Bad VPN ASA injection road on OSPF when using remote access
Has anyone ever seen the ASA by inserting a bad road in a connection that has been set up with it? I'll explain more below:
I'm using a reverse road Injection. When access remotely with IPSEC (CLIENT) connects to the camera ASA, ASA create a static route to the remote access to the closest router for the SAA to come to this remote access. This itinerary is distributed on OSPF. OK, it may be a normal situation. But, the problem is when I ask another participant of this OSPF area, which is the road to this remote access (CLIENT), the answer is the router closer to the ASA and don't have to ASA. Does anyone have a solution for this? I tried to create a roadmap but that you did not.
If I understand your question, my question for you is whether the OSPF route to the remote VPN client is source by ASA or another device?
Is the IP address in the space I wrote ASA_ROUTER_ID ASA router ID or it is the router from another device ID? What I've listed below are an example of the output of "show ip route. The value in bold must be ASA router ID, if she is from the road to the VPN client. Other OSPF routers will forward packets destined to VPN to ASA client.
#sh ip route 1.1.1.0
Routing for 1.1.1.0/24 entry
Known through the "ospf 1", metric 110, distance 310, type intra zone
Last updated on GigabitEthernet0 1.2.2.2, 2w there
Routing descriptor blocks:
* 1.2.2.2, ASA_ROUTER_ID, there is, through GigabitEthernet0 2w
Path metric is 310, number of shares of traffic 1
Tags: Cisco Security
Similar Questions
-
Service of ASA module does on 6509-E support remote access VPN?
I'm having a problem of configuration of remote access VPN (SSL, Anyconnect ect.) on the Module of ASA Service on 6509-E. It is even supported or I'm wasting my time trying to do something that won't work in a first place :) to work? Site-to-Site works without any problem.
Technical info:
6509-E current SUP 2 t SY 15.1 (2)
Module of ASA - WS-SVC-ASA-SM1 running of the image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption--Activated
3DES-AES-Encryption - enabled
Thank you for the support.
You run multiple context mode?
If you are, access remote VPN only is not supported in this case:
"Note several context mode only applies to the IKEv2 and IKEv1 site to another and applies not to the AnyConnect, clientless SSL VPN, the legacy Cisco VPN, native VPN client client of Apple, the VPN client from Microsoft or cTCP for IKEv1 IPsec."
-
Internal error Windows 8.1 has occurred when using web access
I've recently updated mij PC to Windows 8.1.
When I connect our departure from en Portal Web Access request I get the following error: internal error occurred.
Details:
OS: Windows 81. x 64
Connector version: 8.0.1186 from the fix 271675
I was wondering if there is a work around for this problem?
Concerning
Misha
Hello
Not bad at all. I'm happy to get it out to you guys.
Looks like Michel has just blogged about this too, which means that he is now on our main Web site and can be downloaded on https://support.quest.com/SolutionDetail.aspx?id=SOL115599 where everyone is after him.
Thank you, Andrew.
-
Mapping strategies for VPN remote access to specific accounts
I have an ASA firewall with the Anyconnect VPN configuration on it. For this VPN policies are below:
internal SSLClientPolicy group strategy
attributes of Group Policy SSLClientPolicy
value x.x.x.x DNS server
client ssl-VPN-tunnel-Protocol
by default-field x.x.x.x
the address value SSLClientPool pools
attributes of Group Policy DfltGrpPolicy
value x.x.x.x DNS server
by default-field x.x.x.x
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocoltype tunnel-group SSLClientProfile remote access
attributes global-tunnel-group SSLClientProfile
Group Policy - by default-SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
enable SSLVPNClient group-aliasI want to activate tunneling split for one user, but current policy restricts it. Is there a way to create a separate policy for a user and map it to him somehow? I do not see where I'd
Hello
Yes, you can create a separate group for this user name policy, and then assign this group policy under the attribute of the user. For example:
SPLIT_ACL standard access list allow X.X.X.0 255.255.255.0
internal group USER_POLICY strategy
USER_POLICY-group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SPLIT_ACLusername splituser password Cisco
vpnuser username attributes
VPN-group-policy USER_POLICY -
Hello
I have 2 Cisco Pix (Pix1, Pix2) 515E (8.0.4). Between these devices exist VPN L2L, which are configured on the external interfaces. On Pix2 I configured remote access VPN on the external interface, too.
Is it possible to achieve LAN behind Pix1, by using remote access VPN on Pix2 then VPN L2L?
I don't want to set up remote access on Pix1.
Thank you very much.
Kind regards
Vladislav
NAT (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA vpn to access the internet if you complete tunnel)
It is simply because I have configured tunnel RA as complete tunnel instead of split, nat (outside) 1 at the RA 140.40.30.0 pool have internet access through your firewall ASA_SITE_B and translate with global ID 1 who is your external interface of the firewall SA_SITE_B. This has nothing to do with what you are trying to accomplish, but I posted it because it was part of the very common scenario. There are some example PIX 6.3 cases where you will need split tunnel so that RA users have internet access not passing not through the encrypted tunnel code 6.0 does not feature of intra-interface support but 7.x above is of the code. Other examples are that some people configure split RA RA user tunnel will have access to their local resources in their homes as the printers network etc...
It is therefore, I need to translate 172.27.1.0/24 RA pool?
No there is no address translation in place in this scenario to work and you don't need to translate something too long, there is no of networks that overlap in one of the SITES u do not need to translate, this scenario is completely free sheep as you access lists free of nat in two firewalls for networks involved in communication in tunnels ASA_SITE_B.
Because I want to see IP addresses from PIX_SITE_A to 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?
Im not clear on this issue, but if I think what it means, it's possible but you need to have political NATing but I think this will make complicated setup, I would say to make this as simple as possible.
Concerning
All helpful PLS rate valid if it helped
-
ODA IP ASA when you browse the web via remote access vpn
Hi all
I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.
The firmware version of the ASA is 9.1 (6)
Thanks in advance
Hello
What you want to achieve is calles u-turn.
You must enable the feature allowed same-security-traffic intra-interface
For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem
-
Problem VPN ASA 5505 8.3 (1) a site
Hello
My problem is with VPN site-to-site. It's between ASA5505 8.3 (1) and Pix 501 6.3 (5). The tunnel is created between them and it's good, here you have the results to see the crypto ipsec's and isakmp his
ciscoasa # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: 91.X.X.57
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
ciscoasa # sh crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.X.X.57
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 3757, #pkts decrypt: 3757, #pkts check: 3757
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 79.X.X.2/0, remote Start crypto. : 91.X.X.57/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: F1C2FD46
current inbound SPI: 1BCF8C49
SAS of the esp on arrival:
SPI: 0x1BCF8C49 (466586697)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373665/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xF1C2FD46 (4056087878)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
But the problem is, as you can see in a show crypto ipsec sa, there is now traffic to a remote network of ASA
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
I have a single device on the remote network sends data to a sysloger on the local network and it works fine, all received messages but not other way to traffic.
