ASA L2L tunnel 8.3 NAT help
I have read all the messages I could find and every bit of documentation I could find, and still cannot get my head around how I have to configure this new ASA to meet the requirements. My client is implementing a new data center and going to migrate to this new domain controller. They currently have an old PIX-515E running 6.3 at their existing data center. I need to replicate the configuration on a new ASA running 8.3. I think I have all the static NAT etc., but I'm stuck on the configuration of the two tunnels they use. The relevant parts of the old PIX configuration are pasted below. I haven't included the ACLs etc. in full, as there are a lot of old tunnels etc. which do not pass traffic. Only the parts that are relevant to these two tunnels are below. Also, many of the elements of the old configuration do not make sense to me and I don't know what is actually happening.
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.30.6.65 10.0.0.130 netmask 255.255.255.255 0 0
access-list 100 line 11 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 (hitcnt=80740)
access-list 100 line 39 permit ip host 10.0.0.130 2.9.37.0 255.255.255.0 (hitcnt=13531)
access-list outside_cryptomap_220 permit ip host 10.0.0.130 2.9.37.0 255.255.255.0
access-list outside_cryptomap_220 permit ip 172.30.6.64 255.255.255.248 2.9.37.0 255.255.255.0
access-list 181 permit ip 10.0.0.0 255.0.0.0 10.0.26.0 255.255.255.0
crypto map gersmap 220 ipsec-isakmp
crypto map gersmap 220 match address outside_cryptomap_220
crypto map gersmap 220 set peer 64.87.28.38
crypto map gersmap 220 set transform-set 3DES-SHA
crypto map gersmap 241 ipsec-isakmp
crypto map gersmap 241 match address 181
crypto map gersmap 241 set peer 74.238.28.7
crypto map gersmap 241 set transform-set dblsecure3
crypto map gersmap interface outside
isakmp enable outside
Here is some configuration information that the remote company sent to the customer.
Fort-ASA01# sh crypto ipsec sa peer FLOO1
peer address: FLOO1
Crypto map tag: toVPNClients, seq num: 17, local addr: 64.87.28.38
access-list floo1 extended permit ip 2.9.37.0 255.255.255.0 172.30.6.64 255.255.255.248
local ident (addr/mask/prot/port): (2.9.37.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.30.6.64/255.255.255.248/0/0)
current_peer: FLOO1
Thank you for any assistance in getting this set up correctly.
You're absolutely right.
This is the correct NAT statement, i.e. 10.0.0.130 will be translated to 172.30.6.65 when the destination is 2.9.37.0/24.
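What the thread never spells out is how the two PIX 6.3 NAT statements look in 8.3 syntax, so the following is an added example written for this page; it is not the poster's or the answerer's configuration. The addresses, peer IPs, crypto ACL names and transform-set names come from the PIX configuration above; the object names, the tunnel-group block and the placeholder pre-shared key are assumptions. Tunnel 220 keeps the conditional translation the answer describes (10.0.0.130 to 172.30.6.65 only towards 2.9.37.0/24); tunnel 241 keeps its NAT exemption as an identity rule.

```cisco
! ASA 8.3 equivalent of "static (inside,outside) 172.30.6.65 10.0.0.130" for tunnel 220
! (object names are assumptions; addresses come from the PIX config in the question)
object network REAL-10.0.0.130
 host 10.0.0.130
object network MAPPED-172.30.6.65
 host 172.30.6.65
object network REMOTE-2.9.37.0
 subnet 2.9.37.0 255.255.255.0
!
! Identity (no-translation) objects for tunnel 241, replacing "nat (inside) 0 access-list 100"
object network LOCAL-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network REMOTE-10.0.26.0
 subnet 10.0.26.0 255.255.255.0
!
! Manual (twice) NAT lives in section 1 and is evaluated top-down, first match wins.
! Rule 1: translate 10.0.0.130 -> 172.30.6.65 only when the destination is 2.9.37.0/24
nat (inside,outside) source static REAL-10.0.0.130 MAPPED-172.30.6.65 destination static REMOTE-2.9.37.0 REMOTE-2.9.37.0
! Rule 2: identity NAT for tunnel 241, so 10.0.0.0/8 reaches 10.0.26.0/24 untranslated
nat (inside,outside) source static LOCAL-10.0.0.0 LOCAL-10.0.0.0 destination static REMOTE-10.0.26.0 REMOTE-10.0.26.0
!
! Crypto ACLs still match the mapped address: NAT runs before encryption, and the remote
! peer's SA above negotiates on 172.30.6.64/29, not on 10.0.0.130
access-list outside_cryptomap_220 extended permit ip 172.30.6.64 255.255.255.248 2.9.37.0 255.255.255.0
access-list 181 extended permit ip 10.0.0.0 255.0.0.0 10.0.26.0 255.255.255.0
!
! Transform set 3DES-SHA is assumed to be esp-3des esp-sha-hmac; dblsecure3 is not defined on the page
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map gersmap 220 match address outside_cryptomap_220
crypto map gersmap 220 set peer 64.87.28.38
crypto map gersmap 220 set transform-set 3DES-SHA
crypto map gersmap 241 match address 181
crypto map gersmap 241 set peer 74.238.28.7
crypto map gersmap 241 set transform-set dblsecure3
crypto map gersmap interface outside
crypto isakmp enable outside
!
! Tunnel group for peer 220 (the PSK is a placeholder; copy the real one from the PIX)
tunnel-group 64.87.28.38 type ipsec-l2l
tunnel-group 64.87.28.38 ipsec-attributes
 pre-shared-key <PSK-FROM-PIX-CONFIG>
```

Two checks worth running after the migration: ACL 100 line 39 (the exemption for 10.0.0.130 to 2.9.37.0/24) is deliberately not carried over, because the answer above and the remote peer's SA both expect that traffic translated, and any identity rule that does cover it must sit below rule 1, since the first matching manual NAT rule wins. `packet-tracer input inside tcp 10.0.0.130 1024 2.9.37.10 80` should show the NAT phase translating to 172.30.6.65 and the VPN encrypt phase matching outside_cryptomap_220, and `show nat` should show translate_hits climbing on rule 1 rather than on rule 2.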
Tags: Cisco Security
Similar Questions
-
Move an L2L tunnel to a different physical interface on the same ASA
Can someone describe the process to move an existing L2L tunnel from one physical interface to another?
Thank you!
Sent from Cisco Technical Support iPhone App
Add the crypto map to the new interface
crypto map IPSEC interface new_outside
You will also need to enable isakmp on the new interface
crypto isakmp enable new_outside
If you have a new public IP address, then you will need to create a new VPN group also.
-
NAT for VPN clients through an L2L tunnel
Hi. I have the following situation in my network. We need users who log on to our site with the VPN client to connect to another site via an L2L tunnel. The problem is that I need to NAT addresses from the VPN client pool to another range before going over the L2L tunnel, because on the other side we have duplicate networks.
I tried to do the NAT with little success, as follows:
ACL for the VPN pool NAT:
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0
NAT:
global (outside) 15 172.20.105.1-172.20.105.254
nat (inside) 15 access-list TEST
CRYPTO ACL:
access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0
same-security-traffic permit intra-interface
Am I missing something here? Is something like this possible at all?
Thanks in advance for any help.
We use an ASA 5510 with software version 8.0(3)6.
You need to NAT on the outside, not the inside.
nat (outside) 15 access-list TEST
-
I get an error message when debugging an ipsec-l2l tunnel
Hello
Can someone help me understand the debug message?
I get an error message when debugging an ipsec-l2l tunnel. I tried to configure an ASA5520 with an ipsec-l2l to an IOS 1721 router.
= 1721 router =
Cisco 1721 (flash:c1700-k9o3sy7-mz.123-2.XC2.bin)
outside 80.89.47.102
inside 10.100.110.1 255.255.255.0
debug crypto ipsec
debug crypto isakmp
-config-
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 1234567890 address 128.39.189.10
!
!
crypto ipsec transform-set pix-set esp-3des
!
crypto map asa 10 ipsec-isakmp
 set peer 128.39.189.10
 set transform-set pix-set
 match address 101
!
!
interface FastEthernet0
 description Outside-interface
 ip address 80.89.47.102 255.255.255.252
 ip nat outside
 crypto map asa
!
interface Vlan10
 description Inside
 ip address 10.100.110.1 255.255.255.0
 ip nat inside
!
!
ip nat inside source route-map sheep interface FastEthernet0 overload
!
access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
!
access-list 110 deny ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
access-list 110 permit ip 10.100.110.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 110
= ASA config =
Cisco ASA 5520 Version 8.2(1)
outside 128.39.189.10
inside 10.100.4.255 255.255.252.0
debug crypto ipsec
debug crypto isakmp
-config-
!
access-list sheep extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
access-list outside110 extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 11 match address outside110
crypto map outside_map 11 set peer 80.89.47.102
crypto map outside_map 11 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
!
tunnel-group 80.89.47.102 type ipsec-l2l
tunnel-group 80.89.47.102 ipsec-attributes
 pre-shared-key 1234567890
Regards
Tor
Do you have a transform set defined on the ASA named ESP-3DES-MD5? Your crypto map refers to it, but I don't see it listed in the config you have posted. I don't have much experience with routers, but is MD5 the hashing algorithm (and why is it not)?
James
-
ASA L2L VPN up with incoming traffic
Hello
I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers; one of them (Customer) works well, but with the other (CustomerB) I can only see traffic from the remote peer (RX OK, but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw that traffic reaches the server and traffic from the server reaches the ASA, then nothing...
See the output of sh crypto ipsec sa below and part of the config for both customers.
------------------
Addresses:
local peer 100.100.100.178
local network 10.10.10.0/24
local server they need access to: 10.10.10.10
Customer remote peer 200.200.200.200
Customer remote network 172.16.200.0/20
CustomerB remote peer 160.160.143.4
CustomerB remote network 10.15.160.0/21
---------------------------
Output of the command "sh crypto ipsec sa peer 160.160.143.4 det":
peer address: 160.160.143.4
Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178
access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min frag mtu failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C2AC8AAE
inbound esp sas:
spi: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373959/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Configuration outline:
ASA Version 8.2(1)
!
name 172.16.200.0 Customer
name 10.15.160.0 CustomerB
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.177
route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 160.160.143.4
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy Customer internal
group-policy Customer attributes
 vpn-tunnel-protocol IPSec svc
group-policy CustomerB internal
group-policy CustomerB attributes
 vpn-tunnel-protocol IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 general-attributes
 default-group-policy CustomerB
tunnel-group 160.160.143.4 ipsec-attributes
 pre-shared-key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy Customer
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key yyy
Thank you
A.
Hello
It seems that the ASA is not encrypting traffic to the second peer (however, there is no routing problem).
I have seen this behaviour on 7.x code, not on 8.x code.
However, can you do a test?
Can you change the order of the crypto map entries?
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 160.160.143.4
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_1_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 200.200.200.200
crypto map outside_map 3 set transform-set ESP-3DES-SHA
I just want to see if, by setting the non-working peer to be the first, it works...
I know it should work the way you have it; I just want to see if this is the same behaviour I've seen.
Thank you.
Federico.
-
Strange problem with an IPSec tunnel - 8.4(2) NAT
Hello all,
This must be the strangest issue I've seen on my ASA since last year.
I have an ASA 5540 running 8.4(2) code without any problem, until I ran into this problem last week, and I have spent sleepless nights on it with no resolution! So, take a deep breath, and here is a brief description of my setup and the problem:
A simple IPSec tunnel between my 8.4(2) ASA 5540 and a Juniper SSG 140 ScreenOS 6.3.0r9.0 (route-based VPN)
The tunnel comes up without any problem, but the ASA refuses to encrypt the traffic, though it decrypts with GLORY!
Here are a few debug outputs, sh outputs and a packet tracer output that also has an explanation of my WEIRD NAT problem:
My setup (I won't get into the details of the encryption tunnel, as my tunnel negotiations are perfect and come up from the outset when the ASA is configured as responder only)
CISCO ASA - IPSec network details
LAN - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec network details
PROXY ID:
LAN - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28
hostname# sh cry ipsec sa peer
peer address:
Crypto map tag: outside_map, seq num: 5, local addr:
access-list outside_cryptomap_4 extended permit ip 10.2.4.0 255.255.255.240 host 192.168.171.8
local ident (addr/mask/prot/port): (10.2.4.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.171.8/255.255.255.255/0/0)
current_peer:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 0, remote crypto endpt.: 0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5041C19F
current inbound spi: 0EC13558
inbound esp sas:
spi: 0x0EC13558 (247543128)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 22040576, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3232
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5041C19F (1346486687)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 22040576, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3232
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
CONTEXTS for this IPSec VPN tunnel:
hostname# sh asp table vpn-context det
VPN CTX = 0x0742E6BC
Peer IP = 192.168.171.8
Pointer = 0x78C94BF8
State = UP
Flags = ENCR+ESP
SA = 0x9C28B633
SPI = 0x5041C19D
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x07430D3C
Peer IP = 192.168.1.8
Pointer = 0x78F62018
State = UP
Flags = DECR+ESP
SA = 0x9C286E3D
SPI = 0x9B6910C5
Group = 1
Pkts = 297
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
access-list outside_cryptomap_4 extended permit ip 10.2.4.0 255.255.255.240 host 192.168.171.8
nat (inside,outside) source static Ren-about Ren-about destination static peer-host peer-host no-proxy-arp route-lookup
object network Ren-about
 subnet 10.2.4.0 255.255.255.240
object network peer-host
 host 192.168.171.8
sh cry ipsec sa
IKE Peer:
Type: L2L Role: responder
Rekey: no State: MM_ACTIVE
Packet tracer output extract for a packet sent from the 10.2.4.0/28 network to host 192.168.171.8
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
id=0x7789d788, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x742e6bc, cs_id=0x7ba38680, reverse, flags=0x0, protocol=0
src ip/id=10.2.4.0, mask=255.255.255.240, port=0
dst ip/id=192.168.171.8, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=none, output_ifc=outside
The VPN settings for encryption + encapsulation match, and the hits here increment only when I run a packet tracer test from my inside host to the remote peer.
A complete packet tracer output for a packet from the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
id=0x77ebd1b0, priority=1, domain=permit, deny=false
hits=3037156, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.171.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
id=0x77ec1030, priority=0, domain=inspect-ip-options, deny=true
hits=212950, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
id=0x7c12cb18, priority=18, domain=flow-export, deny=false
hits=172188, user_data=0x78b1f438, cs_id=0x0, use_real_addr, flags=0x0,
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Ren-about Ren-about destination static peer-host peer-host no-proxy-arp route-lookup
Additional Information:
Static translate 10.2.4.1/2700 to 10.2.4.1/2700
Forward Flow based lookup yields rule:
id=0x77e0a878, priority=6, domain=nat, deny=false
hits=9, user_data=0x7b7360a8, cs_id=0x0, use_real_addr, flags=0x0, proto
src ip/id=10.2.4.1, mask=255.255.255.240, port=0
dst ip/id=192.168.171.8, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
(This is the weird NAT problem I see. I see the number of hits increment only when I run the packet tracer, even though I have constant pings (traffic) from host 192.168.171.8 to 10.2.4.1/28 - please see the capture I pasted after the packet tracer section.)
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
id=0x7b8751f8, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x7432b74, cs_id=0x7ba38680, reverse, flags=0x0, proto
src ip/id=10.2.4.1, mask=255.255.255.240, port=0
dst ip/id=192.168.171.8, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=none, output_ifc=outside
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
id=0x78b0c280, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=154, user_data=0x7435f94, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.171.8, mask=255.255.255.255, port=0
dst ip/id=10.2.4.1, mask=255.255.255.240, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
id=0x77e7a510, priority=0, domain=inspect-ip-options, deny=true
hits=184556, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 119880921, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
hostname# sh cap A1
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
As you can see, there is no echo reply packet at all, because the packet may not be encapsulated when it is sent.
I'm stuck with it. In addition, this is a live production multi-tenant firewall with no problems at all apart from this one Juniper ipsec tunnel!
Also, 192.168.10.0/24 is another remote network with an IPSec tunnel to this 10.2.4.0/28 network; that IPSec tunnel has a similar Juniper SSG 140 ScreenOS 6.3.0r9.0 at the remote end and works like a charm with no problems, but the 171 is not being encrypted by the ASA at all.
If someone could help me, that would be great and greatly appreciated!
Thanks heaps!
Perfect! Now you must find something else to do inside tomorrow --> forecast: rain again
Please kindly mark the message as answered so that others may learn from it. Thank you.
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up a VPN tunnel between two ASAs or routers using NAT translation from the inside private IP addresses to a single public IP address on the outside interface, and then define the crypto interesting traffic with the public IP address as the source and the remote private network at the other end (also an ASA) as the destination? For example, I want to translate a private network to the public IP address at one end and use the VPN tunnel with the public IP address as the source. Policy NAT is not an option, because we really do not want to give any IP address to the remote end, and the IP addresses at the remote end can overlap with our end.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.
This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept, or I misunderstood your question.
For example, assuming that the private LAN at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
This would NAT traffic to the public IP address only when the traffic matches the ACL.
Your crypto ACL should then be something like
access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to bring up the tunnel.
I hope this helps.
Raga
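Raga's answer uses the pre-8.3 global/nat syntax, so the same policy NAT in 8.3+ manual NAT form follows as an added example; it is not Raga's or the poster's configuration. The addresses come from the answer (the LAN is written as the /24 the prose states, not the /22 mask in the ACL line); the object names are assumptions.

```cisco
! Added example: 8.3+ equivalent of "global (outside) 6 200.200.200.200" + "nat (inside) 6 access-list 199"
! (object names are assumptions; addresses come from Raga's answer)
object network LAN-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network PUBLIC-200.200.200.200
 host 200.200.200.200
object network REMOTE-192.168.150.0
 subnet 192.168.150.0 255.255.255.0
!
! Manual NAT: "source dynamic" to a single-host mapped object is dynamic PAT, so the whole
! LAN hides behind 200.200.200.200, but only for traffic whose destination is the remote
! subnet. Traffic to anything else falls through to whatever later NAT rule covers it.
nat (inside,outside) source dynamic LAN-172.16.1.0 PUBLIC-200.200.200.200 destination static REMOTE-192.168.150.0 REMOTE-192.168.150.0
!
! The crypto ACL matches the mapped (post-NAT) address, exactly as in the 8.0 answer
access-list cryptomap extended permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
```

Because the mapped side is one address with dynamic PAT, the remote site cannot address an individual host behind it, which is what the poster wants, and the consequence Raga notes still holds: sessions have to start from the side doing the PAT. `show nat` should show translate_hits increasing on this rule only for flows towards 192.168.150.0/24.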
-
Problem with IPSec tunnel with NAT
Hello
I had an ipsec tunnel between a former Cisco router and a remote site. I'm migrating the 887 config to an ASA. The remote site cannot establish the tunnel. This is the only site having problems. There are a number of other remote sites connecting back without problems.
The setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (remote side outside) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range, so I'm NATing to 192.168.50.x, which is what they want to see.
The config I have is
object network NAT_TO_Remote1
 subnet 192.168.50.0 255.255.255.0
object network Remote1
 subnet 10.10.10.0 255.255.252.0
nat (inside,outside) source static 192.168.1.0 NAT_TO_Remote1 destination static Remote1 Remote1
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set 3DES-SHA1 esp-3des esp-sha-hmac
crypto map Outside_map 10 match address Qualcom_VPN
crypto map Outside_map 10 set peer 159.x.x.x
crypto map Outside_map 10 set ikev1 transform-set 3DES-SHA1
crypto map Outside_map 10 set pfs group1
crypto map Outside_map interface outside
access-list RemoteSite_VPN extended permit ip host 192.168.50.20 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.30 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.40 10.10.10.0 255.255.252.0
tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x general-attributes
 default-group-policy RemoteSites
tunnel-group 159.x.x.x ipsec-attributes
 ikev1 pre-shared-key *
I was wondering if I'm missing something obvious here.
Hello
You should check the IPSec transform set and see whether they have a PFS group enabled or not.
crypto map Outside_map 10 set pfs group1
Try using group2, or turn it off.
Kind regards
Aditya
Please rate helpful posts and mark the correct answers.
-
ASA 5520 L2L IKEv1: no crypto isakmp sa information
Here is the config... and show cry isa sa
----------------------------------------------------------------------------------------
Dathomir-ASA(config)# show cry isa sa
There are no IKEv1 SAs
There are no IKEv2 SAs
Dathomir-ASA(config)#
----------------------------------------------------------------------------------------
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside inside destination static DAN DAN-NETWORK route-lookup
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 661, untranslate_hits = 0
Dathomir-ASA(config)#
----------------------------------------------------------------------------------------
!
hostname Dathomir-ASA
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name SW.Demers.com
object network DAN-PUB
 host 1.1.1.1
object network NATE-INSIDE
 host 192.168.75.5
object-group network inside
 network-object 192.168.75.0 255.255.255.0
object-group network DAN
 network-object 192.168.75.0 255.255.255.0
access-list INSIDE-IN extended permit ip any any log
access-list INSIDE-IN extended deny ip any any log
access-list OUTSIDE/inside extended permit ip object DAN-PUB host 192.168.75.5 log
access-list VPN-DAN extended permit ip 192.168.75.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging console debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside inside destination static DAN DAN-NETWORK route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE/inside in interface outside
access-group INSIDE-IN in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS_ESP_AES256_SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
address for correspondence mymap 10 card crypto VPN - DAN
mymap 10 peer set 2.2.2.2 crypto card
mymap 10 set transform-set TS_ESP_AES256_SHA ikev1 crypto card
card crypto mymap 10 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
crypto mymap 10 card value reverse-road
address for correspondence mymap 20 card crypto VPN - DAN
card crypto mymap 20 peers set 1.1.1.1
mymap 20 set transform-set TS_ESP_AES256_SHA ikev1 crypto card
crypto mymap 20 card value reverse-road
mymap outside crypto map interface
IKEv2 crypto policy 5
aes encryption
integrity sha
Group 2
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 5
life 86400
Telnet timeout 5
SSH 192.168.75.0 255.255.255.0 inside
SSH timeout 20
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
dhcpd dns 8.8.8.8 4.4.2.2
dhcpd lease 3000
!
dhcpd address 192.168.75.5 - 192.168.75.5 inside
dhcpd dns 8.8.8.8 4.4.2.2 interface inside
dhcpd ip interface 192.168.75.1 option 3 inside
dhcpd 6 8.8.8.8 ip option 4.4.2.2 interface inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN - DAN
user name password using a NAT L3LhK0WEjivHU8Xd encrypted privilege 15
tunnel-group 2.2.2.2 type ipsec-l2l
2.2.2.2 tunnel-group ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the http
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
aes encryption password
Cryptochecksum:5398307065bcf53ecaf5884259f1ea71
: end-----------------------------------------------------------------------------------------------
debug crypto ikev1 255
RECV PACKET from 73.206.149.11
ISAKMP Header
  Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 172
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, processing SA payload
Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
ISAKMP Header
  Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
  Responder COOKIE: 0d 4c df a2 6a 57 24
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 00000000
  Length: 100
Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, All SA proposals found unacceptable
Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, Error processing payload: Payload ID: 1
Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, IKE MM Responder FSM error history (struct &0xcefbce48)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, IKE SA MM:a2df0c4d terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, sending delete/delete with reason message

Hello
Your ikev1 policy is
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
And this is what you found from the peer
 Group Description: Group 5
 Encryption Algorithm: AES-CBC
 Key Length: 256
 Hash Algorithm: SHA1
 Authentication Method: Preshared key
If you have found that the peer's encryption algorithm is AES 256 and yours is AES
HTH
Averroès.
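The comparison Averroès is pointing at can be done mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the transform attributes that `debug crypto ikev1 255` prints for the peer's proposal, parses the `crypto ikev1 policy` stanzas from the running config, reports which attribute no local policy satisfies (the reason for "All SA proposals found unacceptable"), and renders the policy stanza that would accept the proposal. The config and debug excerpts embedded in it are constructed to mirror the ones posted above. The one fact the comparison rests on is that a bare `encryption aes` on the ASA means AES with a 128-bit key, while the peer offered AES-CBC with key length 256.

```python
"""Compare a peer's IKEv1 main-mode proposal with the ASA's local policies.

Constructed example for the thread above (not Cisco code, not the poster's).
"""
import re

# ASA policy keyword -> (algorithm name as printed in the debug, key bits).
# A bare 'encryption aes' on the ASA is AES-128; AES-256 is 'aes-256'.
ASA_ENCRYPTION = {
    "des": ("DES-CBC", 56),
    "3des": ("3DES-CBC", 168),
    "aes": ("AES-CBC", 128),
    "aes-192": ("AES-CBC", 192),
    "aes-256": ("AES-CBC", 256),
}
ASA_HASH = {"sha": "SHA1", "md5": "MD5"}
ASA_AUTH = {"pre-share": "Preshared key", "rsa-sig": "RSA signatures"}


def parse_policies(config):
    """Return the local ikev1/isakmp policy stanzas as dicts, by priority."""
    policies, cur = [], None
    for line in config.splitlines():
        head = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)", line)
        if head:
            cur = {"priority": int(head.group(1))}
            policies.append(cur)
            continue
        if cur is None or not line.startswith(" "):
            cur = None                      # a non-indented line ends the stanza
            continue
        key, _, val = line.strip().partition(" ")
        if key == "encryption":
            cur["enc"], cur["keylen"] = ASA_ENCRYPTION[val]
        elif key == "hash":
            cur["hash"] = ASA_HASH[val]
        elif key == "group":
            cur["group"] = int(val)
        elif key == "authentication":
            cur["auth"] = ASA_AUTH[val]
    return sorted(policies, key=lambda p: p["priority"])


def parse_proposal(debug):
    """Pull the peer's transform attributes out of the ISAKMP debug dump."""
    patterns = {
        "group": r"Group Description:\s*Group (\d+)",
        "enc": r"Encryption Algorithm:\s*(\S+)",
        "keylen": r"Key Length:\s*(\d+)",
        "hash": r"Hash Algorithm:\s*(\S+)",
        "auth": r"Authentication Method:\s*(.+)",
    }
    prop = {}
    for key, pat in patterns.items():
        found = re.search(pat, debug)
        if found:
            prop[key] = found.group(1).strip()
    prop["group"] = int(prop["group"])
    # DES/3DES proposals carry no key-length attribute; fill in the fixed size.
    fixed = {"DES-CBC": 56, "3DES-CBC": 168}
    prop["keylen"] = int(prop["keylen"]) if "keylen" in prop else fixed[prop["enc"]]
    return prop


def match(policies, proposal):
    """Return (first accepting policy or None, {priority: mismatched attrs})."""
    report = {}
    for pol in policies:
        bad = [a for a in ("auth", "enc", "hash", "group", "keylen")
               if pol.get(a) != proposal.get(a)]
        report[pol["priority"]] = bad
        if not bad:
            return pol, report
    return None, report


def policy_for(proposal, priority):
    """Render the ASA stanza that would accept this proposal."""
    enc_kw = {v: k for k, v in ASA_ENCRYPTION.items()}[(proposal["enc"], proposal["keylen"])]
    hash_kw = {v: k for k, v in ASA_HASH.items()}[proposal["hash"]]
    auth_kw = {v: k for k, v in ASA_AUTH.items()}[proposal["auth"]]
    return (f"crypto ikev1 policy {priority}\n authentication {auth_kw}\n"
            f" encryption {enc_kw}\n hash {hash_kw}\n group {proposal['group']}\n"
            f" lifetime 86400\n")


# Constructed inputs mirroring the thread: local policy 10 and the peer's offer.
LOCAL_CONFIG = """crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""
PEER_DEBUG = """        Transform #: 1
        Transform-Id: KEY_IKE
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
"""

if __name__ == "__main__":
    peer = parse_proposal(PEER_DEBUG)
    accepted, why = match(parse_policies(LOCAL_CONFIG), peer)
    print("accepted by:", accepted and accepted["priority"], "mismatches:", why)
    print(policy_for(peer, 5))
```

Run against the constructed inputs it reports that policy 10 fails only on `keylen` and prints a `crypto ikev1 policy 5` stanza with `encryption aes-256`; adding that stanza (a lower number than 10, so it is tried first) makes the same proposal match. The ASA keeps the policy it already had, so peers that do offer AES-128 continue to work.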
-
Hi all
I have a requirement to set up a VPN from our network to a developer with the following basic topology:
Our private subnet - ASA (WAN IP) - VPN - developer's public endpoint - developer's protected public IPs
The developer has a bunch of public IPs protected behind a single endpoint; so that we can have access, we use our external IP to establish a VPN to this endpoint.
I understand that we will not use NAT exemption, as the internal IP addresses will be PATed behind the external IP - traffic to the developer's public IPs will then bring up the VPN tunnel and everything works as expected (I think?)
Here is the config, off the top of my head; is this correct or have I got very confused?
object network DEVELOP1
 host 2.2.2.2
object network OUR-WAN
 host 1.1.1.1
object network OUR-LAN
 subnet 192.168.10.0 255.255.255.0
!
nat (vlan10,outside) after-auto source dynamic OUR-LAN OUR-WAN
!
access-list outside_cryptomap extended permit ip object OUR-WAN object DEVELOP1
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 5.5.5.5
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
!
crypto map outside_map interface outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
group-policy GroupPolicy_5.5.5.5 internal
group-policy GroupPolicy_5.5.5.5 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 general-attributes
 default-group-policy GroupPolicy_5.5.5.5
tunnel-group 5.5.5.5 ipsec-attributes
 ikev1 pre-shared-key thepassword

Hello
You can have communication with the public IP through the L2L tunnel... What you need is NAT/PAT at both ends, and your crypto map statement should be written with your NAT or PAT address... instead of... the private LAN address. Looking at your config, it seems to be okay... I also hope that your LAN users only initiate the traffic in that direction?
Because to get out you can have a generic PAT... but when the other end accepts traffic, it should have a dedicated static NAT or a direct public IP on the servers at its end... or at least some kind of port forwarding they should have done on their end... If both ends have a generic PAT then it won't work.
Regards
Knockaert
-
Dynamic L2L Tunnel - the tunnel is up, will not pass LAN traffic
Hello everyone. I am repurposing an ASA for my business at a remote site and must use a dynamic L2L configuration with split tunneling active. We have used these in the past and they work great, and I've referenced Cisco's official documentation for the implementation. Currently I am having a problem where I am unable to pass traffic from the remote local network over the VPN tunnel (it does not even bring the tunnel up at all). However, if I run the following command on the remote ASA:
ping inside 192.168.9.1
I receive ICMP responses. In addition, this traffic causes the VPN tunnel to be created, as shown by show isakmp sa:
1   IKE Peer: xx.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Here is the IP addressing scheme:
Remote network (with the problem ASA): 192.168.12.0/24
Core network (hub): 192.168.9.0/24
Other spokes: 192.168.0.0/16
Config:
ASA Version 8.2(1)
!
hostname xxxxxxxxx
domain-name xxxxxxxxxxx.local
enable password xxxxxxxx
passwd xxxxxxxxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxx.local
same-security-traffic permit intra-interface
access-list to_hq extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address to_hq
crypto map outside_map 10 set peer CORE.ASA.WAN.IP
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.9.2 208.67.222.222
!
dhcpd address 192.168.12.101-192.168.12.131 inside
dhcpd lease 86400 interface inside
dhcpd domain xxxxxxxxx.local interface inside
dhcpd option 66 ip 192.168.9.50 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CORE.ASA.WAN.IP type ipsec-l2l
tunnel-group CORE.ASA.WAN.IP ipsec-attributes
 pre-shared-key xxxxxxxxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Once the tunnel is up, LAN-to-remote-site traffic won't pass through the VPN tunnel at all. From the core ASA side I was able to telnet to the remote ASA fine, but could not ping the remote access point.
Does anyone have any insight into my problem?
Hello
Add:
nat (inside) 0 access-list inside_nat0_outbound
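The developer-VPN question above (crypto ACL written with the PATed WAN address) and this dynamic-L2L question (the missing `nat (inside) 0 access-list inside_nat0_outbound`) come down to the same order of operations: the ASA translates an outbound packet first and only then evaluates the crypto map ACL, against the translated addresses. On the 8.2 spoke, `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface` therefore PATs the LAN behind the outside address before the crypto ACL `to_hq` ever sees the private source, and the packet leaves in the clear; the exemption puts the private source back in front of the crypto ACL. The Python model below is an added example, not code from the thread or from Cisco; it implements only that ordering with a toy NAT rule list and ACL and runs both posted scenarios through it. The addresses 1.1.1.1/2.2.2.2 are the placeholders the poster used; 203.0.113.10 stands in for the spoke's DHCP-assigned outside address and is constructed.

```python
"""Toy model of the ASA's outbound NAT-before-crypto ordering.

Constructed example for the two questions above; not Cisco code and not the
posters' configs. NAT is applied to an outbound packet before the crypto map
ACL is evaluated, so the crypto ACL has to describe the translated addresses.
"""
import ipaddress


def net(text):
    """'192.168.12.0 255.255.255.0', '2.2.2.2/32' or '0.0.0.0/0' -> ip_network."""
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)


class Acl:
    """Ordered permit entries of (source, destination) networks, protocol ip."""

    def __init__(self, entries):
        self.entries = [(net(s), net(d)) for s, d in entries]

    def permits(self, src, dst):
        return any(src in s and dst in d for s, d in self.entries)


def translate(src, dst, nat_rules):
    """Return the source address after NAT.

    nat_rules entries (constructed representation, not ASA syntax):
      {"kind": "exempt", "acl": Acl}          nat (inside) 0 access-list X, or identity twice-NAT
      {"kind": "pat", "net": str, "to": str}  nat (inside) 1 + global (outside) 1 interface,
                                              or 8.3+ 'source dynamic LAN WAN'
    Exemption/identity rules are consulted before dynamic PAT, as on the ASA.
    """
    for rule in nat_rules:
        if rule["kind"] == "exempt" and rule["acl"].permits(src, dst):
            return src
    for rule in nat_rules:
        if rule["kind"] == "pat" and src in net(rule["net"]):
            return ipaddress.ip_address(rule["to"])
    return src


def outbound(src, dst, nat_rules, crypto_acl):
    """Simulate one outbound packet: (translated source, 'ipsec' | 'cleartext')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tsrc = translate(src, dst, nat_rules)
    verdict = "ipsec" if crypto_acl.permits(tsrc, dst) else "cleartext"
    return str(tsrc), verdict


# Scenario 1: the 8.2 spoke. Crypto ACL to_hq names the private LAN;
# 'nat (inside) 1 0.0.0.0 0.0.0.0' PATs everything behind the outside address.
SPOKE_CRYPTO = Acl([("192.168.12.0 255.255.255.0", "192.168.0.0 255.255.0.0")])
SPOKE_PAT = {"kind": "pat", "net": "0.0.0.0/0", "to": "203.0.113.10"}  # constructed outside IP
SPOKE_NAT0 = {"kind": "exempt",
              "acl": Acl([("192.168.12.0 255.255.255.0", "192.168.0.0 255.255.0.0")])}


def spoke_without_nat0():
    return outbound("192.168.12.101", "192.168.9.1", [SPOKE_PAT], SPOKE_CRYPTO)


def spoke_with_nat0():
    return outbound("192.168.12.101", "192.168.9.1", [SPOKE_NAT0, SPOKE_PAT], SPOKE_CRYPTO)


# Scenario 2: the developer VPN. The LAN is PATed behind the WAN address, so
# only a crypto ACL written with the WAN address matches the translated packet.
DEV_PAT = {"kind": "pat", "net": "192.168.10.0/24", "to": "1.1.1.1"}
DEV_CRYPTO_PRIVATE = Acl([("192.168.10.0 255.255.255.0", "2.2.2.2/32")])
DEV_CRYPTO_WAN = Acl([("1.1.1.1/32", "2.2.2.2/32")])


def developer_acl_on_private_lan():
    return outbound("192.168.10.25", "2.2.2.2", [DEV_PAT], DEV_CRYPTO_PRIVATE)


def developer_acl_on_wan():
    return outbound("192.168.10.25", "2.2.2.2", [DEV_PAT], DEV_CRYPTO_WAN)


if __name__ == "__main__":
    for case in (spoke_without_nat0, spoke_with_nat0,
                 developer_acl_on_private_lan, developer_acl_on_wan):
        print(f"{case.__name__:30} -> {case()}")
```

The model deliberately ignores everything that does not bear on the question (static NAT, policy NAT, ACL direction, the ASA's own traffic). That last omission is why the poster's `ping inside 192.168.9.1` brought the tunnel up while LAN hosts could not: traffic the ASA sources from its inside interface address is not subject to the inside-to-outside NAT rules, so it reaches the crypto ACL untranslated.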
-
L2L tunnel up, no traffic passes
Two ASA 5505s for a customer's main site and a local office. I have the tunnel up, but I am unable to pass traffic through it. I thought I had it, but it turns out I was wrong, so I'll let the pros have at it. Thank you!
Main site:
ASA Version 7.2(4)
!
hostname City
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.x.x.97 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list outside_in extended permit tcp any host 24.x.x.98 eq 3389
access-list outside_in extended permit udp any host 24.x.x.98 eq 1194
access-list outside_in extended permit tcp any host 24.x.x.98 eq www
access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.199.10-192.168.199.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) 24.x.x.98 192.168.100.3 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.x.x.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 24.x.x.54
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group 24.x.x.54 type ipsec-l2l
tunnel-group 24.x.x.54 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5180fc35fcb77dbf007b34bc2159c21b
: end
City# sh crypto isa sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 24.x.x.54
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
City# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 24.x.x.97
      access-list outside_1_cryptomap permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 24.x.x.54
      #pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 56, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 24.x.x.97, remote crypto endpt.: 24.x.x.54
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 16409623
    inbound esp sas:
      spi: 0xFC3F0652 (4231988818)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 21, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28514)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x16409623 (373331491)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 21, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274996/28514)
         IV size: 8 bytes
         replay detection support: Y
Remote office:
ASA Version 8.2(5)
!
hostname water
enable password rAAeK7vz0gtMeIgU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.0 City description City LAN
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.x.x.54 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 City 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 City 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 32768
logging asdm-buffer-size 512
logging monitor notifications
logging buffered debugging
logging trap notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool water 192.168.1.15-192.168.1.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 24.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 24.x.x.97
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy water internal
group-policy water attributes
 dns-server value 192.168.1.1
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
username Registrar attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group water type remote-access
tunnel-group water general-attributes
 address-pool water
 default-group-policy water
 dhcp-server 192.168.1.1
tunnel-group water ipsec-attributes
 pre-shared-key *
tunnel-group 24.x.x.97 type ipsec-l2l
tunnel-group 24.x.x.97 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:06bda38461d2419b3e5c4904333b62e7
: end
water# sh crypto isa sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 24.x.x.97
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
water# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 24.x.x.54
      access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      current_peer: 24.x.x.97
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 78, #pkts decrypt: 78, #pkts verify: 78
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 24.x.x.54, remote crypto endpt.: 24.x.x.97
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FC3F0652
      current inbound spi : 16409623
    inbound esp sas:
      spi: 0x16409623 (373331491)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 126976, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914995/28408)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFC3F0652 (4231988818)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 126976, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28408)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Thanks again!
Also,
Now that I actually think about it...
The original ICMP test you did would have gone as follows:
- 192.168.100.x sends ICMP echo messages
- The traffic arrives on the local ASA
- It gets sent through the L2L VPN connection
- It arrives on the remote ASA
- The ASA forwards the traffic to the LAN host 192.168.1.x
- The LAN host forwards its reply to its default gateway 192.168.1.1 (NOT the ASA)
- The ICMP echo traffic gets lost because there is no real route for the return traffic
- Therefore you see no encapsulated traffic towards the destination; the ASA only decapsulates the traffic that originates from the host sending the ICMP echo messages through the L2L VPN
-Jouni
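The encaps 0 / decaps 78 pattern above is the signature of exactly this return-path problem, so it is worth checking mechanically. The following is an added example (not part of the thread, not Cisco code): it parses the packet counters out of a constructed `show crypto ipsec sa` sample modelled on the output quoted above and classifies each SA as bidirectional, idle or one-way.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" output quoted above (encaps 0, decaps 78).
SAMPLE_OUTPUT = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 24.x.x.54
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      current_peer: 24.x.x.97
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 78, #pkts decrypt: 78, #pkts verify: 78
"""

# One regex per field of interest; the two packet counters are converted to int while parsing.
FIELDS = {
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \((\S+?)/"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}

def parse_ipsec_sa(text):
    """Return one dict per crypto map entry; a 'Crypto map tag:' line starts a new SA."""
    sas, current = [], None
    for line in text.splitlines():
        if "Crypto map tag:" in line:
            current = {}
            sas.append(current)
        if current is None:
            continue
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                current[name] = int(m.group(1)) if name.endswith("caps") else m.group(1)
    return sas

def diagnose(sa):
    """Classify an SA from its counters. Decaps without encaps is the symptom in the
    thread: the replies leave the LAN through another gateway and never reach the ASA."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "one-way: decrypting only (return traffic is not reaching this ASA)"
    if dec == 0:
        return "one-way: encrypting only (nothing is coming back from the peer)"
    return "bidirectional"

def report(text):
    return [(sa["local"], sa["remote"], sa["peer"], diagnose(sa)) for sa in parse_ipsec_sa(text)]
```

Feed it the pasted output of `show crypto ipsec sa` from the ASA; any SA reported as "decrypting only" is the case to check the LAN hosts' default gateway for.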
-
L2L tunnel between 2 ASAs: general query on NAT-exempt/crypto ACLs
Hi all
For an L2L tunnel between 2 ASAs to work well, we normally configure the same network-to-network NAT-exempt and crypto ACLs on both ends of the ASA. My question is...
Will it work without any problem if on one end of the ASA the NAT-exempt and crypto ACLs are combined into object groups (to limit the ASA configs), while on the other end the network-to-network NAT-exempt and crypto ACLs still exist as individual entries (not consolidated into object groups)? If it works, does it also work if the tunnel is between an ASA and a router?
Thanks in advance
MS
MS, it will work if the other side does not use the same scenario of consolidated ACLs using object groups. ACLs and object groups are locally significant on the device.
You can consolidate the ACLs on the ASA/PIX using TCP or UDP object groups or network object groups and point your ACL at the respective object-group; they always have the same effect as when they are configured individually line by line.
This works even if the tunnel is between an ASA and a router.
Yes
HTH
Jorge
-
Hello
The problem:
Our Smart Tunnel setup doesn't seem to forward traffic for our new View client. I wonder what kind of configuration changes must be considered to enable such a connection. The error returned when looking up the host name is along the lines of "hostname not found". The error when connecting by IP is related to a time-out.
Background information and specifications:
We are in the process of upgrading our View Connection Servers from 5.2 to 6.2. As part of the upgrade, we want to upgrade our Horizon View clients to version 3.5.0. To make it easier on vendors and remote computers, we also prefer to package our Horizon View Client with ThinApp 4.7.3. We currently have a Cisco ASA supporting an SSL VPN portal with "Smart Tunnel" technology. The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.
Preferred connection scenario:
User > PC > VMware View Client (ThinApp'd) > Cisco ASA Smart Tunnel > View Connection Server > virtual desktop
.exe files running for the ThinApp View client:
It seems the ThinApp version of the View client only launches vmware-view.exe.
.exe files running for the full/thick View client:
- vmware-view.exe
- ftnlsv.exe
- vmwsprrdpwks.exe
- ftscanmgr.exe
Is there anything else to consider when configuring the ThinApp or thick View client to work with the Cisco SSL VPN portal and Smart Tunnel? Should we have the same ports configured in the client firewall that the View client uses with the SSL VPN portal port-redirector functionality?
We have not been able to find any documentation on how to properly configure Smart Tunnel to work with the new Horizon 3.5.2 client. A troubleshooting ticket with Cisco suggests that the Smart Tunnel feature may not yet be compatible with this new Horizon (thin or thick) client. Currently we are looking at other options, because it is not clear whether Cisco will be able to give us confirmation or offer a solution without delaying our upgrade project. Maybe we will stick to the previous VMware View Client version 5.4.0, which we know works with Smart Tunnel in some situations and with the port redirector in others.
-
We have a partner that we set up an L2L VPN with. Their internal host IP range overlaps our internal IP range. Unfortunately, they do not offer NAT on their side. Is it possible on the ASA to configure NAT so that my internal hosts address the remote device as, say, 1.1.1.1, and the ASA translates the overlapping internal address of the remote end?
If this is the scenario
192.168.5.0 <--> ASA1 <-- internet --> ASA2 <--> (remote network)
ASA1 (NAT will be applied)
ASA2 (no NAT will be applied)
You want to do something like this on ASA1:
Change your source host or network to appear as 192.168.7.0 when communicating with the remote network. Change the remote network to appear as 192.168.8.0 when it comes into your network on the ASA.
!-- match ACL
access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
!-- NAT ACL
access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
!-- Translations
static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.8.0 access-list vpn_nat
Complete the VPN configuration using acl_match_VPN as the match ACL. Your inside hosts will have to use the 192.168.7.0 network when talking to the remote end.
I hope this helps.