ASA L2L filter-VPN Tunnels

I need help to understand how the vpn-filter command is applied to the traffic tunnel. Until very recently, I was under the command of printing the vpn-filter (applied in Group Policy) provided an access control incoming (outside to inside) for VPN traffic after decryption. Recently I change any of my VPN connections (add a phase access list entry 2) which causes questioning me how the vpn-filter.

Example-

original vpn connection - my side hosted the server and the clients were on the other side. My vpn-filter rule has allowed customers to come to my server.

more - (above the original setting still in place) - the other side is now hosting a server and on my side has clients.

Without any changes to vpn-filter, I have lived: phase 2 built tunnel but no packet encryption or decryption and no error in syslog.

Using packet - trace, I discovered a list of access (vpn-user subtype) blocked access. "vpn-user" must be a Cisco term because it is not in my config. I added an entry to my vpn-filter acl allowing their server to talk to my clients. Adding to the vpn-filter enabled that the tunnel started working.

I would have thought

vpn-filter acl was dynamic and not required an entry

the without the vpn-filter acl, the phase would have shown his encryption/decryption and perhaps an acl deny message in the system log. Basically, the traffic is encrypted, returns server, decrypted and then dropped access policy.

Have a further explanation or documentation?

Thank you

Rick

Rick,

The problem is that the ACL applied through the vpn-filter is not dynamic.

A vpn-filter command applies to traffic after decrypted once it comes out a tunnel and the previously encrypted traffic before entering a tunnel. An ACL that is used for a vpn-filter should NOT also be used to access interface group. When a vpn-filter command is applied to a group policy which governs customer connections access remote VPN, the ACL must be configured with the assigned client IP addresses in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

When a vpn-filter command is applied to a political group that governs a connection VPN from LAN to LAN, the ACL must be configured with the remote network in the position of src_ip of the ACL and the LAN in the position of dest_ip of the ACL.

Caution when the construction of the ACL for use with the vpn-filter feature. The ACL are built with traffic after decrypted in mind. However, ACL also apply to the oncoming traffic. For this previously encrypted traffic that is intended for the tunnel, the ACL are built with exchanged src_ip and dest_ip positions.

More information here:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_groups.html

It will be useful.

Federico.

Tags: Cisco Security

Similar Questions

Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

HelloW everyone.

I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

but the vpn does not come to the top. can someone tell me what can be the root cause?

Here is the configuration of twa asa: (I changed the ip address all the)

Singapore:

See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">

!
<--- more="" ---="">

interface GigabitEthernet0/3
<--- more="" ---="">

Shutdown
<--- more="" ---="">

No nameif
<--- more="" ---="">

no level of security
<--- more="" ---="">

no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">

192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">

service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">

ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server

Community trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">

IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">

inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end

Malaysia:

:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">

!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">

Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">

tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">

host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">

Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server

No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">

tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">

inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good news, that VPN has been implemented!

According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

In addition, you can try to enable ICMP inspection:

Policy-map global_policy
class inspection_default

inspect the icmp

inspect the icmp error

ASA base S2S VPN, Tunnel establishes only when interesting traffic hits to end distance

Dear all,

I need your help to solve the problem mentioned below.

VPN tunnel established between the unit two ASA. A DEVICE and device B

(1) if interesting traffic initiates a LAN device. traffic ACL hits. TUNEL is not coming

(2) if interesting traffic initiates B LAN device. Tunnel will establish all the works of serivces

(3) after the Tunnel device establishmnet B. We forced to tunnel down at both ends. Interesting again traffic initiates device a surpringly tunnel

will go up. After 2 or 3 days (after life expire 86400 seconds) initiated traffic of device A, tunnel will not esatblish.

(it comes to rescue link: interesting won't be there all the time.)

checked all parametrs, everthing seems fine. Here are the logs of attached but not more informative debugging on the balls. Please suggest.

