Ask about site to site VPN

Hi Experts,

We gave connectivity VPN site-to-site to our customer. They report that they are not able to access the network because of VPN downwards.

I checked on my router, it's showing to Port 4500 & down to 500.

Below, find the exit

crypto session #sh remote 152.69.248.225

Current state of the session crypto

Interface: GigabitEthernet0/0/2

The session state: UP-ACTIVE

Peer: 152.69.248.225 port 4500

IKE SA: local 3.148.197.4/4500 remote 152.69.248.225/4500 Active

FLOW IPSEC: allowed host 3.148.197.0/255.255.255.0 ip 170.69.246.2

Active sAs: 2, origin: card crypto

Interface: GigabitEthernet0/0/2

The session state: down

Peer: 152.69.248.225 port 500

FLOW IPSEC: allowed host 3.110.96.0/255.255.255.0 ip 152.69.246.2

Active sAs: 0, origin: card crypto

FLOW IPSEC: allowed host 3.110.97.0/255.255.255.0 ip 152.69.246.2

Active sAs: 0, origin: card crypto

#sh crypto session short distance 152.69.248.225

Status: A - Active, upward, D - Down, I - S - U - verse Standby, N - Idle, negotiation

K - no IKE

ivrf = (none)

I peer / group/Phase1_id F Username availability status

152.69.248.225 Gi0/0/2 10.130.132.34 01:14:49 AU

Can someone help me understand the output.

Security purpose I changed Ip addresses, so do ' t mistaken for intellectual property.

PL suggest also any document that clears my VPN concept

Thanks in advance

Surya

Hi Surya,

Please check out the common link L2L question ex below. It may not solve your problem 100%, but could help to understand the question...

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml

In addition, if you can postyour device and endpoint remote end device config (if possible), it helps.

THX

MS

Tags: Cisco Security

Similar Questions

  • Ask about hub and spoke VPN between several sites

    Hello

    I currently have a 'hub' ASA 5505 that connects to 4 sites running 877 routers.

    Since the network hub, I can connect to all the sites fine but what I would do is almost to compartmentalize the different VPN links in small groups.

    The ASA 5505 hub mainly provides IP telephony via the VPN from a PBX allowing users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would be able to call them internally through the hub. It must obviously be allowed between their different networks of traffic.

    Currently, when you try an internal call rings, but there is no audio data anyway. I guess that's due to restrictions of access list. I don't know yet if what I'm trying to achieve is possible as I'm a bit of a rookie, but any help would be appreciated. I have attached the hub and 2 rays below.

    The ideal final result would be the interconnectivity between the two rays through the hub, it seems reading as its possible, but I do not understand my head around it! It would involve using different subnet to the hub masks?

    Any help would be greatly appreciated!

    Thank you

    Jack

    ASA "hub" VPN config

    network of the OAKOW object
    255.255.255.0 subnet 192.168.12.0
    network of the OAKIV object
    subnet 192.168.11.0 255.255.255.0

    ACL_OAKOW to access extended list ip 192.168.5.0 allow 255.255.255.0 192.168.12.0 255.255.255.0
    ACL_OAKIV to access extended list ip 192.168.5.0 allow 255.255.255.0 192.168.11.0 255.255.255.0

    interface Vlan1

    nameif inside

    security-level 100

    192.168.5.1 IP address 255.255.255.0

    Static NAT to destination for static LAN LAN OAKOW OAKOW source (indoor, outdoor)
    Static NAT to destination for static LAN LAN OAKIV OAKIV source (indoor, outdoor)

    network obj_any object
    NAT dynamic interface (indoor, outdoor)

    Access-group interface incoming outside

    Crypto ipsec transform-set esp-3des esp-sha-hmac HOSTEDTS ikev1
    card crypto HOSTEDMAP 100 corresponds to the address ACL_OAKOW
    card crypto HOSTEDMAP 100 set pfs
    card crypto HOSTEDMAP 100 peer set 4.3.2.1

    card crypto HOSTEDMAP 100 set transform-set HOSTEDTS ikev1
    card crypto HOSTEDMAP 101 corresponds to the address ACL_OAKIV
    card crypto HOSTEDMAP 101 set pfs
    HOSTEDMAP 101 peer set 5.6.7.8 crypto card
    card crypto HOSTEDMAP 101 set transform-set HOSTEDTS ikev1

