ASA5505-Site-toSite 3825

I invested more than 60 hours trying to understand this.

I have an ASA5505 which does not connect to my 3825.

Its 'sister', running the same config (except for the inside subnets and outside IP addresses), connects very well.

Here is the config on the ASA:

ZAKASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ZAKASA
domain-name *
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.64.254 255.255.240.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address * *.9 255.255.255.0
!
interface Vlan5
 nameif VLAN5
 security-level 100
 ip address 192.168.12.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport trunk allowed vlan 1-2,5,1002-1005
 switchport trunk native vlan 1
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport trunk allowed vlan 1-2,5,1002-1005
 switchport trunk native vlan 1
 switchport mode trunk
!
ftp mode passive
clock timezone EST -5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.18.10
 name-server 172.16.18.11
 name-server 4.2.2.2
 domain-name *
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.14.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.3.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.4.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.5.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.7.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.12.12.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.13.13.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.48.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.80.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.96.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.112.0 255.255.240.0
access-list capout extended permit ip host * *.162 host * *.9
access-list capout extended permit ip host * *.9 host * *.162
access-list capout extended permit udp host * *.9 eq 4500 host * *.162
access-list capout extended permit udp host * *.9 eq isakmp host * *.162
access-list capout extended permit udp host * *.162 host * *.9 eq isakmp
access-list capout extended permit udp host * *.162 host * *.9 eq 4500
access-list VoIP-Traffic_OUT extended permit ip 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0
access-list VoIP-Traffic_OUT extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq h323
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq sip
access-list VoIP-Traffic_IN extended permit tcp 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0 eq 2000
access-list vl5_nat extended permit ip 192.168.12.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu VLAN5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VLAN5) 1 192.168.12.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 * *.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set Myset1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer * *.162
crypto map outside_map 1 set transform-set Myset1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 VLAN5
ssh timeout 60
console timeout 0
management-access inside
dhcpd lease 14400
dhcpd domain *
!
dhcpd address 172.16.64.101-172.16.64.200 inside
dhcpd dns 172.16.18.11 4.2.2.2 interface inside
dhcpd lease 14400 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain * interface inside
dhcpd enable inside
!
dhcpd address 192.168.12.101-192.168.12.200 VLAN5
dhcpd dns 172.16.18.11 4.2.2.2 interface VLAN5
dhcpd lease 14400 interface VLAN5
dhcpd ping_timeout 750 interface VLAN5
dhcpd domain * interface VLAN5
dhcpd enable VLAN5
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username * password * encrypted privilege 15
tunnel-group * *.162 type ipsec-l2l
tunnel-group * *.162 ipsec-attributes
 pre-shared-key *
!
class-map Voice_OUT
 match dscp ef
class-map Voice_IN
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
policy-map VoicePolicy
 class Voice_OUT
  priority
 class Voice_IN
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: *
: end
ZAKASA#

The 3825 is set up the same way for the other 5505, 891, 3825 and 2621, which do connect.

Any help would be most appreciated.
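One check worth scripting for a case like this, as an added example that is neither the asker's nor Cisco's code: parse the posted crypto ACL and NAT-exemption ACL (an excerpt, re-keyed into standard ASA 8.x syntax) and report flows present in one list but not the other; it then goes a step beyond the post and compares the local crypto ACL against a constructed peer ACL to confirm the phase 2 proxy IDs mirror each other. The peer ACL, the `report` function and the mismatch it finds are assumptions; the 3825's real config is not on the page.

```python
"""Consistency checks for an ASA 8.x L2L crypto map: NAT exemption vs crypto
ACL on one box, and local vs peer crypto ACL mirroring across the tunnel."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source network, destination network)

# Constructed sample: an excerpt of the question's two ACLs in standard syntax.
# It keeps the asymmetries present in the posted config (10.1.1.0/24 and
# 172.16.112.0/20 only in the crypto ACL, 10.14.14.0/24 only in nat0).
ASA_ACLS = """\
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.64.0 255.255.240.0 10.14.14.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 10.2.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.32.0 255.255.240.0
access-list outside_1_cryptomap extended permit ip 172.16.64.0 255.255.240.0 172.16.112.0 255.255.240.0
"""

# Constructed, hypothetical peer side written in the same ASA syntax so the two
# lists can be compared; the router's actual IOS crypto ACL is not on the page.
PEER_ACLS = """\
access-list peer_crypto extended permit ip 10.1.1.0 255.255.255.0 172.16.64.0 255.255.240.0
access-list peer_crypto extended permit ip 10.2.2.0 255.255.255.0 172.16.64.0 255.255.240.0
access-list peer_crypto extended permit ip 172.16.16.0 255.255.240.0 172.16.64.0 255.255.240.0
access-list peer_crypto extended permit ip 172.16.32.0 255.255.240.0 172.16.64.0 255.255.240.0
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _take_addr(tokens: List[str]) -> Net:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0))  # bare address -> /32
    return ipaddress.IPv4Network((tok, tokens.pop(0)), strict=False)


def parse_acls(config: str) -> Dict[str, List[Flow]]:
    """Collect the permit entries of every extended ACL as (src, dst) pairs.
    Port qualifiers after the addresses are ignored; they play no part in proxy IDs."""
    acls: Dict[str, List[Flow]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(2) != "permit":
            continue
        tokens = m.group(4).split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def _sort(flows: Iterable[Flow]) -> List[Flow]:
    return sorted(flows, key=lambda f: (str(f[0]), str(f[1])))


def compare_crypto_nat0(crypto: List[Flow], nat0: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """On ASA 8.x NAT runs before the crypto map is consulted. A crypto flow with
    no nat0 entry is PATed to the outside address first, never matches the crypto
    ACL and leaves in the clear; a nat0-only flow keeps its private source but is
    not selected for the tunnel, so it leaves in the clear as well.
    Returns (crypto_only, nat0_only)."""
    c, n = set(crypto), set(nat0)
    return _sort(c - n), _sort(n - c)


def check_mirror(local: List[Flow], peer: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Phase 2 proxy IDs must match exactly: every local (src, dst) needs the
    peer's (dst, src). Returns (local flows the peer lacks, peer flows we lack)."""
    mirrored = {(d, s) for s, d in peer}
    return _sort(set(local) - mirrored), _sort(mirrored - set(local))


def report(asa_config: str = ASA_ACLS, peer_config: str = PEER_ACLS) -> List[str]:
    """Run both checks and return readable findings (empty list = consistent)."""
    acls = parse_acls(asa_config)
    crypto = acls.get("outside_1_cryptomap", [])
    nat0 = acls.get("inside_nat0_outbound", [])
    peer = parse_acls(peer_config).get("peer_crypto", [])
    findings: List[str] = []
    crypto_only, nat0_only = compare_crypto_nat0(crypto, nat0)
    findings += [f"no NAT exemption for crypto flow {s} -> {d}" for s, d in crypto_only]
    findings += [f"NAT-exempt flow {s} -> {d} is not in the crypto ACL" for s, d in nat0_only]
    local_only, peer_only = check_mirror(crypto, peer)
    findings += [f"peer has no mirror entry for {s} -> {d}" for s, d in local_only]
    findings += [f"peer expects {s} -> {d}, which we do not define" for s, d in peer_only]
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run it against `show run | include access-list` output from both sides; the same mirror check applies to policy-NAT tunnels, where the local crypto ACL must name the translated subnet rather than the real one.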

Hello

Glad to hear it's up and running.

Please mark the question as answered so future users can learn from your answer.

Regards

Tags: Cisco Security

Similar Questions

  • ASA5505-Site-Site & RA on the same device

    Howdy all,

    I am trying to set one up for site-to-site VPN and remote access.  Site-to-site works fine; however, when I connect using the Cisco client, after the password prompt and the initial connection I get a state of "not connected".  The log shows that a policy map match is not found.  I have successfully set the unit up for remote access without any site-to-site, and faced another set of issues when adding the site-to-site to the remote access configuration, so I started over, implementing site-to-site first.  I tried this through ASDM (hate it) - the current configuration is via the CLI.  Any thoughts would be appreciated; I am sure I am just missing a piece or two.

    ASA Version 8.2(5)
    !
    hostname ASA5505
    enable password XXXXXXXXX encrypted
    passwd XXXXXXXXX encrypted
    names
    name 192.168.0.0 MainOffice
    name 192.168.251.0 RAAddresses
    name 10.10.10.0 MainSiteIP
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.250.147 255.255.255.0
    !
    ftp mode passive
    access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
    access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 102 extended permit ip any any
    access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 103 extended permit ip RAAddresses 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 103 extended permit ip 192.168.1.0 255.255.255.0 RAAddresses 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RAPool 192.168.251.100-192.168.251.120
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 0 access-list 103
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 102 in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.250.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http MainOffice 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set RA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set RA
    crypto map outsidemap0 1 match address 101
    crypto map outsidemap0 1 set peer MainSiteIP
    crypto map outsidemap0 1 set transform-set CryptoSet
    crypto map outsidemap0 interface outside
    crypto map mymap 100 ipsec-isakmp dynamic dyn1
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 3600
    crypto isakmp policy 100
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    vpn-addr-assign local reuse-delay 5
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-filter value 101
    username user1 password IQM/O64OATR4zXx7 encrypted
    tunnel-group MainSiteIP type ipsec-l2l
    tunnel-group MainSiteIP ipsec-attributes
     pre-shared-key *
    tunnel-group RAGroup type remote-access
    tunnel-group RAGroup general-attributes
     address-pool RAPool
    tunnel-group RAGroup ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:07120668869a94278df931162ae4d7a5
    : end

    Hello Robert,

    ip local pool RAPool 192.168.251.100-192.168.251.120

    access-list No_NAT_RA permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0

    no nat (inside) 0 access-list 103

    nat (inside) 0 access-list No_NAT_RA

    group-policy DfltGrpPolicy attributes

    no vpn-filter value 101

    access-list Split standard permit 192.168.1.0 255.255.255.0

    group-policy R_A internal

    group-lock value RAGroup

    vpn-tunnel-protocol IPSec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value Split

    Kind regards

    Julio

  • VPN access to site-toSite to servers of HO with remote site with overlapping network...

    Hi all

    I have a requirement to create a site-to-site VPN tunnel on an ASA 5510 from a remote location to my HO; I already have other site-to-site tunnels up and running on the ASA. The issue is that my remote site has a network address that is part of a subnet used in HO (192.168.10.0/24). My requirement is only that my remote site needs to access a couple of my servers in HO, which are in the subnet 192.168.200.0/24.

    Please help with how I can achieve this... your advice is very much appreciated...

    Thanks in advance
    Mikael

    Hi Salem,

    I think the setup at your end is something like this:

    You want the remote location to access the 192.168.200.0/24 server subnet behind the HQ ASA. In this case, you can NAT traffic from the remote site to a different subnet when it goes to 192.168.200.0/24.

    i.e. the 192.168.10.0/24 subnet looks like 192.168.51.0/24 when it goes to 192.168.200.0

    This can be done by using policy-based NAT:

    access-list policy-nat permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0

    static (inside,outside) 192.168.51.0 access-list policy-nat

    In the crypto access list of the remote side, you will have:

    access-list cryptoacl permit ip 192.168.51.0 255.255.255.0 192.168.200.0 255.255.255.0 (this is because the remote side will see 192.168.51.0/24 and not 192.168.10.0/24)

    Similarly, on the HQ end the crypto access list will be:

    access-list XXXXX permit ip 192.168.200.0 255.255.255.0 192.168.51.0 255.255.255.0

    Please try this and let me know if it helps.

    Thank you

    Vishnu Sharma

  • Problem with website Source NAT Site policy

    Dear all,

    I am facing an issue with source-based NAT in a site-to-site VPN configuration.

    We want to access the remote site server 10.67.1.5 from my main server 192.168.210.224; my 192.168.210.224 server needs to be NATed to 10.66.102.178 to go out to the remote site. We have done the configuration below, and VPN phase 1 and phase 2 come up fine, but we are not able to access the remote server 10.67.1.5. Phase 2 is set up and the packets are only encapsulating, not decapsulating. The remote site's VPN terminates on a router, and phase 1 and phase 2 establish.

    There is no NAT exemption configured. Appreciate urgent help to identify the problem...

    We have many site-to-site tunnels operational f... but not the tunnels with policy NAT

    config
    --------
    access-list acl-OR line 1 extended permit ip host 192.168.210.224 host 10.67.1.5 (hitcnt=0)
    access-list acl-OR line 2 extended permit ip host 10.66.102.178 host 10.67.1.5 (hitcnt=2)

    nat (inside) 2 192.168.210.224 255.255.255.255
    global (outside) 2 10.66.102.178

    crypto ipsec transform-set OR esp-3des esp-sha-hmac

    crypto map ENOCMAP 22 match address acl-OR
    crypto map ENOCMAP 22 set peer x.x.x.x
    crypto map ENOCMAP 22 set transform-set
    crypto map ENOCMAP 22 set security-association lifetime seconds 3600
    crypto map ENOCMAP 22 set reverse-route
    crypto map ENOCMAP interface outside

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

    ======================================================================

    12   IKE Peer: x.x.x.x
         Type    : L2L             Role    : initiator
         Rekey   : no              State   : MM_ACTIVE

    ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
    peer address: x.x.x.x
        Crypto map tag: ENOCMAP, seq num: 22, local addr: x.x.x.x

          access-list acl-OR extended permit ip host 10.66.102.178 host 10.67.1.5
          local ident (addr/mask/prot/port): (10.66.102.178/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (10.67.1.5/255.255.255.255/0/0)
          current_peer: x.x.x.x

          #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 89BAF49F
          current inbound spi : DB36C4B6

    Hello

    Please try the NAT statement below:

    access-list policynat extended permit ip host 192.168.210.224 host 10.67.1.5

    static (inside,outside) 10.66.102.178 access-list policynat

    Here is some reference material for policy nat - http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • L2l VPN between two ASA5505 works not

    Let me start by saying I know a thing or two about networks.  VPN, not so much.

    I am trying to configure a site-to-site VPN between two ASA 5505s.  I am building this in a lab at the office before I deploy it to the end sites.  I followed the directions on this very informative forum and think I have it set up correctly.  I can see the tunnel being built and I see the traffic counters incrementing.  But the real user sessions do not seem to work.  For example, ping and telnet do not work.

    An excerpt from the syslog for a ping test to a computer on the remote end.

    (10.1.10.5 is the local computer, 10.1.11.5 is the remote computer.  10.1.11.1 is the inside interface of the remote ASA.)

    6 | Jan 20 2012 | 01:04:12 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:10 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:07 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:05 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:02 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:00 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:57 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:55 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:48 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:46 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:43 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:41 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:38 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:36 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    5 | Jan 20 2012 | 01:03:32 | 713041 | IP = 192.168.24.211, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.24.211 local Proxy Address 10.1.10.0, remote Proxy Address 10.1.11.0, Crypto map (outside_map)

    This is the configuration for one of them.  The other is configured the same way with the usual settings swapped.

    ASA Version 8.2(1)
    !
    hostname ASATWDS
    !

    names
    name 10.1.11.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.10.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.24.210 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.24.1 1
    route outside remote-network 255.255.255.0 192.168.24.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 192.168.24.211
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set phase1-mode aggressive
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 10.1.10.5-10.1.10.36 inside
    dhcpd dns 209.18.47.61 209.18.47.62 interface inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 192.168.24.211 type ipsec-l2l
    tunnel-group 192.168.24.211 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b4bea5393489da3aa83f281d3107a32e

    The configuration looks good to me, but I think you don't need the following:

    crypto map outside_map 1 set phase1-mode aggressive

    crypto map outside_map 1 set reverse-route

    Anyway,

    1 > can you please check whether the computer you are trying to ping or telnet to does not have a host-based firewall, anti-virus or iptables (Linux)?

    2 > paste the output of

    a > sh crypto ipsec sa

    b > sh crypto isakmp sa

    Manish

  • Problem of double Nic VPN access

    Here's how the network looks like:

    192.168.16.0-SBS2003- 192.168.2.0 -ASA5505- Site-to-Site VPN -ASA5505- 192.168.1.0 -RT-N66U- 192.168.3.0

    The VPN works.

    I can access everything from 16.0 to 3.0, and vice versa.

    I need to access 3.0 from the SBS2003. But it does not work, most likely due to the dual-NIC situation and its use of the external 2.x address.

    What could I do to make this work? Are there Windows or ASA settings I could change without playing with the configuration of the global network? Any help would be greatly appreciated.

    Thank you.

    Make sure you include 192.168.2.0/24 in the crypto domains and this should work.

  • Configuration VPN from Site to Site on two ASA5505

    I have two ASA5505s, ver 8.4(6) and ver 9.0(2), configured for a lab site-to-site VPN, but without success.  I can ping the outside address of both ASAs, but I cannot ping the LAN on the other end of the ASA.  Here is the error message when trying to check whether the VPN tunnel is established. For reference, the configurations are provided below.  Any help is very much appreciated.

    ASA1# show crypto isakmp sa

    There are no IKEv1 SAs

    There are no IKEv2 SAs

    ASA1# show crypto ipsec sa

    There are no ipsec sas

    ASA1:

    crypto isakmp enable outside
    object network net-local
     subnet 192.168.1.0 255.255.255.0
    object network net-remote
     subnet 192.168.2.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip object net-local object net-remote
    tunnel-group 200.200.200.1 type ipsec-l2l
    tunnel-group 200.200.200.1 ipsec-attributes
     pre-shared-key pass1234
     isakmp keepalive threshold 10 retry 2
    !
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encryption 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 200.200.200.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    !
    nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
    exit

    ASA2:

    crypto isakmp enable outside
    object network net-local
     subnet 192.168.2.0 255.255.255.0
    object network net-remote
     subnet 192.168.1.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip object net-local object net-remote
    tunnel-group 100.100.100.1 type ipsec-l2l
    tunnel-group 100.100.100.1 ipsec-attributes
     pre-shared-key pass1234
     isakmp keepalive threshold 10 retry 2
    !
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encryption 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 100.100.100.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    !
    nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
    exit

    ASA1# sh run int
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    ASA1#

    ASA1# ping 192.168.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    ASA1# ping google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/10/20 ms
    ASA1#

    ASA2# sh run int
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute

    ASA2# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    ASA2# ping google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 14/10/20 ms
    ASA2#

    If you look at the debugs on the ASA, there are no crypto negotiations of any kind.

    The problem may be that you need to generate interesting traffic to match the ACL.  I don't know if you are on a physical lab or on GNS3.  If you use a physical lab, attach a laptop to the inside interface and configure an IP address on this subnet.  You may need to do this for the other ASA.  Then initiate a ping to the other network.

  • Site to site VPN router-ASA5505

    Hello

    I have a problem with the VPN between an ASA5505 and a 3825 router.

    Behind the ASA we have a server that serves a specific port. If for any reason any link is disconnected, the VPN will not become active if we do not generate traffic to this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when you reboot the ASA: the VPN is not created without pinging the server behind this ASA.

    How could we solve this problem without sending traffic to the server?

    How about remote access to this ASA, can I access the internal interface? If I open access on port 443 on the external interface of the ASA could I access it? Or must I also exclude this traffic from the VPN?

    I used the VPN Wizard to configure the ASA and the CLI on the router.

    Some troubleshooting and configuration commands follow; if this is not enough please let me know what else you need.

    Thanks in advance for your help

    ciscoasa# sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.10.10.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : AM_ACTIVE

    ASA configuration:

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.10.10.1
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    The main part of the router configuration:

    crypto isakmp policy 1
     authentication pre-share
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    crypto isakmp key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10

    crypto ipsec transform-set xxxxx esp-des esp-md5-hmac

    crypto map ETH0 2696 ipsec-isakmp
     set peer 10.10.10.10
     set transform-set xxxxx
     match address 2001

    access-list 2001 permit ip any 192.168.26.96 0.0.0.7

    Post edited by: adriatikb
    I just read somewhere that changing the VPN connection type from 'bi-directional' to 'initiator' or 'answer-only' could help me, but I tested it with no results.

    I had the same problem last week, and the TAC engineer on our service ticket told us to downgrade from IOS 8.2(3) to 8.2(1).  Since then, it works fine.

  • Is there a GUI, other than ASDM and CSM, to test site-to-site IPsec VPN tunnels on an ASA5505/ASA5510?

    Is there a GUI, other than ASDM and Cisco Security Manager, for testing site-to-site IPsec VPN tunnels on a Cisco ASA5505/5510? I usually go through the steps listed in the link below in a terminal window, but it sucks when you have several tunnels to keep track of.

    http://www.nwdump.com/troubleshooting-IPSec-VPN-on-ASA/

    I would prefer one that works with FreeBSD or Linux, as Cisco Security Manager CSM v4.1 is currently limited to running only on Windows Server 2008 Ent.

    Thank you

    Jason

    No, for troubleshooting the best way is to use the CLI, which will give you debug output on where it is failing.

    For configuration, apart from the CLI, ASDM and CSM, unfortunately there is no other tool that works on Linux/FreeBSD, because the commands are specific to the ASA and are limited to the CLI, ASDM or CSM.

  • Site-to-site VPN does not work between PIX515e and ASA5505

    Hello

    I was hoping that someone could help me to get this VPN to work. The IPsec tunnels are not coming up and I noticed this error:

    3 Aug 09 2011 05:13:26 IP = 39.188.41.188, Error processing payload: Payload ID: 1

    Reading up on this it seems it could be an IKE problem, but I am struggling to find the cause (not helped by the new 8.4 commands).

    The configuration is as follows:

    Head office

    PIX515e v6.3(4)

    LAN IP 10.0.160.254/24

    Branch

    ASA5505 v8.4(1)

    LAN IP 192.168.47.254/24

    I have attached the configs; can someone help me with this?

    See you soon,

    Huw

    Huw,

    1. You do not have an ISAKMP policy that matches the remote site (BTW, you have a lot of policies serving no purpose; you may want to consider cleaning up your config before adding a new policy).

    On HQ you have this:

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    You need this on the remote site:

    crypto ikev1 policy xx
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    2. Your interesting traffic does not match:

    On the remote site you have:

    object-group network DM_INLINE_NETWORK_1
     network-object 10.0.160.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.47.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

    On HQ:

    name 10.0.160.0 ENO_LAN
    name 192.168.47.0 EASTMOORS_LAN
    access-list outside_cryptomap_20 permit ip ENO_LAN 255.255.255.0 EASTMOORS_LAN 255.255.255.0

    You need to add this:

    access-list inside_outbound_nat0_acl permit ip ENO_DMZ 255.255.255.0 EASTMOORS_LAN 255.255.255.0

    Once you have applied these changes, try to ping through the tunnel. If it still does not work, please take a "show crypto isakmp sa" and "show crypto ipsec sa" on both sites.

    Thank you.

    Raga
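    A check for the two mismatches Raga points out, written as an added Python example (not from the thread, Cisco or any vendor tool): it looks for an ISAKMP policy both peers agree on and for crypto ACL entries that have no mirror image on the other side. The HQ policy 20 and both crypto ACLs are the ones quoted above; the remote-site policies are constructed to reproduce the "no matching policy" state before and after adding the recommended policy.

```python
"""Check two IKEv1 peers for an agreeing ISAKMP policy and for crypto-ACL
entries with no mirror image on the other side.  Added example: the HQ policy
and both ACLs come from the thread, the remote-site policies are constructed."""
from ipaddress import ip_network

# A policy matches on authentication, encryption, hash and DH group.
# Lifetime is negotiated down to the smaller value, so it is not a mismatch.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")


def find_matching_policy(local, remote):
    """Return (local_seq, remote_seq) of the first policy pair that agrees on
    MATCH_KEYS, or None.  Policies are tried in sequence order, which is the
    order the initiator offers them in the MM1 SA proposal."""
    for lseq, lpol in sorted(local.items()):
        for rseq, rpol in sorted(remote.items()):
            if all(lpol[k] == rpol[k] for k in MATCH_KEYS):
                return (lseq, rseq)
    return None


def unmirrored_aces(local_acl, remote_acl):
    """Return entries (src, dst) of local_acl that have no mirror (dst, src)
    in remote_acl.  Entries are CIDR string pairs; an object-group ACE is
    expanded into one entry per member before the check."""
    mirrors = {(ip_network(d), ip_network(s)) for s, d in remote_acl}
    return [(s, d) for s, d in local_acl
            if (ip_network(s), ip_network(d)) not in mirrors]


# HQ PIX "isakmp policy 20" from the thread.
HQ_POLICIES = {20: dict(authentication="pre-share", encryption="3des",
                        hash="md5", group=2, lifetime=86400)}
# Constructed remote-site policies that do not match (sha, or aes/group 5) ...
REMOTE_BEFORE = {10: dict(authentication="pre-share", encryption="3des",
                          hash="sha", group=2, lifetime=86400),
                 30: dict(authentication="pre-share", encryption="aes",
                          hash="sha", group=5, lifetime=86400)}
# ... and the same set after adding the recommended policy (lifetime
# deliberately different to show it does not break the match).
REMOTE_AFTER = {**REMOTE_BEFORE,
                40: dict(authentication="pre-share", encryption="3des",
                         hash="md5", group=2, lifetime=28800)}

# Crypto ACLs from the thread: outside_cryptomap_20 on HQ, outside_cryptomap
# on the remote ASA with DM_INLINE_NETWORK_1 expanded into two entries.
HQ_ACL = [("10.0.160.0/24", "192.168.47.0/24")]
REMOTE_ACL = [("192.168.47.0/24", "10.0.160.0/24"),
              ("192.168.47.0/24", "192.168.1.0/24")]

if __name__ == "__main__":
    print("match before:", find_matching_policy(HQ_POLICIES, REMOTE_BEFORE))
    print("match after: ", find_matching_policy(HQ_POLICIES, REMOTE_AFTER))
    print("remote ACEs without mirror on HQ:", unmirrored_aces(REMOTE_ACL, HQ_ACL))
```

    The second ACE on the remote side (192.168.47.0/24 to 192.168.1.0/24) is the one with no counterpart on HQ, which is the "interesting traffic does not match" finding.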

  • ASA5505: VPN site-to-site has stopped working

    We have 2 ASAs that connect to a 2811, but for some reason the 2nd ASA does not connect any more. Debugging ipsec and isakmp on the 2811 comes up with all messages.

    The external IP address is still correct, and the sites can ping each other.

    Only the crypto isakmp debug on the ASA comes up with messages (ipsec does not give any messages at all).

    ASDM says:

    Removing peer from peer table failed, no match!

    Error: Unable to remove PeerTblEntry

    I found some info on the error messages above, but these links did not help enough.

    Here is the debug on the ASA side:

    Sep 18 22:06:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:10 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
    Sep 18 22:06:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:17 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:18 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:20 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, IKE MM Initiator FSM error history (struct &0x42b0b10)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, IKE SA MM:f9f683c2 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, sending delete/delete with reason message
    Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, Removing peer from peer table failed, no match!
    Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 18 22:06:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer 64.X.X.X  local Proxy Address 192.168.27.0, remote Proxy Address 10.30.18.0,  Crypto map (outside_map)
    Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, constructing ISAKMP SA payload
    Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, constructing Fragmentation VID + extended capabilities payload
    Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
    Sep 18 22:06:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:25 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Sep 18 22:06:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Sep 18 22:06:32 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    I can post the configs if needed.

    Thank you

    Jason
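    Added Python example (not from the thread or Cisco) that triages a capture like the one above: it reads the IKEv1 main-mode FSM error history, reports the MM_WAIT state the initiator was stuck in, and counts the phase 2 KEY-ACQUIRE requests that queued behind the failing phase 1. SAMPLE is constructed in the same format as the posted debug; the state meanings follow the standard IKEv1 main-mode exchange.

```python
"""Triage an ASA IKEv1 debug capture: where did main mode stall, and how many
phase 2 requests queued behind it?  Added example; SAMPLE is constructed in
the format of the debug posted above."""
import re

# The ASA prints the FSM error history most-recent-first, so the first
# MM_WAIT_* state in the text is the one the initiator was stuck in.
# Meanings follow the standard IKEv1 main-mode exchange.
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "MM1 (SA proposal) sent, no MM2 from peer: peer not "
                    "responding to IKE (unreachable, ISAKMP not enabled on "
                    "its interface, or UDP/500 not getting through)",
    "MM_WAIT_MSG4": "MM3 (key exchange) sent, no MM4 from peer",
    "MM_WAIT_MSG6": "MM5 (ID/auth) sent, no MM6: check pre-shared key/peer ID",
}

HISTORY_RE = re.compile(r"IKE MM Initiator FSM error history[^:]*:\s*(.*)$")
TRANSITION_RE = re.compile(r"(MM_[A-Z0-9_]+),\s*(EV_[A-Z_]+|NullEvent)")
QUEUE_RE = re.compile(r"Queuing KEY-ACQUIRE messages")
PEER_RE = re.compile(r"IP = ([0-9A-Za-z.]+)")


def triage(lines):
    """Summarise a debug capture: peer, the MM_WAIT state the initiator stalled
    in, how many timeouts/retries hit that state, and how many KEY-ACQUIRE
    (phase 2) requests were queued while phase 1 was failing."""
    result = {"peer": None, "stalled_state": None, "meaning": None,
              "timeouts": 0, "retries": 0, "queued_key_acquires": 0}
    for line in lines:
        if QUEUE_RE.search(line):
            result["queued_key_acquires"] += 1
        m = HISTORY_RE.search(line)
        if not m:
            continue
        if result["peer"] is None:
            p = PEER_RE.search(line)
            result["peer"] = p.group(1) if p else None
        transitions = TRANSITION_RE.findall(m.group(1))
        waits = [s for s, _ in transitions if s.startswith("MM_WAIT")]
        if not waits:
            continue
        stuck = waits[0]
        result["stalled_state"] = stuck
        result["meaning"] = MM_STATE_MEANING.get(stuck, "unknown state")
        result["timeouts"] += sum(1 for s, e in transitions
                                  if s == stuck and e == "EV_TIMEOUT")
        result["retries"] += sum(1 for s, e in transitions
                                 if s == stuck and e == "EV_RETRY")
    return result


# Constructed sample in the posted format (peer address masked as in the post).
SAMPLE = """\
Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, IKE MM Initiator FSM error history (struct &0x42b0b10)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, Removing peer from peer table failed, no match!
""".splitlines()
```

    Run `triage(SAMPLE)` on the posted capture: the initiator never gets past MM_WAIT_MSG2, i.e. the router is not answering the first main-mode message at all, which is consistent with the 2811 showing nothing for this peer.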

    A few things:

    (1) On the ASA, please remove 'crypto map outside_map 2 set pfs', given that PFS is not configured on the router.

    (2) On the router, your NAT exemption ACL (104) is missing a few deny statements for some subnets, and one of them also says UDP whereas it should say IP.

    You should add the following on top of the permit statements:

    deny ip 10.131.16.0 0.0.0.255 192.168.27.0 0.0.0.255

    deny ip 172.21.16.0 0.0.0.255 192.168.27.0 0.0.0.255

    deny ip 172.20.15.0 0.0.0.255 192.168.27.0 0.0.0.255

    deny ip 10.130.15.0 0.0.0.255 192.168.27.0 0.0.0.255

    deny ip 10.30.18.0 0.0.0.255 192.168.27.0 0.0.0.255

    (3) You should also remove the "zone-member" command from the loopback0 interface, since you do not have the "outside" zone applied to any interface anyway.

  • ASA5505 VPN Site to site and limiting access - URGENT

    I'll admit my limited knowledge up front, so forgive me if I look like a fool.  The company I work for recently began hosting our application for some of our customers. To do this, we are renting rack space, connections and equipment in a data center.  We must send data from our application to an application in our customers' data center.  They have an ASA 5505.

    Our data center will support site-to-site VPN and nothing else.  Our client finds this unacceptable, citing security and the inability to restrict access to only the small number of servers our application needs to reach.  I have to be able to talk intelligently and with facts (and preferably with configuration examples on hand) to their IOC and network staff in the next day or so.

    Can the ASA 5505 be configured for a site-to-site VPN with our data center that limits our application server to accessing a limited set of IP addresses within their network?  If so, is this fairly easy?  Has anyone done this?

    Thank you

    Leighton Wingerd

    Leighton,

    Sounds like a complicated problem, but it is actually simple.  Remember that a VPN secures the transmission from site A to site B over an insecure environment, the internet.  As such, you DEFINE the traffic that goes through the VPN, and you also DEFINE the traffic that will bring up the VPN tunnel in the first place.  With that said, using your assumed information you would define the interesting traffic as exactly the traffic you want to allow through the VPN:

    access-list datacentre_2_client permit tcp host 1.2.3.4 host 192.168.1.2 eq 1521

    And you will use the same ACL to set which traffic can cross.  However, I know for a fact that an Oracle ODBC connection uses more than one TCP port!

    Data confidentiality is something else that your customer needs to define requirements for.  An SSL connection is fine and dandy; you will just be encrypting the traffic twice!

  • VPN site to Site if a distance ASA has a dynamic IP address outside

    Hello

    I am still trying to find the right commands for a dynamic site-to-site VPN.

    I found something on the 'set peer' command, but is it exactly what I want to do?

    Static IP on both ASAs (asa5505 and asa5510):

    crypto map outside_map 1 set peer 192.168.178.230 <== that is for a static IP, if I know the

    One static (asa5510) and one dynamic (asa5505) IP:

    crypto dynamic-map outside_map 1 set peer asa5505 <== is that the right set?

    What if the remote ASA is called asa5505 and it has a dynamic IP address?

    Kind regards

    Hans-Jürgen Guenter

    Yes, you do not need the 3 lines above in the configuration. Those are kept on the static end to accept the connection from the dynamic peer.

    You do not need the 'set peer' command, as you don't have a static IP address for the dynamic end.

  • Very confused! Mac OS El Capitan and Cisco WLC5508/Aironet3702i: some sites won't load on wifi

    All,

    A strange behavior.

    Worked great for the last 9 months, but here is the story.

    Environment:

    ASA5516-X, ASA5505, ASA5510

    * I tried all three, thinking that it was a firewall issue.

    WLC5508 and 17 AP3702i

    Catalyst2960 switches

    Recently my Mac cannot access some sites like aol.com, cisco.com, apple.com and paychex.com from a wired connection (Thunderbolt adapter) to my Catalyst switch. On wifi, it cannot access some sites like google and yahoo, but not those listed above. Windows laptops can access all the websites all the time over wireless or wired connections?

    We have 5 Macs in the building and they all have the same problem. They are wired for now, but I'd like to be able to solve this problem.

    Also, I used to be able to telnet to my switch and firewall on wifi; it will connect, but no data appears to indicate that I am at the prompt of the Cisco device.

    Any ideas on what could be happening?

    I even restored my original config back to the first date when everything was fine.

    Thank you

    Nate

    Hello

    I had a problem quite identical to this; the step-by-step here helped (for some users it did not work):

    http://techrumours.weebly.com/tech-solutions/some-website-not-loading-up...

    When you're connected via wifi, rather than accessing web sites via Safari or Chrome, have you tried pinging them via Terminal to check the DNS configuration?

    If the ping by host name through Terminal does not work, then resolve the IP on a Windows machine and try to ping the IP to ensure Internet accessibility.

    Are the Mac and Windows machines connecting to the same SSID and getting the same authorization?

    Thank you

    PS: Please do not forget to rate and mark as the correct answer if this solves your problem

  • IPSEC VPN on ASA5505

    Hello, hope you can help me:

    I need to configure an IPsec VPN on an ASA5505, with a .PFX certificate to authenticate with the VPN endpoint. I can install the certificate as a certificate authority, but when I use the Site-to-Site VPN Wizard, I put in the peer IP address, after which I try to select the certificate that was downloaded, but when I click on the name of the certificate, there is no certificate.

    How can I solve this problem?

    Thanks to all in advance

    Hello

    Do you see the certificate imported as an ID cert? If so, you can follow this guide

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    HTH

    Averroès.