February 2, 2010 13:23:17: % ASA-7-713236: IP = 81.145.x.x, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 496

February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:23: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:25: % ASA-7-715065: IP = 81.x.x.x, history of mistake IKE MM Initiator WSF (struct & 0x1abb1e10) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, sending clear/delete with the message of reason

February 2, 2010 13:23:25: % ASA-3-713902: IP = 81.x.x.x, counterpart of drop table counterpart, didn't match!

February 2, 2010 13:23:25: % ASA-4-713903: IP = 81.x.x.x, error: cannot delete PeerTblEntry

Hi, I have a similar problem a long time ago. You can choose which set up the tunnel in your crypto card:

card crypto bidirectional IPsec_map 1 set-type of connection

I hope that it might help to solve your problem. Kind regards.

ASA to 1841 VPN Tunnel

Hello

I am trying to establish a VPN tunnel from site to site between 2 offices. An agency has a Cisco 1841 and the other a pair of ASA 5510. I get the tunnel to establish without problem. The problem is that traffic will the intended to the ASA 1841 will not encrypt to this particular tunnel. I get decaps on the session, but no program. I've reconfigured the tunnel several times but keep getting the same result:

Interface: FastEthernet0/1
The session state: UP-ACTIVE
Peer: 202.41.148.5 port fvrf 500: (none) ivrf: (none)
Phase1_id: 202.41.148.5
DESC: (none)
IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
Capabilities: (None) connid:98 life time: 23:45:02
FLOW IPSEC: allowed ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
Active sAs: 2, origin: card crypto
On arrival: dec #pkts'ed 17 drop 0 life (KB/s) 4569995/2704
Outbound: #pkts enc'ed drop 0 0 life (KB/s) 4569996/2704

Any suggestions would be greatly appreciated.

Andy

Your ACL 100 is not exempt traffic 192.168.5.0-> 10.0.96.0 of the NAT process. Please add the line below above the permit statement and test again.

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

ASA Cisco IPSEC VPN tunnel has not managed the traffic

Hi guys

I am trying to set up a new connection IPSEC VPN between a Cisco ASA 5520 (verion 8.4 (4)) and Checkpoint Firewall. I managed to establish the phases IKE and IPSEC and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the cryptomap both ends and try to test with a contionuous ping from within the network of the SAA.

I made a screenshot of ICMP packets but cannot see in ASA. I welcomed the icmp inside ASA interface.

I did a package tracer and it ends with a fall of vpn - filter the packets. But can not see any configured filters...

Your help is very appreciated...

Thank you

You probably need to add nat negate statements:-something like.

object-group network OBJ-LOCAL
Network 10.155.176.0 255.255.255.0
object-group network OBJ / remote
object-network 192.168.101.0 255.255.255.0
NAT static OBJ-LOCALOBJ-LOCAL source destination (indoor, outdoor) static OBJ-REMOTE OBJ-REMOTE-no-proxy-arp

You are running 8.4 nat 0 has been amortized

WCCP and ASA L2L VPN Tunnel

How L2L WCCP vpn tunnel? If there is a Web page on the otherside of the tunnel that I need access on ports 80 and 443, it goes through the process of WCCP. How will I know the traffic through the tunnel for 80 and 443 to ignore the WCCP?

Hello

I have not had to deal with WCCP on the SAA configurations as it, but to my knowledge, this could be done in the ACL that is used in configuring WCCP on the SAA.

I mean a single montage we have has an ACL that simply bypasses the WCCP for some destination addresses.

The ACL was originally for example

WCCP ip access list allow a whole

Then we had to stop it for some destination network and we would add a Deny statement at the top of the ACL

access-list 1 deny ip WCCP line any 10.10.10.0 255.255.255.0

-Jouni

Transfer between Cisco ASA VPN Tunnels

Hi Experts,

I have a situation where I need to set up the transfer between two VPN Tunnels completed in the same box ASA. A VPN Tunnel will incoming traffic and that traffic should be sent to the bottom of the other VPN Tunnel to the ASA. The two VPN Tunnels are from the Internet and speak with the same IP address of the ASA peers.