    HOSTEDMAP interface card crypto outside
    crypto isakmp identity address
    No encryption isakmp nat-traversal
    Crypto ikev1 allow outside
    Crypto ikev1 am - disable

    IKEv1 crypto policy 1
    preshared authentication
    3des encryption
    sha hash
    Group 2
    lifetime 28800

    internal TBOakOW group strategy
    attributes of Group Policy TBOakOW
    Ikev1 VPN-tunnel-Protocol

    internal TBOakIV group strategy
    attributes of Group Policy TBOakIV
    Ikev1 VPN-tunnel-Protocol

    tunnel-group 4.3.2.1 type ipsec-l2l
    tunnel-group 4.3.2.1 General attributes
    Group Policy - by default-TBOakOW

    4.3.2.1 tunnel-group ipsec-attributes
    IKEv1 pre-shared-key *.

    tunnel-group 5.6.7.8 type ipsec-l2l
    tunnel-group 5.6.7.8 General attributes
    Group Policy - by default-TBOakIV
    tunnel-group 5.6.7.8 ipsec-attributes
    IKEv1 pre-shared-key *.

    877 VPN "spoke 1' config '.

    VPDN enable

    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    lifetime 28800

    isakmp encryption key * address 1.2.3.4

    Crypto ipsec transform-set esp-3des esp-sha-hmac TB0ak

    map OakOW 10 ipsec-isakmp crypto
    defined peer 1.2.3.4
    game of transformation-TB0ak
    PFS group2 Set
    match address VPN

    interface Vlan1
    Description - LAN-
    192.168.12.1 IP address 255.255.255.0
    IP nat inside

    interface Dialer0
    card crypto OakOW

    overload of IP nat inside source list NAT interface Dialer0

    NAT extended IP access list
    refuse the 192.168.12.0 ip 0.0.0.255 192.168.5.0 0.0.0.255
    IP 192.168.12.0 allow 0.0.0.255 any
    list of IP - VPN access scope
    IP 192.168.12.0 allow 0.0.0.255 192.168.5.0 0.0.0.255

    877 config VPN "talked about 2'.

    VPDN enable

    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    lifetime 28800

    isakmp encryption key * address 1.2.3.4

    Crypto ipsec transform-set esp-3des esp-sha-hmac HOSTEDTS

    map TBVPNOak 10 ipsec-isakmp crypto
    defined peer 1.2.3.4

    game of transformation-HOSTEDTS
    PFS group2 Set
    match address ACL-VPN-to-ASA

    interface Vlan1
    Description internal LAN-
    192.168.11.1 IP address 255.255.255.0
    IP nat inside

    interface Dialer0
    card crypto TBVPNOak

    overload of IP nat inside source list NAT interface Dialer0

    IP extended ACL-VPN-to-ASA access list

    ip licensing 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    NAT extended IP access list
    deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
    ip licensing 192.168.11.0 0.0.0.255 any

    You must rewrite it ACL on spoke1:

    NAT extended IP access list

    refuse the 192.168.12.0 ip 0.0.0.255 192.168.5.0 0.0.0.255

    refuse the 192.168.12.0 ip 0.0.0.255 192.168.11.0 0.0.0.255

    IP 192.168.12.0 allow 0.0.0.255 any

    list of IP - VPN access scope

    IP 192.168.12.0 allow 0.0.0.255 192.168.5.0 0.0.0.255

    IP 192.168.12.0 allow 0.0.0.255 192.168.11.0 0.0.0.255

    and talk 2:

    NAT extended IP access list

    deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

    ip licensing 192.168.11.0 0.0.0.255 any

    IP extended ACL-VPN-to-ASA access list

    ip licensing 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    ip licensing 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