To make sure that I go see the Nat and packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80 and looks like SHEEP works very well and traffic is allowed, but still once anything gets into the tunnel of local network
Results
ciscoasa # sh nat
Manual NAT policies (Section 1)
1 (one) to (all) source static sheep sheep sheep destination static sheep
translate_hits = 0, untranslate_hits = 38770
2 (inside) for the service public static obj - the source (on the outside) TCP1433 TCP1433 79.X.X.5 192.168.10.7
translate_hits = 0, untranslate_hits = 95
3 (inside) to the source (external) static obj - 192.168.10.7 interface service zzz zzz
translate_hits = 0, untranslate_hits = 19
4 (inside) of the (whole) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 17, untranslate_hits = 0
5 (inside) of the (whole) source static obj - obj - static 192.168.10.0 192.168.10.0 obj - obj-destination 10.1.1.1 10.1.1.1
translate_hits = 134, untranslate_hits = 0
6 (inside) to the (whole) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
translate_hits = 0, untranslate_hits = 0
7 (inside) of the (whole) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 172, untranslate_hits = 53
Auto NAT policies (Section 2)
1 (inside) (outside) source static obj - 192.168.10.3 service TCP 3389 3389 79.X.X.5
translate_hits = 12, untranslate_hits = 4823
2 (inside) (outside) source static obj - 192.168.10.5 79.X.X.3 DNS
translate_hits = 341869, untranslate_hits = 41531
3 (inside) (outside) source static obj - 192.168.10.3 - 01 79.X.X.5 service TCP 444 444
translate_hits = 0, untranslate_hits = 0
4 (inside) to the source (external) static obj - 192.168.10.7 tcp 3389 3389 service interface
translate_hits = 21, untranslate_hits = 751
5 (inside) (outside) source static obj - 192.168.10.7 - 02 interface tcp 8080 https service
translate_hits = 0, untranslate_hits = 100
6 (inside) (outside) source static obj - 192.168.10.11 79.X.X.5 TCP smtp smtp service
translate_hits = 2, untranslate_hits = 18838
7 (inside) (outside) source static obj - 192.168.10.11 - 01 udp 443 443 service 79.X.X.5
translate_hits = 0, untranslate_hits = 0
8 (inside) (outside) source static obj - 192.168.10.11 - 02 79.X.X.5 tcp https https service
translate_hits = 221, untranslate_hits = 9770
9 (inside) (outside) source static obj - 192.168.10.11 - 03 79.X.X.5 tcp https https service
translate_hits = 0, untranslate_hits = 0
10 (inside) (outside) source static obj - 192.168.10.15 79.X.X.5 service tcp www 81
translate_hits = 0, untranslate_hits = 34
11 (inside) (outside) source static obj - 192.168.10.26 79.X.X.5 service TCP 8080 8080
translate_hits = 9, untranslate_hits = 4407
12 (inside) (outside) source static obj - 192.168.10.26 - 01 79.X.X.5 tcp 8080 www service
translate_hits = 0, untranslate_hits = 578
13 (inside) (outside) source static obj - 192.168.10.220 79.X.X.6 service TCP 3389 3389
translate_hits = 0, untranslate_hits = 41
14 (inside) (outside) source static obj - 192.168.10.220 - 1 79.X.X.6 tcp https https service
translate_hits = 0, untranslate_hits = 3
15 (inside) to the obj_any interface dynamic source (external)
translate_hits = 410005, untranslate_hits = 144489
16 (invited) to dynamic interface of the source (outside) obj_any-01
translate_hits = 19712, untranslate_hits = 4490
ciscoasa # packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80
Phase: 1
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.11.250/80 to 192.168.11.250/80
Phase: 2
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group inside_out in interface inside
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Additional information:
Direct flow from returns search rule:
ID = 0xd9886ae8, priority = 13, area = allowed, deny = false
hits = 18503, user_data = 0xd6581290, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd80c87c8, priority = 0, sector = inspect-ip-options, deny = true
hits = 1047092, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd9859830, priority = 6, area = nat, deny = false
hits = 2107, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd8114d98, priority = 0, domain = host-limit, deny = false
hits = 674350, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd83a9960, priority = 70, domain = encrypt, deny = false
hits = 26732, user_data = 0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd98d1d70, priority = 6, area = nat-reversed, deny = false
hits = 1419, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd9bda388, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 486, user_data is 0x13492cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.11.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.10.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd8192ab0, priority = 0, sector = inspect-ip-options, deny = true
hits = 1169899, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1293619 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
It is a complete config for ASA
VPN
Network local 192.168.10.0/24
remote network 192.168.11.0/24
Config
:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain.com domain name
activate the password * encrypted
passwd * encrypted
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 79.X.X.2 255.255.255.248
!
interface Vlan12
prior to interface Vlan1
nameif comments
security-level 80
192.168.4.1 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
boot system Disk0: / asa831 - k8.bin
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 192.168.10.11
domain.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network object obj - 192.168.0.0
Subnet 192.168.0.0 255.255.0.0
network object obj - 192.168.2.0
Subnet 192.168.2.0 255.255.255.128
network object obj - 10.0.0.0
subnet 10.0.0.0 255.0.0.0
network object obj - 192.168.10.2
host 192.168.10.2
network object obj - 192.168.10.2 - 01
host 192.168.10.2
network object obj - 192.168.10.3
host 192.168.10.3
network object obj - 192.168.10.2 - 02
host 192.168.10.2
network object obj - 192.168.10.2 - 03
host 192.168.10.2
network object obj - 192.168.10.3 - 01
Home 192.168.10.7
network object obj - 192.168.10.5
host 192.168.10.5
newserver network object
Home 192.168.10.7
New SQL Server description
network object obj - 192.168.10.7
Home 192.168.10.7
network of the A_79.X.X.6 object
Home 79.X.X.6
network of the PublicServer_NAT1 object
Home 192.168.10.7
zzz service object
service source eq 1 65535 udp syslog destination range
Syslog description
purpose of the 79.X.X.5 network
Home 79.X.X.5
service of the TCP1433 object
destination service tcp source eq 1433 1 65535 range
Description TCP1433
network object obj - 192.168.10.220
Home 192.168.10.220
network object obj - 192.168.10.220 - 1
Home 192.168.10.220
network object obj - 192.168.10.222
Home 192.168.10.222
network object obj - 192.168.10.2 - 04
host 192.168.10.2
network object obj - 192.168.10.7 - 02
Home 192.168.10.7
network object obj - 192.168.10.11
Home 192.168.10.11
network object obj - 192.168.10.11 - 01
Home 192.168.10.11
network object obj - 192.168.10.11 - 02
Home 192.168.10.11
network object obj - 192.168.10.11 - 03
Home 192.168.10.11
network object obj - 192.168.10.26
Home 192.168.10.26
network object obj - 192.168.10.26 - 01
Home 192.168.10.26
network object obj - 192.168.10.15
Home 192.168.10.15
network object obj - 192.168.10.11 - 04
Home 192.168.10.11
network object obj - 10.1.1.1
host 10.1.1.1
network object obj - 192.168.10.0
192.168.10.0 subnet 255.255.255.0
network object obj - 192.168.10.220 - 2
Home 192.168.10.220
network vpn-local object
192.168.10.0 subnet 255.255.255.0
object network vpn - ru
subnet 192.168.11.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
object-group service syslog udp
Service Description syslog group
port-object eq syslog
