ASA5505 site-to-site VPN and limiting access - URGENT
I'll admit up front that my knowledge is limited, so forgive me if I look like a fool. The company I work for recently began hosting our application for some of our customers. To do this, we are renting rack space, connectivity and equipment in a data center. We must send data from our application to a server in our customer's data center. They have an ASA 5505.
Our data center will support a site-to-site VPN and nothing else. Our client finds this unacceptable, citing security and the inability to restrict access to only the small number of servers our application needs to reach. I have to be able to talk intelligently and with facts (and preferably with example configurations in hand) to their NOC and network staff in the next day or so.
Can the ASA 5505 be configured for a site-to-site VPN with our data center that limits our application server to a restricted set of IP addresses within their network? If so, is this easily possible? Has anyone done this?
Thank you
Leighton Wingerd
Leighton,
It sounds like a complicated problem, but it is actually simple. Remember that a VPN secures the transmission from site A to site B over an untrusted environment, the Internet. You DEFINE the traffic that goes through the VPN, and you also DEFINE the traffic that brings up the VPN tunnel in the first place. With that said, using your hypothetical addresses, you would define the interesting traffic as exactly the traffic you want to allow through the VPN:
access-list datacentre_2_client permit tcp host 1.2.3.4 host 192.168.1.2 eq 1521
You would use the same ACL to define which traffic may cross the tunnel. However, I know for a fact that an Oracle ODBC connection uses more than one TCP port!
Data confidentiality is something else; your customer needs to define the requirements. An SSL connection is fine and dandy, but you would just be encrypting the traffic twice!
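As an added example (not from the thread, and not the poster's or the customer's configuration), here is how the crypto-ACL approach in the reply looks on both ends of an ASA 8.2 site-to-site tunnel. The hosts 1.2.3.4 and 192.168.1.2 and port 1521 are the reply's hypothetical values; the public peer addresses 203.0.113.2 and 198.51.100.1, the ACL and map names and the transform set are assumptions. The hosting side is drawn as an ASA for symmetry; any IPsec gateway there has to present the mirrored proxy identities.

```cisco
! ---------- Customer side, ASA 5505 (outside 203.0.113.2, assumed) ----------
! Proxy identities: only the Oracle host, only TCP/1521, only from the app server.
! Traffic from any other host, or to any other port, does not match and is never
! sent through the tunnel; a peer proposing wider proxy IDs is refused in Phase 2.
access-list datacentre_2_client extended permit tcp host 192.168.1.2 eq 1521 host 1.2.3.4
! NAT exemption must cover the same pair: with nat-control (8.2 style) the packet is
! translated before the crypto check and would no longer match the crypto ACL.
access-list nonat extended permit ip host 192.168.1.2 host 1.2.3.4
nat (inside) 0 access-list nonat
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address datacentre_2_client
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set AES256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! With a PSK in main mode the peer is identified by its address, so the
! tunnel-group name must be the peer IP.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <long-random-psk>
!
! ---------- Hosting data centre side (outside 198.51.100.1, assumed) ----------
! Exact mirror of the customer's crypto ACL: source and destination swapped,
! the port stays on the Oracle host's side. Each extra Oracle port the reply
! warns about needs its own mirrored line on BOTH ends.
access-list client_2_datacentre extended permit tcp host 1.2.3.4 host 192.168.1.2 eq 1521
access-list nonat extended permit ip host 1.2.3.4 host 192.168.1.2
nat (inside) 0 access-list nonat
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address client_2_datacentre
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set AES256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
! (isakmp policy identical to the customer side)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <long-random-psk>
```

To show the customer's staff that the restriction is real, bring the tunnel up and run `show crypto ipsec sa` on the 5505: the local and remote identities of the SA are the two /32s with port 1521, and the packet counters only move for that flow. Keep in mind that `sysopt connection permit-vpn` is on by default, so decrypted traffic bypasses the outside interface ACL; the crypto ACL (or a vpn-filter on the tunnel's group-policy) is therefore the enforcement point, not the interface ACL.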
Tags: Cisco Security
Similar Questions
-
Hello, this is not quite a regular export of the registered sites (I have many)... and that is the mistake.
In short, after the computer died, I still have the hard drive on USB (old Win 7 Pro on an external drive).
How can I get my list of sites and FTP accesses, passwords, etc.?
They are encrypted in the registry, if I'm not mistaken?
Any idea?
Thank you.
(Google translation)
Solution found:
Just export the new common/site .reg file, modify it with the values from the old one, then import it; everything works.
Thank you
-
PIX site-to-site and remote access
Dear guys,
I have a PIX 515e with version 8.0 and on the other side a 2811 router; the site-to-site VPN between these two devices is implemented, but I want some remote clients to be able to connect to the PIX.
So, is it possible to implement a remote-access VPN on the PIX outside interface alongside the site-to-site tunnel?
Any clue?
Hello
Yes, it is quite possible. Please see the attached sample configuration. Note this is for PIX v7.x, but it should work fine for 8.x.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml
HTH
Jon
-
Site-to-site VPN and remote access
I have an ASA licensed for 25 concurrent VPN connections. I want to know: if I have 20 remote-access tunnels and 5 site-to-site tunnels established at the same time, and I want to establish a new site-to-site tunnel, will the site-to-site tunnel drop a remote-access tunnel, or will it fail to come up? Do site-to-site tunnels have a higher priority than remote access, or are they the same? Site-to-site tunnels are more important to me and I need them to pre-empt the remote-access tunnels.
Hello
Sorry for the confusion. No, you cannot set a parameter like that.
Thank you
Gilbert
-
Two site-to-site tunnels and VPN client access
I have 2 remote sites, 1 with a static IP address and 1 with a dynamic IP address; they connect to a central site that has a PIX 501. I had the 2 IPsec tunnels working well for a while, but now my client wants the option of having workers use the VPN client to connect to the PIX as well. The problem I have is that after adding the vpngroup config, my site with the dynamic IP address can no longer connect. I had to use the IP address they have right now and add an additional peer in the crypto map, but if this IP address changes I have to come in and change the config.
Here's the relevant info in the config:
access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer <static-peer-ip>
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp
crypto map oadcmap 22 match address ipsec2
crypto map oadcmap 22 set peer <current-dynamic-peer-ip>
crypto map oadcmap 22 set transform-set oadcset
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
crypto map oadcmap interface outside
isakmp enable outside
isakmp key ******** address <static-peer-ip> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <current-dynamic-peer-ip> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup oadcgroup address-pool oadcclient
vpngroup oadcgroup dns-server 192.168.100.3
vpngroup oadcgroup default-domain clientdomain.com
vpngroup oadcgroup idle-time 1800
vpngroup oadcgroup password ********
Any help is appreciated,
Ken
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap1 30 set transform-set oadcset
crypto dynamic-map oadcdynmap1 30 match address ipsec2
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer <static-peer-ip>
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
Try this and see if it helps. I have something similar on a router; I don't know if the PIX supports it. Worth a try, though.
-
ASA5505: site-to-site VPN has stopped working
We have 2 ASAs that connect to a 2811, but for some reason the 2nd ASA no longer connects. Debugging ipsec and isakmp on the 2811 comes up with no messages at all.
The external IP address is still correct, and the sites can ping each other.
Debugging on the ASA only produces messages for crypto isakmp (ipsec gives no messages at all).
ASDM says:
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry
I found some info on the error messages above, but those links didn't help enough.
Here is the debug on the ASA side:
Sep 18 22:06:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:09 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:10 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:13 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:16 [IKEv1]: IP = 64.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
Sep 18 22:06:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:17 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:18 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:20 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, IKE MM Initiator FSM error history (struct &0x42b0b10) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, IKE SA MM:f9f683c2 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, sending delete/delete with reason message
Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, Removing peer from peer table failed, no match!
Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, Error: Unable to remove PeerTblEntry
Sep 18 22:06:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer 64.X.X.X local Proxy Address 192.168.27.0, remote Proxy Address 10.30.18.0, Crypto map (outside_map)
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, constructing ISAKMP SA payload
Sep 18 22:06:24 [IKEv1 DEBUG]: IP = 64.X.X.X, constructing Fragmentation VID + extended capabilities payload
Sep 18 22:06:24 [IKEv1]: IP = 64.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
Sep 18 22:06:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:25 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 18 22:06:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 18 22:06:32 [IKEv1]: IP = 64.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I can post the configs if needed.
Thank you
JAson
A few things:
(1) On the ASA, please remove "crypto map outside_map 2 set pfs", since PFS is not configured on the router.
(2) On the router, your NAT exemption ACL (104) is missing a few deny statements for some subnets, and one of them also says UDP where it should say IP.
You should add the following on top of the permit statements:
deny ip 10.131.16.0 0.0.0.255 192.168.27.0 0.0.0.255
deny ip 172.21.16.0 0.0.0.255 192.168.27.0 0.0.0.255
deny ip 172.20.15.0 0.0.0.255 192.168.27.0 0.0.0.255
deny ip 10.130.15.0 0.0.0.255 192.168.27.0 0.0.0.255
deny ip 10.30.18.0 0.0.0.255 192.168.27.0 0.0.0.255
(3) You should also remove the "in-zone" zone membership from interface loopback0, since you don't have "out-zone" applied to any interface anyway.
-
Critical auth and a restrictive access list
I'm just playing with ISE 1.1.4 and critical auth, but I have a pretty locked-down default access list on the ports. Is it possible to replace a very restrictive default access list in the event of critical auth?
It seems that if you rely on dACLs to provide access for devices (closed mode or similar), critical auth is not a viable option?
Or have I misunderstood, and perhaps "authentication event server dead action authorize voice" does more than I expected.
I guess I'm looking for something like "authentication event server dead action access-list less-restrictive-ACL".
Thank you
Gas
Why not flip it on its head and have your less-restrictive ACL as the default, and impose the more restrictive things through the dACL?
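The suggestion above, as an added example on an IOS access switch (not from the thread and not an ISE-provided configuration): the port ACL is the least restrictive policy you are willing to run when ISE is unreachable, and the tighter policy arrives per session as a dACL while ISE is up. Interface name, VLAN numbers, the PORT-FALLBACK ACL, the 10.10.0.0/16 server range and the RADIUS timers are assumptions.

```cisco
! Port ACL = fallback policy. This is what a port runs under critical auth, because a
! dACL only exists for as long as a RADIUS server can return one in Access-Accept.
! Keep it just wide enough for the business to limp along without ISE.
ip access-list extended PORT-FALLBACK
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any 10.10.0.0 0.0.255.255 eq 443
 deny   ip any any
!
! Dead-server detection has to fire before critical auth can take over.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PORT-FALLBACK in
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Critical auth: with every RADIUS server dead, authorize the data and voice
 ! domains on their normal VLANs instead of leaving the port unauthorized.
 ! The session then has no dACL, so PORT-FALLBACK is what applies.
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

While ISE is reachable, the dACL it returns for a session (for example `permit tcp any 10.10.0.0 0.0.255.255 eq 443` followed by `deny ip any any` for a printer profile) replaces the port ACL for that host's traffic, so the restrictive policy is enforced per device; when the servers come back, `server alive action reinitialize` re-authenticates the port and the dACLs return. Verify the fallback state with `show authentication sessions interface GigabitEthernet1/0/1 details`, which reports the session as authorized by the critical-auth method and shows no dACL attached.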
-
VPN filtering and local access to the remote site
Hello
I set up VPN filtering on all my L2L VPNs. I have limited remote access to local resources to the specified ports. It works perfectly.
But I want to have full access from local to remote networks (while still restricting remote access to the local side). The VPN filter now works both ways, as I have a simple ACL. So is it possible to open all traffic from local to remote while limiting remote-to-local traffic?
ASA 5520 8.4(3)
Thanks in advance
Tomasz Mowinski
Hello
Well, let's say you have a filtering ACL rule that allows HTTP traffic from the local network to a remote host.
LAN: 10.10.10.0/24
Remote host: 192.168.10.10/32
The filter ACL rule is the following:
access-list FILTER-ACL permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
I think this ACL rule would also mean that as long as the remote host uses source port TCP/80, it may access any TCP port on any host in your local network.
I guess you could add a few port ranges or even service object-groups to the ACL rules so that not all of the well-known ports would be reachable on the LAN. But I guess that could complicate the configuration.
We usually terminate customer L2L VPNs on a completely different ASA, which lets us do all traffic filtering on another device, so we don't run into this kind of problem. But of course there are some situations/networks where this is not possible, and it is not a feasible option for some because of the cost of an extra ASA.
Please let us know if you found any of the information useful.
-Jouni
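An added example of the port-range tightening the answer describes, for the L2L case on ASA 8.4 (not from the thread; the LAN 10.10.10.0/24 and remote host 192.168.10.10 are the answer's, the peer address 203.0.113.10, the host 10.10.10.5 and the group-policy name are assumptions). The point it shows is that a vpn-filter is a stateless rule set consulted when a connection is created, with the remote side always written as the source for both directions, so asymmetric access can only be approximated with port ranges.

```cisco
! The answer's single rule, written as the ASA evaluates it:
!   access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
! admits two kinds of new connections, not one:
!   (a) 10.10.10.x:ephemeral -> 192.168.10.10:80    checked as the reverse flow: intended
!   (b) 192.168.10.10:80 -> 10.10.10.x:ANY PORT      remote-initiated from source port 80
!
! Tightened version. Local hosts use ephemeral source ports for outbound connections,
! so (a) still matches; (b) is now confined to local ports above 1023, which removes
! SSH/RDP-style well-known services from the remote host's reach.
access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0 range 1024 65535
! "Full" outbound access (local may open any TCP/UDP port on the remote host) is the
! same idea without "eq 80"; its price is that the remote host may initiate to any
! local port above 1023 (RDP 3389 included), which is the residual exposure the answer
! warns about and the reason for a separate filtering device when that matters.
access-list FILTER-ACL extended permit tcp host 192.168.10.10 10.10.10.0 255.255.255.0 range 1024 65535
access-list FILTER-ACL extended permit udp host 192.168.10.10 10.10.10.0 255.255.255.0 range 1024 65535
! Remote-initiated access to the LAN, stated explicitly and only where needed.
access-list FILTER-ACL extended permit tcp host 192.168.10.10 host 10.10.10.5 eq 22
! everything else inside the tunnel is dropped by the implicit deny
!
group-policy REMOTE-GP internal
group-policy REMOTE-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value FILTER-ACL
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy REMOTE-GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <psk>
```

`show access-list FILTER-ACL` shows hit counts per line, which is the quickest way to confirm which rule a given connection is being admitted by; `packet-tracer input outside tcp 192.168.10.10 80 10.10.10.20 3389` run on the hub shows whether a remote-initiated connection of type (b) would still be accepted after the change. ICMP is deliberately absent above: with `inspect icmp` enabled a single `permit icmp` line with the remote as source suffices, without it both directions have to be listed.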
-
Remote IPsec VPN - Windows 7 client and ASA 5505
Hello
I'm having trouble configuring an IPsec VPN between a Cisco ASA 5505 and the native Windows 7 VPN client. My client PC gets an address from the VPN IP pool and can access the remote network behind the ASA, but then I lose my Internet connection. I read that this should be a split-tunneling problem, but I did what it says here and had no luck.
In the Windows VPN client settings, if I uncheck "Use default gateway on remote network" I have an Internet connection (since the client uses its local gateway), but then I can't ping the remote network.
In the log I see warnings of this type:
Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback
I have attached my configuration file (without the split-tunneling configuration I tried). If you need additional logs, I'll send them right away.
Thank you for your help.
Petar Koraca
This is what you would have needed on versions 8.3 and earlier:
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.150.0 255.255.255.0
However, I see that you are running 8.4, so I think all you need is this (I have never done it on 8.4, so it may not be accurate):
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.150.0_24
 subnet 192.168.150.0 255.255.255.0
 nat (outside,outside) dynamic interface
Give it a shot and let me know how it goes.
-
Site-to-site and remote-access VPN together on an ASA 5505
Hello
I tried to set up a new site-to-site VPN on an ASA 5505 that already has a remote-access VPN on it.
After adding the new configuration lines, I got the following messages when debugging:
04 Nov 07:06:06 [IKEv1]: Group = , IP = , QM FSM error (P2 struct &0xd91a4d10, mess id 0xeac05ec0)!
04 Nov 07:04:36 [IKEv1]: Group = , IP = , Removing peer from correlator table failed, no match!
Does anyone know what the problem is? And what to change in the config?
Thanks in advance,
Ruben
Hello
If the ASA had a remote-access VPN and you add a new site-to-site, you must make sure that the crypto map priority (sequence number) is lower for the newly added site-to-site. This is because otherwise traffic will always try to match the remote-access tunnel. You can check it with the command "sh run cry map".
Federico.
-
Remote VPN and site-to-site VPN: remote VPN users unable to access the local network
As per the config below, with a remote VPN and a site-to-site VPN, the remote VPN users are unable to access the local network. Please suggest the required config.
The local host 192.168.215.4 is not able to ping the server IP; remote VPN connectivity to this server works fine, but the VPN users are not able to ping the local network.
ASA Version 8.2(2)
!
hostname
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split_tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set RIGHT
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set RIGHT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool VPN_Users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello
Looking at the configuration, there is an access list for NAT exemption:
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the NAT statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list nonat
Kind regards
Dinesh Moudgil
P.S. Please mark this post as "Answered" if you find this information useful, so that it benefits other users of the community.
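An added example (not from the thread) of the crypto map layout the ASA 8.2 config above needs for the remote-access clients and the 221.135.138.130 site-to-site peer to share the outside interface. Only one crypto map can be bound to an interface, and in the posted config that map is "VPN"; the static entries in "ASA-01" are never consulted. The layout also applies the rule from the earlier "Site-to-site and remote-access VPN together on an ASA 5505" answer: static L2L entry at a low sequence number, dynamic entry last. Assumptions: the otherwise unreferenced ACL "sptnl" is the crypto ACL for this peer, and the obfuscated "tunnel-group x.x.x.x" is the one for 221.135.138.130. Note that sptnl's destination 192.168.2.0/24 is also the remote-access pool in the posted config; the remote site's real LAN must not overlap the pool.

```cisco
! remove the map that is bound to no interface, and the dynamic entry sitting at seq 10
clear configure crypto map ASA-01
no crypto map VPN 10 ipsec-isakmp dynamic dynmap
! static site-to-site entry first (lowest sequence number is evaluated first)
crypto map VPN 10 match address sptnl
crypto map VPN 10 set peer 221.135.138.130
crypto map VPN 10 set transform-set RIGHT
! dynamic entry for the remote-access clients last, so it only catches peers
! that no static entry claimed
crypto map VPN 65535 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
! NAT exemption from the answer above: without it, inside-to-pool and inside-to-remote
! traffic is PATed to the outside address before the crypto check and never enters a tunnel
nat (inside) 0 access-list nonat
! with a PSK in main mode the peer is identified by its address, so name the group by it
tunnel-group 221.135.138.130 type ipsec-l2l
tunnel-group 221.135.138.130 ipsec-attributes
 pre-shared-key <l2l-psk>
```

`show run crypto map` should then list the VPN 10 static entry before VPN 65535, and nothing under ASA-01. Once the site-to-site peer connects, `show crypto isakmp sa` shows it in MM_ACTIVE with its address while the clients appear as AM_ACTIVE, and `show crypto ipsec sa peer 221.135.138.130` shows the sptnl proxy identities rather than a pool address.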
-
Site-to-site VPN and remote access on PIX 6.3(3)
Hello
I have a site-to-site VPN and remote access configured on a PIX. Everything works like a charm until I decide to perform local client authentication for the remote VPN clients using the same crypto map as the site-to-site. Then the site-to-site tunnel breaks, because the PIX tries to authenticate the remote peer as a local user.
Is it possible to use local user authentication for remote VPN clients on a PIX without breaking other tunnels that use the same crypto map?
If the answer is to use a separate crypto map, how can I assign the other crypto map to the outside interface, if only a single crypto map can be assigned to any given interface?
When you configure the isakmp key, use the command
isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]
no-xauth tells isakmp not to perform xauth for the L2L peer, and no-config-mode means it does not push an IP address to the L2L peer.
Let us know if it works
-Vikas
-
Problem with site-to-site VPN between RV215W and ASA5510
The RV215W is intended to connect a new branch via 3G, but it fails.
When it is connected to the Internet via a cable modem, the VPN works.
I have set it up with the FQDN and the remote IP address.
Please help me as soon as you can.
Thanks a lot.
Henriux2412.
Dear Henry,
Thank you for contacting the Small Business Support Community.
I doubt that this site-to-site VPN is compatible with the 3G USB mobile broadband modem, but I would still suggest verifying that the Status field shows your mobile card as connected (Status > Mobile Network). I have seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their Access Manager software ("NDIS Mode - connect manually" had been selected, and changing this option to "Modem Mode - connect manually" fixed it), but if this is not your case then I suggest you check with your service provider about site-to-site VPN support on the WAN configuration.
Other than that, I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support it:
https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport
Do not hesitate to contact me if there is anything I can help you with in the meantime.
Kind regards
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer *Please rate the post so others will know when an answer has been found.
-
Cisco site-to-site VPN with a static and a dynamic address does not work
Hello
I have an ASA 5510 at headquarters with a static IP and an ASA 5505 at the remote site behind an ADSL router. I'm trying to establish a VPN, but it fails in Phase 1.
Headquarters config
interface Ethernet0/0
 description Link to LeaseLine router
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 description Link to internal LAN
 nameif inside
 security-level 100
 ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-AES-256-MD5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *****
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
 pre-shared-key *****
Remote site config
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
 pre-shared-key *****
Best regards / Asfar
Hello
Have you tried replacing the names in the "tunnel-group" entries with the IP address on both ends?
Thank you
MS
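An added example (not from the thread) of the hub-and-spoke pattern the answer points at, built from the addresses in the two posted configs: an ASA 5510 hub on a static address accepting an ASA 5505 spoke whose address changes. With pre-shared keys in main mode the ASA identifies a peer by its IP address, so a tunnel-group named "parkplace" or "fairmount" is never matched; a peer with an unknown address lands in DefaultL2LGroup on the hub, and the spoke must name the hub by address. The hub address 83.111.252.242 is taken from the spoke's config; the shared key is an assumption.

```cisco
! ---------- HQ, ASA 5510 (static address 83.111.252.242) ----------
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! A dynamic map accepts a peer whose address is not known in advance; the hub can
! therefore only ever be the responder for this spoke.
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
! the dynamic entry stays LAST in the map; static peers get lower sequence numbers
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
! Phase 1 proposal: an identical policy must exist on the spoke
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! spoke sits behind a NAT router, so NAT-T is required
crypto isakmp nat-traversal 20
! Catch-all L2L group for dynamic peers. Every dynamic spoke shares this key,
! so it has to be rotated on all of them if one spoke is lost.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <spoke-psk>
!
! ---------- Remote site, ASA 5505 (dynamic, behind the ADSL router at 192.168.1.1) ----------
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
! tunnel-group named by the hub's address, not "fairmount"
tunnel-group 83.111.252.242 type ipsec-l2l
tunnel-group 83.111.252.242 ipsec-attributes
 pre-shared-key <spoke-psk>
```

Bring the tunnel up from the spoke side (any host in 172.20.1.0/24 sending to 172.17.1.0/24) and watch `debug crypto isakmp 127` on the hub: the failure mode of the posted configs shows up as the hub reporting that no tunnel-group matched the peer and falling back to a group with no key, whereas with DefaultL2LGroup keyed the exchange reaches MM_ACTIVE. If each spoke needs its own key, the alternative is aggressive mode with a name identity (`crypto isakmp identity hostname` and `set phase1-mode aggressive` on the spoke's map entry, with a hub tunnel-group named after that hostname), at the cost of aggressive mode's weaker PSK protection.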
-
Problem with a site-to-site VPN between two 800-series routers running the VPN client
Hello
I need a little help.
I have 2 offices connected with a site-to-site VPN.
Each site has an 800-series SEC-K9 router.
Each router already has the IPsec VPN client service active, and all users can connect using the VPN client with no problems.
I added the lines for the site-to-site VPN, but the tunnel is still down.
Here are the sh run and sh crypto session of the 2 routers:
OFFICE A
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE-A-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-220561722
 revocation-check none
 rsakeypair TP-self-signed-220561722
!
crypto pki certificate chain TP-self-signed-220561722
 certificate self-signed 01
  quit
!
ip dhcp pool WIRED
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254
 dns-server 10.0.0.100
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key XXXXX address OFFICE-B-IP
!
crypto isakmp client configuration group remoteusers
 key XXXX
 dns 10.0.0.100
 wins 10.0.0.100
 domain domain.ofc
 pool ippool
 acl 101
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
crypto dynamic-map dynmap 20
 set transform-set RIGHT
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer OFFICE-B-IP
 set transform-set RIGHT
 match address 115
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description INTERNAL
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
!
interface FastEthernet3
 switch port access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username xxx password 0 xxx
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark * NONAT ACL *
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport preferred ssh
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
OFFICE B
hostname OFFICE-B-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
! the method list "local" on the next line is an assumption: the posted line lost it in translation
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1514396900
 revocation-check none
 rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
 certificate self-signed 01
  quit
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key XXXX address IP-OFFICE-A
!
crypto isakmp client configuration group remoteusers
 key xxxx
 dns 192.168.1.10
 wins 192.168.1.10
 domain rete.loc
 pool ippool
 acl 101
!
!
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
 mode tunnel
! esp-des on the next two transform sets is an assumption: the cipher name was garbled to "esp -" in the post
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
crypto dynamic-map dynmap 20
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer IP-OFFICE-A
 set transform-set RIGHT
 match address 115
!
!
!
!
!
!
!
interface Loopback1
 no ip address
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 30
 no ip address
!
interface FastEthernet1
 switchport access vlan 30
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan30
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map SHEEP permit 10
 match ip address 150 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password Password02
 transport preferred ssh
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Thanks in advance for any help :)
The site-to-site tunnel is up, but it does not pass traffic. What source and destination IP addresses are you using on the router when you try the ping?
Whenever you try to bring the traffic up from router A to router B, you must specify the source of the traffic.
For example:
Router A --> 10.1.1.1 -- fa0/0
Router B --> 172.168.1.100
router# ping 172.168.1.100 source 10.1.1.1
After doing the pings, send the output of "show crypto ipsec sa" from both ends.