    And ACL on SAA

    ACL_OAKOW to access extended list ip 192.168.5.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

    ACL_OAKOW to access extended list ip 192.168.11.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

    ACL_OAKIV to access extended list ip 192.168.5.0 allow 255.255.255.0 192.168.11.0 255.255.255.0

    ACL_OAKIV to access extended list ip 192.168.12.0 allow 255.255.255.0 192.168.11.0 255.255.255.0

    You must allow the traffic of intra-interface:

    permit same-security-traffic intra-interface

    also, you can check the translation NAT nat debug command

    _____________________________________________________________________________

    Help seriously ill children all together. All information on this subject, is posted on my blog

  • Question about ACL's with the 2621 when using site to site VPN

    I set up two site to site vpn. We have an ASA at our headquarters and branches will IOS routers - one is a 1811 and the other 2621. Both are running the latest versions of IOS, respectively. The two VPN site-to-site do not work. I have a list of inbound on the external interfaces of both routers, access that allows only the IP address of the ASA IP traffic. All other traffic is denied. I put NAT overload upward in the typical form, and I use ip outgoing inspection on the same interface, to allow incoming traffic back to surfing the internet. This configuration works very well with the 1811, where all traffic is blocked except traffic IP (IPSEC) coming from the ASA. Guests at our headquarters can reach hosts behind the 1811 and vice versa.

    Here's my problem: the 2621 is processing traffic encapsulated on the external interface and block this traffic because it does not match. I know because when I turn on logging / debugging on the 2621, I see inbound traffic blocked by the ACL. Technically, I guess that it does not, but to this interface, the traffic is always encapsulated so I think it fits to this access list and then go to the Cryptography decapsulation card and be sent to the destination host. Just as it does on the 1811. I have not 'wan' t to create another line in the access list for all subnets to Headquarters. Why is not it works the same way as it does on the 1811? Is there something else I need to activate?

    ------------------------------------------------------------------------

    Config of 1811:

    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    !
    hostname BranchVPN1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    activate the default AAA authentication no
    authorization AAA console
    AAA authorization exec default local
    !
    AAA - the id of the joint session
    no ip source route
    IP cef
    !
    !
    IP inspect the audit trail
    inspect the IP dns-timeout 10
    inspect the name IP internet udp timeout 30
    inspect the name IP internet tcp timeout 30
    inspect the name IP internet ftp timeout 30
    inspect the name IP internet http timeout 30
    inspect the name firewall tcp IP
    inspect the name IP firewall udp
    inspect the name IP firewall icmp
    IP inspect the dns name of the firewall
    inspect the name IP firewall ftp
    inspect the name IP firewall http
    inspect the name IP firewall https
    inspect the IP firewall name ftps
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    !
    !
    IP domain name xxxx
    !
    !
    !
    !
    username xxxxxxxxxx
    !
    !
    !
    class-map correspondence vpn_traffic
    police name of group-access game
    !
    !
    VPN policy-map
    class vpn_traffic
    in line-action police 2000000 37500 pass drop exceeds-action
    !
    !
    !
    crypto ISAKMP policy 10
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key address xxxx xxxxxx
    ISAKMP crypto keepalive 10
    !
    life crypto ipsec security association seconds 28800
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
    !
    xxmap 10 ipsec-isakmp crypto map
    defined peer xxxx
    Set transform-set xxtransform
    PFS group2 Set
    match the address tunnelnetworks
    static inverse-road
    !
    !
    !
    interface Loopback0
    172.16.99.1 the IP 255.255.255.255
    !
    interface FastEthernet0/0
    Description Connection to Internet (DHCP)
    DHCP IP address
    IP access-group outside_in in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    inspect the firewall on IP
    NAT outside IP
    IP virtual-reassembly
    automatic duplex
    automatic speed
    No cdp enable
    xxmap card crypto
    !
    interface FastEthernet0/1
    Description of the connection to the local network
    address 172.20.1.1 IP 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    No cdp enable
    VPN service-policy input
    !
    interface Serial0/0/0
    no ip address
    Shutdown
    No cdp enable
    !
    interface Serial0/1/0
    no ip address
    Shutdown
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP nat inside source list nat - acl interface FastEthernet0/0 overload
    !
    IP nat - acl extended access list
    refuse any 10.0.0.0 0.255.255.255 ip
    allow an ip
    outside_in extended IP access list
    allow udp any eq bootps host 255.255.255.255 eq bootpc
    allow an ip host (ASA IPADDR)
    deny ip any any newspaper
    IP extended access list police
    deny ip host xxxx any
    deny ip any host xxxx
    IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    tunnelnetworks extended IP access list
    permit host 172.16.99.1 ip 10.0.0.0 0.255.255.255
    IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    !
    recording of debug trap
    logging source-interface Loopback0
    exploitation forest xxxx
    access-list 160 note t is
    not run cdp
    !
    !
    control plan
    !
    Banner motd ^ CC