object-group service udp zzzz
port-object eq syslog
object-group service sss udp
port-object eq syslog
object-group network sheep
object-network 192.168.10.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
outside_all of access allowed any ip an extended list
VPN_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.0.0
VPN_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.128
inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 192.168.2.0 255.255.255.128
access-list extended inside_out allow ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
scope of the inside_out to the list of permitted any one ip access
inside_out to the access list extended 192.168.11.0 allowed any ip 255.255.255.0
inside_out to the list of access permit tcp host 192.168.10.2 any eq smtp
inside_out to the list of access permit tcp any any eq smtp
access-list extended inside_out allow udp 192.168.10.0 255.255.255.0 host 10.1.1.1
access-list extended inside_out permit udp host 10.1.1.1 192.168.10.0 255.255.255.0
inside_out to the list of allowed extensive access icmp host 192.168.10.7 all
inside_out to the list of allowed extensive access a whole icmp
outside_zzz list of allowed ip extended access any external interface
outside_zzz list extended access permit tcp host 87.X.X.73 host 79.X.X.5 eq 1433
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq 1433
outside_zzz list extended access permitted tcp 207.126.144.0 255.255.240.0 eq 79.X.X.5 the smtp host
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq smtp
outside_zzz access-list extended permit ip any host 79.X.X.5
outside_zzz of access allowed any ip an extended list
permit access list extended ip 192.168.10.0 outside_in 255.255.255.0 192.168.11.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 any
outside_in list extended access permit tcp any host 192.168.10.15 eq 81
outside_in list extended access permit ip any host 192.168.10.5
access-list outside_in extended permit ip any host 79.X.X.4
outside_in list extended access permit tcp host 82.X.X.166 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 84.X.X.30 host 192.168.10.7 eq 1433
outside_in list extended access tcp refuse any host 192.168.10.7 eq 1433
outside_in list extended access permit tcp any host 192.168.10.3 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.11 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 eq smtp host 192.168.10.11
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.2 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.11 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.2 eq smtp
outside_in list extended access permit tcp any host 192.168.10.2 eq smtp
outside_in list extended access permit udp any host 192.168.10.2 eq 443
outside_in list extended access permit tcp any host 192.168.10.3 eq 3389
outside_in list extended access permit tcp any host 192.168.10.2 eq 4125
outside_in list extended access permit tcp any host 192.168.10.11 eq https
outside_in list extended access permit tcp any host 192.168.10.2 eq https
outside_in list extended access allowed esp all the host 91.X.X.57
outside_in list extended access permit tcp any host 192.168.10.3 eq 1433
access-list extended outside_in permit ip host 91.X.X.57 all
access-list outside_in extended permit ip any host 79.X.X.5
access-list outside_in extended permit ip any host 79.X.X.2
outside_in list extended access permit tcp any host 79.X.X.6 eq 3389
outside_in list extended access permit tcp any host 192.168.10.220 eq 3389
outside_in list extended access permit tcp any host 79.X.X.5 eq 81
access extensive list permits all ip a outside_in
outside_in list extended access permit tcp host 91.X.X.178 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 87.X.X.73 host 192.168.10.7 eq 1433
access-list extended qnap permit ip host 192.168.10.26 all
access-list extended qnap permit ip any host 192.168.10.26
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.10.0 255.255.255.0
permit phone_bypass to access extended list ip 192.168.10.0 255.255.255.0 host 10.1.1.1
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.2.0 255.255.255.0
phone_bypass to access extended list ip 192.168.2.0 allow 255.255.255.0 host 10.1.1.1
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
exploitation forest-size of the buffer 1024000
logging asdm-buffer-size 512
logging buffered information
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
Comments of MTU 1500
mask of local pool RemoteVPN 192.168.2.20 - 192.168.2.100 IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 631.bin
enable ASDM history
ARP timeout 14400
NAT (any, any) source static sheep sheep sheep destination static sheep
NAT source service (Interior, exterior) static obj - 192.168.10.7 79.X.X.5 TCP1433 TCP1433
NAT (inside, outside) source static obj - 192.168.10.7 interface service zzz zzz
NAT (inside, all) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
NAT (inside, all) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 10.1.1.1 obj - 10.1.1.1
NAT (inside, all) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
NAT (inside, all) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
!
network object obj - 192.168.10.3
NAT (inside, outside) static service tcp 3389 3389 79.X.X.5
network object obj - 192.168.10.3 - 01
NAT (inside, outside) static 79.X.X.5 tcp 444 444 service
network object obj - 192.168.10.5
NAT (inside, outside) public static dns 79.X.X.3
network object obj - 192.168.10.7
NAT (inside, outside) interface static service tcp 3389 3389
network object obj - 192.168.10.220
NAT (inside, outside) static service tcp 3389 3389 79.X.X.6
network object obj - 192.168.10.220 - 1
NAT (inside, outside) static 79.X.X.6 tcp https https service
network object obj - 192.168.10.7 - 02
NAT (inside, outside) interface static tcp 8080 https service
network object obj - 192.168.10.11
NAT (inside, outside) static 79.X.X.5 tcp smtp smtp service
network object obj - 192.168.10.11 - 01
NAT (inside, outside) udp 443 443 service 79.X.X.5 static
network object obj - 192.168.10.11 - 02
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.11 - 03
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.26
NAT (inside, outside) static 79.X.X.5 8080 8080 tcp service
network object obj - 192.168.10.26 - 01
NAT (inside, outside) static 79.X.X.5 tcp 8080 www service
network object obj - 192.168.10.15
NAT (inside, outside) static 79.X.X.5 tcp 81 www service
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT dynamic interface (guest, outdoor)
Access-group inside_out in interface inside
Access-group outside_in in external interface
Route outside 0.0.0.0 0.0.0.0 79.X.X.1 1
Route inside 10.0.0.0 255.0.0.0 192.168.10.4 1
Route outside 10.1.1.1 255.255.255.255 192.168.10.4 1
Route outside 192.168.11.0 255.255.255.0 79.X.X.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
RADIUS Protocol RADIUS AAA server
reactivation impoverishment deadtime mode 1
AAA-server RADIUS (inside) host 192.168.10.7
key *.
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
http server enable 444
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
Service resetoutside
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-SHA 256 - aes - esp esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 1 match for vpn
outside_map game 1 card crypto peer 91.X.X.57
card crypto outside_map 1 set of transformation-ESP-AES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
Crypto isakmp nat-traversal 3600
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 0
dhcpd dns 83.X.X.8 83.X.X.10
dhcpd outside auto_config
!
dhcpd address 192.168.10.50 - 192.168.10.100 inside
dhcpd dns 83.X.X.8 83.X.X.10 interface inside
dhcpd lease interface 600 inside
dhcpd interface to domain.com domain inside
!
