ASA L2L VPN UP with incoming traffic

Hello

I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers. One of them (Customer) works well, but for the other (CustomerB) I can only see traffic from the remote peer (i.e. RX but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw that the traffic reaches the server and the server's reply reaches the ASA, then nothing...

See the output of sh crypto ipsec sa below and part of the config for both customers.

------------------

Addresses:

local peer: 100.100.100.178
local network: 10.10.10.0/24
local server they need access to: 10.10.10.10
Customer remote peer: 200.200.200.200
Customer remote network: 172.16.200.0/20
CustomerB remote peer: 160.160.143.4
CustomerB remote network: 10.15.160.0/21

---------------------------

Output of the command "sh crypto ipsec sa peer 160.160.143.4 det":

peer address: 160.160.143.4
    Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

      access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
      current_peer: 160.160.143.4

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C2AC8AAE

    inbound esp sas:
      spi: 0xD88DC8A9 (3633170601)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5517312, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373959/20144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC2AC8AAE (3266087598)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5517312, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/20144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Configuration excerpt:

ASA Version 8.2(1)
!
name 172.16.200.0 Customer
name 10.15.160.0 CustomerB
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.177
route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 160.160.143.4
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy Customer internal
group-policy Customer attributes
 vpn-tunnel-protocol IPSec svc
group-policy CustomerB internal
group-policy CustomerB attributes
 vpn-tunnel-protocol IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 general-attributes
 default-group-policy CustomerB
tunnel-group 160.160.143.4 ipsec-attributes
 pre-shared-key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy Customer
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key yyy

Thank you

A.
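The counters in the output above are the whole diagnosis: 827 packets decapsulated, none encapsulated, so the server's replies reach the ASA but are never matched for encryption toward the peer. The Python below is an added triage helper written for this thread (it is not Cisco code or the poster's): it parses `show crypto ipsec sa` per peer, classifies each SA as rx-only / tx-only / idle / bidirectional, and checks whether a `nat (inside) 0` exemption ACE covers the SA's proxy identities, the first thing to rule out when encaps stays at zero. The sample output and config are constructed from the thread's values; the 200.200.200.200 counters and the deliberately missing CustomerB exemption line are invented so both outcomes appear.

```python
"""Triage ASA 'show crypto ipsec sa' output for one-way tunnels.

Added example for this thread, not Cisco's or the poster's code. It flags SAs
that decrypt inbound packets but never encrypt anything (#pkts encaps 0 with
#pkts decaps > 0, the symptom above) and checks whether a 'nat (inside) 0'
exemption covers each SA's proxy identities. Inputs are constructed: the
160.160.143.4 counters are the thread's, the 200.200.200.200 counters and the
missing CustomerB exemption are invented to show both outcomes.
"""
import ipaddress
import re

SAMPLE_SA_OUTPUT = """\
peer address: 160.160.143.4
    Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
peer address: 200.200.200.200
    Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.178
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.200.0/255.255.240.0/0/0)
      #pkts encaps: 1511, #pkts encrypt: 1511, #pkts digest: 1511
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
"""

SAMPLE_CONFIG = """\
name 172.16.200.0 Customer
name 10.15.160.0 CustomerB
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""

IDENT = r" ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_sa(text):
    """One dict per 'peer address:' block: peer, seq, local/remote ident, counters."""
    sas = []
    for chunk in re.split(r"(?m)^peer address:", text)[1:]:
        seq = re.search(r"seq num: (\d+)", chunk)
        local = re.search("local" + IDENT, chunk)
        remote = re.search("remote" + IDENT, chunk)
        enc = re.search(r"#pkts encaps: (\d+)", chunk)
        dec = re.search(r"#pkts decaps: (\d+)", chunk)
        if not all((seq, local, remote, enc, dec)):
            continue  # truncated block: nothing reliable to report
        sas.append({"peer": chunk.split("\n", 1)[0].strip(), "seq": int(seq.group(1)),
                    "local": net(*local.groups()), "remote": net(*remote.groups()),
                    "encaps": int(enc.group(1)), "decaps": int(dec.group(1))})
    return sas


def classify(sa):
    """Direction the SA pair actually carries; 'rx-only' is the thread's symptom."""
    if sa["encaps"] == 0:
        return "rx-only" if sa["decaps"] > 0 else "idle"
    return "tx-only" if sa["decaps"] == 0 else "bidirectional"


def ace_addr(tokens, names):
    """Consume one ACE address: 'any', 'host X' or 'X MASK', resolving 'name' objects."""
    tok = tokens.pop(0)
    if tok == "any":
        return net("0.0.0.0", "0.0.0.0")
    if tok == "host":
        host = tokens.pop(0)
        return net(names.get(host, host), "255.255.255.255")
    return net(names.get(tok, tok), tokens.pop(0))


def parse_nat0_exemptions(config):
    """(src, dst) of every plain 'permit ip' ACE in an ACL bound by 'nat (...) 0 access-list'."""
    names, acls, nat0 = {}, {}, set()
    for t in (line.split() for line in config.splitlines()):
        if len(t) >= 3 and t[0] == "name":  # 'name' lines precede ACLs in an ASA config
            names[t[2]] = t[1]
        elif t and t[0] == "access-list" and "permit" in t[:-1] and t[t.index("permit") + 1] == "ip":
            rest = t[t.index("permit") + 2:]
            acls.setdefault(t[1], []).append((ace_addr(rest, names), ace_addr(rest, names)))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0.add(t[4])
    return [ace for name in nat0 for ace in acls.get(name, [])]


def exemption_covers(sa, exemptions):
    """True if some nat 0 ACE covers the SA's local -> remote proxy identities."""
    return any(sa["local"].subnet_of(s) and sa["remote"].subnet_of(d) for s, d in exemptions)


def triage(sa_text, config):
    """Per-peer report: traffic direction plus whether a NAT exemption exists."""
    exemptions = parse_nat0_exemptions(config)
    return [{"peer": sa["peer"], "seq": sa["seq"], "state": classify(sa),
             "nat0_exempt": exemption_covers(sa, exemptions)} for sa in parse_sa(sa_text)]
```

Running `triage(SAMPLE_SA_OUTPUT, SAMPLE_CONFIG)` reports the 160.160.143.4 SA as rx-only with no covering exemption and the 200.200.200.200 SA as bidirectional with one. In the thread the exemption for CustomerB is actually present, so an rx-only result with `nat0_exempt` True points past NAT toward the crypto map lookup itself (which ACL entry the server's replies actually hit) rather than toward translation.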

Hello

It seems that the ASA is not encrypting traffic to the second peer (and there is no routing problem).

I have seen this behaviour on 7.x code, not on 8.x code.

However, could you do a test?

Could you change the order of the crypto map entries?

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 160.160.143.4
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_1_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 200.200.200.200
crypto map outside_map 3 set transform-set ESP-3DES-SHA

I just want to see if, by making the non-working peer the first entry, it works...

I know it should work the way you have it; I just want to see if this is the same behaviour I've seen.

Thank you.

Federico.
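Federico's test rests on how the ASA selects a crypto map entry for an outbound flow: entries are evaluated in sequence order and the first one whose crypto ACL permits the flow wins, so order only changes the outcome when two entries' ACLs overlap. The Python below is an added example written for this thread (not Cisco code): it models that lookup with the poster's two entries, shows that swapping sequence numbers 1 and 3 changes nothing when the ACLs are disjoint, and adds a `shadowed_entries` check that generalizes the idea to the case where a broader ACE at a lower sequence swallows a later entry's traffic, which is the configuration mistake that produces exactly an "encaps 0" SA. The `SHADOWING_MAP` entry with peer 203.0.113.1 and the 10.0.0.0/8 ACE, and the sample flows, are constructed for the example.

```python
"""Crypto map lookup order on an ASA: for an outbound flow, the lowest
sequence number whose crypto ACL permits the flow is the entry that encrypts
it. Added example for this thread (not Cisco code). THREAD_MAP holds the
poster's two crypto map sequences; SHADOWING_MAP, with peer 203.0.113.1 and
a broad 10.0.0.0/8 ACE, is constructed to show the one case where order does
matter.
"""
from ipaddress import ip_address, ip_network


class CryptoMapEntry:
    def __init__(self, seq, peer, aces):
        self.seq = seq      # crypto map sequence number
        self.peer = peer    # 'set peer' address
        self.aces = aces    # (src_net, dst_net) pairs from the 'match address' ACL


def first_match(crypto_map, src, dst):
    """Entry that would encrypt src->dst: lowest seq whose ACL permits it, else None."""
    src, dst = ip_address(src), ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(src in s and dst in d for s, d in entry.aces):
            return entry
    return None


def peer_for(crypto_map, src, dst):
    entry = first_match(crypto_map, src, dst)
    return entry.peer if entry else None


def renumber(crypto_map, new_seqs):
    """Copy of the map with sequence numbers swapped, as Federico asked the poster to try."""
    return [CryptoMapEntry(new_seqs.get(e.seq, e.seq), e.peer, e.aces) for e in crypto_map]


def order_matters(crypto_map, flows, new_seqs):
    """True if any flow would be sent to a different peer after renumbering."""
    swapped = renumber(crypto_map, new_seqs)
    return any(peer_for(crypto_map, s, d) != peer_for(swapped, s, d) for s, d in flows)


def shadowed_entries(crypto_map):
    """Sequences whose every ACE lies inside an earlier sequence's ACE.

    Such an entry can never be selected, so its SA shows '#pkts encaps 0'
    while the remote peer still delivers traffic into it.
    """
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    shadowed = []
    for i, entry in enumerate(ordered):
        earlier = [ace for e in ordered[:i] for ace in e.aces]
        covered = [any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                   for s, d in entry.aces]
        if covered and all(covered):
            shadowed.append(entry.seq)
    return shadowed


SERVER = ip_network("10.10.10.10/32")
CUSTOMER = ip_network("172.16.200.0/255.255.240.0", strict=False)
CUSTOMERB = ip_network("10.15.160.0/255.255.248.0", strict=False)

# The poster's crypto map: seq 1 -> Customer, seq 3 -> CustomerB (ACLs do not overlap).
THREAD_MAP = [
    CryptoMapEntry(1, "200.200.200.200", [(SERVER, CUSTOMER)]),   # outside_1_cryptomap
    CryptoMapEntry(3, "160.160.143.4", [(SERVER, CUSTOMERB)]),    # outside_cryptomap
]
# Constructed: a broad ACE at a lower sequence swallows CustomerB's traffic.
SHADOWING_MAP = [
    CryptoMapEntry(1, "203.0.113.1", [(SERVER, ip_network("10.0.0.0/8"))]),
    CryptoMapEntry(3, "160.160.143.4", [(SERVER, CUSTOMERB)]),
]
# Constructed sample flows: the server replying to one host in each customer network.
FLOWS = [("10.10.10.10", "172.16.200.25"), ("10.10.10.10", "10.15.161.7")]
SWAP = {1: 3, 3: 1}  # the reordering Federico proposed

if __name__ == "__main__":
    print("thread map, order matters:", order_matters(THREAD_MAP, FLOWS, SWAP))
    print("thread map, shadowed seqs:", shadowed_entries(THREAD_MAP))
    print("shadowing map, order matters:", order_matters(SHADOWING_MAP, FLOWS, SWAP))
    print("shadowing map, shadowed seqs:", shadowed_entries(SHADOWING_MAP))
```

For the poster's map, `order_matters` is False and nothing is shadowed, which is why Federico says the configuration should already work and treats the swap purely as a behavioural test. The constructed map shows the failure pattern the check is for: seq 3 is never reached, so traffic for CustomerB is encrypted toward the wrong peer while the CustomerB SA only ever decrypts.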

Tags: Cisco Security

Similar Questions

  • ASA: S2S Tunnel stops with higher traffic

    Hello

    I have no idea where I have to start solving our problem:

    Site A: ASA 5520 / 9.2(4)5, ~20 IPsec tunnels

    Site B: ASA 5505 / 9.2(4)5

    When I open an SSH (or HTTP or any other TCP) session from Site A to any Linux server on Site B, I can connect, but when I run something like "dmesg" or a long "ls -al", the session hangs after 10 to 20 lines. The same with HTTP sessions (such as the page for setting up a printer): smaller web pages are okay (but slow), bigger sites stop with a browser timeout.

    This only happens with one site; all other sites work very well (and have the same config and the same ASA OS).

    Just to test, I opened the SSH port to the external IP address on the outside interface and it works very well, so it is the traffic through the tunnel that something is going wrong with.

    Any idea where I should start debugging?

    Regards, ivo

    PS: How stupid Cloudflare is: they check this text and do not allow writing the Linux ls command with dash al, but ls space space space dash al works!

    You can tweak the MSS on the ASA using this doc and clear the DF bit on the outside as well. Follow the steps described in the section "VPN encryption error".

    crypto ipsec df-bit clear-df outside

    Let us know how it goes.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco ASA L2L VPN problem

    Hello Experts from Cisco,

    I have run into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and a 5520 running version 8.2.2.

    Our existing L2L VPNs connect fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

    What fails is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     id=0xad1c4500, priority=70, domain=encrypt, deny=false
            hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
            src ip=10.20.0.0, mask=255.255.0.0, port=0
            dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

    I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.

    Useful info:

    SITE C

    object-group network NoNatDMZ-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.20.0.0 255.255.0.0
    access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
    access-list sheep extended permit ip 10.100.8.0 255.255.248.0 object-group sheep-objgrp
    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set peer x.x.x.x
    crypto map outside_map 30 set transform-set ESP-AES256-SHA
    crypto map outside_map 30 set reverse-route
    crypto map outside_map interface outside

    SITE B

    object-group network sheep-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.21.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.100.8.0 255.255.248.0
    access-list sheep extended permit ip 10.20.0.0 255.255.0.0 object-group sheep-objgrp
    access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
    crypto map outside_map 50 match address outside_50_cryptomap
    crypto map outside_map 50 set peer xx.xx.xx.xx
    crypto map outside_map 50 set transform-set ESP-AES256-SHA
    crypto map outside_map 50 set reverse-route
    crypto map outside_map interface outside

    I've been struggling with this for days. Any help is very appreciated!

    Thank you!!

    Follow these steps:

    no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    clear crypto ipsec sa peer SITE_B_Public

    Try again and attach the same outputs.

    Let me know.

    Thank you.

  • ASA-to-ASA L2L VPN firewall

    Hi experts,

    I currently have problems establishing a simple site-to-site VPN. It's my first time doing this and I am pulling my hair out over this issue.

    Currently, the setup below is a typical topology (configured using ASDM):

    Site A (ASA IP 1.1.1.2) <--> (ISP) <--> Site B (ASA IP 2.2.2.2)

    All ASA IPs are on the outside interface connecting directly to their respective providers. Site A has existing VPN tunnels to other networks, but Site B is a new network setup (think of Site A as a hub and the rest as spokes). Site B's outside interface has IP protocol 50 (ESP), UDP 500 and UDP 4500 opened from all sources to the outside interface (besides that, we have allowed all IP protocols to the outside interface for troubleshooting). However, we have issues getting phase 1 up. We have carefully matched and double-checked all IKEv1 settings; they are correct and the same for both parties, including the PSK. However, Site A can ping Site B's IP but Site B is not able to ping Site A's IP.

    We also checked with our ISPs and they confirmed that they do not block the 3 ports we need for the VPN. Are there any more ideas or points that we missed?

    Oh, enabling debugging did not return any logs at all, but would it help to generate some 'interesting' traffic, such as pinging the internal subnet of Site A from Site B?

    Hello

    Instead of running packet-tracer from the interface IP, use any other inside IP; I see an ifc interface failure.

    Also, is it possible for you to take UDP 500 captures on the outside interfaces of the ASAs?

    This would answer a lot of questions.

    Kind regards

    Aditya

    Please rate helpful posts and mark correct answers.

  • ASA L2L VPN NAT

    We have a partner we are setting up an L2L VPN with.  Their internal host IP range overlaps with our internal IP range.  Unfortunately, they do not offer NAT on their side.  Is it possible on the ASA to configure NAT so that my internal hosts see, say, 1.1.1.1 and the ASA changes the overlapping internal address of the remote end?

    If this is the scenario

    192.168.5.0 <---> ASA1 <--- internet ---> ASA2 <--->

    ASA1 (NAT will be applied)

    ASA2 (no NAT will be applied)

    You want to do something like this on ASA1:

    Change your source host or network to appear as 192.168.7.0 when communicating with the remote network. Change the remote network to appear as 192.168.8.0 when coming into your network on the ASA.

    !-- match ACL
    access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

    !-- NAT ACL
    access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

    !-- Translations
    static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0
    static (inside,outside) 192.168.8.0 access-list policy-nat

    Complete the VPN configuration using acl_match_VPN as the match ACL. Your inside hosts will have to use the 192.168.7.0 network when talking to the remote end.

    I hope this helps.

  • WCCP and ASA L2L VPN Tunnel

    How does WCCP work with an L2L VPN tunnel? If there is a web page on the other side of the tunnel that I need to access on ports 80 and 443, does it go through the WCCP process? How can I make the traffic through the tunnel on 80 and 443 bypass WCCP?

    Hello

    I have not had to deal with WCCP configurations on the ASA as such, but to my knowledge this could be done in the ACL that is used when configuring WCCP on the ASA.

    I mean, one setup we have has an ACL that simply bypasses WCCP for some destination addresses.

    The ACL was originally, for example:

    access-list WCCP permit ip any any

    Then we had to bypass it for some destination network, and we added a deny statement at the top of the ACL:

    access-list WCCP line 1 deny ip any 10.10.10.0 255.255.255.0

    -Jouni

  • VPN gateway with the traffic filtering

    I am working in the lab on a small-scale setup in which a client PC establishes an IPsec VPN with a Cisco 1921 router. I have two questions in this regard.

    (1) For wireless PC clients, is an IPsec VPN client the best option or should I prefer other options? The wireless clients also use a RADIUS server for authentication.

    (2) I want to make sure no traffic other than the VPN client traffic can reach or pass the LAN interface. What do I need to set up on the router to make sure that no traffic other than VPN traffic can pass?

    First: the real IPsec VPN client is AnyConnect. The VPN config for an AnyConnect gateway (especially for IPsec) on an IOS router is much more difficult than it is on the ASA. If you still have the possibility of changing the gateway, then go for an ASA. It is also much cheaper from a licensing perspective, given that there is no AnyConnect Essentials license for the router. The traditional Cisco VPN Client is EOL and you should not begin a new deployment based on it.

    Your questions:

    (1) All VPN users should be authenticated in some way. Sending the authentication request to a central directory is a best practice and usually done with RADIUS. In addition to authentication, you can also perform authorization to control what rights a VPN user gets.

    (2) If you only want to allow IPsec traffic, you must configure an access list with permits for UDP/500, UDP/4500 and IP/50 to your router IP. With this config, all other traffic will be dropped.

  • ASA 5505 VPN Probs with IPhone 4

    Hi all

    My boss has a problem with the iPhone 4. When he is at home he uses his WLAN to download emails from the Exchange server to the phone. It works without problem. When he's on the road he establishes a VPN tunnel but cannot download emails or anything else. With the ASDM monitor I see the connection, but no data flow when it uses HSDPA, 3G, EDGE or GPRS. Has anyone an idea how to solve this problem?

    The ASA config:

    If the VPN works over wireless, it should also work via GPRS, etc. This means that the ASA configuration is correct.

    Since the iPhone VPN client is not a Cisco VPN Client but Apple's built-in VPN client, please contact Apple for more support on that.

    Here is the Cisco URL that says so, for your reference:

    http://www.Cisco.com/en/us/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iPhone.html

    Hope this helps.

  • ASA SSL VPN problem with 8.2 (2)

    Hello everyone,

    I have a pair of ASA 5520s running image 8.2(1) in active/standby failover mode.

    A few months ago, I downloaded 8.2(2) from the Cisco website and loaded it onto the ASAs.
    After loading the new image, I was called about problems with the operation of the WebVPN application.

    The web app seemed to work, but in a read-only mode, because you could not change the content of the files.

    I couldn't find a way to make it work, so I decided to downgrade to 8.2(1), and as soon as I loaded the old image, the problem disappeared.

    Now I see that image 8.2(3) is available.
    To avoid risking a lot of work I tested it on a spare 5510 and, to my disappointment, I found the problem was the same.

    Is anyone facing such a problem, or can you suggest how to solve it?

    Thanks in advance.

    Marco.

    Can you please provide more details about which application does not work through the clientless WebVPN interface?  Have you tried enabling Smart Tunneling for this application?

  • Block incoming traffic not requested by VPN L2L on ASA5505

    I have a working L2L between two locations, Location A and Location B.

    Location A: 172.16.16.0/24

    Location B: 192.168.0.0/24

    I would like to block any incoming traffic from Location B to Location A which is not initiated from Location A. The block must be done on the ASA5505 at Location A. Location B uses an ISR G2 router.

    That is, Location A can start an SSH session to a server at Location B

    Location B cannot start an SSH session to a server at Location A

    I tried to use a vpn-filter on the ASA5505 but it is not dynamic; I cannot pass any traffic while using it.

    Config on my ASA:

    access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0 255.255.255.0
    access-list block-vpn-to-local extended permit ip any any
    crypto map vpn 100 match address vpn-traffic
    crypto map vpn 100 set peer location-public-IP
    crypto map vpn 100 set transform-set esp-aes256-sha
    crypto map vpn interface outside
    group-policy block-vpn-to-local-policy internal
    group-policy block-vpn-to-local-policy attributes
     vpn-filter value block-vpn-to-local
     vpn-tunnel-protocol IPSec
    tunnel-group location-public-IP type ipsec-l2l
    tunnel-group location-public-IP general-attributes
     default-group-policy block-vpn-to-local-policy
    tunnel-group location-public-IP ipsec-attributes
     pre-shared-key *

    I also have an AnyConnect VPN configured on the ASA5505 and it runs 8.2(5). Any tips?

    Hello

    Unless you already have a lot of VPN connections in use, there's also another option other than the vpn-filter ACL.

    You can globally change the "sysopt connection permit-vpn" setting (the default is that this option is enabled).

    If you change this setting to "no sysopt connection permit-vpn", every connection from the remote site will require an ACL rule on the interface ACL of the interface that terminates the VPN, which is usually the 'outside' interface.

    I find building the ACL rules for VPN connections easier and clearer this way, even though the 'outside' ACL would now include both VPN and Internet traffic. It still beats using the vpn-filter ACL if you ask me.

    The downside of enabling this later is that if you have no restrictions between VPN and LAN connections, you would now have to determine which ones must be open before you can change the global setting, so that connections don't stop working.

    Here is the section of the ASA 8.2 command reference for the setting/command I am talking about:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1517364

    If you want to go with the vpn-filter ACL then follow the instructions of the earlier posts while building the ACL rules.

    -Jouni

  • VPN Site to Site ASA (only happens with interesting traffic)

    Is there any way to get an ASA-to-ASA site-to-site VPN up without interesting traffic?  I need to keep this tunnel up regardless of traffic; is there any way to do this?

    Unfortunately, no such feature has been developed on the ASA. You need to trick the ASA with a host located in the "interesting" part of the network that constantly generates interesting traffic. Here are a few suggestions:

    - Use IP SLA on a Cisco device

    - Run a TCP ping from a host

    - Set up a host at site A as the NTP source for the site B ASA

    Thank you for rating useful posts!

  • L2L VPN between an ASA with a public IP address and a CISCO2911 behind an ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I ran into a problem trying to set up a temporary L2L VPN from an ASA to a subscriber with a CISCO2911 sitting behind the ISP's router. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco for some reason, so I'm stuck with it. The setup is:

    company LAN 10.x.x.x - ASA (outside y.y.y.y) - Internet - ISP router (z.z.z.z / LAN 10.1.17.1) - 10.1.17.2 CISCO2911 - LAN 10.1.15.1

    where 10.x.x.x is the corporate LAN private range, y.y.y.y is the public IP address assigned to the outside interface of the ASA and z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below. What I can't understand is which peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, as the 2911 identifies itself as 10.1.17.2...

    ! ^^^ ISAKMP (Phase 1) ^^^ !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address y.y.y.y no-xauth

    ! ^^^ IPSEC (Phase 2) ^^^ !
    ip access-list extended crymap
     permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
     set peer y.y.y.y
     set transform-set ESP-3DES-SHA
     match address crymap

    interface Gi0/2
     crypto map VPN-TUNNEL

    Hello

    From the debug output, it seems it goes through the IPsec states up to the final tunnel state, QM_IDLE.

    What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.

    So I suggest:

    no crypto map OUTSIDE_map 4 set pfs   <-- this will disable PFS on the ASA

    Then try to initiate the tunnel.

    Kind regards

    Jan

  • ASA with several L2L VPN Dynamics

    I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.

    I also need some L2L VPNs with dynamic remote peers.

    While the configuration for a single dynamic VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dynamic VPNs?

    Basically, all the dynamic VPNs must use the same PSK (the DefaultL2LGroup).

    But using "aggressive mode" on the remote peer, could I use a different PSK for every dynamic VPN:

    tunnel-group ABCD ipsec-attributes
     pre-shared-key *

    Is this configuration correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document could also be an option for configuring multiple dynamic L2L VPN connections on the ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • Cisco ASA 5510 VPN Site to Site with Sonicwall

    I am trying to configure a VPN tunnel between a Cisco ASA 5510 (version 8.2(2)) and a Sonicwall TZ200. I got the tunnel up and running and I am able to ping the internal IP address of the Cisco ASA from the Sonicwall LAN, but nothing else works. When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message on the ASA: "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx denied due to NAT reverse path failure".

    Googling the above error shows problems with version 8.3 or later, where the ASA NAT commands were changed; mine is still on 8.2. The other common issue is not adding a NAT exemption, but I have double- and triple-checked that I did add a NAT exemption rule for the hosts on the Cisco network to the hosts on the Sonicwall network. Looks like I've hit a roadblock, so any help would be appreciated. Thank you

    Here are a few excerpts of the config file (10.20.2.0 is behind the Cisco and 10.20.10.0 behind the Sonicwall):

    nat (inside) 0 access-list sheep
    ..
    access-list sheep extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    ..
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ..
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    ..
    group-policy SiteToSitePolicy internal
    group-policy SiteToSitePolicy attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-network-list none
    ..
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x general-attributes
     default-group-policy SiteToSitePolicy
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    ..

    Added some excerpts from the configuration file.

    Hello Manjitriat,

    Okay, the "IPsec spoof detected" message is normal; it means you are trying to send unencrypted packets over an encrypted path.

    Now, if you see in packet-tracer that traffic goes through the VPN tunnel, everything is fine on your side.

    The packet tracer should look something like this:

    packet-tracer input inside tcp private_ip_lan 1025 destination_private_ip_lan 80

    Please provide us with the output of the following commands after you run the packet tracer:

    show crypto isakmp sa

    show crypto ipsec sa

    Kind regards

    Julio

  • L2l VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up a VPN tunnel between two ASAs or routers using NAT translation of the inside private IP addresses to a single public IP address on the outside interface, and then define the interesting crypto traffic with the public IP address as source and the remote private network on the other end (also an ASA) as destination? For example, I want to translate a private network to the public IP address at one end and use the VPN tunnel with the public IP address as the source. Policy NAT is not an option, because we really do not want to provide any IP addresses to the remote end, and the remote end's IP addresses can overlap with ours.

    Thank you!

    Hello

    You can definitely set up an IPsec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.

    This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept, or I misunderstood your question.

    For example, assuming that the private LAN on your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address you want to use is 200.200.200.200, your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0

    global (outside) 6 200.200.200.200

    nat (inside) 6 access-list 199

    This would NAT the traffic to the public IP address only when the traffic matches the ACL.

    Your crypto ACL should then be something like:

    access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, only your side will be able to bring up the tunnel.

    I hope this helps.

    Raga
