ASA asymmetric routing

Hi all

I have an ASA with AnyConnect and site-to-site (S2S) tunnels running.

Goal: give AnyConnect users access to resources across the IPsec tunnel.

Problem: the AnyConnect users and the S2S tunnels use the same outside interface.

Applied configuration:

1. same-security-traffic permit intra-interface

2. A policy map configured to bypass TCP state checking for connections on the outside interface

But these measures did not help. RA users cannot reach the S2S subnet.

Please tell me how to achieve this goal.

Thanks in advance

Alex

You shouldn't need the policy map workaround.

You will need a NAT exemption for the VPN pool to the remote subnets. Ethan Banks has a nice article on exactly this setup here:

http://packetpushers.NET/Cisco-ASA-8-38-4-Hairpinning-NAT-configuration/
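The NAT exemption and hairpin described in the reply above, written out as a complete ASA 8.3+/9.x fragment. This is an added example, not code from the original post or from the linked article; the object names, addresses, the peer's subnet and the ACL/group-policy names are assumptions chosen for illustration.

```cisco
! Assumed addressing (not from the original post):
!   RA_POOL     10.10.10.0/24    AnyConnect address pool
!   REMOTE_LAN  192.168.50.0/24  subnet behind the site-to-site peer
!   LOCAL_LAN   192.168.1.0/24   subnet behind this ASA, already in the S2S crypto ACL
object network RA_POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
!
! 1. RA traffic arrives on outside and must leave on outside again (hairpin).
same-security-traffic permit intra-interface
!
! 2. Identity (twice) NAT: pool -> remote subnet is left untranslated, so it is not
!    caught by a dynamic PAT rule and still matches the crypto ACL. One rule covers
!    both directions. This is the "NAT exemption" the reply refers to.
nat (outside,outside) source static RA_POOL RA_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! 3. The S2S crypto ACL must include the pool, and the peer's crypto ACL must mirror
!    it (192.168.50.0/24 <-> 10.10.10.0/24); otherwise no Phase 2 SA exists for it.
access-list S2S_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list S2S_CRYPTO extended permit ip object RA_POOL object REMOTE_LAN
!
! 4. With split tunnelling, the remote subnet must be in the split list or the
!    client never sends it into the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Checks from the ASA CLI (an RA client is "on" the outside interface, hence input outside):
!   packet-tracer input outside tcp 10.10.10.5 12345 192.168.50.10 445 detailed
!     expected: the identity NAT rule above is hit, then phase VPN / encrypt, result ALLOW
!   show nat | include RA_POOL
!   show crypto ipsec sa peer <peer-ip> | include ident|encaps|decaps
!     expected: an SA for 10.10.10.0/24 <-> 192.168.50.0/24 with BOTH encaps and decaps rising;
!     encaps only means the peer side is missing the mirrored crypto ACL entry or its own NAT exemption
```

The order of the checks matters: packet-tracer shows whether the hairpin and NAT are right on this ASA, while the SA counters show whether the peer side agrees. A policy map with TCP state bypass, as tried in the question, hides state errors but does not create the missing identity NAT or the missing crypto ACL entry, which is why it did not help.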

Tags: Cisco Security

Similar Questions

  • ASA5505 asymmetric routing problem? (I think)

    Good evening everyone,

    I'm looking for suggestions for a solution to a problem I ran into today... I am installing a new router and firewall into an existing network. The router is an Edgewater VoIP router connected to a cable connection with a static IP. The firewall is an ASA5505 (Security Plus). There is a third-party router in the mix (Cisco 1841) which has a PTP connection to another site. I'll try to explain the network architecture in words:

    Unfortunately, the existing network was flattened onto a /19 which I'm not allowed to change, so:

    VLAN 1 = data network (they used a large /19)

    VLAN 40 = voice (for VOIP phones)

    Edgewater Port 4 > UNTAG 1, tag 40 > ASA5505 Port 0

    Edgewater Port WAN > Cable Modem

    Edgewater DHCP Server for VLAN 40

    ASA5505 Port 0 > UNTAG 1, tag 40 > Edgewater router

    ASA5505 Port 1 > UNTAG 1, tag 40 > Cisco 2950 FE0/4 (manually set native VLAN 1 on the 2950 to get it to work)

    ASA5505 Port 2 > UNTAG 1, tag 40 > Cisco SG300 Gig1

    ASA5505 voice route 0.0.0.0 0.0.0.0 VLAN40_IP_OF_EDGEWATER

    ASA5505 data route 0.0.0.0 0.0.0.0 VLAN1_IP_OF_EDGEWATER

    ASA5505 DHCPD for VLAN 1 (small subnet, the rest is reserved for static addressing with the Cisco 1841 as gateway (infrastructure))

    Cisco 2950 A FE0/4 > UNTAG 1, tag 40 > ASA5505 Port 1

    Cisco 2950 A Gig1 > UNTAG 1, tag 40 > Cisco 2950 B

    DG of Cisco 2950 A = IP of Cisco 1841

    Cisco 2950 B Gig1 > UNTAG 1, tag 40 > Cisco 2950 A Gig1 (MM fiber uplink)

    Cisco 2950 B FE11 > UNTAG 1, tag 40 > Cisco 1841 FE0/0

    Cisco 2950 B DG = IP of Cisco 1841

    Cisco 1841 FE0/0: FE0/0.1 dot1q native, FE0/0.40 dot1q 40 > Cisco 2950 B FE11

    Cisco 1841 ip route 0.0.0.0 0.0.0.0 firewall VLAN 1 interface IP (changed to ip route VLAN40_NETWORK VLAN40_IP_OF_EDGEWATER and VLAN1_NETWORK VLAN1_IP_OF_ASA5505)

    The Cisco 1841 also has internal IP routes through the private point-to-point connection to another site...

    I'm replacing their existing connection, which is a SonicWall firewall, and adding a few new PoE switches for VoIP phones, a VoIP router and an ASA5505. I can't get it to play nice no matter what I try. It seems that I am running into asymmetric routing problems (the ASA sends me some

    Deny TCP (no connection) on VLAN 1 static; DHCP-assigned VLAN 40 addresses handed out by the Edgewater work fine, I can browse without any problem)...

    I'm not sure what the best approach is. They need to keep the 1841 for now until a site-to-site VPN connection can be configured between the ASA5505 and their ASA5510 at the other site (months down the road due to their budget). All of their PCs are statically assigned and use the C1841 as their default gateway.

    If you need the output of all the configs I've created so far or have any suggestions on how to solve my problem, I'd love to hear them. I've tried everything short of restructuring their entire network or removing my VoIP router, which manages a large number of configurations for the VoIP PBX phones.

    Thank you!

    Jon

    Apologies, but this is a very confusing description of how it is configured. A diagram would probably help.

    If the new VoIP router is the DHCP server for VLAN 40, where are the clients relative to it?

    You have two routes on the ASA pointing to the VoIP router; what is the reasoning behind this?

    Why are you trunking the ASA to the VoIP router?

    Can the VoIP router hand out DHCP addresses for a network it is not directly connected to, or is that why you extended VLAN 40 all the way out to the VoIP router?

    The VoIP router must hand out the VLAN 40 IPs.

    I guess maybe it's to do with my lack of understanding of exactly what a VoIP router does (as opposed to a normal router).

    So maybe you could clarify?

    Jon

  • Cisco SG300 / ASA 5505 inter-VLAN routing problem

    Dear all

    I have a problem correctly configuring an SG300 layer 3 switch behind an ASA 5505 (incl. Security Plus license)

    The configuration is the following:

    CISCO SG300 is configured as a layer 3 switch

    Native VLAN 1: 192.168.1.254, default route to the ASA inside interface IP address (192.168.1.1)

    Additional VLANs defined on the switch

    VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254

    VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254

    VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254

    From the different VLANs (100, 110, 120) I am able to connect to all devices on the other VLANs (with the exception of native VLAN 1, which does not answer ping requests)

    From the switch CLI I can ping my firewall (192.168.1.1) and all the other VLAN gateways and devices (VLAN 1, 100, 110, 120)

    From the ASA CLI I can only ping my switch port (192.168.1.254), but no other devices in the other VLANs

    My question is this: what should I change or set up in the switch or ASA configuration so that the other VLANs can access the Internet through the ASA? I do not want to use the ASA as the inter-VLAN routing device, because the switch does this for me

    I tried changing ASA int e0/1 into a trunk port (the switch uplink port as well), enabling all the VLANs, but as soon as I do that, I can no longer ping 192.168.1.254 from the ASA CLI.

    Any help is greatly appreciated

    Regards

    Edwin

    Hi Edwin, because the switch is layer 3, the only necessary behaviour is to ensure that the computers' default gateways are set to the SVI on the switch, to make sure that the switch forwards the desired traffic to the ASA.

    The connection between the ASA and the switch must stay dot1q, with all the other VLANs tagged and the native VLAN untagged.

    Also, if I'm not mistaken, on the ASA you must set the security level of the port to 100.

    -Tom
    Please rate the useful posts
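The ASA side of the setup Edwin describes, as an added example (not from Edwin's or Tom's post): a layer 3 switch routes the VLANs, so the ASA only needs to know how to reach them and to translate them. The subnets and the switch address are the ones stated in the question; the interface nameif "inside", the object-group name and the 8.3+ NAT syntax are assumptions.

```cisco
! Without these routes the ASA only knows the directly connected 192.168.1.0/24 and
! drops or misroutes replies to 192.168.100.0/24, 192.168.110.0/24 and 172.16.0.0/16.
! 192.168.1.254 is the switch's VLAN 1 SVI, as given in the question.
route inside 192.168.100.0 255.255.255.0 192.168.1.254 1
route inside 192.168.110.0 255.255.255.0 192.168.1.254 1
route inside 172.16.0.0 255.255.0.0 192.168.1.254 1
!
! Dynamic PAT must cover every routed subnet, not only the connected one,
! or the other VLANs are never translated on the way out.
object-group network INTERNAL_NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 172.16.0.0 255.255.0.0
nat (inside,outside) source dynamic INTERNAL_NETS interface
!
! The ASA-to-switch link stays a single routed/access link in VLAN 1; the ASA does
! not need a trunk or sub-interfaces when the switch does the inter-VLAN routing.
!
! Checks:
!   show route | include 192.168.100       -> the static route above
!   packet-tracer input inside tcp 192.168.100.10 40000 8.8.8.8 443
!     expected: ROUTE-LOOKUP outside, NAT rule INTERNAL_NETS, result ALLOW
!   ping 192.168.100.1                     -> now answered via the switch
```

The asymmetric part to watch for: if a host on VLAN 100 uses the switch SVI as its gateway (as Tom says it should) but the ASA lacks the return route, the outbound SYN leaves and the reply is dropped with a routing failure, which looks like an ACL problem but is not.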

  • ASA-6-110003: Routing failed to locate next hop

    Hello

    I have a problem with our ASA firewall. I have a firewall with inside, outside and DMZ interfaces. I have VPN clients that connect correctly and can access the internal network. However, for profiles that I have configured to connect via VPN to the DMZ network, it fails with the following messages.

    ASA-6-110003: Routing failed to locate next hop

    &

    ASA-6-302014: Teardown TCP connection... No valid adjacency

    I have connections to the DMZ that are not VPN, via the internal and external interfaces, without problem.

    The routing table has a route to this network and I have a NAT in place - I'm quite puzzled by this.

    Thank you

    Ed

    Hello Ed,

    Well, the NAT seems fine, but could you do the following for me please:

    object network DMZ_subnet
     subnet 10.1.213.0 255.255.255.0

    object network VPN_Subnet
     subnet x.x.x.x 255.255.x.x

    nat (dmz-2,outside) source static DMZ_subnet DMZ_subnet destination static VPN_Subnet VPN_Subnet

    Kind regards

    Julio

  • VPN between ASA and cisco router [phase2 question]

    Hi all

    I have a problem with an IPsec VPN between an ASA and a cisco router

    I think that there is a problem in phase 2

    Can you please guide me as to where the problem could be.
    I suspect ACL issues on the router, but I cannot fix it. The ACL on the router is given below

    Looking forward for your help

    Phase 1 looks like this

    Cisco_router#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

    and on the ASA

    ASA# sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 78.x.x.41
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    Phase 2 on the ASA

    ASA# sh crypto ipsec sa
    interface: Outside
        Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

          access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
          current_peer: 78.x.x.41

          #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C96393AB

        inbound esp sas:
          spi: 0x3E9D820B (1050509835)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 7, crypto-map: Outside_map
             sa timing: remaining key lifetime (kB/sec): (4275000/3025)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xC96393AB (3378746283)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 7, crypto-map: Outside_map
             sa timing: remaining key lifetime (kB/sec): (4274994/3023)
             IV size: 8 bytes
             replay detection support: Y

    Phase 2 on the cisco router

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
       current_peer 87.x.x.4 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
       current_peer 87.x.x.4 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
         current outbound spi: 0x3E9D820B(1050509835)

         inbound esp sas:
          spi: 0xC96393AB(3378746283)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
            sa timing: remaining key lifetime (k/sec): (4393981/1196)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x3E9D820B(1050509835)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
            sa timing: remaining key lifetime (k/sec): (4394007/1196)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    The VPN configuration on the cisco router is below

    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    route-map sheep permit 10
     match ip address 105

    crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

    crypto map mycryptomap 100 ipsec-isakmp
     set peer 87.x.x.4
     set transform-set mytransformset
     match address 101

    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxx2011 address 87.x.x.4

    Your permit statement in ACL 105 should be moved to the bottom, because it is the most general entry and it is matched first.

    You currently have:

    Extended IP access list 105
        5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
        10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
        30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
        50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    It should be:

    Extended IP access list 105
        10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
        30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
        50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
        60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

    To remove it and add it at the bottom:

    ip access-list extended 105
     no 5
     60 permit ip 172.19.194.0 0.0.0.255 any

    Then 'clear ip nat trans *'

    and it should work now.

  • Cisco ASA / Cisco 831 static routing. Help with ACL, maybe?

    Hi all

    What should be a simple task turns out to be difficult and I really need help.

    The Cisco ASA obviously isn't a strong point of mine and I could do with a pointer in the right direction. I hope that this will let me learn more about the ASA 5505.

    OK, so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 gets DHCP from my cable modem.

    I have a Cisco 831 Ethernet router that will sit between my main LAN and the test LAN I want to set up for multicasting. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 as 10.1.1.1.

    On the ASA I have a route inside 10.0.0.0 255.0.0.0 192.168.254.254.

    On the Cisco 831 there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via the Cisco 831 to the ASA 5505 and the internet, for example I can ping 8.8.8.8 and access everything on my main LAN, but the other way round, any host inside the ASA 5505 is unable to ping anything on 10.1.1.x.

    Where am I going wrong? I opened up all my access on the ASA, but it is still unable to do anything.

    I will attach my configs with the passwords removed here and would like a good kick in the right direction. Without a doubt it's something simple I'm missing, and I'm sure it's the ACL on the ASA 5505, since packet-tracer said that the packet is dropped due to the ACL

    Thank you. :)

    So all traffic between these two LANs will travel through the ASA, on the same interface.
    Then please add this command in the global configuration of the ASA:
    same-security-traffic permit intra-interface

  • AnyConnect VPN on ASA behind Internet router

    I have a scenario like the one below and need assistance please

    Switch 10.10.1.1/30 ---> (10.10.1.2/30 inside interface) ASA (10.10.2.2/30 outside interface) ---> router (public interface 30.30.30.30/30, LAN 10.10.2.1/30).

    I have configured the VPN but it needs more setup on the router, and the VPN should be on the public IP address so outside users can access it.

    Fix.

    --

    Please do not forget to select a correct answer and rate useful posts
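One way to publish the AnyConnect service through the router in front of the ASA, as an added example (not from the post or the reply). The addresses are the ones given in the question; the router interface names and the inside/outside roles are assumptions, and the IKEv2 lines are only needed if AnyConnect IPsec is used in addition to SSL.

```cisco
! IOS router: 10.10.2.1/30 faces the ASA outside interface (10.10.2.2), 30.30.30.30/30 faces the Internet.
interface GigabitEthernet0/0
 description LAN towards ASA outside (10.10.2.2)
 ip address 10.10.2.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet
 ip address 30.30.30.30 255.255.255.252
 ip nat outside
!
! Static PAT: forward only the VPN ports to the ASA. TCP 443 carries the SSL tunnel,
! UDP 443 carries DTLS; without the UDP rule AnyConnect silently falls back to TCP only.
ip nat inside source static tcp 10.10.2.2 443 30.30.30.30 443 extendable
ip nat inside source static udp 10.10.2.2 443 30.30.30.30 443 extendable
! Only if AnyConnect IKEv2/IPsec is also offered (assumption, not in the question):
! ip nat inside source static udp 10.10.2.2 500  30.30.30.30 500  extendable
! ip nat inside source static udp 10.10.2.2 4500 30.30.30.30 4500 extendable
!
! ASA side (unchanged from the question's addressing): outside stays 10.10.2.2 with the
! router as default gateway. Clients must be told the public address, e.g. in the
! AnyConnect profile or via a DNS name that resolves to 30.30.30.30; the ASA's
! certificate should carry that name, not 10.10.2.2.
! route outside 0.0.0.0 0.0.0.0 10.10.2.1 1
! webvpn
!  enable outside
!
! Checks on the router after a client connects:
!   show ip nat translations | include 443
!     expected: an entry 30.30.30.30:443 <-> 10.10.2.2:443 with the client's address as outside global
!   debug ip nat detailed   (briefly, while a client connects)
```

Because the ASA sees the client's real public address (the router only rewrites the destination), AnyConnect session logs and any `vpn-filter` rules on the ASA still work on real client addresses; only the ASA's own address is hidden behind the router.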

  • Log every connection to ASA and router

    Hello

    I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in the network. I would like to log all these users and what they actually change and implement on the devices. Is this possible using a RADIUS server or any other method please? I also have read/write access to these devices. Thank you very much

    You can do it.

    You can use auth-proxy (router) or cut-through proxy (ASA) to have the user authenticate for the connections he makes, and do AAA accounting. But I don't think you need to do this for all connections, only for those that require user intervention.

    Let us know if that answers the question.

    PK

  • VPN between ASA 5510 and router

    Hello

    I configured an ASA 5510 for LAN-to-LAN VPN with 857 routers, and between the routers.

    The VPN between the routers works very well.

    From the LAN behind the ASA I can ping the computers behind the routers.

    But from the computers behind the routers, I cannot ping the PCs behind the ASA.

    I have configured remote access with the Cisco VPN client 4.x; it works well with the routers, but does not work with the ASA.

    The ASA is connected to the WAN via a Zoom router (ADSL)

    Are you telnetting into the firewall?

    Follow these steps to display the debug output:

    terminal monitor

    logging monitor 7 (type this in config mode)

    Otherwise, if it's the console, do 'logging console 7'.

    Then do

    debug crypto isakmp

    debug crypto ipsec

    and then generate a ping from a device behind the ASA with a 192.168.200.0 address towards one of the VPN subnets... and then paste the result here

    Regards

    Farrukh

  • ASA 5512: different route per VPN group (VRF-like feature?)

    Hello

    Here's what I'm trying to do. I have a Nexus 7000 with several VRFs; for simplicity let's call them VRF A, VRF B, VRF C. VRF A simulates a management network and VRF B and C are customer environments. VRF B and VRF C will have overlapping IP space. I have a 5512 ASA that I use for VPN into the environment; it also provides internet access for applications that run in VRF A (VRF B and C do not require internet access). What I want to do is implement three different VPN access groups on the same ASA, where some users will have the VPN 1 group policy and have access to VRF A but should not have access to VRF B or C; likewise VPN 2 should have access to VRF B and VPN 3 to VRF C.

    My original intent was to configure the ASA with Gig 0/0 to the internet, Gig 0/1 to VRF A and then Gig 0/2 sub-interfaced so that Gig 0/2.10 is 10.10.10.1 in VLAN 101 connecting to VRF B, and Gig 0/2.11 would be 10.10.10.1 in VLAN 102 connecting to VRF C. However, as best I can tell the ASA 5512 is not VRF-aware (or is it just a separate license I would need?) and as such this is not possible.

    The next similar thought: instead configure Gig 0/2.10 as 10.10.10.1 in VLAN 101 connecting to VRF B, and Gig 0/2.11 as 10.10.11.1 in VLAN 102 connecting to VRF C. However, this runs into issues as VPN 2 and 3 need access to devices with the same IP address, which as best I can tell is not possible, as the ASA is not able to do policy-based routing.

    Is there another way to do this? Is there something I am missing?
    I need to make sure that VPN 2 users can access services available in VRF B; they should not have the ability to access (intentionally or not) services on VRF A or C, nor the VPN 1 or 3 users.

    I also have a 5585 ASA with a multi-context license; I could then create a context per VRF (which I have), and then put interfaces in each context for the relevant VRF. However, I do not think I can terminate VPN there; as best I can tell, in multi-context mode you cannot have a VPN license.

    Your research led you to the correct conclusion: the ASA is neither VRF-aware nor can it do policy-based routing. Also, you cannot terminate remote access VPN on a multi-context ASA.

    Doing what you ask on a single ASA is a bit problematic. If you had unique internal addresses, the subinterfaces would work fine.

    Because it looks like you have a virtualization infrastructure, have you considered using the low-cost ASAv? You could run multiple instances, one per VRF. Each would know only the public address space and its respective associated VRF.

  • ASA VPN missing routes

    Hi and thanks for reading.

    I'm trying to configure IPsec VPN on the ASA. The initial phase was successful - I applied the certificate, AnyConnect images, etc. and thus can connect to the gateway. The problem I face is that I cannot reach any of the internal VLANs, nor can I get outside... Any tips are appreciated, as I am running out of ideas.

    The ASA configuration is as follows:

    ASA Version 9.1(2)
    !
    hostname ASA
    enable password * encrypted
    names
    ip local pool VPN_POOL 10.194.0.10-10.194.0.100 mask 255.255.254.0
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.44.120.22 255.255.255.248 standby 123.44.120.21
    !
    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1.90
     vlan 90
     nameif bn_management
     security-level 100
     ip address 10.192.0.1 255.255.255.0 standby 10.192.0.2
    !
    interface GigabitEthernet0/1.100
     vlan 100
     nameif main
     security-level 60
     ip address 123.45.139.254 255.255.252.0 standby 123.45.139.253
    !
    interface GigabitEthernet0/1.110
     vlan 110
     nameif vpn
     security-level 60
     ip address 10.194.0.1 255.255.254.0 standby 10.194.0.2
    !
    interface GigabitEthernet0/1.120
     vlan 120
     nameif v120
     security-level 70
     ip address 10.194.2.1 255.255.254.0 standby 10.194.2.2
    !
    interface GigabitEthernet0/1.130
     vlan 130
     nameif v130
     security-level 70
     ip address 10.194.4.1 255.255.254.0 standby 10.194.4.2
    !
    interface GigabitEthernet0/1.200
     vlan 200
     nameif v200
     security-level 40
     ip address 10.196.0.1 255.255.252.0 standby 10.196.0.2
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/7
     description Failover LAN Interface
    !
    interface Management0/0
     management-only
     nameif management
     security-level 95
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    !
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    object network management_private
     subnet 10.192.0.0 255.255.255.0
    object network v200_public
     host 123.44.120.19
    object network v200_private
     subnet 10.196.0.0 255.255.252.0
    object network management_services_public
     host 123.44.120.20
    object service WWW_PORTS
     service tcp destination eq https
    object network v120_private
     subnet 10.194.2.0 255.255.254.0
    object network v130_private
     subnet 10.194.4.0 255.255.254.0
    object network vpn_pool
     subnet 10.194.0.0 255.255.254.0
    object network vpn_public
     host 123.44.120.18
    object-group network WEB_SERVERS
     network-object host 123.45.136.200
     network-object host 123.45.136.202
    object-group network UW_SOURCE
     network-object host 109.74.242.9
     network-object host 109.74.242.11
    object-group network UW_DESTINATION
     network-object host 123.45.139.208
    object-group network DOMAIN_CONTROLLER
     network-object host 123.45.139.205
    object-group service VPN_PORTS tcp-udp
     port-object eq 1701
     port-object eq 1723
     port-object eq 500
     port-object eq 443
     port-object eq 50
     port-object eq 4500
     port-object eq 47
    object-group network INTERNAL_SUBNETS
     description object-group for internal subnets
     network-object 10.192.0.0 255.255.255.0
     network-object 10.196.0.0 255.255.252.0
     network-object 10.194.2.0 255.255.254.0
     network-object 10.194.4.0 255.255.254.0
    object-group network SUPER_USERS
     network-object host 123.45.136.76
     network-object host 123.45.136.80
    object-group network v120_VLAN
     network-object 10.194.2.0 255.255.254.0
    object-group network v120_SOURCES
     network-object host 123.45.136.24
    object-group network v130_VLAN
     network-object 10.194.4.0 255.255.254.0
    object-group network v130_SOURCES
     network-object host 123.45.136.76
     network-object host 123.45.139.125
     network-object host 123.45.136.129
     network-object host 123.45.136.83
     network-object host 123.45.136.10
    access-list MAIN_IN extended permit icmp object-group SUPER_USERS object-group INTERNAL_SUBNETS
    access-list MAIN_IN extended permit ip object-group SUPER_USERS object-group INTERNAL_SUBNETS
    access-list MAIN_IN extended permit ip object-group v130_SOURCES object-group v130_VLAN
    access-list MAIN_IN extended permit ip object-group v120_SOURCES object-group v120_VLAN
    access-list MAIN_IN extended deny ip any object-group INTERNAL_SUBNETS
    access-list MAIN_IN extended permit ip any any
    access-list v200_IN remark v200 TRAFFIC
    access-list v200_IN extended permit icmp any any
    access-list v200_IN extended permit tcp any object-group WEB_SERVERS eq www
    access-list v200_IN extended permit tcp any object-group WEB_SERVERS eq https
    access-list v200_IN extended permit ip any any
    access-list NETFLOW_HOSTS extended permit ip any any
    access-list to remark ALLOWED INCOMING TRAFFIC
    access-list to extended permit icmp any object-group WEB_SERVERS
    access-list to extended permit tcp any object-group WEB_SERVERS eq www
    access-list to extended permit tcp any object-group WEB_SERVERS eq https
    access-list to extended permit tcp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
    access-list to extended permit udp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
    access-list to extended permit tcp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
    access-list to extended permit udp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
    access-list v130_IN extended permit ip any any
    access-list v120_IN extended permit ip any any
    access-list VPN_IN remark authorized vpn traffic
    access-list VPN_IN extended permit ip any interface outside
    access-list VPN_IN extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging console informational
    logging asdm informational
    logging queue 0
    logging host main 123.45.136.30
    logging debug-trace
    logging message 313001 level debugging
    logging message 713130 level informational
    logging message 713257 level informational
    logging message 713228 level notifications
    logging message 713184 level notifications
    flow-export destination main 123.45.136.30 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 60
    mtu outside 1500
    mtu bn_management 1500
    mtu main 1500
    mtu vpn 1500
    mtu v120 1500
    mtu v130 1500
    mtu v200 1500
    mtu management 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER_LINK GigabitEthernet0/7
    failover interface ip FAILOVER_LINK 172.16.0.1 255.255.255.0 standby 172.16.0.2
    monitor-interface bn_management
    monitor-interface main
    monitor-interface vpn
    monitor-interface v120
    monitor-interface v130
    monitor-interface v200
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any vpn
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (bn_management,outside) source dynamic management_private management_services_public
    nat (v200,outside) source dynamic v200_private v200_public
    nat (v120,outside) source dynamic v120_private management_services_public
    nat (v130,outside) source dynamic v130_private management_services_public
    nat (vpn,outside) source dynamic vpn_pool vpn_public
    access-group to in interface outside
    access-group MAIN_IN in interface main
    access-group VPN_IN in interface vpn
    access-group v120_IN in interface v120
    access-group v130_IN in interface v130
    access-group v200_IN in interface v200
    route outside 0.0.0.0 0.0.0.0 123.44.120.17 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
     svc ask enable default svc
    aaa-server BN_AAA protocol ldap
    aaa-server BN_AAA (main) host 123.45.139.201
     timeout 5
     server-type auto-detect
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.192.0.0 255.255.255.0 bn_management
    snmp-server host main 123.45.136.30 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint TRENDMICRO
     enrollment terminal
     fqdn vpn.asa-gw.co
     subject-name CN=vpn.asa-gw.co,OU=,O=some,L=some,ST=some,C=GB
     keypair VPN_SERVICE
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     subject-name CN=10.192.0.1,CN=ASA
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain TRENDMICRO
     certificate 34cc4cb00ae501b8
        308204cd...
      quit
     certificate ca 5b469990ec759d34
        30820478...
    quit smoking
    string encryption ca ASDM_TrustPoint0 certificates
    certificate ca 272b67229745d2438bf9774186aebd
    3082069c...
    quit smoking
    string encryption ca ASDM_TrustPoint1 certificates
    certificate ca 00bb401c43f55e4fb0
    308205ba...
    quit smoking
    string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
    certificate of 590c 2254
    308202ea...
    quit smoking
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    trustpoint to ikev2 crypto TRENDMICRO remote access
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 123.45.138.202 255.255.255.255 bn_management
    SSH 10.192.0.0 255.255.255.0 bn_management
    SSH 123.45.136.0 255.255.252.0 main
    SSH 123.45.138.202 255.255.255.255 main
    SSH 123.45.138.202 255.255.255.255 management
    SSH timeout 10
    SSH version 2
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    access to the administration bn_management
    dhcpd dns 123.45.1.180 123.44.2.1
    !
    dhcpd address 10.192.0.200 - 10.192.0.230 bn_management
    bn_management enable dhcpd
    !
    dhcpd address 10.194.3.200 - 10.194.3.230 v120
    dhcpd enable v120
    !
    dhcpd address 10.196.0.32 - 10.196.1.31 v200
    !
    management of 192.168.1.3 - 192.168.1.254 addresses dhcpd
    !
    a basic threat threat detection
    host of statistical threat detection
    statistical threat detection port
    Statistical threat detection Protocol
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP 123.45.1.160 Server
    NTP 123.44.2.160 Server
    NTP 123.45.1.164 Server
    NTP 123.44.2.164 Server
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    Trust ASDM_Launcher_Access_TrustPoint_0 bn_management vpnlb-ip SSL-point
    SSL-trust ASDM_Launcher_Access_TrustPoint_0 bn_management point
    SSL-trust TRENDMICRO out point
    WebVPN
    allow outside
    AnyConnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
    AnyConnect image disk0:/anyconnect-macosx-i386-3.1.05182-k9.pkg 2
    AnyConnect image disk0:/anyconnect-linux-3.1.05182-k9.pkg 3
    AnyConnect profiles BN_VPN_client_profile disk0: / BN_VPN_client_profile.xml
    AnyConnect enable
    tunnel-group-list activate
    internal GroupPolicy_BN_VPN group strategy
    attributes of Group Policy GroupPolicy_BN_VPN
    WINS server no
    value of 123.45.1.1 DNS server 123.44.2.1
    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
    value by default-domain asa - gw.co
    WebVPN
    AnyConnect value BN_VPN_client_profile type user profiles
    admin EoGC0ChIqyj0NIb5 encrypted privilege 15 password username
    rzachlod LnL.KcibQZ1OMF/d username encrypted password
    type tunnel-group BN_VPN remote access
    attributes global-tunnel-group BN_VPN
    address VPN_POOL pool
    Group Policy - by default-GroupPolicy_BN_VPN
    tunnel-group BN_VPN webvpn-attributes
    enable BN_VPN group-alias
    !
    class-map CX
    match any
    class-map inspection_default
    match default-inspection-traffic
    class-map NetFlow Traffic
    corresponds to the NETFLOW_HOSTS access list
    ins class-map
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    inspect the pptp
    class NetFlow Traffic
    destination 123.45.136.30 flow - create a flow-export-type of event
    flow-export-type of event all the destination 123.45.136.30
    class CX
    cxsc rescue
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:6be83997815380c8523971f8e7925de8
    : end

    The mention of VPN in the ACL refers to L2TP running on a Windows Server - I intend to replace this existing solution with IPsec on the ASA.

    The "Route Details" on AnyConnect only shows the route 0.0.0.0/0. After connecting to the ASA, I essentially end up in a black hole. I think the problem is with NAT, but after trying to sort it out, I'm still stuck...

    My plan is to get the VPN working in the first instance and later create a super-users group which allows access to the management VLAN etc. I hope it's something trivial that I forgot, as I have set up VPN on an ASA in the past and did not run into problems :/

    As always, tips are greatly appreciated!

    You can use an IP address for this traffic if you wish. And you can combine the NAT statements in a single statement. The config might look like this:

     object network PAT-OUTSIDE
      host a.b.c.23
     nat (any,outside) after-auto source dynamic any PAT-OUTSIDE

  • Failed to locate next hop - ASA 5505 l2l VPN routing

    We have a 5505 (soon to be replaced by two 5515-X) firewall with two l2l VPNs.

    We're trying to allow traffic from one remote site to flow through to the other remote site, but the syslog shows:

    Routing failed to locate next hop for ICMP from outside:10.5.25.4/1 to inside:172.16.10.10/0

    Config is below:

    :
    ASA Version 8.4(3)
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     nameif inside
     security-level 100
     allow-ssc-mgmt
     ip address 10.5.19.254 255.255.255.0
    !
    interface Vlan2
     description WIMAX Interface
     nameif outside
     security-level 0
     ip address x.247.x.18 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 1
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network guestwifi
     subnet 10.1.110.0 255.255.255.0
    object network NETWORK_OBJ_10.5.19.0_24
     subnet 10.5.19.0 255.255.255.0
    object network NETWORK_OBJ_10.5.31.0_24
     subnet 10.5.31.0 255.255.255.0
    object network NETWORK_OBJ_172.16.0.0_16
     subnet 172.16.0.0 255.255.0.0
    object network DS365-Cloud
     subnet 172.16.10.0 255.255.255.0
     description DS365-Cloud
    object network inside-network-16
     subnet 10.5.0.0 255.255.0.0
    object network atanta
     subnet 10.5.16.0 255.255.255.0
     description Atanta
    object network guest_dyn_nat
     subnet 10.5.29.0 255.255.255.0
    object network NETWORK_OBJ_172.16.254.0_25
     subnet 172.16.254.0 255.255.255.128
    object network NETWORK_OBJ_10.5.16.0_20
     subnet 10.5.16.0 255.255.240.0
    object network NETWORK_OBJ_10.5.16.0_26
     subnet 10.5.16.0 255.255.255.192
    object network LDAP_DC7
     host 10.5.21.1
     description LDAP
    object network c2si
     range 10.5.21.180 10.5.21.200
    object network NETWORK_OBJ_10.5.25.0_24
     subnet 10.5.25.0 255.255.255.0
    object-group network rfc1918
     network-object 192.168.0.0 255.255.0.0
     network-object 172.16.0.0 255.255.240.0
     network-object 10.0.0.0 255.0.0.0
    object-group network DM_INLINE_NETWORK_1
     network-object 10.5.19.0 255.255.255.0
     network-object 10.5.20.0 255.255.254.0
     network-object 10.5.22.0 255.255.255.0
     network-object 10.5.30.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0
    object-group network Sure_Signal
     network-object x.183.x.128 255.255.255.192
     network-object host x.183.133.177
     network-object host x.183.133.178
     network-object host x.183.133.179
     network-object host x.183.133.181
     network-object host x.183.133.182
    object-group network LDAP_source_networks
     network-object 135.196.24.192 255.255.255.240
     network-object 195.130.x.0 255.255.255.0
     network-object x.2.3.128 255.255.255.192
     network-object 213.235.63.64 255.255.255.192
     network-object 91.220.42.0 255.255.255.0
     network-object 94.x.240.0 255.255.255.0
     network-object 94.x.x.0 255.255.255.0
    object-group network c2si_Allow
     network-object host 10.5.16.1
     network-object host 10.5.21.1
     network-object object c2si
    object-group network DM_INLINE_NETWORK_2
     network-object 10.5.20.0 255.255.254.0
     network-object 10.5.21.0 255.255.255.0
     network-object 10.5.22.0 255.255.255.0
     network-object 10.5.29.0 255.255.255.0
     network-object object NETWORK_OBJ_10.5.19.0_24
    object-group network DM_INLINE_NETWORK_3
     network-object 10.5.19.0 255.255.255.0
     network-object 10.5.20.0 255.255.254.0
     network-object 10.5.21.0 255.255.255.0
     network-object 10.5.22.0 255.255.255.0
     network-object object atanta
    object-group network DM_INLINE_NETWORK_4
     network-object 10.5.20.0 255.255.254.0
     network-object 10.5.21.0 255.255.255.0
     network-object 10.5.22.0 255.255.255.0
     network-object 10.5.23.0 255.255.255.0
     network-object 10.5.30.0 255.255.255.0
     network-object object NETWORK_OBJ_10.5.19.0_24
     network-object object atanta
     network-object object DS365-Cloud
    access-list inside_access_in extended permit tcp any object-group Sure_Signal eq 50
    access-list inside_access_in extended permit tcp any object-group Sure_Signal eq pptp
    access-list inside_access_in extended permit gre any object-group Sure_Signal
    access-list inside_access_in extended permit udp any object-group Sure_Signal eq ntp
    access-list inside_access_in extended permit icmp any object-group Sure_Signal echo
    access-list inside_access_in extended permit udp any object-group Sure_Signal eq 50
    access-list inside_access_in extended permit udp any object-group Sure_Signal eq 4500
    access-list inside_access_in extended permit udp any object-group Sure_Signal eq isakmp
    access-list inside_access_in extended permit ip any any
    access-list clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
    access-list BerkeleyAdmin-clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
    access-list BerkeleyUser-clientvpn extended permit ip 10.5.21.0 255.255.255.0 10.5.30.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object inside-network-16 10.5.25.0 255.255.255.0
    access-list guest_access_in extended permit ip 10.5.29.0 255.255.255.0 any
    access-list state_bypass extended permit tcp 192.168.100.0 255.255.255.0 10.5.30.0 255.255.255.0
    access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list state_bypass extended permit tcp 10.5.29.0 255.255.255.0 10.5.30.0 255.255.255.0
    access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 10.5.29.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_cryptomap_1 extended permit ip 10.5.16.0 255.255.240.0 10.5.16.0 255.255.255.192
    access-list global_access extended permit tcp object-group LDAP_source_networks host 10.5.21.1 eq ldap
    access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
    access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0

    pager lines 24
    logging enable
    logging buffer-size 100000
    logging console debugging
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool clientvpn 10.5.30.1-10.5.30.100
    ip local pool VPN_IP_Pool 172.16.254.1-172.16.254.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static rfc1918 rfc1918 destination static rfc1918 rfc1918
    nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.31.0_24 NETWORK_OBJ_10.5.31.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network-16 inside-network-16 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_20 destination static NETWORK_OBJ_10.5.16.0_26 NETWORK_OBJ_10.5.16.0_26 no-proxy-arp route-lookup
    nat (inside,outside) source static c2si_Allow c2si_Allow destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
    nat (inside,outside) source static atanta atanta destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static DS365-Cloud DS365-Cloud destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network-16 inside-network-16 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network LDAP_DC7
     nat (inside,outside) static 194.247.x.19 service tcp ldap ldap
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group global_access global
    !
    router eigrp 143
     no auto-summary
     network 10.5.19.0 255.255.255.0
     network 10.5.29.0 255.255.255.0
     network 10.5.30.0 255.255.255.0
     redistribute static
    !
    route outside 0.0.0.0 0.0.0.0 194.247.x.17 1 track 1
    route inside 10.5.16.0 255.255.255.0 10.5.19.252 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server group protocol radius
    aaa-server group (inside) host 10.5.21.1
     key *****
    aaa-server group (inside) host 10.5.16.1
     key *****
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.5.16.0 255.255.240.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sysopt connection tcpmss 1350
    sla monitor 1
     type echo protocol ipIcmpEcho 8.8.4.4 interface outside
    sla monitor schedule 1 life forever start-time now
    crypto ipsec ikev1 transform-set strong-comp esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set strong esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal strong
     protocol esp encryption aes-256
     protocol esp integrity sha-1
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map dyn1 1 set ikev1 transform-set strong
    crypto map outside 1 match address outside_cryptomap_1
    crypto map outside 1 set pfs
    crypto map outside 1 set peer 83.x.172.68
    crypto map outside 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside 1 set ikev2 ipsec-proposal AES256
    crypto map outside 2 match address outside_cryptomap_3
    crypto map outside 2 set peer 23.100.x.177
    crypto map outside 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
    crypto map outside 2 set ikev2 ipsec-proposal strong AES256 AES192 AES
    crypto map outside 2 set security-association lifetime kilobytes 102400000
    crypto map outside 3 match address outside_cryptomap_2
    crypto map outside 3 set pfs
    crypto map outside 3 set peer 91.x.3.39
    crypto map outside 3 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside 3 set ikev2 ipsec-proposal 3DES
    crypto map outside 100 ipsec-isakmp dynamic dyn1
    crypto map outside interface outside

    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    track 1 rtr 1 reachability
    telnet 10.5.16.0 255.255.240.0 inside
    telnet timeout 5
    ssh 83.x.x.90 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcprelay server 10.5.21.1 inside
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.5.19.253 prefer
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy_c2si internal
    group-policy GroupPolicy_c2si attributes
     wins-server none
     dns-server value 10.5.16.1 10.5.21.1
     vpn-tunnel-protocol ssl-client
     default-domain none
    group-policy GroupPolicy_91.x.3.39 internal
    group-policy GroupPolicy_91.x.3.39 attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy_83.x.172.68 internal
    group-policy GroupPolicy_83.x.172.68 attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy_23.100.x.177 internal
    group-policy GroupPolicy_23.100.x.177 attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy_user internal
    group-policy GroupPolicy_user attributes
     wins-server none
     dns-server value 10.5.21.1 10.5.16.1
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value BerkeleyAdmin-clientvpn
     default-domain value myberkeley.local
    group-policy GroupPolicy_23.101.x.122 internal
    group-policy GroupPolicy_23.101.x.122 attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy BerkeleyUser internal
    group-policy BerkeleyUser attributes
     dns-server value 10.5.21.1 10.5.16.1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value BerkeleyUser-clientvpn
     default-domain value myberkeley.local
    group-policy DS365 internal
    group-policy DS365 attributes
     vpn-idle-timeout none
     vpn-filter none
     ipv6-vpn-filter none
     vpn-tunnel-protocol ikev1 ikev2
    group-policy BerkeleyAdmin internal
    group-policy BerkeleyAdmin attributes
     dns-server value 10.5.21.1 10.5.16.1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value BerkeleyAdmin-clientvpn
     default-domain value myberkeley.local
    username acsadmin password V6hUzNl366K37eiV encrypted privilege 15
    username atlanta password uxelpvEvM3I7tw.Z encrypted privilege 15
    username berkeley password Kj.RBvUp5dtyLw5T encrypted
    tunnel-group BerkeleyUser type remote-access
    tunnel-group BerkeleyUser general-attributes
     address-pool clientvpn
     authentication-server-group group
     default-group-policy BerkeleyUser
    tunnel-group BerkeleyUser ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group BerkeleyAdmin type remote-access
    tunnel-group BerkeleyAdmin general-attributes
     address-pool clientvpn
     authentication-server-group group
     default-group-policy BerkeleyAdmin
    tunnel-group BerkeleyAdmin ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group user type remote-access
    tunnel-group user general-attributes
     address-pool VPN_IP_Pool
     authentication-server-group group
     default-group-policy GroupPolicy_user
    tunnel-group user webvpn-attributes
     group-alias user enable
    tunnel-group c2si type remote-access
    tunnel-group c2si general-attributes
     address-pool VPN_IP_Pool
     authentication-server-group group
     default-group-policy GroupPolicy_c2si
    tunnel-group c2si webvpn-attributes
     group-alias c2si enable
    tunnel-group 83.x.172.68 type ipsec-l2l
    tunnel-group 83.x.172.68 general-attributes
     default-group-policy GroupPolicy_83.x.172.68
    tunnel-group 83.x.172.68 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 23.101.x.122 type ipsec-l2l
    tunnel-group 23.101.x.122 general-attributes
     default-group-policy GroupPolicy_23.101.x.122
    tunnel-group 23.101.x.122 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 91.x.3.39 type ipsec-l2l
    tunnel-group 91.x.3.39 general-attributes
     default-group-policy GroupPolicy_91.x.3.39
    tunnel-group 91.x.3.39 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 23.100.x.177 type ipsec-l2l
    tunnel-group 23.100.x.177 general-attributes
     default-group-policy GroupPolicy_23.100.63.177
    tunnel-group 23.100.x.177 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    class-map state_bypass
     match access-list state_bypass
    policy-map state_bypass_policy
     class state_bypass
      set connection advanced-options tcp-state-bypass
    !
    service-policy state_bypass_policy interface inside
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:bbc6f2ec2db9b09a1b6eb90270ddfeea
    : end
    PTB-ch-asa5505#

    Ah OK I see now.

    Your crypto map ACL for DS365-Cloud is:

    access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud

    so that covers the interesting traffic.

    However, your NAT statement is:

    nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup

    Network 10.5.25.0 is remote, so it will actually appear to be an "outside" network; I think you need this statement to begin "nat (outside,outside)".
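    The interface check in this answer can be made mechanical. The following Python is an added example, not from the thread or from Cisco: it parses `object network`, crypto-map `match address` and twice-NAT lines in the style posted above and flags NAT rules whose real source object sits behind an L2L peer (it is a destination in a crypto-map ACL bound to that interface) but is declared on a different ingress interface. The sample config is constructed and cut down from the post, and the function names are my own.

```python
import re
from ipaddress import IPv4Network

# Constructed sample, cut down from the config in the post: the crypto-map ACLs
# say 10.5.25.0/24 and DS365-Cloud sit behind L2L peers on "outside", yet the
# second NAT rule declares 10.5.25.0/24 as entering on "inside".
SAMPLE_CONFIG = """\
object network DS365-Cloud
 subnet 172.16.10.0 255.255.255.0
object network NETWORK_OBJ_10.5.25.0_24
 subnet 10.5.25.0 255.255.255.0
object network inside-network-16
 subnet 10.5.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
access-list outside_cryptomap_3 extended permit ip 10.5.0.0 255.255.0.0 10.5.25.0 255.255.255.0
crypto map outside 2 match address outside_cryptomap_3
crypto map outside 3 match address outside_cryptomap_2
crypto map outside interface outside
nat (inside,outside) source static inside-network-16 inside-network-16 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"^nat \((?P<ingress>[\w-]+),(?P<egress>[\w-]+)\) source static "
    r"(?P<src>\S+) \S+ destination static (?P<dst>\S+) \S+")
CRYPTO_RE = re.compile(r"^crypto map (?P<map>\S+) \d+ match address (?P<acl>\S+)$")
IFACE_RE = re.compile(r"^crypto map (?P<map>\S+) interface (?P<iface>\S+)$")
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) extended permit ip (?P<rest>.+)$")


def parse_objects(lines):
    """Map each 'object network NAME' block to an IPv4Network (subnet/host only)."""
    objects, current = {}, None
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith(" subnet "):
            _, addr, mask = line.split()
            objects[current] = IPv4Network(f"{addr}/{mask}")
        elif current and line.startswith(" host "):
            objects[current] = IPv4Network(f"{line.split()[1]}/32")
        elif not line.startswith(" "):
            current = None          # any other top-level line ends the block
    return objects


def parse_endpoint(tokens, objects):
    """Consume one ACL endpoint (any | object NAME | ADDR MASK); return (net, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def remote_networks(lines, objects):
    """Destination networks of every crypto-map ACL, keyed by the interface the map is bound to."""
    acl_to_map, map_to_iface, acl_dsts = {}, {}, {}
    for line in lines:
        if m := CRYPTO_RE.match(line):
            acl_to_map[m["acl"]] = m["map"]
        elif m := IFACE_RE.match(line):
            map_to_iface[m["map"]] = m["iface"]
        elif m := ACL_RE.match(line):
            _, rest = parse_endpoint(m["rest"].split(), objects)   # skip source
            dst, _ = parse_endpoint(rest, objects)
            acl_dsts.setdefault(m["acl"], []).append(dst)
    remotes = {}
    for acl, mapname in acl_to_map.items():
        iface = map_to_iface.get(mapname, "outside")   # assumption: unbound map defaults to outside
        remotes.setdefault(iface, []).extend(acl_dsts.get(acl, []))
    return remotes


def check_nat_hairpin(config_text):
    """Return one finding per twice-NAT rule whose real source lives behind a VPN
    peer but is declared on a different ingress interface (the bug in the post)."""
    lines = config_text.splitlines()
    objects = parse_objects(lines)
    remotes = remote_networks(lines, objects)
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m or m["src"] not in objects:
            continue
        src = objects[m["src"]]
        for iface, nets in remotes.items():
            if iface != m["ingress"] and any(src.subnet_of(n) for n in nets):
                fixed = line.replace(f"({m['ingress']},{m['egress']})",
                                     f"({iface},{m['egress']})", 1)
                findings.append({"rule": line, "source": str(src),
                                 "reached_via": iface, "suggested": fixed})
    return findings


if __name__ == "__main__":
    for f in check_nat_hairpin(SAMPLE_CONFIG):
        print(f"source {f['source']} is behind a peer on {f['reached_via']}:")
        print(f"  {f['rule']}\n  -> {f['suggested']}")
```

    The check only inspects the real source object; a rule whose destination is a remote network but whose egress interface is not the VPN interface would need the mirror-image test.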

  • problem setting up vpn site-to-site between asa and 1811 router

    I get the following error.

    3 | January 8, 2008 | 15:47:31 | 710003 | 192.168.0.45 | 192.168.0.50 | TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

    3 | January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50 | TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

    6 | January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50 | Teardown ICMP connection for faddr 192.168.0.50/0 gaddr 192.168.0.50/0 laddr 192.168.0.45/1024

    6 | January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50 | Built inbound ICMP connection for faddr 192.168.0.50/0 gaddr 192.168.0.50/0 laddr 192.168.0.45/1024

    5 | January 8, 2008 | 15:47:03 | 713904 | IP = public IP address, Received encrypted packet with no matching SA, dropping

    4 | January 8, 2008 | 15:47:03 | 113019 | Group = public IP address, Username = public IP address, IP = public IP address, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

    3 | January 8, 2008 | 15:47:03 | 713902 | Group = public IP address, IP = public IP address, Removing peer from correlator table failed, no match!

    3 | January 8, 2008 | 15:47:03 | 713902 | Group = public IP address, IP = public IP address, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!

    5 | January 8, 2008 | 15:47:03 | 713904 | Group = public IP address, IP = public IP address, All IPSec SA proposals found unacceptable!

    3 | January 8, 2008 | 15:47:03 | 713119 | Group = public IP address, IP = public IP address, PHASE 1 COMPLETED

    6 | January 8, 2008 | 15:47:03 | 113009 | AAA retrieved default group policy (DfltGrpPolicy) for user = public IP address

    4 | January 8, 2008 | 15:47:03 | 713903 | Group = public IP address, IP = public IP address, Freeing previously allocated memory for authorization-dn-attributes

    I do not think it is because of an encryption mismatch. Any help is appreciated.

    Thank you

    Nilesh

    You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

    If you do not need PFS, can you do a 'no crypto map WAN_map 1 set pfs' in the configuration of the ASA and bring up the tunnel.

    Kind regards

    Arul
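    As an added example, not part of the thread, the following Python classifier reads ASDM log-viewer lines in the layout Nilesh posted (severity | date | time | syslog ID | optional source and destination | text) and separates a completed phase 1 from a failed phase 2, which is the case Arul's PFS remark addresses. The sample lines are constructed: the documentation address 203.0.113.10 stands in for the redacted public IP, and the struct and message ids are copied from the post.

```python
"""Classify IKE/IPsec tunnel failures from ASDM log-viewer lines."""
import re

# Constructed sample modelled on the lines quoted in the question above.
# 203.0.113.10 is a documentation address standing in for the redacted peer.
SAMPLE_LOG = """\
5 | January 8, 2008 | 15:47:03 | 713904 | IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping
4 | January 8, 2008 | 15:47:03 | 113019 | Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3 | January 8, 2008 | 15:47:03 | 713902 | Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from correlator table failed, no match!
3 | January 8, 2008 | 15:47:03 | 713902 | Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
5 | January 8, 2008 | 15:47:03 | 713904 | Group = 203.0.113.10, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
3 | January 8, 2008 | 15:47:03 | 713119 | Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
6 | January 8, 2008 | 15:47:03 | 113009 | AAA retrieved default group policy (DfltGrpPolicy) for user = 203.0.113.10
"""

PHASE1_DONE = 713119          # "PHASE 1 COMPLETED"
QM_ERROR = 713902             # carries "QM FSM error" when phase 2 fails
PROPOSAL_REJECT = 713904      # "All IPSec SA proposals found unacceptable!"
SESSION_DISCONNECT = 113019   # carries "Reason: ..."


def parse_line(line):
    """Split one ASDM log-viewer line into its fixed columns and free text.

    Lines with a source/destination pair have seven columns, lines without
    have five; the message text is always the last column.
    """
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) < 5:
        raise ValueError(f"unexpected log line: {line!r}")
    return {
        "severity": int(fields[0]),
        "date": fields[1],
        "time": fields[2],
        "msg_id": int(fields[3]),
        "text": fields[-1],
    }


def diagnose(log_text):
    """Summarise an IKE/IPsec negotiation from a block of log lines."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    result = {"phase1_completed": False, "phase2_failed": False,
              "reason": None, "msg_ids": []}
    for ev in events:
        result["msg_ids"].append(ev["msg_id"])
        if ev["msg_id"] == PHASE1_DONE:
            result["phase1_completed"] = True
        elif ev["msg_id"] == QM_ERROR and "QM FSM error" in ev["text"]:
            result["phase2_failed"] = True
        elif ev["msg_id"] == PROPOSAL_REJECT and "proposals found unacceptable" in ev["text"]:
            result["phase2_failed"] = True
        elif ev["msg_id"] == SESSION_DISCONNECT:
            m = re.search(r"Reason: (.+)$", ev["text"])
            if m:
                result["reason"] = m.group(1)
    if result["phase1_completed"] and result["phase2_failed"]:
        # Pre-shared key and IKE policy agreed; the IPsec side did not.
        result["verdict"] = ("phase 2 mismatch: IKE phase 1 completed but no IPsec SA "
                             "proposal was accepted; compare transform set, PFS setting "
                             "and crypto ACL on both peers")
    elif not result["phase1_completed"]:
        result["verdict"] = "phase 1 never completed: check pre-shared key and IKE policy"
    else:
        result["verdict"] = "no IPsec negotiation failure seen"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    The classifier keys on the syslog IDs rather than the free text wherever it can, so it keeps working when the peer address or timestamps differ; only the two 7139xx messages that share an ID with unrelated events are matched on their text.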

  • Issue of ASA NAT and routing

    Hello

    I have a question about NAT and routing on the ASA. I'm relatively new to the ASA and don't know if this works or not. I have a pool of public IPs (209.x.x.x/28) that my ISP routes to the outside interface of my ASA. The IP address assigned to the outside of the ASA is 206.x.x.2/24 with a default gateway of 206.x.x.1. I intend to use NAT to allow my web/mail servers on the DMZ (192.168.x.x) to use the 209.x.x.x addresses. However, I don't know how to make it work, since I'm not ARPing on any interface for the 209.x.x.x addresses as they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a NAT translation (on the outside interface?) of the 209.x.x.x addresses to 192.168.x.x and the ASA will figure it out?

    Thanks for the help.

    Todd

    The ASA will figure it out; it will answer ARP queries for everything it has set up in a "static" command. As long as the ISP routes the 209.x.x.x addresses directly to the ASA, then it should all work fine.

    You just need to add lines like the following:

    static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

    for each of your internal servers in the DMZ. Then an access-list to allow only HTTP/SMTP/etc through to these 209.x.x.x addresses:

    access-list inbound permit tcp any host 209.x.x.x eq smtp
    access-list inbound permit tcp any host 209.y.y.y eq http
    access-group inbound in interface outside

  • Please give index on configuring vpn site to site on 881 to ASA 5505 cisco router

    Earlier my boss asked me to prepare to implement a site-to-site VPN from a Cisco 881 Integrated Services Router to the ASA 5505, which is now running on the HQ side. Someone please give me a hint. I am now learning from the PDF file from Cisco that describes how to configure a site-to-site VPN between a Cisco 1812 IOS router and an ASA 5505 using ASDM V6.1 and SDM V2.5. I cannot find the book for the Cisco 881 device.

    Someone please suggest me something as soon as POSSIBLE.

    Thank you

    CLI version:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    ASDM and SDM Version:

    http://www.Cisco.com/en/us/partner/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