Reviews of dhcpd address 192.168.4.50 - 192.168.4.100
Dhcpd lease 600 interface comments
Comments enable dhcpd
!
priority queue inside
priority-queue outdoors
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP 93.170.32.1 Server
NTP 93.170.32.2 Server
NTP 89.145.68.17 Server prefer
WebVPN
allow outside
SVC image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 regex 'Windows NT'
SVC image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 2 regex "Windows CE"
enable SVC
Auto-signon allow ip 192.168.0.0 255.255.0.0 basic auth-type
internal l2l group policy
attributes of the l2l group policy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
value by default-field DOMAINl.local
internal VPNv group strategy
attributes of Group Policy VPNv
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
field default value domain.com
password username test * encrypted privilege 0
username test attributes
VPN-group-policy VPNv
ID password cisco * encrypted
roger password username * encrypted privilege 15
attributes global-tunnel-group DefaultRAGroup
address pool RemoteVPN
attributes global-tunnel-group DefaultWEBVPNGroup
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
type tunnel-group VPNv remote access
attributes global-tunnel-group VPNv
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
Group Policy - by default-VPNv
IPSec-attributes tunnel-group VPNv
pre-shared key *.
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
management of the password password-expire-to-days 90
tunnel-group 91.X.X.57 type ipsec-l2l
IPSec-attributes tunnel-group 91.X.X.57
pre-shared key *.
!
Global class-card class
match default-inspection-traffic
class-map qnap_band
corresponds to the list of access qnap
The class-card phone
corresponds to the phone_bypass access list
!
!
Policy-map global_policy
Global category
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Policy-map qnap_access
class qnap_band
512000 64000 police entry
512000 64000 release of police
phone class
set the advanced options of the tcp-State-bypass connection
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect the pptp
inspect the rtsp
inspect the sip
inspect the skinny
Policy-map phone_bypass_policy
phone class
set the advanced options of the tcp-State-bypass connection
!
service-policy-international policy global
service-policy qnap_access to the inside interface
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Thanks in advance for any help.
Wojciech salvation,
Based on this info, I think that you can run in CSCtb53186, this bug has affected many versions before 8.3 and when fixed DEVs they were always be some details in waiting, and they created CSCtd36473 to these outstanding issues. CSCtd36473 is fixed on 8.3.1.1 intermediate version however is not fixed on 8.3.1 so I suggest you spend at least 8.3.2
Read this:
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.Y.Y.57#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 502, #pkts decrypt: 502, #pkts check: 502
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0outgoing esp sas:
SPI: 0xDE50E6EA (3729843946)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 425984, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/28234)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
VPN CTX = 0x015F913C
By peer IP = 192.168.11.0
Pointer = 0xD98CACD0
State = upwards
Flags = BA + ESP
ITS = 0X019235E7
SPI = 0xDE50E6EA
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filterhits = 0, user_data is0x15f913c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0hits = 44437, user_data is0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0As you can see above we are a different context to encrypt the traffic (not used with the spi of the sh cry ipsec his)
If you do the same packet tracer, but this time with the details of the key words at the end probs you will get to see that we use 0xce165c.
Just looked at your configuration again and before you do the upgrade please correct this:
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
Just remove the second line:
no -access extended vpn ip 192.168.11.0 list allow 255.255.255.0 192.168.10.0 255.255.255.0
Also:
No outside_map interface card crypto outside
and then:
outside_map interface card crypto outside
See if that helps before perforrming upgrade,
Kind regards.
-
I have problems to access the resources within the network when connecting with the Cisco VPN client for a version of 8.4 (3) operation of the IOS Cisco ASA 5510. I tried all new NAT 8.4 orders but cannot access the network interior. I can see traffic in newspapers when ping. I can only assume I have NAT evil or it's because the inside interface of the ASA is on the 24th of the same subnet as the network interior? Please see config below, any suggestion would be appreciated. I configured a VPN site to another in this same 5510 and it works well
Thank you
interface Ethernet0/0
Speed 100
full duplex
nameif outside
security-level 0
IP x.x.x.x 255.255.255.240
!
interface Ethernet0/1
Speed 100
full duplex
nameif inside
security-level 100
IP 10.88.10.254 255.255.255.0
!
interface Management0/0
Shutdown
nameif management
security-level 0
no ip address
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the PAT_to_Outside_ClassA object
10.88.0.0 subnet 255.255.0.0
network of the PAT_to_Outside_ClassB object
subnet 172.16.0.0 255.240.0.0
network of the PAT_to_Outside_ClassC object
Subnet 192.168.0.0 255.255.240.0
network of the LocalNetwork object
10.88.0.0 subnet 255.255.0.0
network of the RemoteNetwork1 object
Subnet 192.168.0.0 255.255.0.0
network of the RemoteNetwork2 object
172.16.10.0 subnet 255.255.255.0
network of the RemoteNetwork3 object
10.86.0.0 subnet 255.255.0.0
network of the RemoteNetwork4 object
10.250.1.0 subnet 255.255.255.0
network of the NatExempt object
10.88.10.0 subnet 255.255.255.0
the Site_to_SiteVPN1 object-group network
object-network 192.168.4.0 255.255.254.0
object-network 172.16.10.0 255.255.255.0
object-network 10.0.0.0 255.0.0.0
outside_access_in deny ip extended access list a whole
inside_access_in of access allowed any ip an extended list
11 extended access-list allow ip 10.250.1.0 255.255.255.0 any
outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1
mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool
NAT static NatExempt NatExempt of the source (indoor, outdoor)
NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search
NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1
NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2
NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3
NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search
!
network of the PAT_to_Outside_ClassA object
NAT dynamic interface (indoor, outdoor)
network of the PAT_to_Outside_ClassB object
NAT dynamic interface (indoor, outdoor)
network of the PAT_to_Outside_ClassC object
NAT dynamic interface (indoor, outdoor)
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-registration DfltAccessPolicy
Sysopt connection timewait
Service resetoutside
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto-map dynamic dynmap 10 set pfs
Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1
life together - the association of security crypto dynamic-map dynmap 10 28800 seconds
Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic dynmap 10 the value reverse-road
card crypto mymap 1 match address outside_1_cryptomap
card crypto mymap 1 set counterpart x.x.x.x
card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1
card crypto mymap 86400 seconds, 1 lifetime of security association set
map mymap 1 set security-association life crypto kilobytes 4608000
map mymap 100-isakmp ipsec crypto dynamic dynmap
mymap outside crypto map interface
crypto isakmp identity address
Crypto isakmp nat-traversal 30
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 1
life 86400
IKEv1 crypto policy 50
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
preshared authentication
aes-256 encryption
sha hash
Group 1
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
Console timeout 0
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal BACKDOORVPN group policy
BACKDOORVPN group policy attributes
value of VPN-filter 11
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelall
BH.UK value by default-field
type tunnel-group BACKDOORVPN remote access
attributes global-tunnel-group BACKDOORVPN
address pool Admin_Pool
Group Policy - by default-BACKDOORVPN
IPSec-attributes tunnel-group BACKDOORVPN
IKEv1 pre-shared-key *.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
Excellent.
Evaluate the useful ticket.
