ASA VPN on physical IP address only?

Hello

Is it possible to set up a virtual IP address dedicated to the VPN endpoint on an ASA running version 8.3 or later?

I don't want to use the physical IP address on my external interface.

Thank you

No problem. Please kindly mark this post as answered so that others may learn from your post. Thank you.

Tags: Cisco Security

Similar Questions

  • ASA VPN - how many IP addresses?

    Can anyone help with this DMZ configuration? This is taken from the book. If the ASA firewall has a public IP (209.165.201.225) on the outside interface, then what about my router? Does this mean that I need 3 public IP addresses? ISP (ADSL with public IP) --- ROUTER (fa0/0 209.165.201.226) --- (outside=209.165.201.225) ASA5505 (inside=192.168.1.1). Does the router route to the public IP address of the ASA outside interface (how, one translation)? I know the ASA will need a translation from outside to DMZ and an access list to allow traffic. Right now, my company only has one public IP address. How can I make this work? Thank you!

    Hello

    If you have only one usable public IP address, you can have this IP address on the router (Internet gateway) and have a private segment between the router and the ASA.

    With port forwarding, you can have incoming traffic (such as VPNs, for example) sent to the ASA by the router.

    The ASA will not need a public IP address configured on the outside interface as long as the device with the public IP (the router) can redirect traffic to the private IP assigned to the ASA's WAN interface.

    Hope that makes sense.

    Federico.

  • Assign the static IP address by ISE, ASA VPN clients

    We will integrate the remote access ASA VPN service with a new ISE 1.2.

    Authentication is performed against Active Directory. After authentication, can an IP address be assigned to a specific VPN user by ISE?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you have only a handful of users to do this for, it may be more appropriate to assign the address from an ISE pool or perform the LDAP attribute mapping on the ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA maps the IP address. You don't want to keep the IP address DB in several places.

    M.

  • My ASA cannot ping the lan address

    I use the ASA's built-in EzVPN. I can access the ASA and ping the inside interface address successfully, but from Windows 7 I can't ping the interconnection address 10.100.255.2. I don't know how to solve the problem. Can anyone help me? Thank you...

    The config:

    ASA5520# sh run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname asa5520
    domain-name sxng
    enable password DOAXe2w/ilkXwCIz encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.248
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.100.255.254 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     ip address x.x.x.x 255.255.255.0
    !
    interface GigabitEthernet0/3
     nameif wireless
     security-level 10
     ip address x.x.x.x 255.255.255.0
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/pix723.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name sxng
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit icmp any any
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip any 10.100.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.254.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 extended permit ip any 10.100.254.0 255.255.255.0
    access-list acl_out extended permit icmp any any
    access-list acl_out extended permit tcp any host x.x.x.x eq www
    access-list acl_out extended permit tcp any host x.x.x.x eq 9000
    access-list acl_out extended permit udp any host x.x.x.x eq 9000
    ........
    ......
    access-list acl_out extended permit ip any 10.1.1.0 255.255.255.0
    access-list inside_access_in extended permit tcp 10.1.10.0 255.255.255.0 any eq 5000
    access-list acl_inside extended permit ip any any
    access-list acl_inside extended permit icmp any any
    access-list wireless_access_in extended permit ip any any
    access-list wireless_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging timestamp
    logging list vpn-event level emergencies
    logging list vpn-event message 109001-109028
    logging list vpn-event message 113001-113019
    logging buffer-size 5000
    logging console informational
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu wireless 1500
    mtu management 1500
    ip local pool vpnpool 10.100.254.1-10.100.254.250 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.x
    global (dmz) 1 10.100.253.101-10.100.253.200 netmask 255.255.255.0
    global (wireless) 1 172.16.255.101-172.16.255.200 netmask 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.1.1.14 255.255.255.255
    nat (inside) 1 10.1.13.100 255.255.255.255
    nat (wireless) 1 172.16.0.0 255.255.0.0
    static (dmz,outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255
    .......
    .........
    static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
    static (inside,dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255
    static (dmz,outside) x.x.x.x 10.100.253.20 netmask 255.255.255.255
    static (dmz,outside) x.x.x.x 10.100.253.32 netmask 255.255.255.255
    access-group acl_out in interface outside
    access-group acl_inside in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.0.0.0 255.0.0.0 10.100.255.1 1
    route inside 10.0.0.0 255.0.0.0 10.100.255.2 1
    route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1
    !
    router ospf 1
     network 10.67.180.0 255.255.255.255 area 0
     network 0.0.0.0 0.0.0.0 area 1
     log-adj-changes
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 10.100.0.0 255.255.0.0 inside
    telnet 10.100.255.0 255.255.255.0 inside
    telnet 0.0.0.0 0.0.0.0 wireless
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcpd dns x.x.x.x
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    group-policy sxnggroup internal
    group-policy sxnggroup attributes
     dns-server value 202.99.192.68
     ip-comp enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
    username sxtrq password Y6cwK1wOhbhJ6YI/ encrypted
    username maboai password R6eu6P1iKIwFIFjS encrypted
    username winet password FwZ0ghxvIpXOepvf encrypted
    tunnel-group sxnggroup type ipsec-ra
    tunnel-group sxnggroup general-attributes
     address-pool vpnpool
     default-group-policy sxnggroup
    tunnel-group sxnggroup ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7
    : end

    ASA5520# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 202.97.158.177 to network 0.0.0.0

    C    x.x.x.x 255.255.255.248 is directly connected, outside
    C    172.16.255.0 255.255.255.0 is directly connected, wireless
    S    172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless
    S    10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside
                            [1/0] via 10.100.255.2, inside
    C    10.100.255.0 255.255.255.0 is directly connected, inside
    S    10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outside
    C    10.100.253.0 255.255.255.0 is directly connected, dmz
    S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

    ASA5520# sh arp
            outside x.x.x.x 00d0.d0c6.9181
            outside x.x.x.x 00d0.d0c6.9181
            outside 224.0.0.5 0100.5e00.0005
            inside 224.0.0.5 0100.5e00.0005
            inside 10.100.255.1 0000.0c07.acff
            inside 10.100.255.2 001c.b0cb.5ec0
            dmz 10.100.253.20 60a4.4c23.3032
            dmz 224.0.0.5 0100.5e00.0005
            dmz 10.100.253.1 001a.6436.6df6
            wireless 224.0.0.5 0100.5e00.0005
            wireless 172.16.255.1 0026.98c6.41c8

    Try using the "show crypto ipsec sa" command to watch the encaps and decaps packet counters; hopefully they aren't incrementing too fast. You should be able to see both increase when it works and only one side increase when it fails. Check both sides of the VPN, and this should give you an idea where the problem is. If the encaps packets are incrementing on the ASA local to your Win7 PC and decaps are incrementing on the remote ASA but its encaps are not, then the issue is with packets from the remote side. I hope this helps you narrow down where the problem is so you can focus your search there.

  • Problem Cisco ASA VPN/ACL

    All,

    The situation is that I'm trying to initiate a connection from outside an ASA firewall to a destination IP address that is on the remote end of a VPN tunnel terminated on the same ASA, on the outside interface. So logically the traffic flow is outside to outside.

    The ASA is denying the traffic; the log shows the source and destination as outside and outside.

    Is there something smart I can do on the ASA to solve this problem?

    Thank you

    D

    Hello

    Use the following command on the ASA:

    same-security-traffic permit intra-interface

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN ASA behind the main ASA that is connected to the Internet. Both devices have an inside leg for the internal network, but the VPN ASA connects to the Internet through the main ASA.

    Topology:

    Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN

    ASA VPN: outside interface on the L3 interface of the ASA/FW DMZ link

    On the outside FW I NAT the external address of the VPN ASA to an available public IP address, and I have a rule that allows all IP from outside to the private outside IP of the VPN ASA. Inside = 192.168.254.1, outside = public IP address.

    Configured on the VPN ASA: standard ASA SSL remote access.

    When I hit the NATed public IP address, nothing happens. I've run packet-tracer on the outside FW and everything seems good.

    Does anyone have a sample plan/config for a similar topology? Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can you share the NAT and routing configuration of these two ASAs?

  • ASDM access to VPN conc (ASA)

    I have a scenario like this:

    An ASA, which is the FW, does static NAT from the public to the private IP, and the private IP address is the address of the VPN conc (another ASA). I access these devices via the VPN client and get an IP address from the VPN pool set on the VPN conc. The VPN conc. is in a DMZ VLAN, but it also has a connection to the local network segment. For mgmt purposes, I connect to this VPN conc. through SSH via a switch in the local network segment. To use HTTP access, I have to be on one of the servers in the local network segment. So, once I have set up the VPN connection to the VPN conc., what can I do to access HTTP directly from my PC?

    Set this up on the VPN conc:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (note, I assume the interface connected to the LAN is named "inside"; if not, adapt at will)

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN concentrator.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections. I'm pretty new to ASAs, so any help would be great. I know how to create a new remote access VPN on my ASA and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for the VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA? Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?

    I'll connect the inside interface to one of my main Cisco switches, and the outside interface of the new VPN-only ASA connects to my DMZ switch.

    Thank you

    I'm not sure I follow how you connect the outside interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    Your mention of the DMZ switch threw me a little. If you are coming in through your main firewall and going to the VPN-only ASA via the DMZ, then yes, you will need to allow several ports (protocol 50, udp/500, tcp/443 among others) and may have to do some other things (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used: it adds a good dose of complexity without significant benefit.

    When the former (parallel) setup is used, you need your internal switch to know to route traffic for the VPN pool through the VPN-only ASA's inside interface. A static route is most often used, although you could use OSPF or EIGRP if you wanted to.

    There should generally not be any access list needed for VPN traffic beyond the incoming interface access lists. Return traffic to remote clients comes from inside and goes out (and is usually part of an established connection), so no access list is necessary on the inside.

  • ASA VPN with Fortigate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN doesn't come up, and in debug crypto ikev1 10 I see the following log:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the msg on the ASA is:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to enable both DH groups 1 and 2 for the VPN, so I asked the other peer to leave it this way, and the ASA shows:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa:

    9   IKE Peer: 179.124.32.181
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3

    I have deleted and re-created the VPN 3x and the same error occurs.

    Has anyone seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but mostly it has been a Phase 2 problem, and setting the KB lifetime to the maximum on the ASA side has solved it... However, this seems not to be your problem here.

    The first thing I see in your config is that you have PFS enabled; have you ensured it is enabled on the Fortinet side, or tried turning it off on the Cisco side to see if it comes up?

    Being stuck at MM_WAIT_MSG3 means that you sent your return policy, but then did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (however unlikely, given that you have already had communication).

    Try on the ASA side:

    debug crypto isakmp 7

    Can you also confirm your external interface is 'outside1'? You can see this with "show ip".

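As an added illustration of the Phase 1 behaviour this thread is about (example code, not from the thread or from Cisco): an IKEv1 responder walks its ISAKMP policies in priority order and accepts the first one whose encryption, hash, authentication method and DH group equal the peer's transform; the lifetime does not fail the match, the shorter value is used. The single local policy, the two peer transforms (a peer offering DH groups 1 and 2, as the Fortigate was set to do) and the debug line fed to the parser are all constructed; the message wording follows the ASA's "Mismatched attribute types" Phase 1 failure debug.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry; lower priority is tried first."""
    priority: int
    encryption: str        # des | 3des | aes | aes-192 | aes-256
    hash: str              # md5 | sha
    authentication: str    # pre-share | rsa-sig
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds


# Attribute classes as the ASA debug names them; "Group Description" is the DH group.
DEBUG_CLASS = {
    "encryption": "Encryption Algorithm",
    "hash": "Hash Algorithm",
    "authentication": "Authentication Method",
    "group": "Group Description",
}


def mismatched_attributes(policy: IsakmpPolicy, proposal: Dict) -> List[str]:
    """Attributes in which the peer's transform differs from one local policy.
    Lifetime is deliberately excluded: a lifetime difference does not fail the
    match, the shorter of the two values is used."""
    return [a for a in DEBUG_CLASS if getattr(policy, a) != proposal[a]]


def match_policy(policies: List[IsakmpPolicy], proposal: Dict) -> Optional[IsakmpPolicy]:
    """First local policy (by priority) that fully matches the transform, else None."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if not mismatched_attributes(policy, proposal):
            return policy
    return None


def negotiated_lifetime(policy: IsakmpPolicy, proposal: Dict) -> int:
    return min(policy.lifetime, proposal.get("lifetime", policy.lifetime))


def _fmt(attr: str, value) -> str:
    return f"Group {value}" if attr == "group" else str(value)


def explain_failure(policies: List[IsakmpPolicy], proposal: Dict) -> List[str]:
    """One line per policy/attribute that differs, in the style of the ASA debug."""
    lines = []
    for policy in sorted(policies, key=lambda p: p.priority):
        for attr in mismatched_attributes(policy, proposal):
            lines.append(
                f"policy {policy.priority}: Mismatched attribute types for class "
                f"{DEBUG_CLASS[attr]}: Rcv'd: {_fmt(attr, proposal[attr])} "
                f"Cfg'd: {_fmt(attr, getattr(policy, attr))}")
    return lines


# Pulls the class and the received/configured values out of a debug line.
DEBUG_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s*"
    r"Rcv'd:\s*(?P<rcvd>.+?)\s+Cfg'd:\s*(?P<cfgd>.+?)\s*$")


def parse_mismatch_line(line: str) -> Optional[Dict[str, str]]:
    m = DEBUG_RE.search(line)
    return m.groupdict() if m else None


def negotiate(policies: List[IsakmpPolicy],
              transforms: List[Dict]) -> Optional[Tuple[IsakmpPolicy, Dict, int]]:
    """Responder view of the peer's SA payload: the first transform (in the order
    the peer sent them) that matches some local policy wins."""
    for transform in transforms:
        policy = match_policy(policies, transform)
        if policy:
            return policy, transform, negotiated_lifetime(policy, transform)
    return None


# Constructed data: one local policy (3DES/SHA/PSK/DH group 2) and a peer offering
# two transforms that differ only in DH group, with a shorter lifetime than ours.
LOCAL_POLICIES = [IsakmpPolicy(1, "3des", "sha", "pre-share", 2)]
PEER_TRANSFORMS = [
    {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 1, "lifetime": 28800},
    {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 2, "lifetime": 28800},
]
# Constructed debug line in the ASA's Phase 1 failure format.
SAMPLE_DEBUG_LINE = ("[IKEv1]: Phase 1 failure:  Mismatched attribute types for class "
                     "Group Description:  Rcv'd: Group 1  Cfg'd: Group 2")

if __name__ == "__main__":
    for line in explain_failure(LOCAL_POLICIES, PEER_TRANSFORMS[0]):
        print(line)
    print(negotiate(LOCAL_POLICIES, PEER_TRANSFORMS))
    print(parse_mismatch_line(SAMPLE_DEBUG_LINE))
```

Run against a real debug capture, `parse_mismatch_line` tells you which attribute class and which two values disagree, and `explain_failure` reproduces that list from the candidate policies, which is a quick way to see whether adding one more `crypto isakmp policy` entry would make the peer's transform match.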
  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connections based on LDAP group.

    I'm not specialized in the firewall, and I tried to follow the links below, but both seem old; several commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Does anyone know how I can do this?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this. Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • ASA VPN Plus = SSL VPN?

    Hello

    I have a failover pair; I need to replace an ASA5520 that has a VPN Plus 750 license.

    Can I use an ASA5520 with ASA5500-SSL-750 instead?

    Regards Tony

    Yes, it is still available to order. Part number: ASA5520-VPN-PL=

    In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • ASA Vpn load balancing and failover

    Hi all.

    We have two ASA5520s configured as primary and standby units in a failover configuration, and everything works fine.

    Is it possible, with this (failover) configuration, to configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both features, VPN load balancing and failover, on the same two ASA firewalls.

    Where you need both features, you must use three or more ASA firewalls: the first two ASAs work as the failover pair and the third ASA works as the VPN cluster with them. The following example uses four firewalls:

    ASA1 (FO Active) - ASA2 (FO Standby)
          (VPN virtual master)
                 |
                 |
          (VPN backup device)
    ASA3 (FO Active) - ASA4 (FO Standby)

    Kind regards

    Wajih

  • Cisco ASA 5540 L2L VPN - one-way traffic only for the peer to one network

    Hello

    I'm a little confused as to what the problem is. This is the background for the problem I am facing.

    One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Checkpoint device on their end). It worked until early this week, when connection problems suddenly started.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The other 2 have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configuration is correct (and the information they sent me seems to be correct).

    So essentially the crypto domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network to the remote site 10.82.0.200/30 worked. None of the other connections work.

    There have been no changes made on our side, and the remote side also insists there have been no changes. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been the same (about a year).

    The main problem is that users on 10.231.191.0/24 can't access the remote network. However, the remote end can initiate and bring up the VPN on their side, but never gets any return traffic. I've also checked that the routes are configured correctly on the core routers so that return traffic for their connections goes back to the firewall.

    I also used "packet-tracer" without the VPN tunnel being up (and it passes the VPN phases). To my understanding, "packet-tracer" alone, with the source and destination IP addresses, should bring up the VPN connection (even if it generates no actual traffic through the tunnel).

    This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.82.0.200     255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group in interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
      nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
        NAT exempt
        translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT for the problem network to another interface. Don't know why it shows in the output.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
      nat-control
      match ip inside 10.231.0.0 255.255.0.0 interface3 any
        static translation to 10.231.0.0
        translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT configuration for the local network when traffic goes to the Internet

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
      nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside any
        dynamic translation to pool 5 (y.y.y.y)
        translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So basically the connection should go to the L2L VPN properly, but it doesn't. I tried generating basic client traffic (with a source IP address from the client network), and I see the connection on the firewall, but there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the outside interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but simply doesn't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
      local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

    If it were just a routing problem it would be a simple thing to fix, but it is not, because I can see the connections from the core router arriving at the firewall; they just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Could this be something on the Checkpoint VPN device? (I have absolutely no experience with Checkpoint devices.)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum; 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin
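Two checks that follow from this thread and from the "show crypto ipsec sa" advice in the "My ASA cannot ping the LAN address" thread above, written here as an added example (not code from either thread or from Cisco). The first reads the `#pkts encaps` / `#pkts decaps` counters from two snapshots of the SA and says which direction has stopped, since only growth between snapshots is meaningful. The second takes the crypto ACL and the `nat 0 access-list` entries and reports any crypto pair that no NAT-exempt entry covers; on 8.2 such traffic is translated before the crypto map sees it, so it never matches the proxy identities and is never encapsulated. The counter text, the ACL name L2L-CRYPTO and the deliberately incomplete exemption list are all constructed in the style of ASA 8.2 output.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(sa_text: str) -> Dict[str, int]:
    """Read the encaps/decaps totals from one 'show crypto ipsec sa' SA block."""
    counts = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(sa_text):
        counts[name] = int(value)
    return counts


def direction(before: Dict[str, int], after: Dict[str, int]) -> str:
    """Classify a tunnel from counter growth between two snapshots; absolute
    values mislead because they accumulate across rekeys and reconnects."""
    tx = after["encaps"] - before["encaps"]
    rx = after["decaps"] - before["decaps"]
    if tx > 0 and rx > 0:
        return "bidirectional"
    if rx > 0:
        # Peer's packets arrive and decrypt, nothing local is encapsulated:
        # check the crypto ACL, NAT exemption and routing on this side first.
        return "receive-only"
    if tx > 0:
        # We encrypt, nothing comes back: the far side or its return routing.
        return "send-only"
    return "idle"


Net = ipaddress.IPv4Network
# 'access-list NAME [line N] extended permit ip <src> <dst>' with host/any/net-mask tokens.
ACL_RE = re.compile(
    r"access-list (\S+)(?: line \d+)? extended permit ip "
    r"(host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)")


def _net(token: str) -> Net:
    """Turn an ACL address token ('host a.b.c.d', 'any', 'net mask') into a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(lines: List[str]) -> List[Tuple[str, Net, Net]]:
    """(name, source, destination) for each 'permit ip' entry; other lines are skipped."""
    entries = []
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            entries.append((m.group(1), _net(m.group(2)), _net(m.group(3))))
    return entries


def uncovered_crypto_entries(crypto_acl, exempt_acl) -> List[Tuple[Net, Net]]:
    """Crypto-ACL pairs that no NAT-exempt entry covers in both source and destination."""
    missing = []
    for _, src, dst in crypto_acl:
        covered = any(src.subnet_of(esrc) and dst.subnet_of(edst)
                      for _, esrc, edst in exempt_acl)
        if not covered:
            missing.append((src, dst))
    return missing


# Constructed snapshots a few minutes apart: decaps grows, encaps stays at zero.
SA_BEFORE = ("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0\n"
             "#pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131\n")
SA_AFTER = ("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0\n"
            "#pkts decaps: 140, #pkts decrypt: 140, #pkts verify: 140\n")

# Constructed crypto ACL (name invented) with three pairs; the NAT-exempt lists
# cover only two of them, so the third network is translated instead of tunnelled.
CRYPTO_ACL = [
    "access-list L2L-CRYPTO extended permit ip host 10.238.57.21 host 10.82.0.202",
    "access-list L2L-CRYPTO extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252",
    "access-list L2L-CRYPTO extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252",
]
NAT_EXEMPT = [
    "access-list INSIDE-VPN-SHEEP line 1 extended permit ip host 10.238.57.21 host 10.82.0.202",
    "access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252",
]

if __name__ == "__main__":
    print(direction(parse_counters(SA_BEFORE), parse_counters(SA_AFTER)))
    for src, dst in uncovered_crypto_entries(parse_acl(CRYPTO_ACL), parse_acl(NAT_EXEMPT)):
        print(f"no NAT exemption for {src} -> {dst}")
```

Feed `parse_counters` the SA block for the peer in question from two captures and `direction` names the failing side; the ACL check is only as good as its input, so collect the crypto ACL and every `nat 0 access-list` for the interfaces the affected hosts sit behind, not just one of them.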

  • LAN to LAN VPN on ASA - only a single public address...

    Hello, I need to find a way to work around this problem.

    We have an ASA 5510 running 8.3 that we need to use to terminate a LAN-to-LAN IPsec VPN.

    The problem is that we have only a single public address available, since the link between the ASA and the Internet router is set up on private addresses.

    Is it possible to NAT the public IP to the inside or the outside interface of the ASA and terminate the VPN on this interface?

    If not, do I have other options?

    Thanks in advance!

    Rob

    No, you can't NAT the IP address of the ASA on the ASA itself; that is not supported.

    Also, the VPN tunnel can only be terminated on an interface of the ASA.

    How and where do you currently do NAT for Internet access? Can you not configure it on the same device where you are currently configuring your NAT?

  • Site-to-site VPN when the remote ASA has a dynamic outside IP address

    Hello

    I am still trying to find the right commands for a dynamic site-to-site VPN.

    I found something on the 'set peer' command, but is that exactly what I want to do?

    Static IP on both ASAs (asa5505 and asa5510):

    crypto map outside_map 1 set peer 192.168.178.230    <== that is for a static IP, if I know the

    One static (asa5510) and one dynamic (asa5505) IP:

    crypto dynamic-map outside_map 1 set peer asa5505    <== is that the right set

    if the remote ASA is called asa5505 and has a dynamic IP address?

    Kind regards

    Hans-Jürgen Guenter

    Yes, you do not need the 3 lines above in the configuration. Those are kept on the static end to accept the connection from the dynamic peer.

    You do not need the 'set peer' command, as you don't have a static IP address for the dynamic end.