Retail

Tunnel A

Source: 192.168.1.0/25

Destination: 10.1.1.0/25

Local counterpart: 170.252.100.20 (ASA in question)

Remote peer: 144.36.255.254

Tunnel B

Source: 192.168.1.0/25

Destination: 10.1.1.0/25

Local peer IP: 170.252.100.20 (box of ASA in question)

Distance from peer IP: 195.75.75.1

Can this be achieved? what configurations are needed in the ASA apart cryptographic ACL entries?

Thanks in advance for your time.

Believed that, in this case your config is good, and you can avoid using routes on your asa since it must route based on its default gateway, make sure you have good sheep in place rules and the inter-to interface same-security-interface allowed return you will need.

Should I apply a single to several L2L VPN VPN filter, or each VPN tunnel have their own VPN on an ASA filter?

Currently, I am trying to decide if what VPN creation filters, if I just create one and apply to multiple VPN tunnels or if each must have their own VPN tunnel filter VPN. Creating a VPN filter for each VPN tunnel seems like extra work but do not know if this is the best choice. I looked through the documentation, but they never mention the VPN application filters to several tunnels.

Hello Jork,

If you add filters for each VPN tunnel group, it will be more work, but at the same, you will have more control over the external users trying to connect to your network.

I would say that you have different groups tunnel (each of them will have their own funcionallity) therefore its depends on what you're trying to implement.

If the people who are going to use X tunnel-group are the same as those who use the tunnel-group is then you can use the same than that.

I hope I understood your question.

Kind regards.

Julio

M Note all the useful po

Darkness of 8.4 (1) vpn L2L filter ASA when you specify the Protocol and port

Hi all - I've spent many hours trying to diagnose this and have read several discussions and the Cisco docs unsuccessfully...

Situation: two sites running Cisco ASA 5520 on 8.4 (1) with L2L IPsec on the public internet between each of them. The configuration of IPsec and associated routing works as it should and we are able to pass traffic between networks private behind each device as expected. The problem occurs when you try to block sessions using a vpn-filter group policy configuration.

Each site has 3 private subnets that are able to communicate correctly without the vpn-filter configuration. We want to restrict access to specific protocols, hosts, and ports between each network.

SITE A: 10.10.0.0/18, 10.10.64.0/18, 10.10.128.0/18

SITE B: 10.20.0.0/18, 10.20.64.0/18, 10.20.128.0/18

When we apply a filter-vpn configuration which restricted access only two guests, as follows...

SITE A: vpn_acl_x_x_x_x list extended access permit ip host 10.20.0.1 host 10.10.0.1

SITE b: the ip host 10.10.0.1 allowed extended access list vpn_acl_x_x_x_x host 10.20.0.1

... the configuration works correctly. However, when we try to lock the configuration more far and specify the protocols and ports, as follows...

SITE A: vpn_acl_x_x_x_x list extended access permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

SITE b: vpn_acl_x_x_x_x to the list of access permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

... and then try to establish a SSH connection between 10.10.0.1 and 10.20.0.1 or vice versa, the package is stopped on the side of the SOURCE. ..

Mar 22 11:58:01 x.x.x.x 22 March 2011 14:34:56: % ASA-4-106103: vpn_acl_x_x_x_x of the access list refused tcp to the user "" inside-data/10.10.0.1(59112)-> outside-iptrans/10.20.0.1(22) hit - cnt 1 first success [0xd8d1c1b4, 0 x 0]

I would really appreciate it if someone could shed some light on what is wrong with this Setup.

SOLUTION

The ACE must be implemented on the source and the end of the tunnel destination to facilitate this configuration.

EXAMPLE 1: allow SSH two-way communication between hosts on each network (SITE A can connect to SITE B, SITE B can connect to SITE A)...
```
SITE A:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
SITE B:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1
```
EXAMPLE 2: allow communication one-way SSH between hosts on each network (SITE A can connect to SITE B, SITE B is unable to connect to SITE A)...
```
SITE A:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
SITE B:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
```
Very good and thank you for this post. Please kindly marks the message as answered while others may learn from your post. I think that you have started a very good discussion on vpn-filter for tunnel L2L.

