Certificates for IPSEC vpn in ASA 8.0 clients

Similar Questions

• Ask/dissemination of certificates for IPSEC VPN user

  Hi all

  I have therefore an ASA established the connection to an LDAP, an SSL certificate signed for the cert of the device and use IPSEC IKEv2 VPN connections that are authenticated by the LDAP username and password and X.509 certificates.

  I have a CA server root of Microsoft Windows server 2012 (State in offline mode) and a Windows server 2012 subordinate certification authority server. Both are 10-year Certification authorities.

  To generate certificates VPN I'm going to the AC Sub, go to certificates (local computer) > personal > right click on the white space > all tasks > advanced operations > ask personalized.

  I have set up my cert accordingly and enable private key export.

  I submit new request to the CERT service. authority on the CA of Sub (same machine as before). I issue the certificate, and then export the certificate with the private key. I send this to my user, then they install this certificate in the personal certificates store and access the VPN access using this cert more username and password they have been assigned (no there is no possibility for them to ask their own PC)

  Question 1: Is there an easier way to do this? Command line? Script? preconfigured with the certificate settings .ini file?

  Question 2: These certificates are only 1 year. How can I generate certificates that are longer than that. I'm jumping for 3 years.

  Thank you!

  BROKEN

  Well it's quite simple setup-wise when you chose to go down the path of the client certificate. It is generally easier to use SCEP (Simple Certificate Enrollment Protocol) Protocol to manually deploy certificates. There is an example of a configuration Definition here.

  There is also a good presentation (or several) of Cisco Live. I recommend that you take a look at this one from 2012: Practice of PKI for VPN.

  In this presentation, he you (slide 39) specifically shows how to create a new certificate template and set the validity period for the value by default 1 years.

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• IPSec vpn cisco asa and acs 5.1

  We have configured authentication ipsec vpn cisco asa acs 5.1:

  Here is the config in cisco vpn 5580:

  standard access list acltest allow 10.10.30.0 255.255.255.0

  RADIUS protocol AAA-server Gserver

  AAA-server host 10.1.8.10 Gserver (inside)

  Cisco key

  AAA-server host 10.1.8.11 Gserver (inside)

  Cisco key

  internal group gpTest strategy

  gpTest group policy attributes

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list acltest

  type tunnel-group test remote access

  tunnel-group test general attributes

  address localpool pool

  Group Policy - by default-gpTest

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  accounting-server-group Gserver

  IPSec-attributes of tunnel-group test

  pre-shared-key cisco123

  GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

  When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

  error:

  22040 wrong password or invalid shared secret

  (pls see picture to attach it)

  the system still works, but I don't know why, we get the error log.

  Thanks for any help you can provide!

  Duyen

  Hello Duyen,

  I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

  Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

  Please remove the authorization under the Tunnel of Group:

  No authorization-server-group Gserver

  Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

  Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

  I hope this helps.

  Kind regards.

• Is availble for IPsec VPN FOS 6.3 support stateful failover

  Is availble for IPsec VPN FOS 6.3 support stateful failover

  SAJ

  Hello Saj,

  Unfortunately not... stateful failover replica information such as:

  Table of connection TCP, udp xlate table ports, h.323, PAT port allocation table...

  they replicate data such as:

  user authentication (uauth) table

  Table ISAKMP / IPSEC SA

  ARP table

  Routing information

  Therefore, in the case where the main breaks down, the IPSEC vpn will be reformed for the failover... Meanwhile, the user will not be able to access the applications...

  I hope this helps... all the best... the rate of responses if deemed useful...

  REDA

• IPSec VPN between ASAs with same subnet for disaster recovery

  Hello

  I need some clarification from you guys.

  To do disaster EasyVPN tunnels for the Cisco ASA 5505 firewall recovery site. Now, there is only one main site and 3 remote sites.

  Dr., must use the same subnet that it is on the main site because virtual machines Vmware will be replicated to DR.

  For the DR we use Double-Take software.

  What is the best solution for this? I think we could use NAT of Destination on ASAs. Other sites (HQ and remote control) will be directed to only address NAT of the

  DR and not real which is the same as on the main site.

  So guys, will this work? We are using IPSec VPN? In packet - trace on ASA, I see that the package is the first using a NAT, and then encrypted, so it should work, Yes?

  I hope someone can confirm this.

  I can confirm that this will work certainly,

  for prior type natting see 8.3:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag

  for 8.3 and later it is also achievable.

