Cisco ASA 5520 cannot ping between VPN Tunnels
I have the main site and sites A and B. A to connect to the hand and B connects to the main. I can ping from A hand and has for main. I can ping from main to B and B to main. However, I can not ping from A to B. A and B are sonicwall 2040 and main is a 5520. The question should not be with the 5520 none allowing traffic between the two VPN Tunnels, but I can't understand why it does not work. Can someone give an idea on that? Thanks in advance.
Hello
I see that you use ASDM. Always makes my eyes bleed when I need to look at the DM_INLINE of named objects and try to make sense the CLI format
Seems to me that there are problems with the NAT.
If you don't mind a small break between the main Site and remote locations, I'd say changing some follows the NAT configuration
Remove old
no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 non-proxy-arp-search of route static destination
no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 non-proxy-arp-search of route static destination
Add a new
object-group network NETWORK-2790
object-network 10.217.0.0 255.255.255.0
object-network 10.217.1.0 255.255.255.0
object-group network NETWORK-3820
object-network 10.216.0.0 255.255.255.0
object-network 10.216.1.0 255.255.255.0
object-group network NETWORK-COLO
object-net 10.8.0.0 255.255.255.0
destination of NETWORK of NETWORK-2790-2790 static NAT (outside, outside) static source NETWORK - 3820 - 3820
NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 2790 - 2790
NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 3820 - 3820
The first new line of configuring NAT manages the NAT0 configuration for traffic between SiteA and SiteB. The following configurations of NAT 2 manage the NAT0 for traffic between the main Site - hand Site SiteA - SiteB
-Jouni
Tags: Cisco Security
Similar Questions
-
cannot ping between remote vpn site?
vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!!
ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondbSession type: LAN-to-LAN
Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00Hi Rico,
You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.
example:
Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-Bdestination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE aHope this helps
Thank you
Rizwan James
-
Routing with Cisco ASA 5520 VPN
I have installed IPsec vpn remote users in the Cisco ASA 5520 using RADIUS in my main network. Works very well. I have a site to my Cisco ASA5520 tunnels going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I wish that my users VPN remote IPSec to be able to navigate in these tunnels is a site to access remote subnets attached to these tunnels. Do I need to use a combination of routing and the ACL? Or can I just use ACL only? Or just use routing only?
Thank you
Carlos
Hello
The key to set up here is the two ACL of VPN L2L end points that determine the 'interesting' traffic to connect VPN L2L. You will also need to confirm that the connection of the VPN Client is configured so that traffic to the remote sites have sent to the connection of the VPN client. There are also other things that you should check on your ASA plant
Here most of the things you usually have to confirm
- Set up 'permit same-security-traffic intra-interface' if it is already present in your configuration
- This setting will allow connections to form between the hosts that are connected to the same interface on the ASA. In this case, applies because the VPN client users are connected to the interface 'outside' of the ASA and also remote sites are connected to the ASA to "external". If the traffic between the remote VPN Client and VPN L2L sites will be to enter and exit the same interface
- You will need to check how the customer if configured VPN connection. Split or full Tunnel tunnel
- If the connection of the VPN Client is configured as Split Tunnel then you need to add all the networks from the remote to the Split Tunnel, so that the connections between the VPN Client is transmitted to the ASA and from there connections VPN L2L
- If the connection of the VPN Client is configured as full Tunnel, then there no problem that all traffic is transferred to the Client VPN connection all its assets
- Define the VPN pool in the ACL of VPN L2L
- You should make sure that the pool network VPN Client is defined in the ACL that define 'interesting' traffic to connect VPN L2L. So, you need to add the pool VPN VPN L2L configurations on the sites of Central America and remote control
- Configure NAT0 / NAT exempt for remote VPN Client to L2L VPN Site traffic at both ends of the VPN L2L
- You must ensure that the NAT0 / exempt NAT rules exist for the VPN Client for Remote Site traffic. This will have to be configured on the SAA "outside" interface. Format of configuration varies naturally a bit on the ASA Central his software level.
These should be the most common things to set up and confirm for traffic to flow between the VPN Client and Remote Sites
Hope this helps please rate if yes or ask more if necessary.