Thank you
Rizwan James
-
Hello!
I have 9.1 (3) version of Cisco ASA with remote access VPN set UP on the outside interface. When the user connects to the Internet on the outside interface, it works well. My goal is to allow the connection of all other interfaces (inside the dmz and etc.) to the outside interface. Cisco ASA allows to do? Order to packet - trace output is less to:
MSK-hq-fw1 # packet - trace entry inside tcp 10.10.10.1 14214 1.1.1.2 443
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
developed 1.1.1.2 255.255.255.255 identity
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
developed 1.1.1.2 255.255.255.255 identity
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
the output interface: NP identity Ifc
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: (headwall) No. road to host
Hello
Well, you can of course turn VPN on other interfaces, but to be honest, I never even tried to set up the VPN it otherwise than of multiple multiple external interfaces in the case of the ISP and in this case only for testing purposes.
Some things related to the ASA are well known but not well documented.
The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)
Note
For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.
Source (old configuration guide):
-Jouni
-
Problem with ASA 5505 VPN remote access
After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?
Here is the cfg running of the ASA
----------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4 (1)
!
hostname NCHCO
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxx encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
network of the NCHCO object
Subnet 192.168.2.0 255.255.255.0
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
network object obj - 192.168.2.64
subnet 192.168.2.64 255.255.255.224
network object obj - 0.0.0.0
subnet 0.0.0.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the Web server object network
the FINX object network
Home 192.168.2.11
rdp service object
source between 1-65535 destination eq 3389 tcp service
Rdp description
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0
inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224
outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
LAN_Access list standard access allowed 192.168.2.0 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
outside_access_in list extended access permit tcp any object FINX eq 3389
outside_access_in_1 list extended access allowed object rdp any object FINX
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0
NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64
NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the FINX object network
NAT (inside, outside) interface static service tcp 3389 3389
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http *. **. ***. 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform
IKEv1 crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHCO group policy
NCHCO group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1
value by default-field NCHCO.local
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username NCHvpn99 password dhn. JzttvRmMbHsP encrypted
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
IKEv1 pre-shared-key *.
type tunnel-group NCHCO remote access
attributes global-tunnel-group NCHCO
address pool VPN_Pool
Group Policy - by default-NCHCO
IPSec-attributes tunnel-group NCHCO
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
ASDM image disk0: / asdm - 649.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
---------------------------------------------------------------------------------------------------------------
And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:
---------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7601 Service Pack 1
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026
Try to find a certificate using hash Serial.
2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027
Found a certificate using hash Serial.
3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011
RELOADED successfully certificates in all certificate stores.
4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002
Start the login process
5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is NOT behind a NAT device
21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F
SPLIT_NET #1
= 192.168.2.0 subnet
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local
46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710
47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11
49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now
57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">
59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify is set to 28800 seconds
60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***
61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059
IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)
62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025
OUTGOING ESP SPI support: 0xAAAF4C1C
63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026
Charges INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001
Launch VAInst64 for controlling IPSec virtual card
66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034
The virtual card has been activated:
IP=192.168.2.70/255.255.255.0
DNS = 192.168.2.1, 8.8.8.8
WINS = 0.0.0.0 0.0.0.0
Domain = NCHCO.local
Split = DNS names
67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038
Were saved successfully road to file changes.
69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036
The routing table has been updated for the virtual card
71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A
A secure connection established
72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001
Did not find the smart card to watch for removal
75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0x1c4cafaa in the list of keys
78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0xc5bfbe3e in the list of keys
80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F
Assigned WILL interface private addr 192.168.2.70
81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037
Configure the public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046
Define indicator tunnel set up in the registry to 1.
83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205276
85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276
88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019
Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205277
91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277
94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205278
96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278
---------------------------------------------------------------------------------------------------------------
Any help would be appreciated, thanks!
try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.
-
Hi all
I read the http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and following the steps to create a remote access VPN. At the end of this post is delivered to the FW config.
I test the connection on a Cisco VPN Client for Windows Remote with plans on the migration of the profile to my Linux laptop. What I see is an error message when you run 'debug cryptop isa 129' of
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryWhat seems strange to me, is that I have a group policy and a configured connection IPSec 'RemoteHome' profile, but it is not referenced in the debug output. I searched through my config for DefaultRAGroup, but nothing helped. However I found it in the ASDM under IPSec connection profiles.
I configured the FW to use LOCAL authentication and have configured the VPN Client with the right user name and password.
So, basically, I'm at a loss on how to correct my mistake. Any help much appreciated.
After the config FW is the power output of debug crypto isa 129.
See you soon,.
Conor
RemoteHome_splitTunnelAcl list standard access allowed host 10.2.2.2
RemoteHome_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.0.0
RemoteHome_splitTunnelAcl standard access list allow 10.3.3.0 255.255.255.0
RemoteHome_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
access-list 1 permit line INSIDE_nat0_outbound extended ip host 10.2.2.2 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 2 extended ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
permit for access list 3 INSIDE_nat0_outbound line scope ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 4 extended ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
local pool VPN_REMOTE_POOL 192.168.2.90 - 192.168.2.99 255.255.255.0 IP mask
internal RemoteHome group strategy
Group Policy attributes RemoteHome
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RemoteHome_splitTunnelAcl
value of DNS server *.
cunningtek.com value by default-field
tunnel-group RemoteHome type remote access
attributes global-tunnel-group RemoteHome
Group Policy - by default-RemoteHome
address VPN_REMOTE_POOL pool
IPSec-attributes tunnel-group RemoteHome
pre-shared key *.
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
NAT (INSIDE) 0 access-list INSIDE_nat0_outbound tcp udp 0 0 0Firewall # Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) the SELLER (13) + the SELLER (13) + SOLD
OR (13) of the SELLER (13) + the SELLER (13) + (0) NONE total length: 849
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ISA_KE
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, nonce payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received xauth V6 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, DPD received VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received Fragmentation VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received NAT-Traversal worm 02 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, the customer has received Cisco Unity VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, message received ISAKMP Aggressive Mode 1 with the name of Group of unknown tunnel "conor".
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA proposal # 1, transform # 5 entry overall IKE acceptable matches # 1
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build the payloads of ISAKMP security
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building nonce payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for answering machine...
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of payload ID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of hash
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, calculation of hash for ISAKMP
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of Cisco Unity VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing payload V6 VID xauth
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing the payload of the NAT-Traversal VID ver 02
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of Fragmentation VID + load useful functionality
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) + HASH (8) the SELLER (13) + the SELLER (13) + SOLD
OR (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + (0) NONE total length: 424
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, case of mistaken IKE AM Responder WSF (struct & 0xd8d3bed8), : AM_DONE, EV_ERROR--> AM_SND_MSG2, EV_
SND_MSG--> AM_SND_MSG2, EV_START_TMR--> AM_BLD_MSG2, EV_BLD_MSG2_TRL--> AM_BLD_MSG2, EV_SKEYID_OK--> AM_BLD_MSG2, NullEvent--> AM_BLD_MSG2, EV_GEN_SKEYID--> AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 ending: 0x0104c001, refcnt flags 0, tuncnt 0
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending clear/delete with the message of reason
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryI think this is the beginning of your question.