ASA L2L VPN UP with incoming traffic

Hello

I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...

See the result of sh crypto ipsec his below and part of the config for both clients

------------------

address:

local peer 100.100.100.178

local network 10.10.10.0 / 24

local server they need access to the 10.10.10.10

Customer counterpart remote 200.200.200.200

Customer remote network 172.16.200.0 / 20

CustomerB peer remote 160.160.143.4

CustomerB remote network 10.15.160.0 / 21

---------------------------

Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".

address of the peers: 160.160.143.4
Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178

outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0

local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C2AC8AAE

SAS of the esp on arrival:
SPI: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373959/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

-The configuration framework

ASA Version 8.2 (1)

!

172.16.200.0 customer name

name 10.15.160.0 CustomerB

!

interface Ethernet0/0

nameif outside

security-level 0

IP 100.100.100.178 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

10.10.10.0 IP address 255.255.255.0

!

outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

NAT-control

Overall 101 (external) interface

NAT (inside) 0-list of access inside_nat0_outbound_1

NAT (inside) 101 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 100.100.100.177

Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 200.200.200.200

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 3 match address outside_cryptomap

peer set card crypto outside_map 3 160.160.143.4

card crypto outside_map 3 game of transformation-ESP-3DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP ipsec-over-tcp port 10000

attributes of Group Policy DfltGrpPolicy

Protocol-tunnel-VPN IPSec svc

internal customer group strategy

Customer group policy attributes

Protocol-tunnel-VPN IPSec svc

internal CustomerB group strategy

attributes of Group Policy CustomerB

Protocol-tunnel-VPN IPSec

tunnel-group 160.160.143.4 type ipsec-l2l

tunnel-group 160.160.143.4 General-attributes

Group Policy - by default-CustomerB

IPSec-attributes tunnel-group 160.160.143.4

pre-shared key xxx

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 General attributes

Customer by default-group-policy

IPSec-attributes tunnel-group 200.200.200.200

pre-shared key yyy

Thank you

A.

Hello

It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).

I saw this 7.x code behaviors not on code 8.x

However you can do a test?

You can change the order of cryptographic cards?

card crypto outside_map 1 match address outside_cryptomap

peer set card crypto outside_map 1 160.160.143.4

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 3 match address outside_1_cryptomap

card crypto outside_map 3 set pfs

peer set card crypto outside_map 3 200.200.200.200

card crypto outside_map 3 game of transformation-ESP-3DES-SHA

I just want to see if by setting the peer nonworking time to be the first, it works...

I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

Thank you.

Federico.

Unable to pass traffic between ASA Site to Site VPN Tunnel

Hello

I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

I've also attached the ASA5505 config and the ASA5510.

This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

Thank you

Adam

Hello

Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
```
 access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 
```
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

-Jouni

Disconnecting from the VPN ASA L2L - CheckPoint

Hello...

Please your help...

I configured a L2L VPN between an ASA5505 and CP2070.

The tunnel is working, we have conectivity between sites, but the tunnel is disconnect periodically.

When the tunnel fails, we have a 'clear crypto isakmp his "to retrieve the connection."

I tested changing the parameters of life expectancy in IKE and IPSec configurations, but the problems persist.

Any suggestion?

The ASA configuration file is attached.

Hello

If solve you the problem by disabling the tunnel on the side of the ASA, I think that there is a loss of connectivity on the side of control point when this happens?

I mean... the ASA still belives the tunnel is mounted, but it is not because that is not upward on the side of the checkpoint.

Once you have disabled the SAs on the SAA, the tunnel to renegotiate and restores.

There are DPD packets that can be sent to monitor the health of the peer VPN and KeepAlive, but they work a lot between Cisco devices. (I don't know if there are problems of incompatibility with other brands).

Can you verify if this is the problem?

In addition, is the ISAKMP phase 1 and phase 2 lives the same value two units?

Federico.

Site to Site VPN tunnel between two ASA

I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

Thank you

Carlos

Hello

First, I would like to say that I don't personally use ASDM for the configuration.