• IPSec VPN to asa 5520

  Hello

  First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.

  The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.

  I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.

  I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:

  4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry

  5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!

  6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

  and this, in the journal of customer:

  Cisco Systems VPN Client Version 5.0.02.0090

  Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 5.1.2600 Service Pack 3

  24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "213.94.x.x".

  27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 213.94.x.x.

  28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x

  29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014

  Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

  40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.

  Can you see what I'm doing wrong?

  Thank you

  Sam

  Pls add the following policy:

  crypto ISAKMP policy 10

  preshared authentication

  the Encryption

  md5 hash

  Group 2

  You can also run debug on the ASA:

  debugging cry isa

  debugging ipsec cry

  and retrieve debug output after trying to connect.

• Install two the separate IPSec VPNS on ASA 5505

  Hello

  I'll have set up a second tunnel IPSec VPN on my Cisco ASA 5505 to another office.  I was able to configure one without problem through the ASDM, but were not able to get the second.

  The IPSec tunnel connects to a WRVS4400N router to the other office.  I tried the debug crypto isakmp and ipsec crypto, but I get nothing.  Here is the config.  Something seems wrong on my end?   I've also attached a screenshot of the configuration settings on the remote router.

  Output of the command: "show run".

  : Saved
  :
  ASA Version 8.2 (5)
  !
  hostname WayneASA

  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 70.91.18.205 255.255.255.252
  !
  interface Vlan5
  Shutdown
  No nameif
  security-level 50
  IP 192.168.10.1 255.255.255.0
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS lookup field inside
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  75.75.75.75 server name
  75.75.76.76 server name
  domain 3gtms.com
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  inside_access_in of access allowed any ip an extended list
  IPSec_Access to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.224
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  TunnelSplit1 list standard access allowed 192.168.10.0 255.255.255.224
  TunnelSplit1 list standard access allowed 192.168.1.0 255.255.255.0
  outside_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  outside_2_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  RemoteTunnel_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
  RemoteTunnel_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0

  pager lines 24
  Enable logging
  Within 1500 MTU
  Outside 1500 MTU
  IP mask 255.255.255.224 local pool VPNPool 192.168.10.1 - 192.168.10.30
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0
  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group
  Access-group out_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  Enable http server
  http 0.0.0.0 0.0.0.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set esp-3des esp-md5-hmac VPNTransformSet
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto IPSec_map 1 corresponds to the address IPSec_Access
  card crypto IPSec_map 1 set peer 50.199.234.229
  card crypto IPSec_map 1 the transform-set VPNTransformSet value
  card crypto IPSec_map 2 corresponds to the address outside_2_cryptomap
  card crypto IPSec_map 2 set pfs Group1
  card crypto IPSec_map 2 set peer 98.101.139.210
  card crypto IPSec_map 2 the transform-set VPNTransformSet value
  card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  IPSec_map interface card crypto outside
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.199.234.229

  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 43200
  Telnet 192.168.1.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 inside
  SSH timeout 60
  Console timeout 0
  management-access inside
  dhcpd outside auto_config
  !
  dhcpd address 192.168.1.100 - 192.168.1.199 inside
  dhcpd dns 75.75.75.75 75.75.76.76 interface inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal RemoteTunnel group strategy
  attributes of Group Policy RemoteTunnel
  value of server DNS 75.75.75.75 75.75.76.76
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list RemoteTunnel_splitTunnelAcl_1
  3gtms.com value by default-field
  eric 0vcSd5J/TLsFy7nU password user name encrypted privilege 15
  username password encrypted URsSXKLozQMSeCBk privilege 5 lestofts
  username lestofts attributes
  type of remote access service
  algobel lBWy5eNbHMCDPzuL encrypted password username
  username algobel attributes
  type of remote access service
  type tunnel-group RemoteTunnel remote access
  attributes global-tunnel-group RemoteTunnel
  address pool VPNPool
  Group Policy - by default-RemoteTunnel
  IPSec-attributes tunnel-group RemoteTunnel
  pre-shared key *.
  tunnel-group 50.199.234.229 type ipsec-l2l
  IPSec-attributes tunnel-group 50.199.234.229
  pre-shared key *.
  tunnel-group 98.101.139.210 type ipsec-l2l
  IPSec-attributes tunnel-group 98.101.139.210
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the icmp
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the dns
  inspect the pptp
  inspect the sip
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call
  Cryptochecksum:a86adc4b23977672679b6fb72d0bc187
  : end

  You are also missing the NAT0 rule

  inside_nat0 to access extended list ip 192.168.2.0 allow 255.255.255.0 192.168.5.0 255.255.255.0

  -Jouni

• ASA - 5540 used for IPSec VPN only - I can do away with Nat 0?

