (as I am new to ASA code 8.3+): should we not mix the 2 types of NAT, and look at configuring it all with manual NAT or with object NAT?

    With the object NAT removed it does not work, as the traffic is caught by the catch-all inside-to-outside NAT:

    nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1 and then does not match the crypto map for the VPN)

    and I tried a no-NAT rule above that, but that does not work either.

    Clutching at straws comes to mind, trying one config after another. Any pointers in the right direction would be great.

    Kind regards

    Z

    Hello

    I'm not sure I follow the setup even with the explanation. Every NAT configuration I have done for VPN used Section 1 Manual/Twice NAT.

    You have configured the default PAT rule you use as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:

    • Section 1: Manual/Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual/Twice NAT (moved to Section 3 using the "after-auto" parameter)
    • The sections are gone through in order from 1 to 2 to 3 to find a match.

    You should also notice that Section 1 and Section 3 NAT have a "line number" parameter similar to the ACL line number. So if you have an existing default PAT rule configured as Section 1 and just add another Section 1 NAT rule without a line/order number (the VPN NAT), then it will just fall under the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. Ultimately, this means that you have to constantly watch and edit its configuration when you try to configure more specific rules.

    As a general rule, the Section 3 default PAT configuration would be the following

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. That would naturally mean the change would temporarily tear down all the current connections through "inside"/"outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be Section 3. Naturally, Section 1 will be matched first.

    I'm not quite sure I have understood your setup from the above.

    Are you just doing source NAT?

    I guess the configuration you are doing is something like this?

    object network LAN-REAL
     subnet 10.10.10.0 255.255.255.0

    object network LAN-MAPPED
     subnet 1.1.1.0 255.255.255.0

    object network REMOTE-LAN
     subnet 1.1.2.0 255.255.255.0

    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the network 1.1.1.0/24 is supposed to be the one directly connected to your "outside" interface, then the format may need to be something else.

    -Jouni

  • VPN needs access to all external/internal traffic, all VPN traffic in the tunnel

    Hello

    Could someone help me find the problem?

    I am configuring the ASA as firewall + VPN server. Essentially the outside of the device accesses the T1 (there are two VLANs on the inside behind an iptables box; the outside of the iptables box is on the same VLAN as the inside of the ASA (192.168.5.1 and 192.168.5.2)). VPN users are authenticated via 2-factor authentication (SDI, IP is 192.168.5.5) and get the ACL from the local database. The VPN pool is 192.168.6.1 - 192.168.6.15. The VPN pool is NATed to the external IP address.

    Trying to access a remote host A from host a is open for the IP and one specific protocol. All VPN traffic is in the tunnel. The VPN user can connect, but the ACL vpnuser1_ONLY does not work as expected.

    Here is the relevant part of the configuration:

    ASA Version 8.2(2)
    ...........
    route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1
    route inside companynet1 255.255.255.0 192.168.5.2 1
    route inside companynet2 255.255.255.0 192.168.5.2 1
    route inside companynet3 255.255.255.0 192.168.5.2 1
    route inside companynet4 255.255.255.0 192.168.5.2 1
    ...............
    route inside companynetn 255.255.255.0 192.168.5.2 1

    nat (inside) 4 vpnpool 255.255.255.0 outside   <--------- is this ...?>
    global (outside) 4 xx.10.194.238 netmask 255.255.255.255
    split-tunnel-policy tunnelall
    .....................
    access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 192.168.1.28 eq ssh
    access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 74.2.23.195 eq ssh
    ............
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-simultaneous-logins 8
     vpn-idle-timeout 10
     vpn-session-timeout 60
     vpn-tunnel-protocol l2tp-ipsec
     webvpn
      svc keep-installer installed
      svc rekey time 8
      svc rekey method ssl
      svc ask none default svc
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-simultaneous-logins 1
     vpn-idle-timeout 9
     vpn-session-timeout 45
     vpn-tunnel-protocol svc
     split-tunnel-policy tunnelall
     webvpn
      svc keep-installer installed
      svc rekey time 15
      svc rekey method ssl
      svc dpd-interval client 30
      svc dpd-interval gateway 30
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc routing-filtering-ignore disable
    username vpnuser1 password xxxxxxx encrypted
    username vpnuser1 attributes
     vpn-group-policy GroupPolicy1
     vpn-idle-timeout 6
     vpn-session-timeout 20
     vpn-filter value vpnuser1_ONLY
     vpn-tunnel-protocol svc
     group-lock value COMAVPN
     service-type remote-access
    tunnel-group DefaultRAGroup webvpn-attributes
     group-alias companyvpn disable
    tunnel-group COMAVPN type remote-access
    tunnel-group COMAVPN general-attributes
     address-pool (inside) vpnpool
     address-pool vpnpool
     authentication-server-group SDI
     authentication-server-group (inside) SDI
     authorization-server-group LOCAL
     default-group-policy GroupPolicy1
    tunnel-group COMAVPN webvpn-attributes
     group-alias companyremote enable

    Did I do anything wrong, or miss something?

    Thank you

    Yijun

    First of all, you can set "no nat-control", but once you have a NAT statement, 'no nat-control' is effectively disabled anyway. 'no nat-control' is useful if you have no NAT statement at all on the interface.

    Second, if you can't access the inside from the outside, that is because you must configure NAT exemption. Not sure if you have configured it.

    Here's the command:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

    nat (inside) 0 access-list sheep

    You can then add all other internal subnets to the sheep ACL if they need VPN access.

    Finally, for the deny error message on access-group "OUTSIDE", you would need to check whether you have "sysopt connection permit-vpn" configured. If it is disabled, the ASA will also check the "OUTSIDE" interface ACL for VPN traffic.

  • Changing the default port of ASA AnyConnect remote access VPN.

    Hello!!! Now I need to configure AnyConnect remote access VPN, and I have a question.

    The default AnyConnect port is 443, but that port is occupied on the ASA. We use this port for another application.

    How do I change the port used to connect? Is this possible? Thank you!!!

    Hi, please add the following configuration:

    1. Enable the WebVPN feature on the ASA:
      ASA(config)#webvpn
    2. Enable WebVPN services on the outside interface of the ASA:
      ASA(config-webvpn)#enable outside
    3. Make the ASA listen for WebVPN traffic on the custom port number:
      ASA(config-webvpn)#port <1-65535>
  • ASA5520 7.2 - filtering VPN traffic

    Hi all,

    I would like to know how I can filter VPN traffic with an access list, using the source address and destination port as filters.

    I tried with "no sysopt connection permit-vpn" but that filters the traffic going through the VPN tunnel, and I want to filter which hosts can establish the VPN tunnel.

    I did it on a router with this access list:

    access-list 101 remark VPN

    access-list 101 permit ahp host x.x.x.x any

    access-list 101 permit esp host x.x.x.x any log

    access-list 101 permit esp host x.x.x.x any

    access-list 101 permit udp host x.x.x.x any eq isakmp

    access-list 101 permit udp host x.x.x.x any eq non500-isakmp

    But I tried the same thing on the ASA and it does not work; I think it's because the ASA does not apply the access list to VPN traffic.

    Sincerely, Fernando.

    Fernando

    You can disable it with "no crypto isakmp enable outside", but then even if you apply an ACL to the outside which allows all IP, ESP and AH, it still does not allow an IPsec connection.

    So for the moment I see no way to do this without using an ACL on your upstream router.

    I'll do some reading just in case I missed something.

    Jon

  • Monitoring of VPN traffic

    If a user connects using the AnyConnect client, and then connects via RDP to an internal Windows machine, would I be able to see all traffic from the RDP session via syslog?  I can see the client login, auth, DHCP, then port 3389 in order to connect to the internal Windows box, but only the one connection on port 3389 (and the subsequent termination of the VPN session at the user's request).  It seems that there is a kind of traffic through the ASA to the VPN client, at least at the presentation layer level.  I've been asked to look at this to determine if a person was actually connected and working, or if they have just connected to make it look like they were doing their job.

    Also, in the same vein: is there a difference shown when a session ends due to the max session time versus a user actually disconnecting?  The reason I ask is that the above user was connected for exactly 12 hours, which is the max connection time (720 minutes), but the log says it was at the user's request.  My guess is that it was a max session timeout, but I have to be positive about that.

    Thanks in advance...

    If the RDP user is on a device, the activity that takes place during the RDP session would be from this device to other applications. When you talk about syslog, I guess you see syslog messages when the RDP box creates an outgoing connection to another subnet that goes through the ASA, and the ASA sends syslog messages?

    If you want to see activity in the RDP session, you need to check the outbound connections of the RDP host, and for the ASA to trigger and send syslog, traffic from the RDP host must pass through the ASA.

    Example:

    Connect via AnyConnect and RDP to 192.168.1.5.

    If you want to check the activity, you will need to check all the connections that 192.168.1.5 launches.

    Regarding the max session disconnects, can you please share the syslog message which specifies that.

    Hope that helps.
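    As an added example (not from this thread), a small Python script that reads constructed ASA syslog lines in the shape of messages 302013 (connection built) and 113019 (VPN session disconnected), lists the connections the RDP host itself opened through the ASA, and flags a disconnect whose duration reached the 720-minute maximum regardless of the logged reason. Hosts, usernames and counters are made up for this example.

```python
import re

# Constructed sample lines in the shape of ASA messages 302013 (connection built)
# and 113019 (VPN session disconnected); hosts, users and byte counts are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 7001 for outside:192.168.1.5/51022 (192.168.1.5/51022) to inside:10.0.0.7/3389 (10.0.0.7/3389)
%ASA-6-302013: Built outbound TCP connection 7002 for inside:10.0.0.7/49300 (10.0.0.7/49300) to outside:203.0.113.9/443 (203.0.113.9/443)
%ASA-6-302013: Built outbound TCP connection 7003 for inside:10.0.0.7/49301 (10.0.0.7/49301) to dmz:10.0.5.4/445 (10.0.5.4/445)
%ASA-4-113019: Group = RA-VPN, Username = jdoe, IP = 198.51.100.20, Session disconnected. Session Type: SSL, Duration: 12h:00m:00s, Bytes xmt: 8300000, Bytes rcv: 410000, Reason: User Requested
"""

BUILT = re.compile(r"%ASA-6-302013: Built (?:in|out)bound TCP connection (?P<id>\d+) for "
                   r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
                   r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
DISC = re.compile(r"%ASA-4-113019: .*Username = (?P<user>[^,]+), .*Duration: (?P<dur>[^,]+), "
                  r".*Reason: (?P<reason>.+)$")

def connections(log):
    """Every 302013 'Built' event as a dict (conn id, interfaces, src, dst, dport)."""
    return [m.groupdict() for m in (BUILT.search(l) for l in log.splitlines()) if m]

def rdp_host_activity(log, rdp_host):
    """Connections the RDP host itself opened through the ASA: the only trace of
    what a user does inside an RDP session that the firewall can see."""
    return [c for c in connections(log) if c["src"] == rdp_host]

def duration_minutes(text):
    """Convert the 113019 'Xh:Ym:Zs' duration into minutes."""
    h, m, s = (int(x) for x in re.match(r"(\d+)h:(\d+)m:(\d+)s", text).groups())
    return h * 60 + m + s / 60

def disconnects(log, max_minutes=720):
    """113019 events, flagged when the session lasted the group's whole maximum
    time (720 min in the thread) so the logged reason can be double-checked."""
    out = []
    for line in log.splitlines():
        m = DISC.search(line)
        if not m:
            continue
        minutes = duration_minutes(m["dur"])
        out.append({"user": m["user"], "reason": m["reason"].strip(),
                    "minutes": minutes, "at_max_time": minutes >= max_minutes})
    return out
```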

  • Can the NAT of ASA configuration for vpn local pool

    We have a remote IPsec tunnel group; the clients' address pool uses 172.18.33.0/24, which is set up with the "ip local pool" command. The remote clients must use a full IPsec tunnel.

    Because of IP overlap or route count, we would like to NAT this local pool of 172.18.33.0 to the 192.168.3.0 subnet when VPN users access certain servers or subnets via the external interface of the ASA.  I have NAT mapping address commands from one interface to another interface of the ASA. The local VPN pool is not behind any physical interface of the ASA. My question is, can the ASA configure policy NAT for the VPN local pool?  If so, how to set up this NAT.

    Thank you

    Haiying

    Elijah,

    access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0

    static (outside,outside) 192.168.33.0 access-list NAT_VPNClients

    The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when you go to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your server subnet).

    To allow the ASA to redirect traffic back out the same interface on which it was received, you must also add the command:

    same-security-traffic permit intra-interface

    Federico.

  • ASA 5505 ipsec vpn connection fails

    Hello

    I'm trying to configure a Cisco ASA 5505 for Remote Clients.

    I used the ASDM interface and the Startup and IPsec wizards for my setup, but I'm hitting a stumbling block.

    For the last 2 days I have tried a number of configuration changes to try to make this work but couldn't, so I did a factory reset and went through the wizards once again; I now have a clean setup that I hope someone can help me with.

    Currently I have a static public IP 81.137.x.x and I use a Netgear ADSL router, which forwards VPN traffic (UDP 500) to 192.168.171.35 (the WAN port on the ASA 5505).

    The Cisco ASA has a default address of 192.168.1.1

    I use the Cisco Client 5.0.06.0160.

    I have configured the client to use group authentication with the same credentials as configured through the wizard, and I'm using Transparent Tunneling IPsec over UDP.

    I have attached 2 documents

    running_config.txt - shows the current configuration of the ASA

    Journal - View.txt - the error messages displayed in the real-time log viewer when I try to connect from the remote client.

    I'm not sure if I need to do any additional configuration for my setup beyond simply running the wizards.

    Any help would be appreciated.

    Thank you

    Hello Philippe,

    According to the lines in the log, there is a routing problem for the VPN client's requested IP address. The ASA couldn't find a suitable route definition for the return traffic. Adding a default route for unknown destinations could solve this problem. As I see you are using the Netgear modem as the default gateway for your ASA, I'll write an example command line for this purpose.

    route outside 0.0.0.0 0.0.0.0 NetGear_LAN_IP_Address 1

    Ufuk Güler

  • VPN traffic via a secondary access provider

    Hello world

    I have been asked by a client to implement this topology:

    where:

    ISP 1 is used as primary internet connection.

    ISP 2 will be used to connect remote users by IPsec VPN.

    Currently I'm not looking for the Active/Backup feature; I need to know if I can use both ISP connections (as I've written above), one ISP for the company's Internet access and the other for the remote access VPN users.

    I read some posts where it was said that it's possible, but I want to be sure.

    Kind regards

    Jose

    The ASA must add the static route to the routing table automatically when the VPN client connects. So, in general, you don't need to do anything. But if not, you can just manually configure a route that forwards VPN client IP packets to ISP2.

    With respect to NAT, in general, VPN traffic must bypass NAT. You can use "nat (inside_interface_name) 0 access-list <acl_name>" with an ACL that defines the VPN traffic to do so.
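    As an added example (not from the thread above), a Python check that mirrors the NAT-before-crypto ordering behind this advice: it parses constructed ASA 8.2-style ACLs (the crypto-map ACL and the ACL named by "nat (inside) 0 access-list") and reports whether a given flow would be encrypted or NATed first. The ACL names, networks and the deliberately mismatched NAT-exemption entry are assumptions made for the example.

```python
import ipaddress
import re

# Constructed ASA 8.2-style ACLs for this example. The NAT-exemption ACL deliberately
# names the wrong destination subnet (172.0.2.0 instead of 172.0.1.0) to show the failure.
CRYPTO_ACL = """\
access-list VPN_TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 172.0.1.0 255.255.255.0
"""
NONAT_ACL = """\
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 172.0.2.0 255.255.255.0
"""
# A corrected exemption ACL: the same entry the crypto map uses, under the NONAT name.
NONAT_ACL_FIXED = CRYPTO_ACL.replace("VPN_TRAFFIC", "NONAT")

ACE = re.compile(r"access-list \S+ extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")

def parse_acl(text):
    """Return (src_net, dst_net) pairs from 'permit ip A MASK B MASK' entries."""
    nets = []
    for m in ACE.finditer(text):
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        nets.append((src, dst))
    return nets

def acl_matches(acl, src_ip, dst_ip):
    """True when any ACE covers both the source and the destination address."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in parse_acl(acl))

def diagnose(src_ip, dst_ip, crypto_acl=CRYPTO_ACL, nonat_acl=NONAT_ACL):
    """NAT is evaluated before the crypto map, so an interesting flow that is
    not NAT-exempt is translated first and then no longer matches the crypto ACL."""
    interesting = acl_matches(crypto_acl, src_ip, dst_ip)
    exempt = acl_matches(nonat_acl, src_ip, dst_ip)
    if not interesting:
        return "not interesting: forwarded in the clear by design"
    if not exempt:
        return "interesting but NATed before encryption: add the flow to the NAT-exemption ACL"
    return "encrypted"
```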