But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

-Jouni

NAT before going on a VPN Tunnel Cisco ASA or SA520

I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?

Help or direction would be very useful.

Hello

I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.

Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.

Naturally, there are also a lot of the basic configuration which is not mentioned below.

For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route

interface Vlan2

WAN description

nameif outside

security-level 0

Add IP x.x.x.x y.y.y.y

Route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

Description WAN access

switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1

LAN description

nameif inside

security-level 100

10.10.1.0 add IP 255.255.255.0

Note to access the INSIDE-IN list allow all local network traffic

access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any

group-access INTERIOR-IN in the interface inside

Configuring NAT and VPN L2L - ASA 8.2 software and versions prior

Global 1 interface (outside)

NAT (inside) 1 10.10.1.0 255.255.255.0

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared key, PSK

NAT and VPN L2L - ASA 8.3 software configuration and after

NAT source auto after (indoor, outdoor) dynamic one interface

Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac

IKEv1 crypto policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

Crypto ikev1 allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

IKEv1 pre-shared key, PSK

I hope that the above information was useful please note if you found it useful

If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more

-Jouni

Cisco ASA l2l VPN disorder

Hello Experts from Cisco,

I run in trouble with one of my l2l ipec vpn between an asa 5510 and 5520 cisco running version 8.2.2.

Our existing l2l VPN are connected fine and work very well. Currently SITE a (10.10.0.0/16) connects to the SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

What is a failure is when I try to connect SITE B to SITE C. The tunnel coming up and phase 1 and 2 complete successfully. However, even if in the course of execution: ' entry packet - trace within the icmp 10.20.8.2 8 0 detailed 10.100.8.1 ' I get the following:

Phase: 10

Type: VPN

Subtype: encrypt

Result: DECLINE

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad1c4500, priority = 70, domain = encrypt, deny = false

hits = 609, user_data = 0 x 0, cs_id = 0xad1c2e10, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 10.20.0.0, mask is 255.255.0.0, port = 0

DST ip = 10.100.8.0, mask is 255.255.248.0, port = 0, dscp = 0 x 0

I noticed that when the tunnel came, the road to 10.100.8.0/21 was added in the routing table and cyrpto what ACL has not been applied on the SAA remote. I added the route manually but cannot get the cryto ACL to apply.

Useful info:

C SITE

the object-group NoNatDMZ-objgrp network

object-network 10.10.0.0 255.255.0.0

object-network 10.10.12.0 255.255.255.0

network-object 10.20.0.0 255.255.0.0

access extensive list ip 10.100.8.0 outside_30_cryptomap allow 255.255.248.0 10.20.0.0 255.255.0.0

IP 10.100.8.0 allow Access - list extended sheep 255.255.248.0 sheep-objgrp object-group

card crypto outside_map 30 match address outside_30_cryptomap

card crypto outside_map 30 peers set x.x.x.x

crypto outside_map 30 card value transform-set ESP-AES256-SHA

crypto outside_map 30 card value reverse-road

outside_map interface card crypto outside

SITE B

object-group network sheep-objgrp

object-network 10.10.0.0 255.255.0.0

object-network 10.21.0.0 255.255.0.0

object-network 10.10.12.0 255.255.255.0

network-object 10.100.8.0 255.255.248.0

IP 10.20.0.0 allow Access - list extended sheep 255.255.0.0 sheep-objgrp object-group

allow outside_50_cryptomap to access extended list ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0

card crypto outside_map 50 match address outside_50_cryptomap

game card crypto outside_map 50 peers XX. XX. XX. XX

outside_map crypto 50 card value transform-set ESP-AES256-SHA

outside_map crypto 50 card value reverse-road

outside_map interface card crypto outside

I've been struggling with this these days. Any help is very appreciated!

Thank you!!

Follow these steps:

no card outside_map 10-isakmp ipsec crypto dynamic outside_dyn_map

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

clear crypto ipsec its SITE_B_Public peer

Try again and attach the same outputs.

Let me know.

Thank you.

ASA L2L filter-VPN Tunnels

Similar Questions

Maybe you are looking for