Cisco ASA VPN tunnel question - DMZ interface

Similar Questions

• Between Cisco ASA VPN tunnels with VLAN + hairpin.

  I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:

  1. The 5505 has a dynamically assigned internet address.
  2. The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
  3. The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).

  Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.

  Thank you!

  1. The 5505 has a dynamically assigned internet address.

  You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning

  2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).

  Make sure that the interface is connected to a switch so that it remains all the TIME.

  3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.

  You can use dynamic VPN with normal static rather EZVPN tunnel.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Transfer between Cisco ASA VPN Tunnels

  Hi Experts,

  I have a situation where I need to set up the transfer between two VPN Tunnels completed in the same box ASA. A VPN Tunnel will incoming traffic and that traffic should be sent to the bottom of the other VPN Tunnel to the ASA. The two VPN Tunnels are from the Internet and speak with the same IP address of the ASA peers.

  Retail

  Tunnel A

  Source: 192.168.1.0/25

  Destination: 10.1.1.0/25

  Local counterpart: 170.252.100.20 (ASA in question)

  Remote peer: 144.36.255.254

  Tunnel B

  Source: 192.168.1.0/25

  Destination: 10.1.1.0/25

  Local peer IP: 170.252.100.20 (box of ASA in question)

  Distance from peer IP: 195.75.75.1

  Can this be achieved? what configurations are needed in the ASA apart cryptographic ACL entries?

  Thanks in advance for your time.

  Believed that, in this case your config is good, and you can avoid using routes on your asa since it must route based on its default gateway, make sure you have good sheep in place rules and the inter-to interface same-security-interface allowed return you will need.

• View of the horizon 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

  Hello

  The problem:

  Our technology smart tunnel doesn't seem to be forward traffic to our new customer from the view.  I wonder what kind of configuration changes must be considered to enable such a connection.  The error returned when searching for the host name goes in the direction of the hostname not found.  Error finding of intellectual property is related to the time-out.

  Background information and specifications:

  We are in the process of upgrading our servers from 5.2 to 6.2 connection.  As part of the upgrade, we want to improve our customers for the Horizon to use version 3.5.0.  To make it easier on vendors and remote computers we prefer also to our Horizon View Client with ThinApp 4.7.3 ThinApp.  We currently have a Cisco ASA, supporting a SSL VPN portal with "Smart Tunnel" technology.  The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

  Preferred connection scenario:

  User > PC > VMware View Client (ThinApp would be) > Cisco ASA Smart Tunnel > view connection server > Virtual Office

  .exe running on the client to view ThinApp:

  It seems the ThinApp Client version view is only launching VMware - view.exe.

  .exe running from the customer view full/thickness:

  VMware - view.exe

  -ftnlsv.exe

  -vmwsprrdpwks.exe

  -ftscanmgr.exe

  There is something else to consider when the view client configuration ThinApp or thickness to work with Cisco SSL VPN Portal and the Smart Tunnel?  We should have ports configured in the client in connection with the same view Firewall works with SSL VPN Portal port redirector functionality.

  We have not been able to find any documentation on how to properly configure the smart to work with the New Horizon 3.5.2 client Tunnel.  A ticket of troubleshooting with Cisco suggests that the Smart Tunnel feature still perhaps not compatible with this new Horizon (thin or thick) client.  Currently, we are looking at other options because it is not not clear whether Cisco will be able to get us the confirmation or offer a solution without delay of our project to upgrade.  Maybe stick to the previous VMware View Client version 5.4.0 which we know work with Smart Tunnel in some situations and with the redirector port for others.

• ASA 5505 VPN easy & 3rd / DMZ interface

  We have many new and very small remote sites that need to connect via an ASA5505 via easy VPN.  Works without a problem and we have the configuration and the process nailed.

  The challenge that I received today involve non standard remote sites, where I need to set up a third interface an ASA 5505 and allow it to go directly to the Internet and do not go through the VPN.  Configuration of the third interface, assignment and configuration of the ACLS / NAT (PAT) are towards the front.

  The challenge I face and have not been able to find a direct response to is if it is possible to have the easy process of extension of VPN traffic avoidance.  Currently, traffic is down the tunnel which is not what I want.

