ASA5510 L2L VPN

Hello guys,

I had to build an L2L VPN with a client. I have configured my ASA5510 for phase 1 and 2 according to their needs, but the tunnel is. When I try to ping the IP address I need to access on their site, the tunnel tries to open, but I think Phase 1 is not completing. I have attached the debug crypto isakmp 255 output. Help, please.

Kind regards

RVR

Could you post your ASA config? Do you have a tunnel-group defined as 155.137.10.12?

Tags: Cisco Security

Similar Questions

  • L2L VPN between an ASA with a public IP address and a CISCO2911 behind an ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN between an ASA and a CISCO2911 sitting behind the ISP's router. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco, for some reason, so I'm stuck with it. The setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is the corporate private LAN range, y.y.y.y is the public IP address assigned to the outside interface of the ASA and z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below. What I can't understand is what peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, as the 2911 identifies itself as 10.1.17.2...

    ! ^^^ ISAKMP (Phase 1) ^^^ !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address y.y.y.y no-xauth

    ! ^^^ IPSEC (Phase 2) ^^^ !
    ip access-list extended crymap
     permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
     set peer y.y.y.y
     set transform-set ESP-3DES-SHA
     match address crymap

    interface Gi0/2
     crypto map VPN-TUNNEL

    Hello

    From the debug output, it seems it's going through the IPSEC states and the tunnel ends up in QM_IDLE.

    What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.

    So I suggest:

    no crypto map OUTSIDE_map 4 set pfs <-- this will disable PFS on the ASA

    Then try to initiate the tunnel.

    Kind regards

    Jan

  • ASA with several dynamic L2L VPNs

    I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.

    I also need some L2L VPNs with dynamic remote peers.

    While the configuration for a single dynamic VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dynamic VPNs?

    Basically, all the dynamic VPNs must use the same PSK (the DefaultL2LGroup).

    But using "aggressive" mode on the remote peer, I could use a different PSK for every dynamic VPN:

    tunnel-group ABCD ipsec-attributes
     pre-shared-key *

    Is this configuration correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document may also be an option to configure multiple dynamic L2L VPN connections on the ASA

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • L2L VPN tunnel is reset during IPSec rekey

    I have an L2L VPN tunnel that resets completely, starting with Phase 1, when the IPSec Security Association timer expires. Although there are several SAs, it always resets the whole tunnel.

    I see the following in the log errors when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713050: Group = ipRemoved, IP = ipRemoved, Connection terminated for peer ipRemoved.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713259: Group = ipRemoved, IP = ipRemoved, Session is being torn down. Reason: User Requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-4-113019: Group = ipRemoved, Username = ipRemoved, IP = ipRemoved, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713041: IP = ipRemoved, IKE Initiator: New Phase 1, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713119: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x9213bdc9, Outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713041: Group = ipRemoved, IP = ipRemoved, IKE Initiator: New Phase 2, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x93f9be6c, Outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=1f6c9acd)

    Any thoughts on why it would do that?

    Thank you.

    Jason

    Hello

    Both log messages seem to suggest that the remote end is closing/clearing the connection.

    Is this a new connection that suffers from this problem, or has it started on an existing connection?

    The Cisco documentation associated with the syslog messages does not really have any useful information about these log messages.

    I guess your problem is that TCP connections through the L2L VPN suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration could help, even if this situation persists:

    sysopt connection preserve-vpn-flows

    Here is a link to the ASA command reference (8.4-8.6 software) with a better explanation of this configuration.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the ASA.

    Hope this helps

    -Jouni

  • Cisco ASA L2L VPN trouble

    Hello Experts from Cisco,

    I have run into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and 5520 running version 8.2.2.

    Our existing L2L VPNs are connected fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

    What fails is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xad1c4500, priority=70, domain=encrypt, deny=false
            hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
            src ip=10.20.0.0, mask=255.255.0.0, port=0
            dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

    I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.

    Useful info:

    SITE C

    object-group network NoNatDMZ-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.20.0.0 255.255.0.0
    access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
    access-list sheep extended permit ip 10.100.8.0 255.255.248.0 object-group sheep-objgrp
    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set peer x.x.x.x
    crypto map outside_map 30 set transform-set ESP-AES256-SHA
    crypto map outside_map 30 set reverse-route
    crypto map outside_map interface outside

    SITE B

    object-group network sheep-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.21.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.100.8.0 255.255.248.0
    access-list sheep extended permit ip 10.20.0.0 255.255.0.0 object-group sheep-objgrp
    access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
    crypto map outside_map 50 match address outside_50_cryptomap
    crypto map outside_map 50 set peer XX.XX.XX.XX
    crypto map outside_map 50 set transform-set ESP-AES256-SHA
    crypto map outside_map 50 set reverse-route
    crypto map outside_map interface outside

    I've been struggling with this these days. Any help is very appreciated!

    Thank you!!

    Follow these steps:

    no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    clear crypto ipsec sa peer SITE_B_Public

    Try again and attach the same outputs.

    Let me know.

    Thank you.

  • L2L VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up a VPN tunnel between two ASAs or routers using NAT translation of the inside private IP addresses to a single public IP address on the outside interface, and then define the crypto interesting traffic with the public IP address as the source and the remote private network on the other end (also an ASA) as the destination? For example, I want to translate a private network to the public IP address at one end and use the VPN tunnel with a public IP address as the source. Policy NAT is not an option, because we really do not want to provide any IP address to the remote end, and the IP addresses of the remote end can overlap with our end.

    Thank you!

    Hello

    You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.

    This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept, or I misunderstood your question.

    For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
    global (outside) 6 200.200.200.200
    nat (inside) 6 access-list 199

    This would NAT the traffic to the public IP address only when the traffic matches the ACL.

    Your ACL crypto should then be something like

    access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your real address, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to bring up the tunnel.

    I hope this helps.

    Raga

  • ASA5510 L2L to Nortel Contivity VPN

    We are having a few problems getting the tunnel to come up completely. It seems IKE Phase 1 completes, but Phase 2 will not finish. I get an INVALID_ID_INFO message, and the process ends and restarts. I have attached the log file. Any help would be greatly appreciated.

    Scott

    The message indicates a problem with the crypto map. Make sure the peer specified on the Cisco end points to the tunnel endpoint on the Nortel side. Also make sure that the transform set matches, along with the local and remote proxy (ACL) identities.

  • ASA5510 + Sonicwall VPN site-to-site does not

    We tried to connect a Sonicwall PRO2040 VPN to an ASA5510 without success. I get the following errors on the ASA:


    where x.x.x.x is the IP address of the Sonicwall, y.y.y.y is the ASA

    6 Mar 19 2010 15:44:06 302015 x.x.x.x y.y.y.y 500 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)

    4 Mar 19 2010 15:44:29 713903 IP = x.x.x.x, Invalid Cookie message received on non-existent SA

    4 Mar 19 2010 15:44:29 113019 Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service

    3 Mar 19 2010 15:44:29 713123 Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

    4 Mar 19 2010 15:44:27 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

    5 Mar 19 2010 15:44:27 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping

    4 Mar 19 2010 15:44:25 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

    5 Mar 19 2010 15:44:25 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping

    4 Mar 19 2010 15:44:23 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

    5 Mar 19 2010 15:44:23 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping

    5 Mar 19 2010 15:44:06 713068 Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)

    5 Mar 19 2010 15:44:06 713119 Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

    6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x

    6 Mar 19 2010 15:44:06 302015 x.x.x.x y.y.y.y 500 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)

    and here's the config on the ASA:


    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer x.x.x.x
    crypto map outside_map 2 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    !

    Can anyone help please? We checked on the Sonicwall and it seems that everything is correct.

    As you use the IP address, you must configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".

    Please share the debug output while trying to establish the VPN:

    - debug crypto isakmp

    - debug crypto ipsec

    Also, the output of:

    - show crypto isakmp sa

    - show crypto ipsec sa

    If you can share the ASA configuration that would be great. Thank you.
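As an added example (not code from any of the posts above), the following Python script classifies ASA IKE syslog messages of the kind quoted in the rekey-reset thread and in the Sonicwall thread, and flags three conditions a defender would want to spot in the logs: a session torn down and renegotiated from Phase 1 within a short window (a full tunnel reset), a burst of INVALID_COOKIE messages, and an "Invalid ID info" notify right after Phase 1 completes. The log lines, hostname and addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "%ASA-<sev>-<id>" syslog layout seen in the threads above.
# The first block mimics the rekey-reset thread, the second the Sonicwall thread.
SAMPLE_LOG = """\
Jun 03 2013 12:54:41 fw1 : %ASA-5-713050: Group = 198.51.100.7, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Jun 03 2013 12:54:41 fw1 : %ASA-5-713259: Group = 198.51.100.7, IP = 198.51.100.7, Session is being torn down. Reason: User Requested
Jun 03 2013 12:55:33 fw1 : %ASA-5-713041: IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.7  local Proxy Address 10.1.0.0, remote Proxy Address 10.2.0.0,  Crypto map (L2LVPN)
Jun 03 2013 12:55:33 fw1 : %ASA-5-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
Jun 03 2013 12:55:33 fw1 : %ASA-5-713120: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=b8a47603)
Mar 19 2010 15:44:06 fw1 : %ASA-5-713119: Group = 203.0.113.9, IP = 203.0.113.9, PHASE 1 COMPLETED
Mar 19 2010 15:44:06 fw1 : %ASA-5-713068: Group = 203.0.113.9, IP = 203.0.113.9, Received non-routine Notify message: Invalid ID info (18)
Mar 19 2010 15:44:23 fw1 : %ASA-5-713904: Group = 203.0.113.9, IP = 203.0.113.9, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 19 2010 15:44:25 fw1 : %ASA-5-713904: Group = 203.0.113.9, IP = 203.0.113.9, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 19 2010 15:44:27 fw1 : %ASA-5-713904: Group = 203.0.113.9, IP = 203.0.113.9, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 19 2010 15:44:29 fw1 : %ASA-4-713903: IP = 203.0.113.9, Invalid Cookie message received on non-existent SA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
IP_RE = re.compile(r"IP = (?P<ip>[\d.]+)")
# The reason text ends at the next double space (713050) or at end of line (713259/113019).
REASON_RE = re.compile(r"Reason: (?P<reason>[^,]+?)(?:\s{2,}|$)")


def parse_line(line):
    """Return timestamp, severity, message id, peer IP, reason and body for one syslog line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ipm = IP_RE.search(m.group("body"))
    rm = REASON_RE.search(m.group("body"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "sev": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "peer": ipm.group("ip") if ipm else None,
        "reason": rm.group("reason").strip() if rm else None,
        "body": m.group("body"),
    }


def analyze(log_text, reset_window_s=120, cookie_threshold=3):
    """Group events per peer and apply three heuristics; returns a list of findings."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["peer"]:
            by_peer[ev["peer"]].append(ev)

    findings = []
    for peer, events in by_peer.items():
        events.sort(key=lambda e: e["ts"])

        # 1. 713259 (session torn down) followed by 713041 "New Phase 1" within the window:
        #    the whole tunnel was reset rather than just a Phase 2 rekey.
        for i, ev in enumerate(events):
            if ev["msgid"] != "713259":
                continue
            for later in events[i + 1:]:
                gap = (later["ts"] - ev["ts"]).total_seconds()
                if later["msgid"] == "713041" and "New Phase 1" in later["body"] and gap <= reset_window_s:
                    findings.append({"peer": peer, "type": "full_reset",
                                     "detail": "torn down (%s), new Phase 1 after %ds" % (ev["reason"], gap)})
                    break

        # 2. Repeated 713903/713904: the peer no longer shares our view of the ISAKMP SA.
        cookies = [e for e in events if e["msgid"] in ("713903", "713904")]
        if len(cookies) >= cookie_threshold:
            findings.append({"peer": peer, "type": "invalid_cookie_storm",
                             "detail": "%d invalid-cookie messages" % len(cookies)})

        # 3. 713068 "Invalid ID info" after 713119: Phase 1 is fine, the identities/proxy IDs are not.
        bad_id = any(e["msgid"] == "713068" and "Invalid ID info" in e["body"] for e in events)
        if bad_id and any(e["msgid"] == "713119" for e in events):
            findings.append({"peer": peer, "type": "invalid_id_info",
                             "detail": "Phase 1 completed but the peer rejected the ID payload"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%-15s %-22s %s" % (f["peer"], f["type"], f["detail"]))
```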

  • L2L VPN tunnels on several external ISP interfaces

    Due to special circumstances, we have 2 ISP links on an ASA5510. I'm trying to terminate some L2L VPN tunnels on one link and others on the second ISP link, for example as below:

    LOCAL FIREWALL

    crypto map outside-map_isp1 20 match address VPN_ACL_A
    crypto map outside-map_isp1 20 set peer 1.1.1.1
    crypto map outside-map_isp1 20 set transform-set TS-generic

    crypto map outside-map_isp2 30 match address VPN_ACL_B
    crypto map outside-map_isp2 30 set peer 3.3.3.3
    crypto map outside-map_isp2 30 set transform-set TS-generic

    crypto map outside-map-isps1 interface ISP_1
    crypto map outside-map-isp2 interface ISP_2

    crypto isakmp enable ISP_1
    crypto isakmp enable ISP_2

    route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
    route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254

    Establishing the VPN tunnels in both directions when using ISP_1 works very well, establishing in both directions for remote access users and several L2L tunnels (only showing one as an example).

    On ISP_2

    1. peer device 3.3.3.3 establishes a VPN tunnel, but the return traffic does NOT get back to device 3.3.3.3 through the tunnel.

    2. the local firewall does NOT establish a VPN tunnel to 3.3.3.3

    It suggests that the problem lies with this multihomed firewall not directing traffic properly back down the established VPN tunnel (point 1) or not triggering a tunnel when there is none (point 2).

    Reconfiguring the VPN tunnel to peer 3.3.3.3 to be on ISP_1 on the local firewall, everything springs to life! Any ideas? There are enough licenses etc...

    Another thing you need is for the destination subnet in VPN_ACL_B to be routed to ISP_2 as well.

    So you must send the peer address (in your case 3.3.3.3) and the remote subnet (in your case the destination subnet of VPN_ACL_B) to 2.2.2.254

  • ASA L2L VPN NAT

    We have a partner that we set up an L2L VPN with.  Their internal host IP overlaps with our internal IP range.  Unfortunately, they do not offer NAT on their side.  Is it possible on the ASA to configure NAT so that my internal hosts appear as, say, 1.1.1.1, and the ASA changes the overlapping internal address of the remote end?

    If this is the scenario

    192.168.5.0 ASA1 <---> <-- internet --> ASA2 <-->

    ASA1 (NAT will be applied)

    ASA2 (without nat will be applied)

    You want to do something like that on ASA1

    Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to appear as 192.168.8.0 when it comes to your network on the ASA.

    ! - match ACL
    access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

    ! - NAT ACL
    access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

    ! - Translations
    static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0
    static (inside,outside) 192.168.8.0 access-list vpn_nat

    Complete the VPN configuration using acl_match_VPN as the match ACL. Your inside hosts will have to use the 192.168.7.0 network when talking to the remote end.

    I hope this helps.

  • L2L VPN

    I want to configure an ASA running version 8.0 to connect to a Juniper Netscreen with the configuration below using an L2L VPN.

    Peer IP: 78.93.0.7

    Host IP address: 213.184.187.200

    Pre-shared key: ciscoVPN

    Phase 1: preg2-3des-md5

    Phase 2: nopfs-esp-3des-md5

    Thanks in advance.

    Add "crypto isakmp identity address".

    And check the phase 1 settings & PSK with the remote end.

  • ASA L2L VPN UP with incoming traffic

    Hello

    I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers; one of them (Customer) works well, but with the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw that traffic is reaching the server and traffic from the server is reaching the ASA, then nothing...

    See the result of sh crypto ipsec sa below and part of the config for both clients

    ------------------

    Addresses:

    local peer 100.100.100.178

    local network 10.10.10.0/24

    local server they need access to: 10.10.10.10

    Customer remote peer 200.200.200.200

    Customer remote network 172.16.200.0/20

    CustomerB remote peer 160.160.143.4

    CustomerB remote network 10.15.160.0/21

    ---------------------------

    Output of the command: "sh crypto ipsec sa peer 160.160.143.4 det"

    peer address: 160.160.143.4
        Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

          access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
          local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
          current_peer: 160.160.143.4

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts bad key (rcv): 0,
          #pkts invalid ip version (rcv): 0,
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C2AC8AAE

        inbound esp sas:
          spi: 0xD88DC8A9 (3633170601)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373959/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC2AC8AAE (3266087598)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    - Configuration excerpt

    ASA Version 8.2(1)
    !
    name 172.16.200.0 Customer
    name 10.15.160.0 CustomerB
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 100.100.100.178 255.255.255.240
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.10.10.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    nat-control
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 100.100.100.177
    route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 200.200.200.200
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_cryptomap
    crypto map outside_map 3 set peer 160.160.143.4
    crypto map outside_map 3 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec svc
    group-policy Customer internal
    group-policy Customer attributes
     vpn-tunnel-protocol IPSec svc
    group-policy CustomerB internal
    group-policy CustomerB attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 160.160.143.4 type ipsec-l2l
    tunnel-group 160.160.143.4 general-attributes
     default-group-policy CustomerB
    tunnel-group 160.160.143.4 ipsec-attributes
     pre-shared-key xxx
    tunnel-group 200.200.200.200 type ipsec-l2l
    tunnel-group 200.200.200.200 general-attributes
     default-group-policy Customer
    tunnel-group 200.200.200.200 ipsec-attributes
     pre-shared-key yyy

    Thank you

    A.

    Hello

    It seems that the ASA is not encrypting traffic to the second peer (however, there is no routing problem).

    I saw this behavior on 7.x code, not on 8.x code.

    However, can you do a test?

    Can you change the order of the crypto map entries?

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 160.160.143.4
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 3 match address outside_1_cryptomap
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 200.200.200.200
    crypto map outside_map 3 set transform-set ESP-3DES-SHA

    I just want to see if, by setting the non-working peer to be the first, it works...

    I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

    Thank you.

    Federico.
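As an added example (not part of the original post or reply), this Python parser reads the "show crypto ipsec sa" layout quoted in the post above and flags SAs that are decapsulating packets without encapsulating any, which is the RX-but-no-TX symptom described for CustomerB and the first thing to check before changing crypto map order or NAT. The sample output, addresses and counters are constructed.

```python
import re

# Constructed sample in the ASA 8.2 "show crypto ipsec sa" layout: a healthy entry (seq 1)
# and a one-way entry (seq 3) modelled on the CustomerB output in the post.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.178

      access-list outside_1_cryptomap permit ip host 10.10.10.10 172.16.200.0 255.255.240.0
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.200.0/255.255.240.0/0/0)
      current_peer: 200.200.200.200

      #pkts encaps: 1530, #pkts encrypt: 1530, #pkts digest: 1530
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

      access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
      current_peer: 160.160.143.4

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
      #send errors: 0, #recv errors: 0
"""

ENTRY_RE = re.compile(r"Crypto map tag: (?P<map>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>[\d.]+)")
PEER_RE = re.compile(r"current_peer: (?P<peer>[\d.]+)")
IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps|encrypt|decrypt|digest|verify): (?P<val>\d+)")


def parse_ipsec_sa(text):
    """Split the output into one dict per crypto map entry with its peer, proxy identities and counters."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            cur = {"map": m.group("map"), "seq": int(m.group("seq")), "local_addr": m.group("local"),
                   "peer": None, "local_ident": None, "remote_ident": None, "counters": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first entry
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group("peer")
        for m in IDENT_RE.finditer(line):
            cur[m.group("side") + "_ident"] = "%s/%s" % (m.group("addr"), m.group("mask"))
        for m in COUNTER_RE.finditer(line):
            cur["counters"][m.group("name")] = int(m.group("val"))
    return entries


def classify(entry):
    """Direction of traffic actually carried by the SA, from the encaps/decaps counters."""
    c = entry["counters"]
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "rx_only"   # peer's packets are decrypted, nothing is sent back through this SA
    if dec == 0:
        return "tx_only"
    return "bidirectional"


def one_way_tunnels(text):
    """Return (peer, seq, direction) for every SA that carries traffic in only one direction."""
    return [(e["peer"], e["seq"], classify(e))
            for e in parse_ipsec_sa(text) if classify(e) in ("rx_only", "tx_only")]


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_SA):
        print("seq %d peer %s %s -> %s: %s" % (e["seq"], e["peer"], e["local_ident"], e["remote_ident"], classify(e)))
    print("one-way:", one_way_tunnels(SAMPLE_SA))
```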

  • L2L VPN with NAT

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this.

    I need to create a VPN tunnel between our site and a remote site.

    On our site we have a 192.168.0.X network; our external IP address is 12.53.150.100.

    The site we need to connect to is 69.144.38.48.

    We need to go host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to translate to 10.9.250.1.

    Thanks in advance

    Jason

    Are you familiar with setting up a regular L2L tunnel? In addition to this, you just create a policy NAT:

    access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50

    static (inside,outside) 10.9.250.1 access-list 100

    When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need more help.

  • L2L VPN using dynamic IP - question

    Dear all,

    I have several sites with dynamic IP address.

    At HO, I have a Cisco router with dynamic IP, on which port forwarding is configured, and the VPN is terminated on the ASA.

    I have 40 branches, all with dynamic IP. All L2L tunnels are running.

    My problem is that communication from a branch to HO is perfect, but from HO I'm not able to access the branch resources.

    Could someone help me solve this problem... Config is attached.

    AHA!

    I understand the setup a little better.

    It seems that your routers are doing destination NAT, so all the tunnels seem to come from the subnet "172.16.40.0/23".

    And indeed your hypothesis is correct: the problem seems to be related to the lack of correct routes pointing outward (at least it seems so for now).

    However, reverse route injection should take care of it.

    Speaking of which, I noticed your tunnels terminate on

    crypto dynamic-map alfa, and not the system default one.

    Please add "crypto dynamic-map alfa 1 set reverse-route" and restart one of the tunnels (do not clear everything, simply clear isakmp and ipsec for this session).

    We'll see from there.

    Marcin

  • L2L VPN with inbound NAT

    Cisco ASA (Site A) with 2 L2L VPNs (call them Site B and Site C)

    I need "inbound NAT" for the Site-C network.

    Let me explain better:

    - Site-B (10.14.63.0/24) accepts only traffic from the local network of Site-A (10.1.6.0/24), and I can't change the VPN.

    - Now I've connected Site-C to Site-A, and this must also communicate with Site-B.

    - So I thought I could NAT the network of Site-C (10.168.3.0/24) in order to present it with an IP of Site-A.

    Possible?

    And how to configure the ASA at the Site-A?

    Thank you

    Claudio

    Hello

    What is the software level on the Site-A ASA?

    -Jouni