    Authorized technician!

    ^ C
    !
    Line con 0
    line to 0
    line vty 0 4
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    line vty 5 15
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    !
    Scheduler allocate 20000 1000
    end

    ------------------------------------------------------------------------

    2621 Config:

    !
    version 12.3
    horodateurs service debug datetime msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    !
    hostname BranchVPN2
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 notifications
    no console logging
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    activate the default AAA authentication no
    authorization AAA console
    AAA authorization exec default local
    AAA - the id of the joint session
    IP subnet zero
    no ip source route
    IP cef
    !
    !
    IP domain name xxxx
    !
    IP inspect the audit trail
    inspect the IP dns-timeout 10
    inspect the name IP internet udp timeout 30
    inspect the name IP internet tcp timeout 30
    inspect the name IP internet ftp timeout 30
    inspect the name IP internet http timeout 30
    inspect the name firewall tcp IP
    inspect the name IP firewall udp
    inspect the name IP firewall icmp
    inspect the name IP firewall ftp
    inspect the name IP firewall http
    Max-events of po verification IP 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username xxxxxxxxxxxx
    !
    !
    !
    class-map correspondence vpn_traffic
    police name of group-access game
    !
    !
    VPN policy-map
    class vpn_traffic
    in line-action police 2000000 37500 pass drop exceeds-action
    !
    !
    !
    crypto ISAKMP policy 10
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key address xxxx xxxxx
    ISAKMP crypto keepalive 10
    !
    life crypto ipsec security association seconds 28800
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
    !
    xxmap 10 ipsec-isakmp crypto map
    defined peer xxxx
    Set transform-set xxtransform
    PFS group2 Set
    match the address tunnelnetworks
    reverse-road remote-peer
    !
    !
    !
    !
    interface Loopback0
    172.16.99.2 the IP 255.255.255.255
    !
    interface FastEthernet0/0
    Description Connection to Internet (DHCP)
    DHCP IP address
    IP access-group outside_in in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    inspect the firewall on IP
    automatic duplex
    automatic speed
    No cdp enable
    xxmap card crypto
    !
    interface Serial0/0
    no ip address
    Shutdown
    No cdp enable
    !
    interface FastEthernet0/1
    Description of the connection to the local network
    IP 172.20.2.1 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    automatic duplex
    automatic speed
    No cdp enable
    VPN service-policy input
    !
    interface Serial0/1
    no ip address
    Shutdown
    No cdp enable
    !
    IP nat inside source list nat - acl interface FastEthernet0/0 overload
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP classless
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    !
    !
    IP nat - acl extended access list
    refuse any 10.0.0.0 0.255.255.255 ip
    allow an ip
    outside_in extended IP access list
    allow udp any eq bootps host 255.255.255.255 eq bootpc
    allow an ip host (ASA IPADDR)
    deny ip any any newspaper
    IP extended access list police
    deny ip host xxxx any
    deny ip any host xxxx
    IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    tunnelnetworks extended IP access list
    permit host 172.16.99.2 ip 10.0.0.0 0.255.255.255
    IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    recording of debug trap
    logging source-interface Loopback0
    exploitation forest xxxx
    not run cdp
    !
    !
    !
    !
    !
    Banner motd ^ CCC

    Authorized technician!

