ASA5510 l2l to Nortel Contivity VPN

We are having a few problems getting the tunnel up completely. It seems IKE completes Phase 1 but Phase 2 will not finish. I get an INVALID_ID_INFO message, and the process ends and restarts. I have attached the log file. Any help would be greatly appreciated.

Scott

The message indicates a problem with the crypto map. Make sure the peer specified on the Cisco end of the tunnel matches the endpoint on the Nortel side. Also make sure that the transform set matches, along with the local and remote proxy (ACL) identities.

Tags: Cisco Security

Similar Questions

  • ASA5510 L2L VPN

    Hello guys,

    I had to build an L2L VPN with a client. I have configured my ASA5510 for phase 1 and 2 according to their requirements, but the tunnel is. When I try to ping the IP address I need to access on their site, the tunnel tries to open but I think Phase 1 is not completed. I have attached the debug crypto isakmp 255 output. Help, please.

    Kind regards

    RVR

    Could you post your ASA config? Do you have a tunnel-group defined as 155.137.10.12?

  • Unstable L2L VPN connection dropping on ADSL line

    Hello. I have a remote site L2L VPN connection that drops daily (the remote site uses a PIX 501 (6.3), head office uses an ASA 5510 (v7)). The only way I have found to restore the connection is to restart the 501. The ISP has diagnosed a faulty line that keeps dropping occasionally, but shouldn't the VPN reconnect automatically if the line drops for a significant amount of time, which I think is the problem here? Thank you.

    Do you have keepalive enabled for this tunnel on both ends?

  • Urgent! L2L ASA 5005 & 1841 VPN, QM FSM error

    Hi all

    We are facing a problem on an L2L VPN connection between an ASA 5005 and an 1841 router.

    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key * address aaa.aaa.aaa.aaa
    !
    crypto ipsec transform-set $$_$$ esp-3des esp-md5-hmac
    !
    crypto map BG 100 ipsec-isakmp
     set peer aaa.aaa.aaa.aaa
     set security-association lifetime seconds 28800
     set transform-set $$_$$$
     set pfs group2
     match address 111
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 3338
     ip address aaa.aaa.aaa.aaa 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     crypto map BG
    !
    ip nat pool nat_pool xx.xx.xx.xx xx.xx.xx.xx prefix-length 29
    !
    ! NOTE: 10.70.200.0/24 is correctly exempted from NAT translation above
    access-list 101 deny ip 10.70.200.0 0.0.0.255 any
    access-list 101 permit ip 10.70.0.0 0.0.255.255 any
    ! NOTE: crypto ACL is correct
    access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100

    I would appreciate urgent assistance.

    Thank you.

    Your crypto ACL must be an exact mirror of the other one.

    If your router ACL is

    access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100

    then your ASA ACL should be

    access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.200.0 255.255.255.0

    Just give it a shot and see if it helps.
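The mirror rule above, and the proxy-identity check the first reply recommends, can be verified mechanically. This is an added Python example, not code from the thread: it parses one IOS crypto ACE (wildcard masks) and one ASA ACE (subnet masks), shows the phase 2 proxy identities each would propose, and checks that the two are exact mirrors. The three ACE strings are constructed from the thread.

```python
import ipaddress

# Constructed ACEs copied from the thread (not pulled from a device).
IOS_ACE = "access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100"
ASA_ACE = ("access-list outside_cryptomap_320 extended permit ip "
           "host 172.40.10.100 10.70.200.0 255.255.255.0")
# A deliberately wrong ASA ACE: the remote network is wider than the router's.
ASA_ACE_BAD = ("access-list outside_cryptomap_320 extended permit ip "
               "host 172.40.10.100 10.70.0.0 255.255.0.0")


def _wildcard_to_prefixlen(wildcard: str) -> int:
    # IOS wildcard masks set the host bits; this assumes a contiguous mask.
    host_bits = int(ipaddress.IPv4Address(wildcard))
    return 32 - host_bits.bit_length()


def _parse_endpoint(tokens, i, wildcard):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        plen = _wildcard_to_prefixlen(mask)
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False), i + 2
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_crypto_ace(line, wildcard):
    """Return (protocol, source network, destination network) from one ACE.
    wildcard=True for IOS (wildcard masks), False for ASA/PIX (subnet masks)."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    proto = tokens[idx + 1]
    src, j = _parse_endpoint(tokens, idx + 2, wildcard)
    dst, _ = _parse_endpoint(tokens, j, wildcard)
    return proto, src, dst


def proxy_ids(line, wildcard):
    """The phase 2 proxy identities (local, remote) this ACE will propose."""
    _, src, dst = parse_crypto_ace(line, wildcard)
    return str(src), str(dst)


def is_mirror(ios_line, asa_line):
    """True when the two crypto ACEs are exact mirrors: same protocol, and the
    source/destination of one equal the destination/source of the other in both
    address and size. Anything else makes the peer reject the proxy identities
    (the INVALID_ID_INFO the first post in this thread mentions)."""
    p1, s1, d1 = parse_crypto_ace(ios_line, wildcard=True)
    p2, s2, d2 = parse_crypto_ace(asa_line, wildcard=False)
    return p1 == p2 and s1 == d2 and d1 == s2
```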

  • L2L VPN question using Cisco routers

    I can successfully configure an L2L IPsec VPN between two ASAs, but using a similar configuration on Cisco routers I can't establish a tunnel: I can't ping the local LAN interface from the other side, but the two routers, NY and Burlington, can ping each other's WAN interface. Here is the configuration of the routers and a show version; I have attached the complete config files and a screenshot of the topology.
    I appreciate all help.
    The f

    NY F0/0 - ISP - F0/0 Burlington

    show version

    Cisco IOS Software, 3600 Software (C3640-IK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 18-Aug-10 06:59 by prod_rel_team

    ROM: ROMMON Emulation Microcode
    ROM: 3600 Software (C3640-IK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc1)

    NY uptime is 0 minutes
    System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
    System image file is "tftp://255.255.255.255/unknown"

    Cisco 3640 (R4700) processor (revision 0xFF) with 124928K/6144K bytes of memory.
    Processor board ID FF1045C5
    R4700 CPU at 100MHz, Implementation 33, Rev 1.2
    2 FastEthernet interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    125K bytes of NVRAM.
    8192K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    NY router

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key ThisIsAWeekKey address 172.16.2.2
    !
    !
    crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
    !
    crypto map Burlington 1 ipsec-isakmp
     set peer 172.16.2.2
     set transform-set L2L
     match address Burlington-NW
    !
    !
    interface FastEthernet0/0
     ip address 172.16.1.2 255.255.255.252
     duplex auto
     speed auto
     crypto map Burlington
    !
    interface FastEthernet1/0
     ip address 10.0.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    !
    !
    ip access-list extended Burlington-NW
     permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

    Burlington router

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key ThisIsAWeekKey address 172.16.1.2
    !
    !
    crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
    !
    crypto map NY 1 ipsec-isakmp
     set peer 172.16.1.2
     set transform-set L2L
     match address NY-NW
    !
    !
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.252
     duplex auto
     speed auto
     crypto map NY
    !
    interface FastEthernet1/0
     ip address 10.0.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.2.1
    !
    !
    ip access-list extended NY-NW
     permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

    No problem, we learn every day.

    Please kindly mark the message as answered so that others can also learn from your post. Thank you.

  • L2L 1941 to ASA VPN

    Hi all

    I have a strange problem trying to establish a VPN between my router (1941) and a remote ASA.

    The issue, as far as I can tell, is that the IKE phase fails after MM6. I'm not an expert in this, but I'll try to explain to the best of my knowledge.

    Here's a full debug crypto isakmp output:
    *Jun 10 05:12:05.187: ISAKMP:(1001):purging SA., sa=3AD3BE6C, delme=3AD3BE6C
    *Jun 10 05:12:05.259: ISAKMP:(0): SA request profile is (NULL)
    *Jun 10 05:12:05.259: ISAKMP: Created a peer struct for 41.223.4.83, peer port 500
    *Jun 10 05:12:05.259: ISAKMP: New peer created peer = 0x4B475724 peer_handle = 0x80000004
    *Jun 10 05:12:05.259: ISAKMP: Locking peer struct 0x4B475724, refcount 1 for isakmp_initiator
    *Jun 10 05:12:05.259: ISAKMP: local port 500, remote port 500
    *Jun 10 05:12:05.263: ISAKMP: set new node 0 to QM_IDLE
    *Jun 10 05:12:05.263: ISAKMP: find a dup sa in the avl tree during calling isadb_insert sa = 3AD3BE6C
    *Jun 10 05:12:05.263: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jun 10 05:12:05.263: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Jun 10 05:12:05.263: ISAKMP:(0): beginning Main Mode exchange
    *Jun 10 05:12:05.263: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jun 10 05:12:05.263: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.475: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_NO_STATE
    *Jun 10 05:12:05.475: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Jun 10 05:12:05.475: ISAKMP:(0): processing SA payload. message ID = 0
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.475: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.475: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.475: ISAKMP:(0): local preshared key found
    *Jun 10 05:12:05.475: ISAKMP : Scanning profiles for xauth ...
    *Jun 10 05:12:05.475: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Jun 10 05:12:05.475: ISAKMP:      encryption AES-CBC
    *Jun 10 05:12:05.475: ISAKMP:      keylength of 256
    *Jun 10 05:12:05.475: ISAKMP:      hash SHA
    *Jun 10 05:12:05.475: ISAKMP:      default group 2
    *Jun 10 05:12:05.475: ISAKMP:      auth pre-share
    *Jun 10 05:12:05.475: ISAKMP:      life type in seconds
    *Jun 10 05:12:05.475: ISAKMP:      life duration (basic) of 28800
    *Jun 10 05:12:05.475: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Basic life_in_seconds:28800
    *Jun 10 05:12:05.475: ISAKMP:(0):Returning Actual lifetime: 28800
    *Jun 10 05:12:05.475: ISAKMP:(0)::Started lifetime timer: 28800.

    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.511: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Jun 10 05:12:05.511: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jun 10 05:12:05.511: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Jun 10 05:12:05.727: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jun 10 05:12:05.727: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Jun 10 05:12:05.727: ISAKMP:(0): processing KE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is Unity
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 104 mismatch
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is XAUTH
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): speaking to another IOS box!
    *Jun 10 05:12:05.763: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): vendor ID seems Unity/DPD but hash mismatch
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): His hash no match - this node outside NAT
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): No NAT Found for self or peer
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Jun 10 05:12:05.763: ISAKMP:(1003):Send initial contact
    *Jun 10 05:12:05.763: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jun 10 05:12:05.763: ISAKMP (1003): ID payload
            next-payload : 8
            type         : 1
            address      : 82.117.193.82
            protocol     : 17
            port         : 500
            length       : 12
    *Jun 10 05:12:05.763: ISAKMP:(1003):Total payload length: 12
    *Jun 10 05:12:05.763: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jun 10 05:12:05.763: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

    *Jun 10 05:12:05.975: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing ID payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP (1003): ID payload
            next-payload : 8
            type         : 1
            address      : 41.223.4.83
            protocol     : 17
            port         : 0
            length       : 12
    *Jun 10 05:12:05.975: ISAKMP:(0):: peer matches *none* of the profiles
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing HASH payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP:received payload type 17
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA authentication status:
            authenticated
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA has been authenticated with 41.223.4.83
    *Jun 10 05:12:05.979: ISAKMP: Trying to insert a peer 82.117.193.82/41.223.4.83/500/,  and inserted successfully 4B475724.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
    *Jun 10 05:12:05.979: ISAKMP:(1003):QM Initiator gets spi
    *Jun 10 05:12:05.979: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Node 2434392874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.195: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP: set new node 169965215 to QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing HASH payload. message ID = 169965215
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 0, message ID = 169965215, sa = 0x3AD3BE6C
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 169965215 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.199: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP: set new node 1149953416 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing HASH payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003):peer does not do paranoid keepalives.

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 1149953416 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP: set new node 613686650 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:06.199: ISAKMP:(1003):purging node 613686650
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP: Unlocking peer struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
    *Jun 10 05:12:06.199: ISAKMP: Deleting peer node by peer_reap for 41.223.4.83: 4B475724
    *Jun 10 05:12:06.203: ISAKMP:(1003):deleting node -1860574422 error FALSE reason "IKE deleted"
    *Jun 10 05:12:06.203: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:06.203: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    *Jun 10 05:12:25.187: ISAKMP:(1002):purging node 1140237073

    Installed IOS is c1900-universalk9-mz.SPA.154-3.M5.bin

    Before that I had 15.3, same thing.

    BGPR1#sho run
    Building configuration...

    Current configuration : 5339 bytes
    !
    ! Last configuration change at 05:19:14 UTC Fri Jun 10 2016 by boris
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BGPR1
    !
    boot-start-marker
    boot system flash0:c1900-universalk9-mz.SPA.154-3.M5.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    ip flow-cache timeout active 1
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    crypto pki trustpoint TP-self-signed-
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-
     revocation-check none
     rsakeypair TP-self-signed-3992366821
    !
    !
    crypto pki certificate chain TP-self-signed-
     certificate self-signed 01
      quit
    license udi pid CISCO1941/K9 sn CF
    !
    !
    username
    username
    !
    redundancy
    !
    !
    no crypto ikev2 diagnose error
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address 41.223.4.83
    !
    !
    crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
     mode tunnel
    !
    !
    crypto map Meridian 10 ipsec-isakmp
     description VODACOM VPN
     set peer 41.223.4.83
     set security-association lifetime seconds 86400
     set transform-set Meridian
     match address 100
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description peer na Telekom
     ip address 79.101.96.6 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/1
     description peer na SBB
     ip address 82.117.193.82 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
     crypto map Meridian
    !
    interface FastEthernet0/0/0
     no ip address
    !
    interface FastEthernet0/0/1
     no ip address
    !
    interface FastEthernet0/0/2
     no ip address
    !
    interface FastEthernet0/0/3
     switchport access vlan 103
     no ip address
    !
    interface Vlan1
     ip address 37.18.184.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Vlan103
     ip address 10.10.10.1 255.255.255.0
    !
    router bgp 198370
     bgp log-neighbor-changes
     network 37.18.184.0 mask 255.255.255.0
     neighbor 10.10.10.2 remote-as 201047
     neighbor 10.10.10.2 route-map T-OUT out
     neighbor 79.101.96.5 remote-as 8400
     neighbor 79.101.96.5 fall-over
     neighbor 79.101.96.5 route-map LOCALPREF in
     neighbor 79.101.96.5 route-map T-OUT out
     neighbor 82.117.193.81 remote-as 31042
     neighbor 82.117.193.81 fall-over
     neighbor 82.117.193.81 route-map LocalOnly out
    !
    ip forward-protocol nd
    !
    ip as-path access-list 10 permit ^$
    ip as-path access-list 20 permit ^31042$
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-export source Vlan1
    ip flow-export version 5 peer-as
    ip flow-export destination 37.18.184.8 2055
    !
    ip route 37.18.184.0 255.255.255.0 Null0
    ip route 104.28.15.63 255.255.255.255 79.101.96.5
    ip route 217.26.67.79 255.255.255.255 79.101.96.5
    !
    !
    ip prefix-list Filter_IN_Telekom seq 10 permit 0.0.0.0/0
    !
    route-map T-OUT permit 10
     match as-path 10
    !
    route-map LOCALPREF permit 10
     set local-preference 90
    !
    route-map SBBOnly permit 10
     match as-path 20
    !
    route-map LocalOnly permit 10
     match as-path 10
    !
    !
    snmp-server community m3r1d1an RO
    snmp-server ifindex persist
    access-list 100 permit ip host 37.18.184.4 41.217.203.234
    access-list 100 permit ip host 37.18.184.169 41.217.203.234
    !
    control-plane
    !
    !
    line con 0
     logging synchronous
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     privilege level 15
     login local
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    BGPR1#

    BGPR1#sho cry isa sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id status

    41.223.4.83     82.117.193.82   MM_NO_STATE       1106 ACTIVE (deleted)

    41.223.4.83     82.117.193.82   MM_NO_STATE       1105 ACTIVE (deleted)

    For "sho cry ipsec sa" I get only a lot of send errors.

    For the other end, I have all the settings but no access to the device; they insist that it is a simple setup and that any problem is on my side.

    I have tried juggling the order of the access list, the crypto map security-association lifetime and all the "googlable" solutions I could find.

    Any input appreciated.

    Double-check the phase 2 parameters on the ASA, including PFS.

    crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256  mode tunnel

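A small analyser for the kind of debug crypto isakmp output posted above, as an added Python example that is not part of the thread: it is run over a reconstructed excerpt of the poster's log and reports whether phase 1 completed and which NOTIFY the peer sent during quick mode, which is what separates a phase 1 problem from the phase 2 mismatch the reply points at.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output quoted in the thread
# (a handful of its lines, reconstructed; not a live capture).
DEBUG_LOG = """\
*Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 10 05:12:05.979: ISAKMP:(1003):SA has been authenticated with 41.223.4.83
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
*Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")

# ISAKMP DOI protocol IDs carried in a NOTIFY payload (RFC 2407).
PROTO_NAMES = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP"}


def analyze_isakmp_debug(text: str) -> dict:
    """Summarise an IKEv1 debug capture: how far phase 1 got, and what the
    peer said about the phase 2 (quick mode) proposal."""
    transitions, notifies = [], []
    authenticated = qm_started = deleted = False
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            transitions.append(m.groups())
        m = NOTIFY_RE.search(line)
        if m:
            proto = int(m.group(2))
            notifies.append((m.group(1), PROTO_NAMES.get(proto, str(proto))))
        authenticated |= "SA has been authenticated" in line
        qm_started |= "beginning Quick Mode exchange" in line
        deleted |= "processing DELETE payload" in line

    phase1_complete = any(new == "IKE_P1_COMPLETE" for _, new in transitions)
    last_state = transitions[-1][1] if transitions else None

    if not phase1_complete:
        verdict = ("phase 1 did not complete: check ISAKMP policy, pre-shared key "
                   "and peer address")
    elif any(n == "INVALID_ID_INFO" for n, _ in notifies):
        verdict = "phase 2 proxy identity mismatch: crypto ACLs must mirror each other"
    elif any(n == "PROPOSAL_NOT_CHOSEN" for n, _ in notifies):
        verdict = ("phase 1 ok, peer rejected the phase 2 proposal: compare transform "
                   "set (AH/ESP, cipher, hash), PFS group and SA lifetime on both ends")
    elif deleted:
        verdict = "phase 1 ok but the SA was deleted without a NOTIFY: check the peer's logs"
    else:
        verdict = "no failure seen in this excerpt"

    return {
        "authenticated": authenticated,
        "phase1_complete": phase1_complete,
        "quick_mode_started": qm_started,
        "notifies": notifies,
        "last_state": last_state,
        "verdict": verdict,
    }
```

Feed it the full debug buffer and the verdict line tells you which end of the tunnel, and which phase, to look at first.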
  • PIX to Contivity VPN problem

    I have a VPN between a Cisco PIX 525 firewall and a Nortel Contivity 1700. The VPN comes up without problem, but for this application connectivity is established only in one direction, i.e. there is no two-way connectivity.

    Contivity to PIX: there is connectivity to the application.

    PIX to Contivity: there is no connectivity to the application.

    Sounds to me like you forgot to put in a nat (inside) 0 on the PIX for the traffic that must be encrypted. Remember the order of operation within the PIX: first routing and translation take place, and only later encryption (search for "order of operation" on CCO and you will find documents about this).

    But why do I say this?

    Well, say your internal network is 10.0.0.0/8, and you have the following config:

    nat (inside) 1 10.0.0.0 255.0.0.0

    global (outside) 1 interface

    Then you have a crypto map configured, and within the crypto map the "match address" command points to access-list 101. If the server you are trying to reach through the VPN has IP 192.168.1.1 (it's just an example), access-list 101 would look like:

    access-list 101 permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1

    What will happen if you configure it only in this way? Well, obviously your tunnel is configured correctly, because you receive traffic from the other peer. But the problem is on your site. Looking at the example: traffic received on the inside interface is going to be translated first because of the nat and global statements, so your source addresses are translated to your interface address. This translated traffic then hits access-list 101 to see whether it must be encrypted or not. The PIX sees traffic with your interface address as source and 192.168.1.1 as destination, and that is NOT in access-list 101, so the PIX does not encrypt the traffic but just forwards it out the external interface (assuming that routing is correctly configured).

    The traffic that comes in through the VPN is first put into the encryption engine, where it is decrypted and decapsulated, and then it is sent out the inside interface.

    If this is the case, then the solution is very simple. Just put in the following:

    nat (inside) 0 access-list 101

    Note 1: the access list bound to nat (inside) 0 must be the same as the one that defines your VPN traffic.

    Note 2: if you are already using a nat (inside) 0 command for other reasons, then you must change the existing access list.

    I hope this helps. In case you need more help, you can always send me a message if you wish. You could also post your complete config (first remove the passwords) and we could have a look.

    Kind regards

    Leo
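Leo's order-of-operations argument as an added Python model, not part of his reply or of any Cisco tooling: translation is applied first, then the crypto ACL is evaluated on the translated packet, with and without the nat (inside) 0 exemption. The outside interface address 198.51.100.1 and the inside host 10.1.2.3 are assumed values; the networks and ACL come from his example.

```python
import ipaddress

# Constructed from Leo's example: inside network 10.0.0.0/8, VPN server 192.168.1.1.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
VPN_SERVER = ipaddress.ip_network("192.168.1.1/32")
# Outside interface address is an assumption (not given in the thread).
OUTSIDE_IF_IP = ipaddress.ip_address("198.51.100.1")

# access-list 101 permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
ACL_101 = [(INSIDE_NET, VPN_SERVER)]


def acl_permits(acl, src, dst):
    """True if any (source network, destination network) entry covers the packet."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def pix_outbound(src, dst, nat0_acl=None):
    """Disposition of an inside-to-outside packet in the PIX order of operations:
    translation (nat/global) happens first, then the crypto map's 'match address'
    ACL is evaluated on the translated packet. nat0_acl models the
    'nat (inside) 0 access-list <acl>' exemption."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat0_acl is not None and acl_permits(nat0_acl, src, dst):
        xlate_src = src            # NAT exemption: identity translation
    elif src in INSIDE_NET:
        xlate_src = OUTSIDE_IF_IP  # nat (inside) 1 + global (outside) 1 interface -> PAT
    else:
        xlate_src = src
    # The crypto ACL sees the packet *after* translation.
    encrypted = acl_permits(ACL_101, xlate_src, dst)
    return {"src_on_wire": str(xlate_src), "encrypted": encrypted}


def without_nat0():
    # Scenario from the thread: the source is PAT'd and no longer matches ACL 101.
    return pix_outbound("10.1.2.3", "192.168.1.1")


def with_nat0():
    # With 'nat (inside) 0 access-list 101' the source survives and the packet is encrypted.
    return pix_outbound("10.1.2.3", "192.168.1.1", nat0_acl=ACL_101)


def internet_bound():
    # Traffic not in ACL 101 is still PAT'd and sent in the clear, exemption or not.
    return pix_outbound("10.1.2.3", "203.0.113.9", nat0_acl=ACL_101)
```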

  • VPN on ASA5510

    We have 2 sites with ASA5510s and want to configure a VPN tunnel for data. At this moment we have MPLS, which we would love to get rid of.

    I see in our configuration that there are already VPN tunnels configured, but they do not work. Because we have stopped MPLS, data between both sites has ceased to flow.

    Here is the config of one of the ASA5510s; please let me know if you see a VPN configured... I'm new to the firewall...

    Help, please...

    ASA Version 8.0 (3)
    !
    host House name
    domain none.com
    names of

    name 10.10.10.10 Exchange2010
    1.1.1.1.1 Exchange2010outside name
    DNS-guard
    !
    interface Ethernet0/0
    Speed 100
    full duplex
    nameif outside
    security-level 0
    address IP Exchange2010outside 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    IP 10.10.10.2255.255.255.0
    !
    interface Ethernet0/2
    nameif mpls
    security-level 100
    10.10.10.2 IP address 255.255.255.240
    !
    interface Ethernet0/3
    nameif temp
    security-level 0
    no ip address
    !
    interface Management0/0
    Shutdown
    nameif management
    security-level 100
    no ip address
    management only
    !

    passive FTP mode
    DNS server-group DefaultDNS
    domain none.com
    permit same-security-traffic inter-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    access-list 101 extended permit icmp any any echo response
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended allow all unreachable icmp
    access-list 101 extended permit icmp any one time exceed
    access-list 101 extended allow tcp no matter what interface outside eq 3390
    access-list 101 extended allow tcp no matter what interface outside eq 3391
    access-list 101 extended allow tcp no matter what interface outside eq 3392
    access-list 101 extended allow tcp no matter what interface outside eq 3393
    access-list 101 extended allow tcp no matter what interface outside eq 3394
    access-list 101 extended allow tcp no matter what external interface Equalizer 3395
    access-list 101 extended allow tcp no matter what interface outside eq 3396
    access-list 101 extended allow tcp no matter what interface outside eq 3397
    access-list 101 extended allow tcp no matter what interface outside eq 3398
    access-list 101 extended allow tcp no matter what interface outside eq 3399
    Note access-list 101 OWA 2010
    access-list 101 extended permit tcp any host Exchange2010outside eq 3389
    access-list 101 extended permit tcp any host Exchange2010outside eq www
    access-list 101 extended permit tcp host 64.92.220.155 Exchange2010outside
    EQ smtp
    access-list 101 extended permit tcp host 64.92.220.156 Exchange2010outside
    eq smtp
    access-list 101 extended permit tcp host 64.92.220.157 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.158 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.159 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.160 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.161 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.162 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.163 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.164 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.165 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 64.92.220.166 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.85 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.86 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.87 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.88 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.89 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.90 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.91 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.82.145.92 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.245 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.246 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.247 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.248 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.249 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.250 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.251 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp host 208.78.240.252 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 host Exchange2010outside eq smtp
    access-list 101 extended permit tcp any host Exchange2010outside eq https
    access-list 101 extended permit object-group TCPUDP any host Exchange2010 eq www

    access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
    access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
    access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
    access-list course extended permit tcp any eq 3391 any
    access-list course extended permit tcp any eq 3394 any
    access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
    access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
    access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
    access-list plastique1 extended permit tcp any any eq smtp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu MPLS 1500
    mtu temp 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list Home-RemoteNONAT
    nat (inside) 1 10.10.1.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.2.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.3.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.4.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.5.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.6.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.7.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.8.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.9.0 255.255.255.0 tcp 50 20
    nat (inside) 1 10.10.10.0 255.255.255.0 tcp 50 20
    static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.255.255
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 111.111.11.111 1 (side note: 111.111.11.111 appears to be the ISP gateway)
    route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
    route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
    route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
    route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
    route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
    route inside 10.10.9.0 255.255.255.0 10.10.9.1 1
    route MPLS 10.10.11.0 255.255.255.0 10.10.20.1 1
    route MPLS 10.10.12.0 255.255.255.0 10.10.20.1 1
    route MPLS 10.10.13.0 255.255.255.0 10.10.20.1 1
    route MPLS 10.10.14.0 255.255.255.0 10.10.20.1 1
    route MPLS 10.10.21.0 255.255.255.0 10.10.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.10.11.0 255.255.255.0 inside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
    crypto map maptoREMOTE 10 match address Home-Remote
    crypto map maptoREMOTE 10 set transform-set Home_Tunnel
    crypto map maptoREMOTE interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 30
    telnet 10.10.10.0 255.255.255.0 inside
    telnet 10.10.11.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    username admin password id6XqXzHqVdjWpuR encrypted privilege 15
    tunnel-group 38.1.1.1 type ipsec-l2l (side note: this is the remote ASA's IP address)
    tunnel-group 38.1.1.1 ipsec-attributes (side note: this is the remote ASA's IP address)
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    class-map pptp-port
     match port tcp eq pptp
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    policy-map pptp_policy
     class pptp-port
      inspect pptp
    policy-map pptp-policy
     class pptp-port
      inspect pptp
    !
    service-policy global_policy global
    service-policy pptp_policy interface outside
    prompt hostname context

    Hi Gurpreet,

    Yes, the following VPN configuration will work:

    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 64.1.1.1

    tunnel-group 64.1.1.1 type ipsec-l2l
    tunnel-group 64.1.1.1 ipsec-attributes
     pre-shared-key *

    - Now, in the above configuration we are missing the remote VPN access list that defines the interesting traffic. For this you need to identify the interesting traffic (probably by checking the endpoint's configuration) and apply it here. We must also apply the crypto map to the interface. So the complete VPN config should look like this:

    crypto map outside_map 20 match address
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 64.1.1.1

    tunnel-group 64.1.1.1 type ipsec-l2l
    tunnel-group 64.1.1.1 ipsec-attributes
     pre-shared-key

    crypto map outside_map interface outside

    Cheers,

    Christian V

  • ASA 8.4(1) VPN L2L can only be established through the default gateway

    Hi all!

    We have an ASA 5510 with two internet connections: one intended for the VPN L2L and the other for general user internet access.

    On ASA 8.0(4), I configured the crypto map on the "VPNAccess" interface and a static route to the remote L2L peer via the VPN internet access; the default route pointed to the general internet router.

    We bought a new firewall with 8.4.1, and now the ASA only tries to open the tunnel to the remote peer if the traffic goes out the default gateway.

    It does not take more specific routes (I mean longer masks) into account and always tries to use the default gateway, but only for VPN; if I do a route trace to that peer, it uses the routing table correctly.

    Any advice?

    Thank you!

    Well, (any, any) certainly does not help.

    You need to be more specific; otherwise, once again, as suggested earlier, it does not know which interface to use because you didn't specify it.

    In addition, you must also be precise with the source and destination networks. Otherwise, the firewall will not know which interface the subnet should be connected to.

    The more precise the NAT statement, the better.

    nat (,PublicTESAVPNBackup) source static destination static

  • IPSec VPN problem

    Hi all,

    I have a problem with an IPSec VPN established between a PIX 515e and a Nortel Contivity 1010. I did the tunnel configuration on both sides and it comes up correctly, but I can't get communication between the two LANs.

    In the PIX log, I see this:

    2010-03-18 08:57:52 Local7.info 172.17.1.250 : Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 62.48.238.3, sa_prot= 50, sa_spi= 0x3fcc692a(1070360874), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4

    2010-03-18 08:57:52 Local7.info 172.17.1.250 : Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.223.214.52, sa_prot= 50, sa_spi= 0x1f7f65(2064229), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3

    This line is logged every 2 minutes... Is it possible that it is causing my problem? And what does that message mean?

    Here is my PIX configuration:

    For me, this configuration is fine, but it's not working!

    Can you help me please?

    Kind regards

    In fact, it corresponds to the following:

    local ident (addr/mask/prot/port): (AENOR_ALL/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
    current_peer: 213.223.214.52:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 60, #pkts decrypt: 60, #pkts verify 60
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    So the packets are received and decapsulated; however, no reply is being encapsulated.

    Please set 'fixup protocol icmp error' for the ICMP inspection.

    Please check on the host 172.17.1.7 itself whether the default gateway is configured as 172.17.1.250 and the host has no other specific routes configured. If it is a Windows host, you can check with "route print" at the DOS prompt.

    Please also check whether it allows the incoming RDP session. Are you able to RDP to it from in-house?

    Are you able to telnet to port 3389 from the DOS command prompt (telnet 172.17.1.7 3389)? What did you find?

  • ASA5505 with 2 VPN tunnels failing to establish the 2nd tunnel

    Hello

    I have an ASA5505 that currently connects a remote office for VoIP and data. I added a 2nd site-to-site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that Phase 1 negotiates fine. However, I'm not a VPN expert! So any help would be greatly appreciated. I have attached the running-config of my box, the debug (ipsec & isakmp) output and the information the vendor gave me today. They use an ASA5510.

    My existing VPN tunnel (which works) is labeled 'outside_1_cryptomap'. It has the following as interesting traffic:

    192.168.1.0/24 -> 192.168.3.0/24
    192.168.2.0/24 -> 192.168.3.0/24
    10.1.1.0/24 -> 192.168.3.0/24
    10.1.2.0/24 -> 192.168.3.0/24
    10.1.10.0/24 -> 192.168.3.0/24
    10.2.10.0/24 -> 192.168.3.0/24

    The new VPN tunnel (which does not work) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:

    192.168.1.25/32 -> 10.10.10.83/32
    192.168.1.25/32 -> 10.10.10.47/32
    192.168.1.26/32 -> 10.10.10.83/32
    192.168.1.26/32 -> 10.10.10.47/32

    Here's the info for the other VPN (copied & pasted from the config):

    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.180.14.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address eInfomatics_1_cryptomap
    crypto map outside_map 2 set peer 66.193.183.170
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 24.180.14.50 type ipsec-l2l
    tunnel-group 24.180.14.50 ipsec-attributes
     pre-shared-key *
    tunnel-group 66.193.183.170 type ipsec-l2l
    tunnel-group 66.193.183.170 ipsec-attributes
     pre-shared-key *

    Thanks in advance

    -Matt

    Hello

    The vendor has a Phase 2 PFS (Perfect Forward Secrecy) parameter of group2 set, while you don't have it.

    So you can probably try adding the following:

    crypto map outside_map 2 set pfs group2

    I think it will simply be entered as

    crypto map outside_map 2 set pfs

    given that 'group 2' is the default.

    -Jouni
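
The two Phase 2 failure modes this thread keeps running into, proxy identities that are not mirror images (the INVALID_ID_INFO at the top of the page) and a PFS group configured on only one side (Jouni's diagnosis above), can both be caught by comparing the two peers' crypto-map entries before bringing the tunnel up. The script below is an added example, not code from any post or from Cisco; the vendor-side ACL, its name to_asa5505 and all function names are assumptions.

```python
"""Phase 2 (quick mode) agreement check between two IPsec peers.

Added example for this thread, not code from any post or from Cisco. It
models what a responder compares when a quick-mode proposal arrives: proxy
identities (the peer's crypto ACL must mirror ours, else INVALID_ID_INFO),
the transform set, and PFS. Sample ACLs are constructed from Matt's post;
the vendor side and every helper name here are this example's invention.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# ASA extended ACL line "access-list NAME extended permit ip SRC DST",
# where SRC and DST are "host A.B.C.D", "any" or "NETWORK MASK".
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$")
Proxy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Turn one ACL address token into a network object."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_crypto_acl(config: str, acl_name: str) -> List[Proxy]:
    """Return the (local, remote) network pairs of the named crypto ACL."""
    proxies: List[Proxy] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            proxies.append((_to_network(m.group("src")),
                            _to_network(m.group("dst"))))
    return proxies


@dataclass
class Phase2Side:
    """One peer's crypto-map entry, reduced to what quick mode negotiates."""
    name: str
    proxies: List[Proxy]
    transform_set: FrozenSet[str]     # e.g. {"esp-3des", "esp-sha-hmac"}
    pfs_group: Optional[int] = None   # None = no PFS; bare "set pfs" is 2


def check_phase2(a: Phase2Side, b: Phase2Side) -> List[str]:
    """List every reason these two sides would fail to agree an IPsec SA."""
    problems: List[str] = []
    for local, remote in ((a, b), (b, a)):
        # The remote's proxy pairs as they must look from our side.
        mirrored = {(dst, src) for src, dst in remote.proxies}
        for src, dst in local.proxies:
            if (src, dst) not in mirrored:
                problems.append(
                    f"{local.name}: proxy {src} -> {dst} has no mirror on "
                    f"{remote.name}, which would answer INVALID_ID_INFO")
    if a.transform_set != b.transform_set:
        problems.append(f"transform-set mismatch: {sorted(a.transform_set)} "
                        f"vs {sorted(b.transform_set)}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name} group {a.pfs_group}, "
                        f"{b.name} group {b.pfs_group}")
    return problems


# Constructed from Matt's post: the ASA5505 side of the vendor tunnel.
MATT_CONFIG = """\
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
crypto map outside_map 2 match address eInfomatics_1_cryptomap
"""
# Constructed vendor side: the thread only says it uses PFS group2, so the
# mirrored ACL and its name "to_asa5505" are this example's assumption.
VENDOR_CONFIG = """\
access-list to_asa5505 extended permit ip host 10.10.10.83 host 192.168.1.26
access-list to_asa5505 extended permit ip host 10.10.10.83 host 192.168.1.25
access-list to_asa5505 extended permit ip host 10.10.10.47 host 192.168.1.25
access-list to_asa5505 extended permit ip host 10.10.10.47 host 192.168.1.26
"""
ESP_3DES_SHA = frozenset({"esp-3des", "esp-sha-hmac"})


def matt_vs_vendor(matt_pfs: Optional[int]) -> List[str]:
    """Matt's entry against the vendor's, with the PFS group Matt configures."""
    matt = Phase2Side("ASA5505", parse_crypto_acl(
        MATT_CONFIG, "eInfomatics_1_cryptomap"), ESP_3DES_SHA, matt_pfs)
    vendor = Phase2Side("vendor ASA5510", parse_crypto_acl(
        VENDOR_CONFIG, "to_asa5505"), ESP_3DES_SHA, 2)
    return check_phase2(matt, vendor)   # [] once Matt adds "set pfs" (group 2)
```

Called with `None` (Matt's config as posted) the check reports only the PFS mismatch; with `2` it returns an empty list, and dropping one line from either ACL makes the proxy-identity check fire instead.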

  • Remote access VPN and site-to-site VPN on the same ASA?

    Hello

    I would like to know if it is possible to have this configuration on an ASA5510:

    (1) Remote access VPN (access via the outside interface)

    (2) Site-to-site VPN (same access interface)

    The goal: VPN (1) users can access the remote VPN (2) server and vice versa.

    Is it possible? And what is the best practice to do it?

    Thank you very much!

    J.

    Yes, you can do it.

    The same-security-traffic command permits traffic to enter and leave the same interface when used with the intra-interface keyword, which allows the VPN to support spoke-to-spoke.

    Here are a few examples.

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml

    PIX/ASA 7.x: Add a new Tunnel or Remote Access to an existing L2L VPN

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

    PIX/ASA 7.x Enhanced Spoke-to-Client VPN with TACACS+ Authentication Configuration Example

  • ASA - upgrade to 8.4, impossible to ping the inside interface via IPSec VPN

    We have a 5-site, site-to-site VPN scenario configured. Last week we upgraded 2 ASA 5505 devices to 8.4.2. Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm the VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA. While we were on 8.2, remote equipment successfully pinged the inside interface. After we went to 8.4.2 we cannot ping this interface. We looked at the logs and we see the ICMP traffic listed there, but the remote equipment does not receive the ICMP traffic back. We can successfully ping the inside interface from local hardware, and the outside interface of the remote devices. In addition, we can successfully ping hardware behind the two devices in both directions.

    We are unable to remotely manage the device through the VPN tunnel.

    Net is:

    ASA #1 inside 10.168.107.1 (running ASA 8.2)
    ASA #2 inside 10.168.101.1 (running ASA 8.4)
    Server 1 (behind ASA #1) 10.168.107.34
    Server 2 (behind ASA #2) 10.168.101.14

    Can ping server 1 to server 2
    Can ping server 1 to ASA 1
    Can ping server 2 to ASA 2
    Can ping server 2 to server 1
    Can ping server 2 to ASA 1
    Can ping ASA 2 to ASA 1
    Cannot ping ASA 1 to ASA 2
    Cannot ping server 1 to ASA 2
    Cannot access ASA 2 via https for the management interface, nor with the ASDM software

    Here is the config on ASA 2 (attached).

    Any thoughts would be appreciated.

    Hey Joseph,

    Most likely you hit this bug:

    CSCtr16184    Bug Details
    To-the-box traffic from VPN hosts fails after upgrade to 8.4.2.
    Symptom:
    After the upgrade of the ASA to 8.4.2, all to-the-box management traffic (including ICMP/telnet/ssh/ASDM) from hosts via the VPN (L2L or remote access VPN) may fail to the management-access IP address.
    Conditions:
    1. The problem occurs if the ASA is on 8.4.2. Not seen on 8.4.1.
    2. Users directly connected to the internal interfaces have no problem with ICMP/telnet/ssh/ASDM to their respective interfaces.
    Workaround:
    The problem comes down to a Manual NAT statement that overlaps the management-access IP address. The NAT has both the source and destination fields. Adding the keyword "route-lookup" at the end of the NAT statement solves the problem. Ex:
    The management-access IP address of the ASA interface is 192.168.1.1.
    ! Overlapping NAT statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
    ! New statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

    HTH,

    Raga

  • Urgent issue: remote vpn users cannot reach server dmz

    Hi all

    I have an ASA5510 firewall to which remote VPN client users can connect, but they cannot ping or access the DMZ server (192.168.3.5).

    They also can't ping the outside interface (192.168.2.10). Below is the show run, please help.

    ASA5510(config)# sh run
    : Saved
    :
    : Serial Number: JMX1243L2BE
    : Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
    :
    ASA Version 8.2(5)55
    !
    hostname Majed
    enable password UFWSxxKWdnx8am8f encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.2.10 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.10 255.255.255.0
    !
    interface Ethernet0/2
     nameif servers
     security-level 90
     ip address 192.168.3.10 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa825-55-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list acl_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl_outside extended permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list acl_outside extended permit ip any any
    access-list acl_outside extended permit icmp any any
    access-list acl_inside extended permit ip host 192.168.1.150 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.150 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip host 192.168.1.200 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.200 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip host 192.168.1.13 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit icmp host 192.168.1.13 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.5
    access-list acl_inside extended permit icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
    access-list acl_inside extended deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list acl_inside extended deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list acl_inside extended permit ip any any
    access-list acl_inside extended permit icmp any any
    access-list acl_server extended permit ip any any
    access-list acl_server extended permit icmp any any
    access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0
    access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0
    access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
    access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list acl_servers extended permit ip any any
    access-list acl_servers extended permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (servers) 1 interface
    nat (inside) 0 access-list nat0
    nat (inside) 1 192.168.1.4 255.255.255.255
    nat (inside) 1 192.168.1.9 255.255.255.255
    nat (inside) 1 192.168.1.27 255.255.255.255
    nat (inside) 1 192.168.1.56 255.255.255.255
    nat (inside) 1 192.168.1.150 255.255.255.255
    nat (inside) 1 192.168.1.200 255.255.255.255
    nat (inside) 1 192.168.2.5 255.255.255.255
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.96 192.168.1.96
    nat (servers) 0 access-list nat0
    nat (servers) 1 192.168.3.5 255.255.255.255
    static (inside,servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (servers,inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
    access-group acl_outside in interface outside
    access-group acl_servers in interface servers
    route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.3.5 255.255.255.255 servers
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map Outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.3.0 255.255.255.0 servers
    telnet 192.168.38.0 255.255.255.0 servers
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn internal
    group-policy vpn attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Local_LAN_Access
     nem enable
    username qaedah password Ipsf4W9G6cGueuSu encrypted
    username moneef password FLlCyoJakDnWMxSQ encrypted
    username chayma password X7ESmrqNBIo5eQO9 encrypted
    username sanaa2 password zHa8FdVVTkIgfomY encrypted
    username sanaa password x5fVXsDxboIhq68A encrypted
    username sanaa1 password x5fVXsDxboIhq68A encrypted
    username bajel password DygNLmMkXoZQ3.DX encrypted privilege 15
    username daris password BgGTY7d1Rfi8P2zH encrypted
    username taiz password Ip3HNgc.pYhYGaQT encrypted
    username damt password gz1OUfAq9Ro2NJoR encrypted privilege 15
    username aden password MDmCEhcRe64OxrQv encrypted
    username hodaidah password IYcjP/rqPitKHgyc encrypted
    username yareem password ctC9wXl2EwdhH2XY encrypted
    username AMMD password ZwYsE3.Hs2/vAChB encrypted
    username haja password Q25wF61GjmyJRkjS encrypted
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    username ibbmr password CNnADp0CvQzcjBY5 encrypted
    username IBBR password oJNIDNCT0fBV3OSi encrypted
    username ibbr password 2Mx3uA4acAbE8UOp encrypted
    username ibbr1 password wiq4lRSHUb3geBaN encrypted
    username TORBA password C0eUqr.qWxsD5WNj encrypted
    username shibam password xJaTjWRZyXM34ou. encrypted
    username ibbreef password 2Mx3uA4acAbE8UOp encrypted
    username torbah password r3IGnotSy1cddNer encrypted
    username thamar password 1JatoqUxf3q9ivcu encrypted
    username dhamar password pJdo55.oSunKSvIO encrypted
    username main password jsQQRH/5GU772TkF encrypted
    username main1 password ef7y88xzPo6o9m1E encrypted
    username Moussa password OYXnAYHuV80bB0TH encrypted
    username majed password 7I3uhzgJNvIwi2qS encrypted
    username lahj password qOAZDON5RwD6GbnI encrypted
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
     address-pool vpnpool
     default-group-policy vpn
    tunnel-group vpn ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !

    Hello brother Mohammed.

    "Can my ASA5510 work as a VPN server & client at the same time?"

    Yes, it can work as a client and a server at the same time.

    I have never seen anyone do it, but from many years of my understanding I have no reason to think why it wouldn't, because the two configurations (client/server) are independent of each other.

    Does your ASA, functioning as the server, use the "DefaultL2LGroup", or does it use a standard group policy and tunnel-group mapped to the remote client ASAs?

    Thank you

  • ASA, VPN Site-to-Site

    Hello

    I would like to set up a site-to-site VPN using an ASA 5520 and I have some questions, if you don't mind:

    Site A:

    Peer IP address: aaa.aaa.aaa.aaa/32

    Local network: bbb.bbb.bbb.bbb/32

    Site B:

    Peer IP address: xxx.xxx.xxx.xxx/32

    Local network: yyy.yyy.yyy.yyy/32

    In the site-to-site VPN wizard (on site B), the peer should be site A, the local network must be site B and the remote network must be site A, right?

    The IP address of the local network should not be used by other devices, right? Can I use a single IP address instead of the network range for the local and remote networks? The client at site A gives me a single IP address.

    Can I allow site A to browse only a single IP address on my site B, and allow only ports 80 and 443? Please can you give me an example; I prefer ASDM.

    Thank you, and waiting for your help.

    Hello

    I can only really give an example of this using the CLI (or rather, I prefer to, as I hardly use ASDM at all).

    Do you have any already existing L2L / site-to-site VPN connections on the ASA?

    Could you share your current configuration (removing all sensitive information) so we can take into account all the existing configuration you have?

    Did you agree with the other site's technical contact, who will set up their side of the L2L VPN, on what the Phase 1 and Phase 2 settings of the L2L VPN will be?

    -Jouni