  I'm afraid I'll have to build conventional site-to-site VPN configurations which is not a huge problem, if it breaks all the methods of maintenance/operations, process, and I have to spend time training of the support team how to detect the differences.  Either yes I can build if someone else needs the support, which means different is a problem.

  Thank you

  What version of the software you run ASA?

  I found this in the configuration guide that suggests that only the highest security level interface is encrypted by the easy VPN tunnel, if you run ASA version 7.2.3 and above:

  http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/ezvpn505.html#wp1025408

  So, if your DMZ does not have the same level of security as your inside interface, DMZ traffic does not pass through the tunnel.

  Also, do you have split tunnel configured on the easy VPN server for this easy VPN clients group?

• ASA Cisco IPSEC VPN tunnel has not managed the traffic

  Hi guys

  I am trying to set up a new connection IPSEC VPN between a Cisco ASA 5520 (verion 8.4 (4)) and Checkpoint Firewall. I managed to establish the phases IKE and IPSEC and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the cryptomap both ends and try to test with a contionuous ping from within the network of the SAA.

  I made a screenshot of ICMP packets but cannot see in ASA. I welcomed the icmp inside ASA interface.

  I did a package tracer and it ends with a fall of vpn - filter the packets. But can not see any configured filters...

  Your help is very appreciated...

  Thank you

  You probably need to add nat negate statements:-something like.

  object-group network OBJ-LOCAL
  Network 10.155.176.0 255.255.255.0
  object-group network OBJ / remote
  object-network 192.168.101.0 255.255.255.0
  NAT static OBJ-LOCALOBJ-LOCAL source destination (indoor, outdoor) static OBJ-REMOTE OBJ-REMOTE-no-proxy-arp

  You are running 8.4 nat 0 has been amortized

• Client VPN und Cisco asa 5505 tunnel work but no traffic

  Hi all

  I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

  I have the following problem:

  I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

  To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

  Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

  After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

  I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

  What I did wrong. Could someone let me know what I have to do today.

  With hope for your help Dimitri.

  ASA configuration after reset and basic configuration: works to the Internet from within the course.

  : Saved

  : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

  !

  ASA Version 8.2 (2)

  !

  ciscoasa hostname

  activate 2KFQnbNIdI.2KYOU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE client vpdn group home

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 194.25.0.60

  Server name 194.25.0.68

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

  inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

  inside_access_in list extended access deny ip any any debug log

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

  homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location 192.168.0.0 255.255.0.0 inside

  ASDM location 192.168.10.0 255.255.255.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group home request dialout pppoe

  VPDN group House localname 04152886790

  VPDN group House ppp authentication PAP

  VPDN username 04152886790 password 1

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  TFTP server 192.168.1.5 inside c:/tftp-root

  WebVPN

  Group Policy inner residential group

  attributes of the strategy of group home group

  value of 192.168.1.1 DNS server

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list homegroup_splitTunnelAcl

  username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

  user01 username attributes

  VPN-strategy group home group

  tunnel-group home group type remote access

  attributes global-tunnel-group home group

  address homepool pool

  Group Policy - by default-homegroup

  tunnel-group group residential ipsec-attributes

  pre-shared-key ciscotest

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

  : end

  Hello

  Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

  If you connect via VPN, check the following:

  1. the tunnel is established:

  HS cry isa his

  Must say QM_IDLE or MM_ACTIVE

  2 traffic is flowing (encrypted/decrypted):

  HS cry ips its

  3. Enter the command:

  management-access inside

  And check if you can PING the inside ASA VPN client IP.

  4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

  Federico.

• Cisco ASA vpn site to site with access internet, error

  Hello

  I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
  Where would be the problem?

  There's config:

  ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
 domain-name lietuvosdujos.lt
object network LAN
 subnet 192.168.204.0 255.255.255.0
 description Local Area Network
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
 description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
 key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
 vpn-filter value vpn
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
 default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]/* */
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end

  Two things are here according to you needs.