Message received ISAKMP aggressive Mode 1 with the name of the unknown group tunnel "conor".
In the vpn client, you must enter the name of the group, RemoteHome and pre shared key, NOT your username. You will be asked your username after login.
As the name conor group does not exist, it is failing in the DefaultRAGroup
-
Road of default remote access VPN session
ASA version 8.2.2
How do you assign remote access VPN sessions a single default route? Other than the default route assigned to ASA. For example, my VPN ASA (handles vpn sessions), defaults to the Internet. I wish that sessions VPN for remote access by default internal network first, then follow the default route to the Internet on another firewall.
The SAA outside the IP address of the interface is a public. Inside is a private 10.x.x.x. VPN clients receive 172.17.x.x.
Thank you
After the command 'road' added keyword "tunnel".
in the tunnel
Specifies the route as the default gateway of tunnel for the VPN traffic.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/QR.html#wp1767323
-
S2S VPN Asa 5510 to 5505 no traffic passing (hair Pulling)
I have one site to another configured between a 5505 and ASA 5510, the tunnel is in place but can not pass any traffic one way or another. A 5510, 8.4.3 while the 5505 was 8.2. I find the version 8.2 the less confusing when configure the VPN. The new NAT throws me for a loop on the 5510. I have 1 tunnel upward and will already and it works fine. But when I do a new online, it won't pass any traffic.
The traffic I'm EFS is 5510 (192.168.180.0/24, 172.25.11.0/24)<-------> 5505 (192.168.197.0/24) many thanks in advance!
Here's the configs for the two.
main site of 5510
ASA Version 8.4(3) ! hostname ASA5510 domain-name fphc.us enable password dmbm8Lq9pBST.0kk encrypted passwd dmbm8Lq9pBST.0kk encrypted names ! interface Ethernet0/0 nameif Outside security-level 0 ip address x.x.x.130 255.255.255.240 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 192.168.180.253 255.255.254.0 ! interface Ethernet0/2 speed 100 duplex full shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 no ip address management-only ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup Inside dns server-group DefaultDNS name-server 192.168.180.231 name-server 192.168.180.232 name-server 192.168.180.233 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj-192.168.180.0 subnet 192.168.180.0 255.255.254.0 object network obj-192.168.188.0 subnet 192.168.188.0 255.255.255.0 object network obj-216.86.7.128 subnet x.x.x.128 255.255.255.240 object network Mobile_Unit subnet 192.168.193.0 255.255.255.0 object network obj-172.27.0.0 subnet 172.27.0.0 255.255.255.0 object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj-172.25.11.0 subnet 172.25.11.0 255.255.255.0 object network obj-172.35.0.0 subnet 172.35.0.0 255.255.254.0 object network SpamBox_1 host 192.168.180.244 object network SpamBox_2 host 192.168.180.248 object network Exchange host 192.168.180.235 object network PMG subnet 192.168.178.0 255.255.255.0 object network Outside_Gateway host x.x.x.129 object network AHCCN subnet 172.35.0.0 255.255.254.0 object network MM subnet 10.90.254.0 255.255.255.0 object network NETWORK_OBJ_172.27.0.0_25 subnet 172.27.0.0 255.255.255.128 object network NETWORK_OBJ_172.27.0.0_26 subnet 172.27.0.0 255.255.255.192 object network obj-172.35.1.199 host 172.35.1.199 object network obj-192.168.51.5 host 192.168.51.5 object service 6004 service udp destination eq 6004 object network AT_Remote subnet 192.168.197.0 255.255.255.0 object-group service DM_INLINE_SERVICE_2 service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp-udp destination eq www object-group network DM_INLINE_NETWORK_1 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_2 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_3 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_16 network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object source-quench object-group network DM_INLINE_NETWORK_5 network-object object AHCCN network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_6 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_4 service-object icmp service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_5 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_6 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_0 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp-udp destination eq domain service-object object 6004 object-group network DM_INLINE_NETWORK_7 network-object object MM network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_8 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group service DM_INLINE_SERVICE_7 service-object tcp-udp destination eq domain service-object object 6004 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp object-group network DM_INLINE_NETWORK_10 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group network DM_INLINE_NETWORK_9 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_11 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_1 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group network DM_INLINE_NETWORK_13 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_14 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_12 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_3 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_8 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service Exchange-6001 udp port-object range 6001 6004 object-group network DM_INLINE_NETWORK_15 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_10 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_9 service-object ip service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp destination eq citrix-ica service-object tcp destination eq www service-object tcp destination eq https object-group network DM_INLINE_NETWORK_18 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_19 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_20 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_17 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0 access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object AT_Remote object-group DM_INLINE_NETWORK_15 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any access-list Outside_access_in extended permit ip object Mobile_Unit object-group DM_INLINE_NETWORK_12 log debugging access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2 access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 access-list Outside_access_in extended deny ip 127.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 169.254.0.0 255.255.0.0 any log access-list Outside_access_in extended deny ip 224.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 239.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 173.0.0.0 255.0.0.0 any log debugging access-list Outside_access_in extended deny ip 224.0.0.0 255.255.255.31 any access-list Outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any access-list Outside_access_in extended deny ip any any access-list global_mpc extended permit ip any any access-list global_access extended permit udp object obj-172.35.1.199 any eq snmp log disable access-list global_access extended permit ip object obj-172.27.0.0 any access-list splitTunnelAcl standard permit 192.168.180.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.35.0.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.25.11.0 255.255.255.0 access-list splitTunnelAcl standard permit 10.90.254.0 255.255.255.0 access-list Outside_cryptomap_1 extended permit ip object PMG object-group DM_INLINE_NETWORK_13 access-list Inside_access_in extended permit ip object obj_any any access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Exchange any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object SpamBox_1 any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object SpamBox_2 any log access-list Inside_access_in extended deny ip any any access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_17 object AT_Remote access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_18 object PMG log access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_3 object Mobile_Unit pager lines 24 logging enable logging timestamp logging emblem logging rate-limit unlimited level 1 logging rate-limit unlimited level 6 logging rate-limit unlimited level 7 mtu Outside 1500 mtu Inside 1500 mtu management 1500 ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0 ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0 ip verify reverse-path interface Outside ip verify reverse-path interface Inside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside icmp permit any Inside asdm history enable arp timeout 14400 nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp nat (Inside,Outside) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Mobile_Unit Mobile_Unit no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static AT_Remote AT_Remote no-proxy-arp route-lookup ! object network obj_any nat (Inside,Outside) dynamic interface object network SpamBox_1 nat (Inside,Outside) static x.x.x.132 object network SpamBox_2 nat (Inside,Outside) static x.x.x.133 object network Exchange nat (Inside,Outside) static x.x.x.131 dns access-group Outside_access_in in interface Outside access-group Inside_access_in in interface Inside access-group global_access global route Outside 0.0.0.0 0.0.0.0 x.x.x..129 1 route Inside 10.90.254.0 255.255.255.0 192.168.180.1 1 route Inside 172.16.200.