    ^ C
    !
    Line con 0
    line to 0
    line vty 0 4
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    line vty 5 15
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    !
    !
    end

    Please check if this helps:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_crpks.html

    Federico.

  • Order of operations NAT on Site to Site VPN Cisco ASA

    Hello

    I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

    Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

    But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    tunnel-group 100.1.1.1 type ipsec-l2l

    tunnel-group 100.1.1.1 General-attributes

    Group Policy - by default-PHX_HK

    IPSec-attributes tunnel-group 100.1.1.1

    pre-shared key *.

    internal PHX_HK group policy

    PHX_HK group policy attributes

    VPN-filter no

    Protocol-tunnel-VPN IPSec svc webvpn

    card crypto inside_map 50 match address outside_cryptomap_50

    peer set card crypto inside_map 50 100.1.1.1

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    inside_map crypto 50 card value reverse-road

    the PHX_Local object-group network

    host of the object-Network 31.10.11.10

    host of the object-Network 31.10.11.11

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    the HK_Remote object-group network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

    outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

    public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

    public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

    public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

    public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

    He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

    the PHX_Local1 object-group network

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

    Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

    Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

    From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

    If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

    Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

    You have these guests who were not able to use the VPN L2L

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    IF you want them to go to the VPN L2L with their original IP address then you must configure

    object-group, LAN

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    IF you want to use the L2L VPN with the public IP address, then you must configure

    object-group, LAN

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

    Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

    Be sure to mark it as answered if it was answered.

    Ask more if necessary

    -Jouni

  • Site to Site VPN issues

    Hello

    I have created a new site to site vpn connection and can't know why it does not work.

    All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?

    !

    vpn hostname

    domain name

    activate the encrypted password of Pp6RUfdBBUU

    ucU7iJnNlZ passwd / encrypted

    names of

    DNS-guard

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP address 87.117.xxx.xx 255.255.255.252

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP address 78.129.xxx.x 255.255.255.128

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    boot system Disk0: / asa822 - k8.bin

    passive FTP mode

    DNS server-group DefaultDNS

    domain msiuk.com

    permit same-security-traffic inter-interface

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    EQ object of port 8080

    port-object eq www

    EQ object of the https port

    Http81 tcp service object-group

    port-object eq 81

    DM_INLINE_TCP_3 tcp service object-group

    port-object eq 81

    port-object eq www

    the DM_INLINE_NETWORK_1 object-group network

    host of the object-Network 172.19.60.52

    host of the object-Network 172.19.60.53

    host of the object-Network 172.19.60.68

    host of the object-Network 172.19.60.69

    host of the object-Network 172.19.60.84

    host of the object-Network 172.19.60.85

    host of the object-Network 172.19.60.86

    access-list extended basic permit icmp any any echo response

    access-list extended basic permit icmp any one time exceed

    access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx

    permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group

    access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0

    Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128

    SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0

    access list allow extended permit ip any one

    MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203

    MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0

    SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    ARP timeout 14400

    Global (1 interface external)

    NAT (inside) 0 access-list SHEEP

    Access SMTP-NAT NAT (inside) 1 list

    NAT (inside) 1 10.1.1.0 255.255.255.0

    NAT (inside) 1 10.2.2.0 255.255.255.0

    Access-group basic in external interface

    Access-group allow external interface

    Access-group allow the interface inside

    Access-group allow the interface inside

    Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1

    Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1

    Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1

    Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1

    Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication enable LOCAL console

    the ssh LOCAL console AAA authentication

    Enable http server

    http 0.0.0.0 0.0.0.0 outdoors

    No snmp server location

    No snmp Server contact

    Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform

    Crypto ipsec transform-set esp-3des esp-md5-hmac kwset

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES

    card crypto VPNPEER 1 corresponds to the address MATCHJLS

    card crypto VPNPEER 1 set peer 94.128.xxx.xx

    card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto VPNPEER 10 corresponds to the address MATCHVPN3