  First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.

  object network LAN
 subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN any

  Second, you have not an exempt statement NAT so that encrypted traffic should not be translated.  This statement would look like the following:
  the object of the LAN network
  192.168.204.0 subnet 255.255.255.0

  being REMOTE-LAN network
  255.255.255.0 subnet 192.168.100.0

  Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN

  --

  Please do not forget to choose a good response and the rate

• Allowing ports through a VPN tunnel question

  I have a VPN tunnel established and I can ping above but my application fails and I think its because I encouraged not 2 ports (ports TCP 19813 and 19814) through. I'm not clear how should I do for allowing these ports through. I need to add a statement to permit to access my list 'sheep' or what I need to add a statement of license to my list of access interface "external"?

  Remote users have an IP address of 172.16.5.x 24 and they're trying to connect to users on the 192.168.200.x 24 192.168.201.x 24. I can't do a ping of the 24 192.168.200.x to the 172.16.5.0/24.

  The commands below are what I currently have in my PIX.

  My current sheep-access list:

  IP 192.168.201.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0

  IP 192.168.200.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0

  My current outside of the access-list interface:

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq smtp

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq - ica citrix

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq 500

  acl_inbound esp allowed access list any host xx.xx.xx.xx

  acl_inbound list access permit icmp any any echo response

  access-list acl_inbound allow icmp all once exceed

  acl_inbound list all permitted access all unreachable icmp

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq https

  first of all, you disable the commnad "sysopt connection permit-ipsec" on the pix? with this enabled command, which is enabled by default, the pix will ignore any ACLs for encrypted traffic. so if you have Hell no this command, then the acl that you applied on the outside int won't make a difference.

  However, if "sysopt connection permit-ipsec" is always on, and then all the port/protocol should be allowed.

  you said you could do a ping of 192.168.200.0 to 172.16.5.0. How about you 172.16.5.0 to 192.168.200.0 and 192.168.201.0?

  also, just wondering if the vpn lan-to-lan or access remote vpn (i.e. using the cisco vpn client).

• Problem Cisco ASA VPN/ACL

  All,

  The situation is that I'm trying to initiates a connection outside a Firewall ASA, to a destination IP address that is on the remote end of a VPN tunnel looked SAA even on the external interface. So logically slow traffic is outside to outside.

  The SAA is to deny the traffic that the conversation shows the source as the destination and the outside outside.

  Is there something smart, that I can do on the SAA to solve this problem?

  Thank you

  D

  Hello

  Use the following command on the ASA:

  permit same-security-traffic intra-interface

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• the Cisco asa vpn processing error payload: payload ID: 1

  Hello

  I set up vpn L2TP by using ASDM and now I am not able to connect my Cisco ASA 5505.

  It is showing the error message

  3

  July 7, 2011

  18:57:38

  IP = *. *. *. *, payload processing error: ID payload: 1

  Please suggest me how to solve this problem (by using ASDM)

  Thank you

  Hi Nikhil,

  Your config seems incomplete, command 'IPSec l2tp ipsec vpn-tunnel-Protocol' is missing, what is needed to connect L2tp try to reconfigure your firewall using the link:-

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

  Hope this helps,

  Parminder Sian

• 2 separated on same ASA VPN tunnels can communicate with each other

  Here's the scenario that I have a VPN tunnel with one of my remote locations.   I also have a VPN Tunnel with a provider that supports the equipment for my organization.   I need to have my supplier able to communicate with equipment that live in my other VPN tunnel.   The two Tunnels are on the same ASA5540.

  1 is it Possible?

  2 How set it up?

  Thank you

  Follow this link for example. Enhanced spoke-to-spoke VPN, allows the two tunnels ending to your asa5540 to connect, using parameter permit intra-interface with configuration accless-list permits traffic of each endpoint of the tunnel.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

• Cisco ASA VPN session reflect a public IP of different source

  Hi all

  I tested and managed to successfully establish the vpn on my cisco asa 5520.

  On my syslog, I can see "parent anyconnect session has begun" during my setting up vpn and "webvpn session is over" at the end of my vpn session

  where public ip used to establish the vpn address is reflected. However after the line "webvpn session is over", I can see other lines in my syslog example "group = vpngroup, username = test, ip = x.x.x.x, disconnected session, session type: anyconnect parent, duration 0 h: 00m23s, xmt bytes: 0, rcv:0 bytes, reason: requested user" where x.x.x.x is not the ip address used to establish my vpn for remote access, it is not related to my vpn ip address below. I am very sure that the x.x.x.x ip failed any vpn for my cisco asa5520. So why it is reflected in my logs to asa cisco? Pls advise, TIA!