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.10.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.11.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.12.0 255.255.255.0 192.168.180.200 1 route Inside 172.27.0.0 255.255.255.0 192.168.180.200 1 route Inside 172.29.0.0 255.255.0.0 192.168.180.200 1 route Inside 172.35.0.0 255.255.254.0 192.168.180.200 1 route Inside 192.168.182.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.183.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.184.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.185.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.186.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.187.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.189.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.190.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.191.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.192.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.194.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.195.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.196.0 255.255.255.0 192.168.180.200 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server DC's protocol radius max-failed-attempts 5 aaa-server DC's (Inside) host 192.168.180.231 timeout 5 key ***** user-identity default-domain LOCAL http server enable http 192.168.180.0 255.255.255.0 Inside http 0.0.0.0 0.0.0.0 Inside http 172.27.0.0 255.255.255.0 Outside http 172.27.0.0 255.255.255.0 Inside snmp-server group Authentication&Encryption v3 priv snmp-server user trap Authentication&Encryption v3 encrypted auth md5 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78 priv 3des 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78:08:c6:ef:b2:7e:89:45:f2:6f:78:b5:01:33:47:68:c9 snmp-server host Inside 172.35.1.199 community ***** version 2c snmp-server host Inside 192.168.180.7 community ***** version 2c snmp-server location MLK snmp-server contact xxxxxxxx snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps entity config-change fru-insert fru-remove snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start no sysopt connection reclassify-vpn sysopt connection preserve-vpn-flows crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association lifetime seconds 43200 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 1 match address Outside_1_cryptomap crypto map Outside_map 1 set peer 173.10.204.46 crypto map Outside_map 1 set ikev1 phase1-mode aggressive crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 1 set ikev2 pre-shared-key ***** crypto map Outside_map 1 set security-association lifetime seconds 460800 crypto map Outside_map 4 match address Outside_cryptomap_1 crypto map Outside_map 4 set peer 207.190.237.254 crypto map Outside_map 4 set ikev1 phase1-mode aggressive group5 crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA crypto map Outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 4 set security-association lifetime seconds 460800 crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map 1 match address Outside_cryptomap_2 crypto map outside_map 1 set peer x.x.x.201 crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 match address Outside_cryptomap crypto map outside_map 2 set peer x.x.x.254 crypto map outside_map 2 set ikev1 phase1-mode aggressive group5 crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map outside_map 3 match address Outside_cryptomap_4 crypto map outside_map 3 set peer x.x.216.130 crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface Outside crypto ca trustpoint LOCAL-CA-SERVER keypair LOCAL-CA-SERVER crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=FPHC-ASA serial-number keypair LOCAL-CA-SERVER crl configure crypto ca server shutdown crypto ca certificate chain LOCAL-CA-SERVER certificate ca 01 308201ff 30820168 a0030201 02020101 300d0609 2a864886 f70d0101 05050030 13311130 0f060355 04031308 46504843 2d415341 301e170d 31323039 32303232 34393034 5a170d31 35303932 30323234 3930345a 30133111 300f0603 55040313 08465048 432d4153 4130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100e841 eeca425c 20c47a19 3b335924 30281111 cff571d7 0bb63dd8 5f3194f5 59d99cb1 60269694 aa13c591 505e0575 2de5ebb1 92d7c931 807f807b 6e84ee54 1da4ccaf 1f109f53 94c6e567 a8064e27 e27f3ea0 94f7bf32 2fe6064c c2bbcd0d 7b0f8806 8614fcf9 80c6e4e1 83da75c5 080c7117 09e1d574 f17de8ac 1da4f2f9 f6e10203 010001a3 63306130 0f060355 1d130101 ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680 144cb3da 6b6a5a14 c4b78674 49609b6b 8e58ea5f a3301d06 03551d0e 04160414 4cb3da6b 6a5a14c4 b7867449 609b6b8e 58ea5fa3 300d0609 2a864886 f70d0101 05050003 818100e0 7c9e15c3 13068614 788ff4d3 f282a4f4 fde72b00 3b05748f 0a4f68ec 6a7eb5fb 40c6d505 b1c35372 87102173 bb017e4b 2697c8f5 b66395f2 1418c77c 3e959343 84674b96 33558a08 629336c8 39c742bf 6b727b00 388a7102 8619cb5a e4227aaf b58e267c 9e8b23d6 94cdc789 eb29cd96 1e579770 a2aa58ab 40694bb9 12888d quit crypto ca certificate chain ASDM_TrustPoint0 certificate bd555b50 308201f7 30820160 a0030201 020204bd 555b5030 0d06092a 864886f7 0d010105 05003040 3111300f 06035504 03130846 5048432d 41534131 2b301206 03550405 130b4a4d 58313632 33583130 51301506 092a8648 86f70d01 09021608 46504843 2d415341 301e170d 31323039 32303232 35383434 5a170d32 32303931 38323235 3834345a 30403111 300f0603 55040313 08465048 432d4153 41312b30 12060355 0405130b 4a4d5831 36323358 31305130 1506092a 864886f7 0d010902 16084650 48432d41 53413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e8 41eeca42 5c20c47a 193b3359 24302811 11cff571 d70bb63d d85f3194 f559d99c b1602696 94aa13c5 91505e05 752de5eb b192d7c9 31807f80 7b6e84ee 541da4cc af1f109f 5394c6e5 67a8064e 27e27f3e a094f7bf 322fe606 4cc2bbcd 0d7b0f88 068614fc f980c6e4 e183da75 c5080c71 1709e1d5 74f17de8 ac1da4f2 f9f6e102 03010001 300d0609 2a864886 f70d0101 05050003 8181008b c7a3e119 f1c6f60c 56ab7fd4 5096cfdf abb44331 fe3a0249 7f5fe79b 38a044c2 9a8b907d 12feba5d 6298a414 c4973369 040585b8 26b8b29e dfe7e226 0b10d08e 03658648 2fb0233e 27204339 c5a1c270 a0fec5b4 834340ac 9afefe75 4f802cb6 fb21b89c 9016e32c 2e772c00 191d23e0 036c4321 93a43b48 a6b682af 5dd5c0 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable Outside crypto ikev1 enable Outside crypto ikev1 enable management crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet 192.168.180.0 255.255.255.0 Inside telnet 172.27.0.0 255.255.255.0 Inside telnet timeout 10 ssh 192.168.180.0 255.255.255.0 Inside ssh 172.27.0.0 255.255.255.0 Inside ssh timeout 20 console timeout 0 management-access Inside vpn load-balancing interface lbpublic Outside interface lbprivate Inside threat-detection basic-threat threat-detection scanning-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp authenticate ntp server 50.77.217.185 source Outside prefer ntp server 216.171.120.36 source Outside webvpn group-policy "S2S-RA-Group Policy" internal group-policy "S2S-RA-Group Policy" attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client group-policy DfltGrpPolicy attributes vpn-filter value Inside_nat0_outbound vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless group-policy GroupPolicy_x.x.x.46 internal group-policy GroupPolicy_x.x.x.46 attributes vpn-filter value Outside_1_cryptomap vpn-tunnel-protocol ikev1 ikev2 group-policy GroupPolicy_x.x.x.254 internal group-policy GroupPolicy_x.x.x.254 attributes vpn-filter value Outside_cryptomap_1 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec group-policy GroupPolicy_x.x.x.201 internal group-policy GroupPolicy_x.x.x.201 attributes vpn-filter value Outside_cryptomap_2 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_x.x.216.130 internal group-policy GroupPolicy_x.x.216.130 attributes vpn-tunnel-protocol ikev1 group-policy VPN-GROUP2 internal group-policy VPN-GROUP2 attributes dns-server value 192.168.180.231 192.168.180.232 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us group-policy VPN-GROUP internal group-policy VPN-GROUP attributes dns-server value 192.168.180.231 192.168.180.232 vpn-filter value splitTunnelAcl vpn-tunnel-protocol ikev1 l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us username mark password YTp0IwzeNwb5kS8J encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes default-group-policy VPN-GROUP tunnel-group x.x.x.46 type ipsec-l2l