    card crypto VPNPEER 10 set peer 94.128.xxx.xx

    crypto VPNPEER 10 the transform-set jlstransformset value card

    card crypto VPNPEER 10 set nat-t-disable

    card crypto VPNPEER 30 corresponds to the address MATCHVPN2

    card crypto VPNPEER 30 212.118.xxx.xx peer value

    card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto VPNPEER 30 the value reverse-road map

    card crypto VPNPEER 40 corresponds to the address MATCHVPN4

    VPNPEER 40 crypto map set peer 94.128.xxx.xx

    crypto VPNPEER 40 the transform-set kwset value card

    card crypto VPNPEER 50 corresponds to the address MATCHVPN3

    card crypto VPNPEER 50 set pfs

    card crypto VPNPEER 50 set peer 94.128.xxx.xx

    card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA

    card crypto VPNPEER 50 set nat-t-disable

    card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP

    VPNPEER interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 3600

    Crypto isakmp nat-traversal 3600

    crypto ISAKMP disconnect - notify

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 60

    SSH version 2

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal GroupPolicy1 group strategy

    attributes of Group Policy GroupPolicy1

    value of VPN-filter MATCHKW

    Protocol-tunnel-VPN IPSec l2tp ipsec

    internal CLIENTGROUP group policy

    CLIENTGROUP group policy attributes

    value of server DNS 10.1.1.10 10.1.1.2

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SPLITTUN

    msiuk.local value by default-field

    Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q

    tunnel-group msi type remote access

    msi General attributes tunnel-group

    address LOCPOOL pool

    Group Policy - by default-CLIENTGROUP

    MSI group tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group msi ppp-attributes

    ms-chap-v2 authentication

    tunnel-group 212.118.xxx.xx type ipsec-l2l

    212.118.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    !

    class-map ftpdefault

    match default-inspection-traffic

    class-map default inspection

    !

    !

    Policy-map global_policy

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:b251877ef24a1dc161b594dc052c44

    : end

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    Hello

    OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.

    It seems that you get no traffic back from the remote end

    This could mean one of the following things

    • Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
    • Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
    • Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
    • etc.

    As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.

    If you go ask about this since the admins of the remote site, let us know how to do the thing.

    If you found this information useful, please note the answer/answers and naturally ask more if necessary

    -Jouni

  • Improve SA540 site to site VPN perforamce

    Site has SA540: 50 M / 50 M DSL (country A) (15 users)

    Site B SA540: 2 M / 520KB ADSL (country B) (10 users)

    MTU: 1464 (Test on frame of ping)

    We custom applications and server work on port 80 of services, it comes to legacy applications and need to call the java prompt back.

    We do server on Site A and alos configuration port front of WAN custome application server.

    I find the Site B use direct http services over the Wan just need 5-10 seconds to launch the applaciton

    On the same machine, we use the site to site VPN to connect to the application, that it will take about 15 ~ 20 seconds or more, alos sometimes cannot load success via VPN enforcement, how can I improve it? Or participate in any suggestion that I have to pay?

    Thank you

    Hi yururuhgftdy, your vpn is only as good as the slowest connections. If you want to improve performance, update the connection from the other end.

    -Tom
    Please mark replied messages useful

  • 887VDSL2 IPSec site to site vpn does NOT use the easy vpn

    Much of community support.

    as I'm looking through the config Guide about 870 router series, only to find information about the config with eazy vpn.

    is there a classic way, about 870 Series site 2 site without eazy vpn IPSec configuration?

    Have a classic way if a tunnel? Have the 870 is not as a vpn client?

    Thank you

    Of course, here's example of Site to Site VPN configuration for your reference:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml

    http://www.Cisco.com/en/us/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

    Hope that helps.