  I'll use an ASA 5540 as our head of VPN endpoint only - and not as a firewall.

  Also, we have a class for our company internal address space routable B address, so we don't need NAT. I would like to disable the function NAT 0 if I can so I always add NAT 0 to ensure that the 5540 does not NAT.

  Y at - it an easy way to disable the need using NAT 0?

  Are there any of the draw to do that?

  You can disable the use of nat 0 disabling the nat control.

  To achieve this, go to the global configuration mode and use this command:

  no nat control

  To check whether you have it turned on, you can check it with:

  SH run nat-control

  See you soon!

  -Butterfly

• ASA static IP Addressing for IPSec VPN Client

  Hello guys.

  I use a Cisco ASA 5540 with version 8.4.
  I need to assign a static IP address to a VPN client. I saw in the documentation Cisco that this can be done to validate the user against the local ASA and in the user account database, you assign a dedicated IP address, or using the vpn-framed-ip-address CLI command.
  The problem is that the customer never gets this address and it always gets one of the pool in the political group. If I delete this pool, the client can't get any address.
  No idea on how to fix this or how can I give this static IP address to a specific VPN client?
  Thank you.

  Your welcome please check the response as correct and mark.

  See you soon

• "ITS creation failed" problem for IPSec VPN

  An ASA 5100 is used to provide VPN access for my business. The configuration was made by a permeable man who has been missing for some time, and the configuration used to be OK until this morning. This morning, some users reported that their VPN would have fallen once got connected. I checked the ASA and ASDM, I see every time when user deletes, it IPSec tunnel is always action. Furthermore, I faked the problem and got the newspaper of errors such as:

  1 11:14:45.898 12/06/07 Sev = WARNING/3 IKE/0xE3000065 could not find an IKE SA for 10.2.1.8. Abandoned KEY_REQ.

  2 11:14:45.898 12/06/07 Sev = WARNING/2 IKE/0xE3000099 could not open the P2 generate a new key: error detected(Initiate:176)

  3 11:14:45.898 12/06/07 Sev = WARNING/2 IKE/0xE3000099 cannot open the QM (IKE_MAIN:458)

  On the side of the AS I did "debug crypto isakmp" and 'debug crypto ipsec' and I got the following errors:

  iscoasa # ERROR IPSEC: expiration of the timer of the asynchronous operation, SPI: 0x114CA5B6, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

  IPSEC ERROR: Material outside ITS create command failed, SPI: 0x114CA5B6, error code: 0 x 17

  IPSEC ERROR: Asynchronous Operation timeout expired, SPI: 0x61BE2022, user: roeladmin, peer: 202.x.x.70, time: 2 seconds, ctm_ipsec_create_sa:856

  IPSEC ERROR: Cannot add a user auth, SPI input: 0x61BE2022, user: roeladmin, peer: 202.172.62.70

  IPSEC ERROR: Cannot create an inbound SA SPI: 0x61BE2022 document

  IPSEC ERROR: Unable to complete the command of IKE UPDATE

  12 June at 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, error QM WSF (P2 struct & 0 x 4699058, mess id 0xf37ec6f4).

  12 June at 14:25:13 [IKEv1]: Group = LANWORKS, Username = roeladmin, IP = 202.172.62.70, peer table correlator Removing failed, no match!

  IPSEC ERROR: Material Inbound ITS create command failed, SPI: 0x61BE2022, error code: 0 x 17

  It shows that ITS creation has failed. But I can't find the problem with the configuration. Can someone help me on this? Thank you

  Outgoing material ITS create command failed, SPI: 0x114CA5B6, error code: 0 x 17

  It is a hardware problem, reset the firewall and it will work, I saw 4 times in different ASAs

  Please hate the post if help.

• IP Phone/Android IPSEC VPN to ASA using AnyConnect

  With course of Blackberry support in our Organization, we are eager to implement, configure, and deploy a vpn to access remote ipsec Ikev2 of our ASA 5540 9.1 (5) 19 (license Premium VPN) for the iphone and android.

  Was so fair to ask is - it possible, if it is possible, what is the best approach to take, and if someone has a recommended best practices?