  Hello

  Think I remember some display on a similar question in the past. Did some research on google and the next BugID was mentioned in the discussion.

  113019 syslog reports an invalid address when the VPN client disconnects.
  CSCub72545
   

  Description

• VPN Tunnel problem. external interface has private IP

  Hi all

  I don't know if it is wired or not!

  When our ISP provide us an Internet connection our real IP is configured on the ethernet interface, while the serial interfaces have a private IP address.

  The problem here is when I'm trying to configure a VPN tunnel to another router.

  Anything in the configuration is smooth, except for the part where I put the serial interface is my outside.

  The tunnel is still low coz the IP address will be my private (serial interface) during the configuration on the router counterpart is my public IP address.

  So I am woundering is there a way I can force the VPN tunnel to take the IP address configured on the side LAN? Or any other work around?

  Building configuration...

  Current configuration: 2372 bytes

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  boot-start-marker

  start the flash c1841-advsecurityk9 - mz.124 - 23.bin system

  boot-end-marker

  !

  property intellectual auth-proxy max-nodata-& 3

  property intellectual admission max-nodata-& 3

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  isakmp encryption key * address 144.254.x.y

  !

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  !

  map SDM_CMAP_1 1 ipsec-isakmp crypto

  Description Tunnel to144.254.x.y

  the value of 144.254.x.y peer

  game of transformation-ESP-3DES-SHA

  match address VPN_Traffic

  !

  !

  !

  interface FastEthernet0/0

  address IP 10.55.218.1 255.255.255.0 secondary (My internal subnet)

  IP address 196.219.a.b 255.255.255.224 (my public IP)

  IP nat inside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  No keepalive

  !

  interface FastEthernet0/1

  no ip address

  automatic duplex

  automatic speed

  !

  interface Serial0/0/0

  no ip address

  frame relay IETF encapsulation

  frame-relay lmi-type q933a

  !

  point-to-point interface Serial0/0/0.16

  IP 172.16.133.2 255.255.255.252

  NAT outside IP

  IP virtual-reassembly

  SNMP trap-the link status

  dlci 16 frame relay interface

  map SDM_CMAP_1 crypto

  !

  interface Serial0/0/1

  no ip address

  frame relay IETF encapsulation

  ignore the dcd

  frame-relay lmi-type q933a

  !

  point-to-point interface Serial0/0/1.16

  IP 172.16.134.2 255.255.255.252

  NAT outside IP

  IP virtual-reassembly

  SNMP trap-the link status

  dlci 16 frame relay interface

  map SDM_CMAP_1 crypto

  !

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 Serial0/0/1.16

  IP route 0.0.0.0 0.0.0.0 Serial0/0/0.16

  !

  VPN_Traffic extended IP access list

  Note Protect traffic Local to any Destination subnet

  Remark SDM_ACL = 4 category

  IP 10.55.218.0 allow 0.0.0.255 any

  !

  Scheduler allocate 20000 1000

  end

  This should do the trick.

  map SDM_CMAP_1 crypto local-address FastEthernet0/0

  See you soon

• Configure Cisco ASA VPN client

  I did some research and the answers it was supposed to be possible, but no info on how to do it.  I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a customer to an existing (in this case) cisco vpn client.  The reasons why are complicated (and irrelevant IMO), but basically, I need to be able to make a small network that may be on this vpn rather than on individual computers.

  The vpn client is a Basic IPSec over UDP Cisco VPN to an ASA5505.

  So, how to set up an another ASA to connect to it as if it were a client?

  Hello

  Here is a document from Cisco on the configuration, the easy ASA of VPN server and Client

  Although in this case, they use a PIX firewall as a client.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

  Here's another site with instructions related to this installation program

  http://www.petenetlive.com/kb/article/0000337.htm

  I imagine that the site of Cisco ASA Configuration Guide documents will also give instructions how to configure it.

  -Jouni