  • site to site vpn - internal network even on both sides of the tunnel

    Hi all

    I have the following questions about the Site Site VPN using ASA 5510 and 5505

    Scenerio is

    1. we have five branches & headquarters

    2. we want to establish a vpn between branches & Head Office (VPN from Site to Site)

    3. all branches & head office using the same internal network (192.168.150.0 255.255.255.0)

    My question is

    How can I configure VPN site-to-site between branches & head office with the same internal network (192.168.150.0/24)

    Please help me with the configuration steps & explanation

    I have experience on setting up vpn site to site between branches with differnet internal network (for example: 192.168.1.0/24 and 192.168.2.0/24)

    Waiting for your valuable response

    Hello

    Here are a few links on policy nat

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

    Concerning

  • Using the same set processing on several site to site VPN tunnels

    Hi all. I have a rather strange situation about site-to-site VPN tunnel.

    On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

    The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.

    I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.

    Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?

    Use it on PIX

    card crypto set pfs group2

    Or on ASA, use:

    card crypto set pfs Group1

  • Site to site vpn user name?

    For several years I have implemented no - DMVPN IPSEC VPN.  At the time, it was 515 s Pix.  If I remember correctly, I could set up is a site to site vpn (in which the phase I and phase II card was entered, PSK, etc.) a user remote vpn (where meanings would be implemented with XAUTH for the user credentials, and I think security settings of group for different users). It comes before DMVPN, who simplified a lot of it.

    Anyway, now I have a colleague who bought a RVS4000 with a view to setting up a vpn site-to site with BeeVPN, a site that allows him to work around his ISP followed.  When he asked BeeVPN sheet on how to set up his RVS4000 as one endpoint of IPSEC for site to site vpn, they responded with prison to enter his user name and password as the group name.  What's a sense?  Shouldn't an address of peers, encryption/auth/various-hellman, settings etc. and PSK everything that is required for a vpn site-to site?

    Furthermore, I realize that he may have another problem with his dynamic ip address.  But I was hoping I could get help on the basics first.

    Thank you very much

    You are right.

  • Routing multiple subnets on a site to site VPN

    What is the recommended solution to deliver several subnets on a site to site vpn? Each subnet requires its own policy or a policy can be used for one or more subnets if the remote site has several subnets? In addition, if the remote router has only two fastethernet interfaces, it'll work if one of the interfaces of subinterface configuration or router on a stick?

    If you talk about static routing, you can simply add the routes and change the ACL for encrypted as a result traffic.

    If you want to run a dynamic routing. you will then need to IPSEC VTI.  Here is the link

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136

    and although I did not use of subinterfaces for IPSEC VTI. but according to me, it will work.

  • Is site to site VPN with sufficiently secure router?

    Hello

    I have a question about the site to site VPN with router.

    Internet <> router <> LAN

    If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

    Thank you

    Hi Amanda,.

    Assuming your L2L looks like this:

    LAN - router - INTERNET - Router_Remote - LAN

    |-------------------------------------------------------------------------------|

    L2L

    Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

    On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

    If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

    Design of the area Guide of Application and firewall policies

    If you consider that this is not enough, check the ASA5500 series.

    HTH.

    Portu.

    Please note all useful posts

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure the ASA1 with static NAT strategy

      • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
    • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
    • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
      • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
      • NAT (inside) 0-list of access to the INTERIOR-SHEEP
    • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
      • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • IPsec site to Site VPN on Wi - Fi router

    Hello!

    Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • Site to site VPN, I need all internet traffic to exit the site.

    I have 2 sites connected via a pair of SRX5308

    A = 192.168.1.0/24

    IP WAN = 1.1.1.1

    B = 192.168.2.0/24

    IP WAN = 2.2.2.2

    Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.

    On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.

    I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.

    Anyone have any ideas?

    I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.

    Thank you

    Dave.

    After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

    (1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0

    (2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit

    (a) disable Netbios

    (b) select "None" from the drop-down list the remote IP address.

    (c) to apply the change

    3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit

    (a) disable Netbios

    (b) select "None" from the drop-down list the local IP address

    (c) to apply the change

    Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.

Maybe you are looking for