  And do we need to purchase several licenses for AnyConnect for Mobile?

  As looked at loads of documentation, but have I just more confused.

  So, any help much appreciated.

  Thank you

  NESSIE

  Hi Nessie,

  Please visit the link for more details below:

  http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

  Link below shows the license you need for ASA for anyconnect on mobile devices.

  http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

  Kind regards

  Kanwal

  Note: Please check if they are useful.

• Need help for IPSEC VPN configuration.

  Hello

  I'm trying to implement a VPN IPSEC connection in my GNS3 lab and all show commands and debugs does not seem to give me clues of what is wrong or missing... can someone please help me in my troubleshooting VPN config. Here is the config for Router 1

  R1 #sh run

  crypto ISAKMP policy 1

  preshared authentication

  Group 2

  ISAKMP crypto key 6 cisco123 address 200.20.1.1

  !

  !

  Crypto ipsec transform-set esp - esp-sha-hmac CISCO_SET

  !

  map VPN_map 10 ipsec-isakmp crypto

  ! Incomplete

  defined by peer 200.20.1.1

  Set security-association second life 190

  game of transformation-CISCO_SET

  match address INT_TRAFFIC

  !

  !

  interface Loopback1

  IP 172.16.1.1 255.255.255.255

  !

  interface Loopback2

  172.16.1.2 IP address 255.255.255.255

  !

  interface FastEthernet0/0

  IP 200.11.1.1 255.255.255.252

  IP ospf 1 zone 0

  automatic duplex

  automatic speed

  card crypto VPN_map

  !

  router ospf 1

  Log-adjacency-changes

  network 172.16.0.0 0.0.255.255 area 0

  !

  router bgp 65001

  no synchronization

  The log-neighbor BGP-changes

  200.11.1.0 netmask 255.255.255.252

  neighbour 200.11.1.2 distance - as 65030

  No Auto-resume

  !

  IP forward-Protocol ND

  !

  !

  IP http server

  no ip http secure server

  !

  INT_TRAFFFIC extended IP access list

  IP address 172.16.0.0 allow 0.0.255.255 192.168.0.0 0.0.255.255

  IP address 172.16.0.0 allow 0.0.255.255 192.168.0.0 0.0.255.255 connect

  end

  R1 #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association

  status of DST CBC State conn-id slot

  IPv6 Crypto ISAKMP Security Association

  R1 ipsec crypto #show her

  Nill...

  R1 #sh debugging

  Encryption subsystem:

  Crypto ISAKMP debug is on

  Engine debug crypto is on

  Crypto IPSEC debugging is on

  Regulation:

  memory tracking is enabled

  R1 #sh ip route

  Gateway of last resort is not set

  200.20.1.0/30 is divided into subnets, subnets 1

  B 200.20.1.0 [20/0] via 200.11.1.2, 01:28:21

  200.11.1.0/30 is divided into subnets, subnets 1

  C 200.11.1.0 is directly connected, FastEthernet0/0

  172.16.0.0/32 is divided into subnets, 2 subnets

  C 172.16.1.1 is directly connected, Loopback1

  C 172.16.1.2 is directly connected, Loopback2

  R1 #ping 200.20.1.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 200.20.1.1, wait time is 2 seconds:

  !!!!!

  See you soon,.

  Fabio

  Nice Catch. The key word 'Incomplete!' should have reported it.

  Please close the issue as resolved - user error

  Thank you
  Brian

• ASA5505 for configuration VPN Failover ASA-5510

  the best way to configure a second VPN tunnel by another carrier, to fail.  The two tunnels would go to the same network a Remote Site.   Is it possible to apply a metric or monitor the tunnel so that if the choice we're unavailable two choice would resume.   Can you point me to the example configuration preferably with ADSM?

  Hi Stewart,

  Please visit this link for the same thing:

  https://supportforums.Cisco.com/blog/150001

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• Unique remote IP for IPSec VPN router to router

  Hi, I am setting up a virtual private network to another company, and they provided a routable IP address to be peers and their local internal system we need access to.  Can I use the address of the remote peer in the crypto ACL?  I think that they need to provide a second IP NAT for their internal system, if not for their peers IPSec traffic will hit the ACL crypto.  What do you think?  Thank you!

  As long as only 1 end of the peer uses the peer IPSec (destination ip address) in the ACL crypto, it's OK. You can't have two ends as being the ACL crypto.