Cisco ASA 5520 cannot ping between VPN Tunnels

I have the main site and sites A and B. A connects to main and B connects to main. I can ping from A to main and from main to A. I can ping from main to B and from B to main. However, I cannot ping from A to B. A and B are SonicWall 2040s and main is a 5520. The issue should not be the 5520 not allowing traffic between the two VPN tunnels, but I can't understand why it does not work. Can someone give me an idea on that? Thanks in advance.

Hello

I see that you use ASDM. It always makes my eyes bleed when I need to look at the DM_INLINE named objects and try to make sense of them in CLI format.

Seems to me that there are problems with the NAT.

If you don't mind a small outage between the main site and the remote sites, I'd suggest changing the NAT configuration as follows.

Remove old

no nat (inside,outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup

no nat (inside,outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 no-proxy-arp route-lookup

Add new

object-group network NETWORK-2790
 network-object 10.217.0.0 255.255.255.0
 network-object 10.217.1.0 255.255.255.0

object-group network NETWORK-3820
 network-object 10.216.0.0 255.255.255.0
 network-object 10.216.1.0 255.255.255.0

object-group network NETWORK-COLO
 network-object 10.8.0.0 255.255.255.0

nat (outside,outside) source static NETWORK-2790 NETWORK-2790 destination static NETWORK-3820 NETWORK-3820

nat (inside,outside) source static NETWORK-COLO NETWORK-COLO destination static NETWORK-2790 NETWORK-2790

nat (inside,outside) source static NETWORK-COLO NETWORK-COLO destination static NETWORK-3820 NETWORK-3820

The first new NAT line handles the NAT0 configuration for traffic between SiteA and SiteB. The following 2 NAT lines handle NAT0 for traffic between the main site and SiteA and between the main site and SiteB.

-Jouni
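
An added example, not part of the original thread and not Cisco's code: a Python check that reads a hub ASA running-config and reports which prerequisites for spoke-to-spoke ("hairpin") traffic are missing, namely intra-interface traffic being permitted, an (outside,outside) NAT exemption between the two spoke object-groups, and each tunnel's crypto ACL covering the other spoke. The sample config is constructed from the object-groups in the answer above; the crypto ACL names VPN-TO-2790 and VPN-TO-3820 are hypothetical.

```python
import ipaddress
import re

# Constructed sample: hub running-config fragment. The ACL names are hypothetical,
# and the VPN-TO-3820 entry for spoke-to-spoke traffic is deliberately left out.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object-group network NETWORK-2790
 network-object 10.217.0.0 255.255.255.0
 network-object 10.217.1.0 255.255.255.0
object-group network NETWORK-3820
 network-object 10.216.0.0 255.255.255.0
 network-object 10.216.1.0 255.255.255.0
object-group network NETWORK-COLO
 network-object 10.8.0.0 255.255.255.0
nat (outside,outside) source static NETWORK-2790 NETWORK-2790 destination static NETWORK-3820 NETWORK-3820
nat (inside,outside) source static NETWORK-COLO NETWORK-COLO destination static NETWORK-2790 NETWORK-2790
nat (inside,outside) source static NETWORK-COLO NETWORK-COLO destination static NETWORK-3820 NETWORK-3820
access-list VPN-TO-2790 extended permit ip object-group NETWORK-COLO object-group NETWORK-2790
access-list VPN-TO-2790 extended permit ip object-group NETWORK-3820 object-group NETWORK-2790
access-list VPN-TO-3820 extended permit ip object-group NETWORK-COLO object-group NETWORK-3820
"""


def parse_object_groups(config):
    """Return {group name: [IPv4Network, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object-group network (\S+)", line)
        if header:
            current = groups.setdefault(header.group(1), [])
            continue
        member = re.match(r"\s+network-object (\S+) (\S+)", line)
        if member and current is not None:
            net = f"{member.group(1)}/{member.group(2)}"
            current.append(ipaddress.ip_network(net, strict=False))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return groups


def identity_nat(config, src, dst):
    """True if an (outside,outside) identity (NAT0) rule exists for src -> dst."""
    s, d = re.escape(src), re.escape(dst)
    rule = (rf"^nat \(outside,outside\) source static {s} {s} "
            rf"destination static {d} {d}(?:\s|$)")
    return re.search(rule, config, re.MULTILINE) is not None


def acl_permits(config, acl, src, dst):
    """True if the named ACL permits ip from object-group src to object-group dst."""
    rule = (rf"^access-list {re.escape(acl)} extended permit ip "
            rf"object-group {re.escape(src)} object-group {re.escape(dst)}(?:\s|$)")
    return re.search(rule, config, re.MULTILINE) is not None


def check_spoke_to_spoke(config, spoke_a, spoke_b, acl_a, acl_b):
    """Return a list of missing prerequisites for traffic between two spokes."""
    findings = []
    groups = parse_object_groups(config)
    nets_a, nets_b = groups.get(spoke_a, []), groups.get(spoke_b, [])
    for name, nets in ((spoke_a, nets_a), (spoke_b, nets_b)):
        if not nets:
            findings.append(f"object-group {name} is missing or empty")
    if any(x.overlaps(y) for x in nets_a for y in nets_b):
        findings.append(f"address ranges of {spoke_a} and {spoke_b} overlap")
    # Both tunnels terminate on 'outside', so traffic enters and leaves one interface.
    if not re.search(r"^same-security-traffic permit intra-interface\s*$",
                     config, re.MULTILINE):
        findings.append("same-security-traffic permit intra-interface is not set")
    # An identity rule is bidirectional, so either ordering of the groups is enough.
    if not (identity_nat(config, spoke_a, spoke_b)
            or identity_nat(config, spoke_b, spoke_a)):
        findings.append(
            f"no (outside,outside) NAT exemption between {spoke_a} and {spoke_b}")
    # The tunnel to each spoke must carry the other spoke's networks as source.
    for acl, src, dst in ((acl_a, spoke_b, spoke_a), (acl_b, spoke_a, spoke_b)):
        if not acl_permits(config, acl, src, dst):
            findings.append(f"crypto ACL {acl} lacks permit ip {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for finding in check_spoke_to_spoke(SAMPLE_CONFIG, "NETWORK-2790", "NETWORK-3820",
                                        "VPN-TO-2790", "VPN-TO-3820"):
        print("MISSING:", finding)
```

The remote SonicWalls need the matching networks on their side of each tunnel as well; this check only covers the hub.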


Similar Questions

  • cannot ping between remote vpn site?

    Site A is an L2L VPN and site B is a network-extension VPN; both connect to the same VPN device (5510) at the central office and work well.  I can ping from the central office to both remote sites, but I cannot ping between these two VPN sites.  I tried debug icmp and I can see the ICMP from side A reach the central office, but then it disappears! Is it not sent on to B?  Help, please...

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    !
    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0
    !
    access-list OUTSIDE extended permit icmp any any
    access-list HOLT-VPN-ACL extended permit ip object CBO-NET object-group SITE-A
    !
    nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
    !
    crypto map VPN-MAP 50 match address HOLT-VPN-ACL
    crypto map VPN-MAP 50 set peer *.*.56.250
    crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
    crypto map VPN-MAP interface outside
    !
    group-policy REMOTE-NETEXTENSION internal
    group-policy REMOTE-NETEXTENSION attributes
     dns-server value *.*.*.*
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE-NET2
     default-domain value *.org
     nem enable
    !
    tunnel-group REMOTE-NETEXTENSION type remote-access
    tunnel-group REMOTE-NETEXTENSION general-attributes
     authentication-server-group (inside) LOCAL
     default-group-policy REMOTE-NETEXTENSION
    tunnel-group REMOTE-NETEXTENSION ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group *.*.56.250 type ipsec-l2l
    tunnel-group *.*.56.250 ipsec-attributes
     ikev1 pre-shared-key *
    !

    ASA-5510# show route | include 192.168.42
    S 192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510# show route | include 192.168.46
    S 192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
    ASA-5510#

    !
    Username: Laporte-don't Index: 10
    Assigned IP: 192.168.46.0 public IP address: *. *.65.201
    Protocol: IKEv1 IPsecOverNatT
    License: Another VPN
    Encryption: 3DES hash: SHA1
    TX Bytes: bytes 11667685 Rx: 1604235
    Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
    Opening time: 08:19:12 IS Thursday, February 12, 2015
    Duration: 6 h: 53 m: 29 s
    Inactivity: 0 h: 00 m: 00s
    Result of the NAC: unknown
    Map VLANS: VLAN n/a: no
    !
    ASA-5510# show vpn-sessiondb l2l

    Session type: LAN-to-LAN

    Connection: *. *.56.250
    Index: 6 IP Addr: *. *.56.250
    Protocol: IPsec IKEv1
    Encryption: AES256 3DES hash: SHA1
    TX Bytes: bytes 2931026707 Rx: 256715895
    Connect time: 02:00:41 GMT Thursday, February 12, 2015
    Duration: 13: 00: 10:00

    Hi Rico,

    You need dynamic NAT (to any available IP address) in both directions, from each remote subnet to the other side's remote subnet, so that they can reach each other's subnets as if the traffic came from your central location.

    Example:

    Say this IP (10.10.10.254) is an unused IP at the central office that is allowed to access the remote tunnel sites 'A' and 'B'.

    object-group network SITE-A
     network-object 192.168.42.0 255.255.255.0
    !
    object-group network SITE-B
     network-object 192.168.46.0 255.255.255.0

    nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B

    nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A

    Hope this helps

    Thank you

    Rizwan James

  • Routing with Cisco ASA 5520 VPN

    I have set up IPsec VPN remote users on the Cisco ASA 5520 using RADIUS in my main network. It works very well. I have site-to-site tunnels from my Cisco ASA 5520 going to other sites; some of the tunnels have Cisco ASAs and some have SonicWalls. I want my remote IPsec VPN users to be able to traverse these site-to-site tunnels to access the remote subnets attached to them. Do I need to use a combination of routing and ACLs? Or can I just use ACLs only? Or just use routing only?

    Thank you

    Carlos

    Hello

    The key thing to set up here is the ACLs on the two L2L VPN endpoints that define the 'interesting' traffic for the L2L VPN connection. You will also need to confirm that the VPN Client connection is configured so that traffic to the remote sites is sent to the VPN Client connection. There are also other things that you should check on your central ASA.

    Here are most of the things you usually have to confirm:

    • Configure 'same-security-traffic permit intra-interface' if it is not already present in your configuration

      • This setting allows connections to form between hosts that are connected to the same interface on the ASA. It applies in this case because the VPN Client users are connected to the 'outside' interface of the ASA and the remote sites are also connected to the ASA's 'outside' interface. So the traffic between the remote VPN Client and the L2L VPN sites will enter and exit the same interface
    • You will need to check how the VPN Client connection is configured: Split Tunnel or Full Tunnel
      • If the VPN Client connection is configured as Split Tunnel, then you need to add all the remote networks to the Split Tunnel, so that connections from the VPN Client to them are forwarded to the ASA and from there to the L2L VPN connections
      • If the VPN Client connection is configured as Full Tunnel, then there is no problem, as all traffic is forwarded to the VPN Client connection while it is active
    • Define the VPN pool in the L2L VPN ACLs
      • You should make sure that the VPN Client pool network is defined in the ACLs that define the 'interesting' traffic for the L2L VPN connection. So you need to add the VPN pool to the L2L VPN configurations on both the central and the remote sites
    • Configure NAT0 / NAT exempt for the remote VPN Client to L2L VPN site traffic at both ends of the L2L VPN
      • You must ensure that NAT0 / NAT exempt rules exist for the VPN Client to remote site traffic. This will have to be configured on the ASA 'outside' interface. The configuration format naturally varies a bit depending on the central ASA's software level.

    These should be the most common things to set up and confirm for traffic to flow between the VPN Client and the remote sites.

    Hope this helps. Please rate if it did, or ask more if necessary.

    -Jouni

  • What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

    Hi all

    Can you please tell me which VPN I can configure in place of PPTP on the ASA 5520 firewall? Which VPN works like a PPTP VPN on the Cisco ASA 5520 firewall?

    You can use the RA VPN wizard in ASDM and configure L2TP/IPsec VPN, which does not need a VPN Client to be installed.

    Michael

    Please rate all useful posts

  • Is supported PPTP vpn cisco ASA 5520 firewall?

    Hi all

    I'm Md.kamruzzaman. My company bought a Cisco ASA 5520 firewall and I want to configure PPTP VPN on the ASA 5520 firewall. Is it possible to configure PPTP VPN on the ASA firewall? If possible, can you please tell me the procedure to configure PPTP VPN?

    Best regards

    MD.kamruzzaman

    Sorry, but the Cisco ASA firewall does not support PPTP VPN termination.

    You may terminate IPSec and SSL VPN but not of type PPTP.

    If you are new to the ASA, the best way to configure the supported VPN types is via the VPN Wizard built into the ASDM management application.

  • Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

    Hello!

    I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

    ASA Version 9.1 (1)

    !

    ASA host name

    domain xxx.xx

    names of

    local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

    !

    interface GigabitEthernet0/0

    nameif inside

    security-level 100

    192.168.11.1 IP address 255.255.255.0

    !

    interface GigabitEthernet0/1

    Description Interface_to_VPN

    nameif outside

    security-level 0

    IP 111.222.333.444 255.255.255.240

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/4

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/5

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    management only

    nameif management

    security-level 100

    192.168.5.1 IP address 255.255.255.0

    !

    passive FTP mode

    DNS server-group DefaultDNS

    www.ww domain name

    same-security-traffic permit intra-interface

    object network LAN

    subnet 192.168.11.0 255.255.255.0

    description LAN

    object network SSLVPN_POOL

    subnet 192.168.12.0 255.255.255.0

    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    management of MTU 1500

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 711.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN

    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    WebVPN

    list of URLS no

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    AAA authentication http LOCAL console

    LOCAL AAA authorization exec

    Enable http server

    http 192.168.5.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec pmtu aging infinite - the security association

    Crypto ca trustpoint ASDM_TrustPoint5

    Terminal registration

    E-mail [email protected] / * /

    name of the object CN = ASA

    address-IP 111.222.333.444

    Configure CRL

    Crypto ca trustpoint ASDM_TrustPoint6

    Terminal registration

    domain name full vpn.domain.com

    E-mail [email protected] / * /

    name of the object CN = vpn.domain.com

    address-IP 111.222.333.444

    pair of keys sslvpn

    Configure CRL

    trustpool crypto ca policy

    string encryption ca ASDM_TrustPoint6 certificates

    Telnet timeout 5

    SSH 192.168.11.0 255.255.255.0 inside

    SSH timeout 30

    Console timeout 0

    No ipv6-vpn-addr-assign aaa

    no local ipv6-vpn-addr-assign

    192.168.5.2 management - dhcpd addresses 192.168.5.254

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    SSL-trust outside ASDM_TrustPoint6 point

    WebVPN

    allow outside

    CSD image disk0:/csd_3.5.2008-k9.pkg

    AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

    AnyConnect enable

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

    internal VPN_CLIENT_POLICY group policy

    VPN_CLIENT_POLICY group policy attributes

    WINS server no

    value of server DNS 192.168.11.198

    VPN - 5 concurrent connections

    VPN-session-timeout 480

    client ssl-VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list VPN_CLIENT_ACL

    myComp.local value by default-field

    the address value VPN_CLIENT_POOL pools

    WebVPN

    activate AnyConnect ssl dtls

    AnyConnect Dungeon-Installer installed

    AnyConnect ssl keepalive 20

    time to generate a new key 30 AnyConnect ssl

    AnyConnect ssl generate a new method ssl key

    AnyConnect client of dpd-interval 30

    dpd-interval gateway AnyConnect 30

    AnyConnect dtls lzs compression

    AnyConnect modules value vpngina

    value of customization DfltCustomization

    internal IT_POLICY group policy

    IT_POLICY group policy attributes

    WINS server no

    value of server DNS 192.168.11.198

    VPN - connections 3

    VPN-session-timeout 120

    Protocol-tunnel-VPN-client ssl clientless ssl

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list VPN_CLIENT_ACL

    field default value societe.com

    the address value VPN_CLIENT_POOL pools

    WebVPN

    activate AnyConnect ssl dtls

    AnyConnect Dungeon-Installer installed

    AnyConnect ssl keepalive 20

    AnyConnect dtls lzs compression

    value of customization DfltCustomization

    username vpnuser password PA$ encrypted $WORD

    vpnuser username attributes

    VPN-group-policy VPN_CLIENT_POLICY

    type of remote access service

    Username vpnuser2 password PA$ encrypted $W

    username vpnuser2 attributes

    type of remote access service

    username admin password ADMINPA$ $ encrypted privilege 15

    VPN Tunnel-group type remote access

    General-attributes of VPN Tunnel-group

    address VPN_CLIENT_POOL pool

    Group Policy - by default-VPN_CLIENT_POLICY

    VPN Tunnel-group webvpn-attributes

    the aaa authentication certificate

    enable VPN_to_R group-alias

    type tunnel-group IT_PROFILE remote access

    attributes global-tunnel-group IT_PROFILE

    address VPN_CLIENT_POOL pool

    Group Policy - by default-IT_POLICY

    tunnel-group IT_PROFILE webvpn-attributes

    the aaa authentication certificate

    enable IT Group-alias

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    : end

    Help me please! Thank you!

    Hello

    Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

    Thank you

    swap

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We now plan to set up a site-to-site IPsec VPN tunnel between an ASA 5505 (ASA Version 8.4) and an ASA 5510 (ASA Version 8.0), but it failed. Would you please show me how to establish it? Is there a reference guide?

    I got syslog errors 713902 and 713903; how do I fix them?

    I got the following when I typed "sh crypto isakmp sa":

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

    Hugo

    Hello

    This state is reached when the phase 1 policies do not match on the two ends.

    Please confirm that you have the same phase 1 settings on both sides with the following commands:

    show run crypto isakmp

    show run crypto ikev1

    Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a route suitable for the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • ASA 5520 to Juniper ss505m vpn

    I'm having a problem with the site-to-site VPN between an ASA 5520 and a Juniper SS 505M. The tunnel comes up, but we seem unable to pass traffic through the VPN tunnel.  It appears the remote side makes a connection to the FTP server on the local side, but is never prompted for login credentials.

    April 19, 2016 13:27:13 SQL-B2B-01: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xD167A5E8, sequence number= 0xD) from X.X.241.90 (user= X.X.241.90) to X.X.167.230.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as X.X.167.233, its source as X.X.2.68, and its protocol as TCP.  The SA specifies its local proxy as X.X.167.233/255.255.255.255/tcp/5376 and its remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.

    list of remote ip-group of objects allowed extended West Local Group object

    NAT static Local_Pub Local destination (indoor, outdoor) static source Remote

    crypto ipsec ikev1 transform-set Remote esp-aes-256 esp-sha-hmac

    crypto map West-map 95 match address Remote
    crypto map West-map 95 set peer X.X.241.90
    crypto map West-map 95 set ikev1 transform-set Remote
    crypto map West-map 95 set security-association lifetime seconds 28800

    Juniper-

    "Remote-ftp" X.X.167.233 255.255.255.255

    Gateway proposal P1 preshare "[email protected]/ * /" proposal "pre-g2-aes256-sha-28800.

    P2-proposal "no-pfs-esp-aes256-sha-28800" No. - pfs esp aes256 sha-1 second 28800

    ----------------------

    the top of the policy of "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp' 'ftp' vpn"Remote-vpn"tunnel log

    put on top of the "Untrust" policy to the "Trust" "Remote-ftp' 'X.X.2.68/32' 'ftp' vpn"SonoraQ-vpn"tunnel sign

    I do not know Juniper, but it seems that it is trying to negotiate the use of only 5376/tcp on the tunnel, when it should be negotiated just Protocol "ip".

  • Installation of ASA EasyVPN - cannot ping loopback on router CME

    Hello

    I don't know if it is a firewall problem or something on my router, so I thought I would start here.  I have an ASA 5505 at home that I use as an EasyVPN client for the purpose of connecting a Cisco IP phone to a 2851 CME router.  At the office, I have an ASA 5510, which acts as the EasyVPN server.  The CME router's loopback address is 10.1.254.254, and the router's ethernet interfaces are 10.2.100.50 and 10.1.100.1.  The EasyVPN client receives the address 192.168.100.1 from the EasyVPN server.

    At home, if I connect a computer to my ASA 5505, the VPN comes up and I can ping all my internal hosts (at the office), and I can ping both interfaces of the router.  If I try to ping the router's loopback address I get nothing.   If I start at the router and work my way to the EasyVPN server (ASA 5510), I can ping the router's loopback address from the switch and then from the ASA 5510. I think it's a firewall problem because of the captures I set up on the inside interfaces of both ASAs:

    If I ping 10.2.100.50 or 10.1.100.1, I see the echo requests and echo replies on the ASA 5505, and I see them on the ASA 5510, passing successfully through the VPN tunnel.

    If I ping 10.1.254.254, I see the echo request on the ASA 5505, but I don't see anything on the ASA 5510.

    I checked my nat_exemption on the ASA 5510 and I have an entry like this:

    access-list nat_exemption extended permit ip any 192.168.100.0 255.255.255.128

    I can provide more if necessary configs, but anybody have any ideas where I'm wrong?

    Thanks in advance,

    Brandon

    Brandon,

    I would like to start by having you show us "show crypto ipsec sa" on your home 5505.

    Then from the headend we would need:

    --------

    show run crypto

    show run nat

    show run global

    show run static

    show run tunnel-group

    ---------

    Ideally I would enable logging at informational level on both the headend and the local ASA.

    Run the ping command and check:

    -------

    show logg | i 10.1.254.254

    -------

    We are looking for connections being built or any "deny" messages.

    Marcin

  • routing of traffic between vpn tunnels

    Hello

    I have a scenario like that.

    There are two branch office VPN tunnels to the headquarters. I want to load balance the traffic on these two links using EIGRP.

    In the same way, another branch office is also connected to the head office. Now I want to ensure communication between the two branch offices through the head office over these VPN tunnels.

    Regards

    skrao

    Hello

    Here is a great link that describes a similar setup to yours:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    Happy reading, and post back if there is anything that is not clear.

    Pls don't forget to rate posts.

    Paresh

  • ASA 5520 customize logo in vpn without customer portal

    Hello world:

    I'm setting up the clientless VPN functionality on my ASA 5520, version 8.2. Now I'm trying to customize the clientless VPN portal. I want to change the Cisco logo in the portal to a corporate logo, but I don't find the option. In addition, I want to change the language of the Help menu.

    Can someone help me?

    Thank you.

    Regards

    Hello

    Please see the bulletin:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a008094abcb.shtml#logo

    Thank you!

    -Jason

  • Cisco ASA: Redundancy of double ISP VPN...

    Hello, is there any way to configure site-to-site VPN redundancy using a Cisco ASA? I know that I can configure redundancy using two ISPs on my Cisco ASA, pointing to the same peer, but what if I need to point to different peers but protect the same networks...

    I know it's possible on routers using GRE + IPsec tunnels or VTI, but is there something similar using a Cisco ASA?

    Any help will be appreciated! Thank you!

    Hello

    Yes, Nagiswaren is right. For example, you have this:

    Based on the image above and your answers, you need to configure something like this:

    Interface     Name          IP address      Subnet mask      Method
    Ethernet0/0   outsideVPN    10.198.16.143   255.255.255.224  manual
    Ethernet0/1   inside        172.31.255.1    255.255.255.0    manual
    Ethernet0/2   outside-VPN2  10.198.29.21    255.255.255.224  manual
    Ethernet0/3   INTERNET      12.12.12.12     255.255.255.224  manual

    access-list 155 extended permit ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list sheep extended permit ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0

    nat (inside) 0 access-list sheep

    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

    crypto map mymap 10 match address 155
    crypto map mymap 10 set peer 1.1.1.1 2.2.2.2
    crypto map mymap 10 set transform-set 3DES-MD5
    crypto map mymap interface outsideVPN
    crypto map mymap interface outside-VPN2
    crypto isakmp enable outsideVPN
    crypto isakmp enable outside-VPN2

    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key cisco123

    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key cisco123

    =============================================================================================

    OBJECT TRACKING

    track 100 rtr 10 reachability
    sla monitor 10
     type echo protocol ipIcmpEcho 4.2.2.2 interface outsideVPN
     num-packets 3
     frequency 10
    sla monitor schedule 10 life forever start-time now

    route INTERNET 0.0.0.0 0.0.0.0 12.12.12.1 1

    route outsideVPN 1.1.1.1 255.255.255.255 10.198.16.129 1 track 100
    route outsideVPN 2.2.2.2 255.255.255.255 10.198.16.129 1 track 100
    route outsideVPN 10.0.10.0 255.255.255.0 10.198.16.129 1 track 100
    route outsideVPN 4.2.2.2 255.255.255.255 10.198.16.129 1

    route outside-VPN2 1.1.1.1 255.255.255.255 10.198.29.1 254
    route outside-VPN2 2.2.2.2 255.255.255.255 10.198.29.1 254
    route outside-VPN2 10.0.10.0 255.255.255.0 10.198.29.1 254

    I used 4.2.2.2, but you can use the ISP1 IP address.

    ==========================ROUTER===================================================================
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2

    access-list 133 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

    crypto isakmp key cisco123 address 10.198.16.143 no-xauth
    crypto isakmp key cisco123 address 10.198.29.21 no-xauth

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto map primary-map 10 ipsec-isakmp
     set peer 10.198.16.143
     set peer 10.198.29.21
     set transform-set ESP-3DES-SHA
     match address 133

    crypto map secondary-map 10 ipsec-isakmp
     set peer 10.198.16.143
     set peer 10.198.29.21
     set transform-set ESP-3DES-SHA
     match address 133

    interface FastEthernet0
     ip address 1.1.1.1 255.255.255.0
     crypto map primary-map

    interface FastEthernet1
     ip address 2.2.2.2 255.255.255.0
     crypto map secondary-map

    ! inside interface
    interface Vlan1
     ip address 10.0.10.1 255.255.255.0

    ip sla monitor 1
     type echo protocol ipIcmpEcho 4.2.2.2
     timeout 1000
     frequency 3
     threshold 2

    ip sla monitor schedule 1 life forever start-time now
    track 123 rtr 1 reachability

    ip route 4.2.2.2 255.255.255.255 1.1.1.254 permanent
    ip route 10.198.16.143 255.255.255.255 1.1.1.254 1 track 123
    ip route 10.198.29.21 255.255.255.255 1.1.1.254 1 track 123
    ip route 10.0.20.0 255.255.255.0 1.1.1.254 1 track 123

    ip route 10.198.16.143 255.255.255.255 2.2.2.254 200
    ip route 10.198.29.21 255.255.255.255 2.2.2.254 200
    ip route 10.0.20.0 255.255.255.0 2.2.2.254 200

    -josemed

  • Cisco ASA 5510 multiple dynamic config VPN L2L necessary

    Hello

    We have a Cisco ASA 5510 with a static IP address. We also have a remote office with a dynamic IP address. We now have a dynamic-to-static L2L VPN configured. And now we must add a new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have a working example, or a manual?

    Oleg Kobelev

    The only config you need on the ASA is:

    (1) Crypto transform set

    (2) ISAKMP policy

    (3) Dynamic crypto map

    (4) DefaultL2LGroup & PSK

    (5) Config RRI (Reverse Route Injection)

    HTH

  • ASA 5540 - cannot ping inside the interface

    Hi all. We have recently upgraded from PIX to ASA 5540 and we saw a strange thing going on. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside) except the one where our monitoring tools are placed. On the inside there is an ACL that allows all of our core networks, but it does not help, and the behaviour of the interface is really strange.

    In the ASDM, I see messages like this:

    ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

    This is also the configuration of the VLAN interface from which we cannot ping the inside interface. We can ping to and from this VLAN and its machines without a problem. The only problem is pinging the inside interface of the ASA.

    interface Vlanx

    ip address x.x.x.x 255.255.255.0

    ip directed-broadcast 199

    ip accounting output-packets

    ip pim sparse-dense-mode

    ip route-cache flow

    load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:

    show route

    And the output from your core layer switch:

    show ip route <>

    HTH

  • NAT, ASA, 2 neworks and a VPN tunnel

    Hello. I have the following question. I am trying to establish a VPN tunnel to a remote network that used to be connected to ours via a VPN tunnel. The problem is that the previous tunnel on their side was created for our x.x.x.x network, which will no longer be in service in a month but is currently still active and in use. As I'm trying to get this VPN tunnel up as soon as possible without going through all the paperwork on the other side (politics, don't ask), is it possible to NAT the new network into the x.x.x.x network for traffic through the VPN tunnel?

    Something like this:

    new network -> policy NAT to old x.x.x.x range on ASA -> VPN tunnel to the remote network using x.x.x.x addresses

    It is possible to add the new policy, but sometimes it can conflict with the former.