tunnel-group x.x.x.46 general-attributes default-group-policy GroupPolicy_x.x.x.46 tunnel-group x.x.x.46 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group x.x.x.201 type ipsec-l2l tunnel-group x.x.x.201 general-attributes default-group-policy GroupPolicy_x.x.x.201 tunnel-group x.x.x.201 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group VPN-GROUP type remote-access tunnel-group VPN-GROUP general-attributes address-pool Client_Pool authentication-server-group DC's default-group-policy VPN-GROUP tunnel-group VPN-GROUP ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.254 type ipsec-l2l tunnel-group x.x.x.254 general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group x.x.x.254 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group VPN-GROUP2 type remote-access tunnel-group VPN-GROUP2 general-attributes address-pool RA_POOL authentication-server-group DC's default-group-policy VPN-GROUP2 tunnel-group VPN-GROUP2 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_x.x.x.130 tunnel-group x.x.x.130 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group PMG type ipsec-l2l tunnel-group PMG general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group PMG ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic class-map http_https description http_https match access-list Outside_access_in ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class user-statistics accounting policy-map http_https class http_https set connection timeout idle 1:15:00 reset user-statistics accounting ! service-policy global_policy global service-policy http_https interface Outside smtp-server 192.168.180.235 prompt hostname context no call-home reporting anonymous Cryptochecksum:fcb4c2d9a982c11054c31ee4db778012 : end
5505 remote site
ASA Version 8.2(5) ! hostname AT-Remote domain-name fphc.us enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 172.35.0.0 AHCCN name 172.25.11.0 AHCCN-1 name 192.168.180.0 FPHC ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport trunk allowed vlan 1,30 switchport trunk native vlan 1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.197.250 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address x.x.x.201 255.255.255.252 ! ! boot system disk0:/asa825-k8.bin ftp mode passive dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 68.87.68.162 name-server 68.87.74.162 domain-name fphc.us dns server-group DNS_Internal name-server 192.168.180.231 name-server 192.168.180.232 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network obj_any object-group network 172.25.11.0 object-group network 172.35.0.0 object-group network 192.168.180.0 object-group network ASA-FW object-group network Comcast_Outside object-group network AT_Local object-group network NETWORK_OBJ_192.168.197.0_24 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply object-group service DM_INLINE_SERVICE_3 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp object-group network obj_remote object-group network Franklin_Remote network-object AHCCN-1 255.255.255.0 network-object AHCCN 255.255.254.0 network-object FPHC 255.255.254.0 access-list outside_access_in extended permit ip object-group Franklin_Remote 192.168.197.0 255.255.255.0 access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log debugging access-list inside_access_in extended permit ip any any log access-list inside_access_in extended permit icmp any any echo log access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat_outbound extended permit ip any interface outside pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside asdm image disk0:/asdm-645.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 101 access-list inside_nat_outbound access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.202 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 0.0.0.0 0.0.0.0 inside http 192.168.197.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection preserve-vpn-flows sysopt noproxyarp inside sysopt noproxyarp dmz crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 43200 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 216.86.7.130 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto ca trustpoint _SmartCallHome_ServerCA crl configure crypto ca certificate chain _SmartCallHome_ServerCA certificate ca 6ecc7aa5a7032009b8cebcf4e952d491 308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b 30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420 68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329 3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365 63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597 a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10 9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc 7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b 15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845 63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced 4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f 81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201 db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101 ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8 45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406 03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973 69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969 6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973 69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30 1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603 551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609 2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a 6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc 481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16 b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0 5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8 6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 6c2527b9 deb78458 c61f381e a4c4cb66 quit crypto isakmp enable outside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 inside telnet x.x.x.130 255.255.255.255 outside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.197.25-192.168.197.100 inside dhcpd dns 192.168.180.232 68.87.74.162 interface inside dhcpd domain fphc.us interface inside dhcpd enable inside ! dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics host threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes vpn-filter value outside_1_cryptomap group-policy GroupPolicy_216.86.7.130 internal group-policy GroupPolicy_216.86.7.130 attributes vpn-filter value inside_nat0_outbound vpn-tunnel-protocol IPSec l2tp-ipsec tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_216.86.7.130 tunnel-group x.x.x.130 ipsec-attributes pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect dns ! service-policy global_policy global prompt hostname context : end
Hello
The reason for the DECLINE suggests that the ASA has still attached to the L2L VPN VPN filter configuration that prevents traffic.
Check the configuration and remove atleast VPN filter temporarily for testing purposes.
-Jouni
-------> -
Site to Site and together on ASA 5505 VPN remote access
Hello
I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.
After you add the new configuration lines, I received the following message when I debug:
04 Nov 07:06:06 [IKEv1]: group =
, IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0). 04 Nov 07:04:36 [IKEv1]: group =
, IP = , peer of drop table Correlator has failed, no match! Someone knows what's the problem? And what to change in the config?
Thanks in advance,
Ruben
Hello
If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"
Federico.
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
Maybe you are looking for
-
I'm on fire FTP, if I update I will be able to use it?
33.0.2 running now with 'Fire FTP', if I update will I use it? I have another post to work with the latest installation and fire FTP is not a plugin option? Please let me know as we like fire FTP you have as a plug-in. Thank you
-
Dear Apple Support. I had trouble with my wifi macbook. Symbol of my wifi still "search network". Shortly, it was 'ON' and then replaced by "searching for networks. Keep it continue like that: on and looking for... I don't know why? Could you help me
-
Hi all I am trying to create a program that allows the user to draw a series of Kings (lines and rectangles) on a sample image, and then generate histograms etc for each of the Kings drawn and line profiles. I know that you can use CTRL + mouse down
-
I get a 0x800707B4 error code when I try to update Windows Defender KB915597
-
Can a "uninstalled" Vista Upgrade be installed on another machine?
For various reasons of Dingo, I want to update a computer XP MCE to Vista. Best price on the upgrade of Vista in my area is a copy that has been installed and then uninstalled. My question is, the software still allows to update * my * machine? It