-Jouni
- Set up 'permit same-security-traffic intra-interface' if it is already present in your configuration
-
What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
Hi all
Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.
You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.
Michael
Please note all useful posts
-
Is supported PPTP vpn cisco ASA 5520 firewall?
Hi all
I'm Md.kamruzzaman. My compnay buy a firewall of cisco asa 5520 and I want to configure PPTP vpn on asa 5520 firewall. Is it possible to configure the PPTP vpn to asa firewall. If possible can you please tell me what is the procedure to configure the PPTP vpn.
Best regards
MD.kamruzzaman
Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.
You may terminate IPSec and SSL VPN but not of type PPTP.
If you are new to the ASA, how best to configure the supported VPN types is via the VPN Wizard integrated into the application of management of ASSISTANT Deputy Ministers.
-
Hello!
I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.
ASA Version 9.1 (1)
!
ASA host name
domain xxx.xx
names of
local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask
!
interface GigabitEthernet0/0
nameif inside
security-level 100
192.168.11.1 IP address 255.255.255.0
!
interface GigabitEthernet0/1
Description Interface_to_VPN
nameif outside
security-level 0
IP 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
192.168.5.1 IP address 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
www.ww domain name
permit same-security-traffic intra-interface
the object of the LAN network
subnet 192.168.11.0 255.255.255.0
LAN description
network of the SSLVPN_POOL object
255.255.255.0 subnet 192.168.12.0
VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN
Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
WebVPN
list of URLS no
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
LOCAL AAA authorization exec
Enable http server
http 192.168.5.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_TrustPoint5
Terminal registration
E-mail [email protected] / * /
name of the object CN = ASA
address-IP 111.222.333.444
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint6
Terminal registration
domain name full vpn.domain.com
E-mail [email protected] / * /
name of the object CN = vpn.domain.com
address-IP 111.222.333.444
pair of keys sslvpn
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint6 certificates
Telnet timeout 5
SSH 192.168.11.0 255.255.255.0 inside
SSH timeout 30
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assign
192.168.5.2 management - dhcpd addresses 192.168.5.254
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint6 point
WebVPN
allow outside
CSD image disk0:/csd_3.5.2008-k9.pkg
AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal VPN_CLIENT_POLICY group policy
VPN_CLIENT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - 5 concurrent connections
VPN-session-timeout 480
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
myComp.local value by default-field
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect client of dpd-interval 30
dpd-interval gateway AnyConnect 30
AnyConnect dtls lzs compression
AnyConnect modules value vpngina
value of customization DfltCustomization
internal IT_POLICY group policy
IT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - connections 3
VPN-session-timeout 120
Protocol-tunnel-VPN-client ssl clientless ssl
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
field default value societe.com
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
AnyConnect dtls lzs compression
value of customization DfltCustomization
username vpnuser password PA$ encrypted $WORD
vpnuser username attributes
VPN-group-policy VPN_CLIENT_POLICY
type of remote access service
Username vpnuser2 password PA$ encrypted $W
username vpnuser2 attributes
type of remote access service
username admin password ADMINPA$ $ encrypted privilege 15
VPN Tunnel-group type remote access
General-attributes of VPN Tunnel-group
address VPN_CLIENT_POOL pool
Group Policy - by default-VPN_CLIENT_POLICY
VPN Tunnel-group webvpn-attributes
the aaa authentication certificate
enable VPN_to_R group-alias
type tunnel-group IT_PROFILE remote access
attributes global-tunnel-group IT_PROFILE
address VPN_CLIENT_POOL pool
Group Policy - by default-IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
the aaa authentication certificate
enable IT Group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
: end
Help me please! Thank you!
Hello
Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.
Thank you
swap
-
ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established
Hi all experts
We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?
I got error syslog 713902 and 713903, how to fix?
I got the following, when I type "sh crypto isakmp his."
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2
Hugo
Hello
This State is reached when the policies of the phase 1 do not correspond to the two ends.
Please confirm that you have the same settings of phase 1 on both sides with the following commands:
See the isakmp crypto race
See the race ikev1 crypto
Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.
