ASA VPN does not work
Hello
I'm trying to set up a virtual private network to another ASA. I can ping the outside of the other ASA. This VPN is just for a small site in a hub-and-spoke topology; my config is just for the office spoke, so basically this office has to send all its traffic to the hub HQ where the servers are. Do you see any reason why the VPN will not come up?
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2Yjyt7RRXU24 encrypted
passwd 2KFQnbIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 90.174.83.202 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.101.61.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network internal-10.101.61.0
 subnet 10.101.61.0 255.255.255.0
object network internal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
object network Corp
 subnet 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip 10.101.61.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip 10.101.61.0 255.255.255.0 10.100.1.0 255.255.255.0
pager lines 24
logging enable
logging console errors
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
!
object network internal-0.0.0.0
 nat (inside,outside) dynamic interface
!
nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 93.174.83.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 10.101.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 80.171.156.66
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES
crypto map outside_map interface outside
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.101.61.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.101.61.10-10.101.61.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_80.171.156.66 internal
group-policy GroupPolicy_80.171.156.66 attributes
 vpn-tunnel-protocol ikev1 ikev2
username * password oiYa7C.IOflZak encrypted privilege 15
tunnel-group 80.171.156.66 type ipsec-l2l
tunnel-group 80.171.156.66 general-attributes
 default-group-policy GroupPolicy_80.171.156.66
tunnel-group 80.171.156.66 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect sunrpc
  inspect tftp
  inspect ip-options
  inspect rtsp
  inspect pptp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fbebeccb487674e3d8d1c4cff0b27749
: end
ciscoasa#
Hello
An obvious problem is the ordering of the NAT rules:
object network internal-0.0.0.0
 nat (inside,outside) dynamic interface
!
nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp
In the configuration above, the dynamic PAT configuration overrides the NAT0 configuration meant for the L2L VPN.
You should make this change and test again to see whether there are other problems:
no nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp
nat (inside,any) source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp
We remove "after-auto" from the command so that the NAT0 rule is moved to the top of the NAT rules, before the current dynamic PAT rule for the LAN.
Hope this helps
-Jouni
Tags: Cisco Security
Similar Questions
-
ASA 5520 8.0(4) port-based ACL VPN does not work
Hi all
I have a problem with an ASA (5520 8.0(4)) not working with a port-based ACL for remote clients. I have a simple single-line ACL to split traffic; if I allow IP the tunnel works fine, if I lock it down to TCP 3389 RDP will not work. I don't see anything in the logs and debug output. I did have a problem with a similar configuration (5510 8.0(4)) and I'm at a loss to explain it.
Has anyone seen this problem before? I have NAT exemptions etc. and, as I said, the tunnel only works if the ACL permits all IP traffic between client and server.
Thanks in advance
A split-tunnel list can only be IP. If you want to restrict which ports are sent via the VPN tunnel for your VPN clients, you need to use VPN filters under the group policy:
-
Split DNS on ASA 5510 remote access VPN does not work
I connect successfully to the tunnel and can ping remote hosts by IP but am unable to browse the internet from the VPN client. Also, host name resolution on the remote end does not work... I can only connect through the IP address. Ideas? Thanks again!
Your group policy has correct split tunneling and split DNS settings. But I think that you are being assigned the DfltGrpPolicy rather than your group policy, because the group policy is not set in your tunnel group, nor passed from authentication.
Do a "show vpn-sessiondb remote" to confirm which group policy is assigned. To fix it, assign your group policy to your tunnel group as follows:
tunnel-group <your tunnel group> general-attributes
 default-group-policy <your group policy>
-heather
-
Hello
I can't get my site-to-site VPN to work. Not only that, but I am unable to get an internet connection through my ASA. I need to use the public IP addresses provided by the ISP for my local network = 99.143.97.186 - 190, subnet mask = 255.255.255.248
I followed this tutorial: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...
Can someone please take a look at my settings and help me out? Very much appreciated. Thank you.
See the config:
ciscoasa(config)# sh run
: Saved
: Written by enable_15 at 01:12:15.869 UTC Thu Sep 4 2008
!
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 99.143.97.186 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.84 255.255.255.0
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 100 extended permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
access-list sheep extended permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 206.127.20.63 255.255.255.255 192.168.1.254 1
route outside 206.127.21.3 255.255.255.255 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 99.143.97.184 255.255.255.248 inside
http 99.143.97.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 206.127.21.3
crypto map outside_map 20 set transform-set RIGHT
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 99.143.97.187-99.143.97.190 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 206.127.21.3 type ipsec-l2l
tunnel-group 206.127.21.3 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:0ab759de3926ddb63f79f18a8422409e
ciscoasa(config)# show crypto isakmp sa
There are no isakmp sas
ciscoasa(config)# show ip performance
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 99.143.97.186 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.84 255.255.255.0
!
You have an interface misconfiguration :-)
Add these lines and share how it goes:
interface Vlan1
 no ip address 99.143.97.186 255.255.255.248
 ip address 192.168.1.84 255.255.255.0
interface Vlan2
 no ip address 192.168.1.84 255.255.255.0
 ip address 99.143.97.186 255.255.255.248
Kind regards,
Dinesh Moudgil
PS: Please rate helpful messages.
-
VPN connection does not work - Tecra A8 / WXP
Hello
I have a Toshiba Tecra A8 (3 years old) with Windows XP / SP3.
Everything works fine (network cable or wireless; Bluetooth too), but when I tried to configure a VPN connection to my company's server, it does not work. The router in my house works well, as does the firewall at the company.
I know that because the other Win XP or Win 7 PCs and laptops can connect to the company.
I got the error message "721" (from the VPN component), which could also be a network adapter error (unsupported protocol or similar), but there might be another reason too. I tried to update the network adapter driver, but did not find more recent software.
And currently I am unwilling to upgrade to Windows 7 without knowing whether the error appears there too. Any ideas? For advice and links to possible answers I would like to say thank you in advance.
Regards,
Peter
Don't know if this is really a LAN card problem as described above; the network administrator must check everything first and determine if this is a problem of the client (VPN) software.
-
I have a Windows VPN (PPTP) server behind my Nighthawk R7000 router but the router does not allow VPN passthrough? Any ideas?
I have port 47 GRE TCP/UDP and TCP/UDP 1723 forwarded to the IP address of my VPN server. Am I missing something? There should be a checkbox to enable VPN passthrough but I don't see one on the R7000 Nighthawk? It's not letting me VPN into my network. Help, please. Once again, it is for Windows VPN, not the OpenVPN client (which I don't want to use).
Yes, I have forwarded manually and yes I have chosen PPTP VPN in the drop-down menu. I managed to solve the problem though! I just removed the PPTP VPN service from the drop-down and added the PPTP service again, and now everything works fine.
-
I just upgraded my ASA from 7 to 8 and now my remote access VPN is not working properly. The tunnels connect and I can ping anything, but I can't browse network shares or connect to Exchange.
Any idea as to what I'm missing?
Thank you
Dan
IPsec VPN packets are dropped when compression is enabled: when you configure the ip-comp enable command under group policy, large packets that are eligible for compression are silently dropped by the security appliance. VPN compression is only useful for very slow Internet connections, so we suggest you disable compression (ip-comp disable). Alternatively, you can move to interim build 8.0(4.16) or later. (CSCsu26649)
Release notes for Cisco ASA 8.0.4.
-
What VPN works like a PPTP VPN on a Cisco ASA 5520 firewall?
Hi all
Can you please tell me which VPN I can configure on the ASA 5520 firewall to replace PPTP. What VPN works like a PPTP VPN on a Cisco ASA 5520 firewall?
You can use the RA VPN wizard in ASDM and configure L2TP over IPsec VPN, which does not need a VPN client to be installed.
Michael
Please rate all useful posts
-
Outlook over BT Infinity
I recently changed my home broadband to BT Infinity. Now I can't access my work email through Outlook over a VPN. The VPN sign-in works ok, I can see my company network, but I cannot use Outlook. I get the following error when Outlook starts up.
Task 'Microsoft Exchange Server' reported an error (0x80040115): 'The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.'
Anyone have any ideas?
Allan M
Hello
Your Windows 7 question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the IT Pro TechNet audience. Please post your question in the TechNet Windows 7 networking forum.
Ramata Thakur
-
After upgrading yesterday from Vista to Windows 7, my Cisco VPN no longer works and I get an error message titled: Reason 440 driver failure. Any ideas to fix this?
This was the solution! The VPN works like a million dollars now. I followed the instructions above to go into the uninstall program and select the repair option. I rebooted the machine, then used the troubleshoot compatibility option on the VPN software. Selected Windows XP (Service Pack 2) as the correct software and the Cisco VPN client started right up.
Thanks, Nick!
Rick
-
Site to Site VPN working without crypto map (ASA 8.2(1))
Hi all
Found a strange situation on our ASA5540 firewall:
We have a few site-to-site VPNs and also VPN client access enabled on the ASA; all are working properly. But we found that one site-to-site VPN is running without a crypto map configuration. Is this possible?
I tried to clear the isakmp sa and clear the ipsec sa, then the VPN came up once again. Tested too with ping requests to a remote site through the VPN.
I saw there is a tunnel-group config for the VPN but saw no crypto map and ACL.
How does the firewall know what traffic should be encrypted for this VPN tunnel without a crypto map?
Is this a bug?
Thanks in advance,
It can be an Easy VPN configuration.
Could you post the output of show running-config, removing any sensitive information. This could help us answer your question more specifically.
-
IPsec sequence numbers not working for multiple VPNs
A single site-to-site VPN works no problem, but when I add the second peer on the hub router it does not connect. There is no routing in place; all routers are connected to the same switch, and with no crypto map they can all ping 192.168.2.1. With the crypto map only 192.168.2.2 can ping 192.168.2.1. I'm at a loss as to what I'm doing wrong; it seems simple, I just add the Test entry with a different sequence number, but it won't work.
Ask any other question you can think of. I used the same commands on both spoke routers, so it seems that it would be in the hub router, but it beats me as to why.
Thanks for the help.
Hub router:
----------------------------------------------------------------------------------------------------------------------------------------------
R1#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
Crypto Map "test" 2 ipsec-isakmp
        Peer = 192.168.2.3
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.3
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
---------------------------------------------------------------------------------------------------------------------------------------------
R2#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
----------------------------------------------------------------------------------------------------------------------------------------------
R3#sh crypto map
Crypto Map "test" 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map test:
                FastEthernet0/0
There is a typo in the IP address for the PSK on R3.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Hello
I have a question concerning VPN: is it possible to configure both an IPsec site-to-site VPN and a remote access VPN on the same ASA and have them work at the same time? Does it require one or two different public IP addresses?
I have a Cisco ASA 5540, version 9.1
Best regards
Hello
Yes, you can, with one single public IP address. You need to enable the same-security-traffic permit intra-interface feature to allow a VPN client to access the site-to-site VPN, if you need that.
Take a look at the Cisco documentation:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you
PS: Please do not forget to rate and mark as correct answer if this solves your problem
-
Hi-
We have a tunnel/VPN configured between an ASA 5505 (ver. 8.4(7)) and a 5512 (ver. 9.2(3)).
We can only ping in one direction, 5505 to the 5512, but not vice versa (5512 to 5505). Networks:
Local: 192.168.1.0 (responder)
Remote: 192.168.54.0 (initiator). See details below on our config:
sh run crypto map
crypto map outside_map 2 match address outside_cryptomap_ibfw
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer XX.XX.XXX.XXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
Note:
Getting hit counts on the rules/ACLs below...
sh access-list | i 54.0
access-list outside_access_out line 6 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=15931) 0x01aecbcc
access-list outside_cryptomap_ibfw line 1 extended permit ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt=3) 0xa75f0671
access-list outside_cryptomap_ibfw line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=3) 0xa75f0671
sh run | i access-group
access-group outside_access_out out interface outside
NOTE:
We have another working VPN tunnel on the 5512; we use IKE peer #2 below (in BOLD)...
sh cry ikev1 sa
IKEv1 SAs:
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer: XX.XX.XXX.XXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: XXX.XXX.XXX.XXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
sh run tunnel-group XX.XX.XXX.XXX
tunnel-group XX.XX.XXX.XXX type ipsec-l2l
tunnel-group XX.XX.XXX.XXX general-attributes
 default-group-policy GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX.XX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
sh run | i ikev1 policy
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 group 5
 lifetime 86400
sh run | i dynamic
nat (inside,outside) source dynamic obj-0.0.0.0 interface
nat (inside,outside) after-auto source dynamic any interface
NOTE:
From the 5512 to the 5505, we can ping a host on the remote network from the local ASA:
local ASA# ping inside 192.168.54.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.54.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
Determining the route from 192.168.1.79 (local host) to 192.168.54.20 (remote host): bypassing the tunnel?
Checking the IPsec tunnel: seems OK?
sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX
      access-list outside_cryptomap_ibfw extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
      current_peer: XX.XX.XXX.XXX
      #pkts encaps: 4609, #pkts encrypt: 4609, #pkts digest: 4609
      #pkts decaps: 3851, #pkts decrypt: 3851, #pkts verify: 3851
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4609, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: XX.XXX.XXX.XXX/0, remote crypto endpt.: XX.XX.XXX.XXX/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CDC99C9F
      current inbound spi : 06821CBB
    inbound esp sas:
      spi: 0x06821CBB (109190331)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 339968, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914789/25743)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCDC99C9F (3452542111)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 339968, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3913553/25743)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
--> On the local ASA 5512 (where we have the issue) we tried Packet Tracer... it seems we receive requests/responses...
sh cap CAP
34 packets captured
   1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
   2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
   3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
   4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
   5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply
--> On the remote ASA 5505 we can ping through the 5512 to the local host (192.168.1.79)
sh cap A2
42 packets captured
   1: 16:56:16.136559 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
   2: 16:56:16.168860 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
   3: 16:56:17.140434 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
   4: 16:56:17.171652 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
   5: 16:56:18.154426 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
   6: 16:56:18.186178 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
   7: 16:56:19.168417 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
--> Packet tracer on the 5512 shows no problem... but we cannot ping from host to host?
packet-tracer input inside icmp 192.168.1.79 8 0 192.168.54.20 detailed
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2d0ba90, priority=7, domain=conn-set, deny=false
        hits=4417526, user_data=0x7fffa2d09040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj-0.0.0.0 interface
Additional Information:
Dynamic translate 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
 Forward Flow based lookup yields rule:
 in  id=0x7fffa222d130, priority=6, domain=nat, deny=false
        hits=4341877, user_data=0x7fffa222b970, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside
...
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7422689, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
--> On the remote ASA 5505 the packet tracer is good and we can ping the remote host fine... dunno why it does an "UN-NAT"?
Destination - initiator:
packet-tracer input inside icmp 192.168.54.20 8 0 192.168.1.79 detailed
...
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...
Summary:
We cannot ping from a host (192.168.1.79) on the 5512's inside network to the 5505's inside network host (192.168.54.20).
But we can ping from the 5505's inside network host (192.168.54.20) to the 5512's inside network host (192.168.1.79). Please let us know what other details we can provide to help solve this; thanks for any help in advance.
-SP
Well, I think it is a NAT ordering issue.
Basically the static rule and this NAT rule -
nat (inside,outside) source dynamic obj-0.0.0.0 interface
are both in section 1, and in this section it is done on the order of the rules, so it matches the dynamic NAT rule rather than the static because that seems to be higher in the order.
To check, just run a "sh nat" and this will show you what order everything is in.
The ASA works its way through the sections.
You also have this -
nat (inside,outside) after-auto source dynamic any interface
which does the same thing as the first statement but is in section 3, so it is never used.
So you do one of two things -
(1) configure the static NAT statement above the dynamic NAT in section 1, i.e. you can specify the line number
or
(2) remove the dynamic NAT from section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose dynamic NAT precisely because of these issues.
Interestingly, on your ASA 5505 you duplicated your dynamic NAT statements again, but this time in section 2 and section 3, which is why your static NAT works: it is matched before all your dynamic rules.
The only thing I'm not sure of is, if you remove the dynamic NAT statement in section 1 and rely on the statement in section 3, whether it tears down the current connections (sorry, can't remember).
Then you can simply try to rearrange so your static NAT is above it, just to see if it works.
Just in case you want to see the document, here is the link -
Jon
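Jouni's answer (the "after-auto" NAT0 rule shadowed by object NAT) and Jon's answer (a section 1 static rule listed below a section 1 dynamic PAT rule) describe the same ASA 8.3+ behaviour: the NAT table is walked section 1, then section 2, then section 3, in line order, and the first match wins. The following is an added example, not code from this thread or from Cisco. It models that lookup in Python, builds the rule tables from the configs quoted in the two posts (the position of SP's 5512 static rule is an assumption taken from Jon's reading, since that line is not in SP's post), and adds a check that reports NAT0 rules no packet can ever reach.

```python
"""Model of Cisco ASA (8.3+) NAT table evaluation: section 1 (manual NAT), then
section 2 (object NAT), then section 3 (manual NAT after-auto), first match wins.
Constructed illustration only; it is not ASA code and does not parse a config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    text: str       # the CLI line the rule stands for (quoted from the thread)
    section: int    # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    order: int      # position within its section; lower is evaluated first
    src: str        # real source network the rule matches
    dst: str        # real destination network the rule matches ("0.0.0.0/0" = any)
    exempt: bool    # True = identity/NAT0 rule, False = dynamic PAT to the interface


def nat_table(rules):
    """Order rules the way 'show nat' lists them: by section, then by line."""
    return sorted(rules, key=lambda r: (r.section, r.order))


def lookup(rules, src_ip, dst_ip):
    """Return the first rule matching a real src/dst pair, as packet-tracer would."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in nat_table(rules):
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    return None


def shadowed_exemptions(rules):
    """NAT0 rules that can never win because an earlier rule already covers every
    src/dst pair they match. Returns (shadowed rule text, shadowing rule text) pairs."""
    table = nat_table(rules)
    found = []
    for i, rule in enumerate(table):
        if not rule.exempt:
            continue
        for earlier in table[:i]:
            if (ip_network(rule.src).subnet_of(ip_network(earlier.src))
                    and ip_network(rule.dst).subnet_of(ip_network(earlier.dst))):
                found.append((rule.text, earlier.text))
                break
    return found


def vpn_traffic_is_exempt(rules, src_ip, dst_ip):
    """True when a packet for the tunnel keeps its real address (a NAT0 rule wins)."""
    rule = lookup(rules, src_ip, dst_ip)
    return rule is not None and rule.exempt


# Constructed from the original poster's config: object NAT PAT for everything
# (section 2) and a NAT0 rule pushed into section 3 by "after-auto".
PAT_OBJECT = NatRule("object network internal-0.0.0.0 / nat (inside,outside) dynamic interface",
                     2, 1, "0.0.0.0/0", "0.0.0.0/0", False)
NAT0_AFTER_AUTO = NatRule("nat (inside,any) after-auto source static internal-10.101.61.0 "
                          "internal-10.101.61.0 destination static Corp Corp no-proxy-arp",
                          3, 1, "10.101.61.0/24", "10.100.1.0/24", True)
# Jouni's fix: the same rule without "after-auto" lands in section 1.
NAT0_SECTION1 = NatRule("nat (inside,any) source static internal-10.101.61.0 "
                        "internal-10.101.61.0 destination static Corp Corp no-proxy-arp",
                        1, 1, "10.101.61.0/24", "10.100.1.0/24", True)
AS_POSTED = [PAT_OBJECT, NAT0_AFTER_AUTO]
AFTER_FIX = [PAT_OBJECT, NAT0_SECTION1]

# Constructed from Jon's reading of SP's 5512: both manual rules in section 1 with the
# dynamic PAT listed first. The static rule's position is assumed, not quoted.
SP_5512 = [
    NatRule("nat (inside,outside) source dynamic obj-0.0.0.0 interface",
            1, 1, "0.0.0.0/0", "0.0.0.0/0", False),
    NatRule("static identity rule 192.168.1.0/24 <-> 192.168.54.0/24 (assumed position)",
            1, 2, "192.168.1.0/24", "192.168.54.0/24", True),
]

if __name__ == "__main__":
    for label, rules in [("as posted", AS_POSTED), ("after fix", AFTER_FIX), ("SP 5512", SP_5512)]:
        print(f"{label}: shadowed NAT0 rules -> {shadowed_exemptions(rules)}")
    print("OP 10.101.61.5 -> HQ 10.100.1.10 exempt, as posted:",
          vpn_traffic_is_exempt(AS_POSTED, "10.101.61.5", "10.100.1.10"))
    print("same flow after fix:", vpn_traffic_is_exempt(AFTER_FIX, "10.101.61.5", "10.100.1.10"))
```

Running it shows the effect both answers describe: as posted, the office-to-HQ flow hits the interface PAT rule and arrives at the hub with the outside address, so it never matches the crypto ACL; after the fix the same flow keeps its real address while internet-bound traffic still gets PAT. The shadowed-rule check is the offline equivalent of eyeballing "show nat" for an identity rule that sits below a broader one.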
-
Site to Site VPN connection between ASA and 2800 router
I'm trying to get a L2L VPN working between an ASA on 8.4 code and a 2800 on 12.4.
I first saw the following errors in the debug logs on the ASA side:
Error message %PIX|ASA-6-713219: Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I see the following on the 2800 end:
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP:(0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0): Support for IKE Fragmentation not enabled
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching x.x.x.x
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID is Unity
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID seems Unity/DPD but major 54 mismatch
ISAKMP:(2345): vendor ID is XAUTH
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): speaking to another IOS box!
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID seems Unity/DPD but hash mismatch
ISAKMP:received payload type 20
ISAKMP (2345): His hash no matched this node outside NAT
ISAKMP:received payload type 20
ISAKMP (2345): No NAT Found for self or peer
ISAKMP:(2345):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(2345):Old State = IKE_R_MM3  New State = IKE_R_MM3
ISAKMP:(2345): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
----------
This is part of the configuration of the ASA:
object network ABCD
 subnet 10.20.30.0 255.255.255.0
object network ABCD-Net
 subnet 172.16.10.0 255.255.255.0
access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60
nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
object-group network XXXX-20
 network-object object ABCD-Net
 group-object abcd-Int-Net
object-group network XXXX
 network-object object ABCD-Net
 group-object abcd-Int-Net
crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA
------------------------
Here is a part of the 2800:
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key r2374923 address 72.15.21.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map cry-map-1 1 ipsec-isakmp
 set peer 72.15.21.xxx
 set transform-set ESP-3DES-SHA
 match address VPN
!
class-map type inspect match-any class-map-vpn
 match access-group 100
class-map type inspect match-any cm-inspect-1
 match access-group name inside-out
class-map type inspect match-any cm-inspect-2
 match access-group name outside
!
!
policy-map type inspect policy-map-inspect
 class type inspect cm-inspect-1
  inspect
 class class-default
  drop
policy-map type inspect policy-map-inspect-2
 class type inspect class-map-vpn
  inspect
 class type inspect cm-inspect-2
 class class-default
  drop
!!
interface FastEthernet0
 ip address 74.25.89.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 duplex auto
 speed auto
 crypto map cry-map-1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source route-map route-map-1 interface FastEthernet0 overload
!
ip access-list extended inside-out
 permit ip 172.16.10.0 0.0.0.255 any
ip access-list extended nat-acl
 deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
ip access-list extended outside
 permit ip any any
ip access-list extended VPN
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.200.0.0 0.0.255.255
access-list 23 permit 172.16.10.0 0.0.0.255
access-list 123 remark class-map-LCA-4 category=0
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!!
route-map route-map-1 permit 1
 match ip address nat-acl
!
Hello
I quickly browsed your config and what I could notice is:
your transform set (isakmp) on the ASA and router are not the same; try to configure the same on both sides.
In the ASA NAT statement you gave (any,any); try to give the interface names instead of any.
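The router debug in the original post stops after the responder sends MM_KEY_EXCH (state IKE_R_MM3) while the ASA queues KEY-ACQUIRE messages waiting for phase 1. As an added example (not code from either poster or from Cisco), this Python reads IOS 'debug crypto isakmp' responder output, finds the last main-mode state reached, and maps it to the usual first thing to check; the sample lines and the peer address 203.0.113.9 are constructed.

```python
import re

# Constructed responder-side 'debug crypto isakmp' excerpt in the style of the
# page's log; peer address 203.0.113.9 is a documentation address, not the page's.
SAMPLE = """\
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
ISAKMP:(0): sending packet to 203.0.113.9 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
ISAKMP (0): received packet from 203.0.113.9 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
ISAKMP:(0):found peer pre-shared key matching 203.0.113.9
ISAKMP:(2345): sending packet to 203.0.113.9 my_port 500 peer_port 500 (R) MM_KEY_EXCH
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
EXCH_RE = re.compile(r"\([RI]\) ((?:MM|QM)_\w+)")

# Responder main-mode milestones; the furthest one reached says where the
# negotiation stalled. Hints are the usual first things to check, not proof.
HINTS = {
    "IKE_R_MM1": "MM1 received but no SA reply sent: compare 'crypto isakmp policy' "
                 "(encryption, hash, DH group, auth) with the peer",
    "IKE_R_MM2": "SA agreed, no KE/nonce from peer: UDP/500 path or peer side",
    "IKE_R_MM3": "MM4 sent, no valid MM5 received: pre-shared key mismatch "
                 "or the peer dropping our MM4 is the usual cause",
    "IKE_R_MM5": "MM6 sent, phase 1 done: look at phase 2 (crypto ACL, transform set)",
}

def last_state(debug_text):
    """Return (last 'New State', last exchange marker) seen in the debug text."""
    state = exch = None
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            state = m.group(2)
        m = EXCH_RE.search(line)
        if m:
            exch = m.group(1)
    return state, exch

def diagnose(debug_text):
    """Classify where IKEv1 main mode stopped, from the responder's point of view."""
    state, exch = last_state(debug_text)
    if state is None:
        return "no ISAKMP state transitions found"
    if state == "IKE_P1_COMPLETE" or state.startswith("IKE_QM") or exch == "QM_IDLE":
        return "phase 1 complete (quick mode reached)"
    return "stalled at %s (%s): %s" % (state, exch, HINTS.get(state, "see IKE state table"))
```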