Finally, make sure you have a route suitable for the remote VPN endpoint device.
Hope that helps.
Kind regards
Dinesh Moudgil
-
ASA 5520 to Juniper ss505m vpn
I'm having a problem with the vpn site to site between a asa 5520 and Juniper ss 505 m. The tunnel rises, but we seem unable to pass traffic through the vpn tunnel. It appears on the remote side makes a connection to the ftp server on the Local Server, but is never prompt identification of connection information.
April 19, 2016 13:27:13 SQL-B2B-01: % ASA-4-402116: IPSEC: received a package ESP x.x (SPI = 0xD167A5E8, sequence number = 0xD).
241.90 (user = X.X.241.90) at X.X.167.230. Inside the package décapsulés does not match policy negotiated in the SA. The
package specifies its destination as its Protocol TCP, its source such as X.X.2.68 and X.X.167.233. SA specifies its loc
proxy of Al X.X.167.233/255.255.255.255/tcp/5376 and his remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.
list of remote ip-group of objects allowed extended West Local Group object
NAT static Local_Pub Local destination (indoor, outdoor) static source Remote
Crypto ipsec ikev1 transform-set esp-aes-256 Remote esp-sha-hmac
West-map 95 crypto card is the Remote address
card crypto West-map 95 set peer X.X.241.90
map West-map 95 set transform-set Remote ikev1 crypto
card crypto West-map 95 defined security-association life seconds 28800Juniper-
"Remote-ftp" X.X.167.233 255.255.255.255
Gateway proposal P1 preshare "[email protected]/ * /" proposal "pre-g2-aes256-sha-28800.
P2-proposal "no-pfs-esp-aes256-sha-28800" No. - pfs esp aes256 sha-1 second 28800
----------------------
the top of the policy of "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp' 'ftp' vpn"Remote-vpn"tunnel log
put on top of the "Untrust" policy to the "Trust" "Remote-ftp' 'X.X.2.68/32' 'ftp' vpn"SonoraQ-vpn"tunnel sign
I do not know Juniper, but it seems that it is trying to negotiate the use of only 5376/tcp on the tunnel, when it should be negotiated just Protocol "ip".
-
Installation of ASA EasyVPN - cannot ping loopback on router CME
Hello
I don't know if it is a problem of firewall or something on my router, so I thought I would start here. I have an ASA 5505 at home that I use as a client for the purpose of connecting a Cisco IP phone to a CME No. 2851 router EasyVPN. At the office, I have an ASA 5510, which acts as the EasyVPN server. The CME router loopback address is 10.1.254.254, and the router's ethernet interfaces are 10.2.100.50 and 10.1.100.1. The customer EasyVPN receives an address 192.168.100.1 the EasyVPN server.
In my house, if I connect a computer to my ASA 5505 VPN is based and I can ping all my hosts interns (at the office), and I can ping both interfaces of the router. If I try to ping the router loopback address I get nothing. If I start the router and work my way to the EasyVPN (ASA 5510) Server I can ping the loopback address of the router to the power switch and then the ASA5510. I think it's a problem of firewall because of the capture, I install both inside the ASA interfaces:
If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo on the ASA5505 responses, and I see them on the ASA5510 - successfully running through the VPN tunnel.
If I ping 10.1.254.254, I see the echo to the ASA5505 request, but I don't see anything on the ASA5510.
I checked my nat_exemption on the ASA5510 and I have an entry like this:
nat_exemption list of allowed ip extended access any 192.168.100.0 255.255.255.128
I can provide more if necessary configs, but anybody have any ideas where I'm wrong?
Thanks in advance,
Brandon
Brandon,
I would like to start showing us "crypto ipsec to show its" on your home 5505.
Then the station we would need:
--------
See the establishment of performance-crypto
See running nat setting
See the global race
See the static race
See the tunnel-group race
---------
Ideally I would allow newspapers on informqtional level on headboard and ASA local.
Run the ping command and check:
-------
Show logg. I have 10.1.254.254
-------
We are looking for connections being built or any "deny" messages.
Marcin
-
routing of traffic between vpn tunnels
Hello
I have a scenario like that.
There are two branch office vpn tunnels to the headquarters. I want to load balance the traffic on this two links using EIGRP.
in this way, another branch offic is also connected to the head office. now, I want to ensure the communication between two branch of the office through seat over these vpn tunnels.
Concerning
skrao
Hello
Here is a great link that describes a similar setup to yours:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
Good reading and after return if there is anything that you are not clear.
PLS, don't forget to rate messages.
Paresh
-
ASA 5520 customize logo in vpn without customer portal
Hello world:
I, m set up the clientless vpn functionality in my asa 5520 version 8.2. Now I m trying to customize the clientless vpn portal. I want to change the logo of Cisco in the portal of a corporate logo but I find the option of the Don t. In addition, I want to change the language of the Help menu.
Can someone help me?
Thank you.
Concerning
Hello
Please see the bulletin:
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a008094abcb.shtml#logo
Thank you!
-Jason
-
Cisco ASA: Redundancy of double ISP VPN...
Hello, if it anyway to configure vpn site to site redundancy using a cisco asa. I know that I can configure the redundancy using two ISP on my cisco ASA, pointing to the same peer, but what if I need to point to different peers but to protect the same networks...
I know it's possible in routers using tunnels gre + ipsec or VTI, but if there of still something similar using cisco ASA?
Any help will be appreciated! Thank you!
Hello
Yes, Nagiswaren is right. For example, you have this:
Based on the image above and your answers, you need to configure something like this:
Subnet mask IP address name interface method
Ethernet0/0 outsideVPN 10.198.16.143 255.255.255.224 manual
Ethernet0/1 inside 172.31.255.1 255.255.255.0 Manual
Ethernet0/2 outside-VPN2 10.198.29.21 255.255.255.224 manualEthernet0/3 INTERNET 12.12.12.12 255.255.255.224 manual
155 extended access-list allow ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0
IP 10.0.20.0 allow Access-list extended sheep 255.255.255.0 10.0.10.0 255.255.255.0NAT (inside) 0 access-list sheep
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DES-MD5
correspondence address card crypto mymap 10 155
map mymap 10 set peer 1.1.1.1 crypto 2.2.2.2
mymap 10 transform-set 3DES-MD5 crypto card
card crypto mymap interface outsideVPN
crypto interface outside-VPN2 mymap map
ISAKMP crypto enable outsideVPN
ISAKMP crypto enable outside-VPN2crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco123tunnel-group 2.2.2.2 type ipsec-l2l
2.2.2.2 tunnel-group ipsec-attributes
pre-shared-key cisco123=============================================================================================
FOLLOW-UP OF THE OBJECT
Track 100 rtr 10 accessibility
ALS 10 monitor
type echo protocol ipIcmpEcho 4.2.2.2 interface outsideVPN
NUM-package of 3
frequency 10
Annex monitor SLA 10 life never start-time nowcourse INTERNET 0.0.0.0 0.0.0.0 12.12.12.1 1
Route outsideVPN 1.1.1.1 255.255.255.255 10.198.16.129 1 followed by 100
Route outsideVPN 2.2.2.2 255.255.255.255 10.198.16.129 1 followed by 100
Route outsideVPN 10.0.10.0 255.255.255.0 10.198.16.129 1 followed by 100
Route outsideVPN 4.2.2.2 255.255.255.255 10.198.16.129 1Route outside-VPN2 1.1.1.1 255.255.255.255 10.198.29.1 254
Route outside-VPN2 2.2.2.2 255.255.255.255 10.198.29.1 254Route outside-VPN2 10.0.10.0 255.255.255.0 10.198.29.1 254
I used 4.2.2.2 but you can use the isps1 IP address.
==========================ROUTER===================================================================
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2access-list 133 allow ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
ISAKMP crypto key cisco123 address 10.198.16.143 No.-xauth
ISAKMP crypto key cisco123 address 10.198.29.21 No.-xauth
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
primary-card 10 map ipsec-isakmp crypto
defined by peer 10.198.16.143defined by peer 10.198.29.21
game of transformation-ESP-3DES-SHA
match address 133secondary-card 10 map ipsec-isakmp crypto
defined by peer 10.198.16.143defined by peer 10.198.29.21
game of transformation-ESP-3DES-SHA
match address 133interface FastEthernet0
IP 1.1.1.1 255.255.255.0
crypto primer-card cardinterface FastEthernet1
IP address 2.2.2.2 255.255.255.0
card crypto high school-mapInterface Vlan1 * inside the interface *.
IP 10.0.10.1 255.255.255.01 IP sla monitor
Protocol type echo 4.2.2.2 ipIcmpEcho
timeout of 1000
frequency 3
threshold 2IP sla monitor Appendix 1 point of life to always start-time now
accessibility of rtr 1 track 123IP route 4.2.2.2 255.255.255.255 1.1.1.254 permanent
IP route 10.198.16.143 255.255.255.255 1.1.1.254 1 follow 123IP route 10.198.29.21 255.255.255.255 1.1.1.254 1 follow 123
IP route 10.0.20.0 255.255.255.0 1.1.1.254 1 follow 123
IP route 10.198.16.143 255.255.255.255 2.2.2.254 200
IP route 10.198.29.21 255.255.255.255 2.2.2.254 200
IP route 10.0.20.0 255.255.255.0 2.2.2.254 200
-josemed
-
Cisco ASA 5510 multiple dynamic config VPN L2L necessary
Hello
We have a Cisco asa 5510 with static IP address. Also, we have a remote office with a dynamic IP address. We now have a dynamic to static VPN configured L2L. And now, we must add new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have an example of woking, or manual?
Oleg Kobelev
The config only you need in the ASA is: -.
(1) set of crypto processing
(2) political ISAKMP
(3) dynamic Crypto map
(4) default group L2L & PSK
(5) Config RRI (reverse Route Injection)
HTH >
-
ASA 5540 - cannot ping inside the interface
Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.
In the ASDM, I see messages like this:
ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.
This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.
interface Vlanx
IP x.x.x.x 255.255.255.0
IP broadcast directed to 199
IP accounting output-packets
IP pim sparse - dense mode
route IP cache flow
load-interval 30
Has anyone experiences the problem like this before? Thanks in advance for any help.
Can you post the output of the following on the ASA:-
display the route
And the output of your base layer diverter: -.
show ip route<>
HTH >
-
NAT, ASA, 2 neworks and a VPN tunnel
Hello. I have a following question. I am trying to establish a VPN tunnel to a remote network used to be connected to our via a VPN tunnel. The problem is that the previous tunnel their share has been created for the x.x.x.x our coast network which will serve no more time a month, but is currently still active and used. As I'm trying to get this VPN tunnel as soon as possible without going through all the paperwork on the other side (political, don't ask) is it possible to make NAT of the new network in the network x.x.x.x for traffic through the VPN tunnel.
Something like this:
new network-> policy NAT in old x.x.x.x fork on ASA-> VPN tunnel to the remote network using x.x.x.x addresses
It is possible to add the new policy, but sometimes it can conflict with the former.
Maybe you are looking for
-
Is it possible to change the recovery CD?
My question is used, I can change the contents of the recovery CD as I wish? I'm not happy with the recovery CD as it is full of tiny applications that do that my slower Tablet (even if I uninstalled software and tools, the registry will be always fu
-
Safari, stop suddenly and does not reopen
I use McAir with OSX Version 10.9.5. Safari has been upgrade 9.0.2 since 31 dec/15. A few days ago, when I opened my computer from sleep mode, I saw an error message advising me that an error has occurred and Safari stops unexpectedly. Since then
-
My desktop HP Pavilion P7-1074 4.5 years computer dropped last week. Planed to get a replacement on Black Friday or the day after Christmas. But I have to run some programs inside hard drve to the desktop computer. So I have attatched hard disk dive
-
Problem in battery saver mode.
Whenever I am trying to switch to battery saver mode in settings > battery, it will power off automatically.Could someone suggest a solution for it... Please ?