Cisco's ASA IPsec tunnel disconnects after a while

Similar Questions

• (Between Cisco and Fortigate) IPsec tunnel question

  Hi all

  Im trying to install an IPsec site-to-site between 2 different routers (Cisco 3750 and Fortigate 100a) (R1 & Fortigate100A)

  IPsec, the whole scenario works with the installation.

  But unfortunately the tunnel (between R1 & Fortigate100A) IPsec does not work.

  (Pls look at the attached jpg file)

  The message is received in routers are shown below:

  Cisco: R1:

  % CRYPTO-6-IKMP_MODE_FAILURE: fast mode processing failed with the peer to 192.168.43.75

  FortiGate 100A:

  IKE 0: none established HIS IKE for informational type of d18e1af773e658b9/192.168.43.195:500->192.168.43.75 Exchange 3 cookie d3695c6cea17475a, don't drop

  IKE 0:Cisco - P1:6899: authentication OK

  IKE 0: none established HIS IKE for informational type of d18e1af78ed17bf9/192.168.43.195:500->192.168.43.75 Exchange 3 cookie 414bd35ab92bc4ef, don't drop

  IKE 0:Cisco - P1:6899:Cisco - P2:14802: failure of negotiating quick mode due to the delay of new attempt IKE 0:Cisco - P1:6900: authentication OK

  I configured both routers as follows:

  Cisco:

  HostName:R1

  ISAKMP policy 1

  Hash: sha

  Authentication: pre-shared

  Encryption: AES128

  DH group: 2

  Life 86400

  ISAKMP Key: cisco1 address 192.168.43.75

  Crypto IPsec transform-set esp - aes and hmac-sha-esp RIGHT

  Access-list: 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

  Map R1_to_Fortigate100A 10 IPsec-Isakmp crypto

  defined by peers: 192.168.43.75

  Mailing address 101

  The value transformset: RIGHT

  int fa # 0 / 0 Crypto map R1_to_Fortigate100A

  FortiGate:

  HostName: Fortigate100A

  Phase 1:

  Preshared key: cisco1

  The remote gateway ip address: 192.168.43.195

  mode: aggressive

  Accept any pair

  Proposal P1:

  AES 128 / SHA1

  AES 192 / SHA1

  AES192/SHA 256

  DH: 2

  Keylife: 86400

  Phase2:

  AES 128 / SHA1

  AES 192 / SHA1

  AES192/SHA 256

  Keylife:86400

  Quick mode selector:

  Source address: 10.10.10.0/24

  Destination address: 192.168.43.0/24

  I will be very very very grateful if you informed of my faults possible a solution

  Happy new year

  Ministry of education

  For some time I messed with a fortigate, but I would try first to change the remote address of the phase 2 to 10.0.0,0/24. If this is the statement "interesting traffic", it does not match what you have on the Cisco. After that, try to change the phase 1 Ike mode to something else than "aggressive."

  Sent by Cisco Support technique iPad App

• Cisco ASA - l2l IPSEC tunnel two dynamic hosts

  Hello

  I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

  Hello

  ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
  i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

  On ASA, it is not possible to configure the tunnel between two dynamic peers.
  You will need to have a static end to configure static to dynamic IP.

  For routers, you can follow this link.
  I hope this helps.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Cisco 1841 ipsec tunnel protocol down after a minute

  I have a strange problem where im manages to get a tha cisco ipsec tunnel 1841 to a RV016 linksys/cisco for about a minute and ping/encrypt the packets through the linen for about a minute before it breaks down. I tried different configuration and it all results in the tunnel for a minute then descend to come. I don't know if im hitting a bug and decide to if im doing something wrong.

  any help is appreciated paul

  RV016 firmware 2.0.18

  Cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4 (24) T

  my config

  no default isakmp crypto policy

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key address 0.0.0.0 eaton1234 0.0.0.0

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac ESSTS

  transport mode

  no default crypto ipsec transform-set

  !

  Crypto ipsec profile ipsec_profile1

  Description in the location main site to site VPN tunnel

  game of transformation-ESSTS

  PFS group2 Set

  !

  !

  !

  !

  !

  !

  !

  Tunnel1 interface

  Description of the location of the hand

  IP unnumbered Serial0/0/0

  source of tunnel Serial0/0/0

  destination 209.213.x.x tunnel

  ipv4 ipsec tunnel mode

  tunnel path-mtu-discovery

  protection of ipsec profile ipsec_profile1 tunnel

  !

  a debug output

  Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 the proposal

  Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 of the proposal

  (Eng. msg key.) Local INCOMING = 209.213.xx.46, distance = 209.213.xx.164,.

  local_proxy = 10.20.86.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 10.0.0.0/255.255.255.0/0/0 (type = 4),

  Protocol = ESP, transform = NONE (Tunnel),

  lifedur = 0 and 0kb in

  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

  Apr 24 16:42:07: mapdb Crypto: proxy_match

  ADR SRC: 10.20.86.0

  ADR DST: 10.0.0.0

  Protocol: 0

  SRC port: 0

  DST port: 0

  Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

  Apr 24 16:42:07: mapdb Crypto: proxy_match

  ADR SRC: 10.20.86.0

  ADR DST: 10.0.0.0

  Protocol: 0

  SRC port: 0

  DST port: 0

  Apr 24 16:42:07: IPSEC (policy_db_add_ident): src dest 10.0.0.0, 10.20.86.0, dest_port

  0

  Apr 24 16:42:07: IPSEC (create_sa): its created.

  (his) sa_dest = 209.213.xx.46, sa_proto = 50,.

  sa_spi = 0x4CF51011 (1291128849).

  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2045

  sa_lifetime(k/sec) = (4463729/3600)

  Apr 24 16:42:07: IPSEC (create_sa): its created.

  (his) sa_dest = 209.213.xx.164, sa_proto = 50,.

  sa_spi = 0x1EB77DAF (515341743).

  sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2046

  sa_lifetime(k/sec) = (4463729/3600)

  Apr 24 16:42:07: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

  you to

  Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

  Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP

  Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): select SA with spinnaker 515341743/50

  Apr 24 16:42:07: IPSEC (update_current_outbound_sa): update peer 209.213.xx.164 curre

  NT his outgoing to SPI 1EB77DAF

  Apr 24 16:42:12: IPSEC (key_engine): request timer shot: count = 1,.

  local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

  remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

  Apr 24 16:42:12: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 209.213.xx.46, distance = 209.213.xx.164,.

  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

  remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

  Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),

  lifedur = 3600 s and KB 4608000,

  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

  Apr 24 16:42:42: IPSEC (key_engine): request timer shot: count = 2,.

  local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

  remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

  Apr 24 16:42:42: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

  you all the downu

  All possible debugging has been disabled

  I would try to set up a VPN Interface virtual Tunnel on the IOS router base and the value of defined transformation in tunnel mode no transport.

  In history, I have had several issues with VPN between a router IOS and the series RV.

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• ASA 8.6 - l2l IPsec tunnel established - not possible to ping

  Hello world

  I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

  The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

  I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

  The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

  Here is the output of "show run":

  ---------------------------------------------------------------------------------------------------------------------------------------------

  ASA 1.0000 Version 2

  !

  ciscoasa hostname

  activate oBGOJTSctBcCGoTh encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  address IP X.X.X.X 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface GigabitEthernet0/2

  nameif DMZ

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  internal subnet object-

  192.168.0.0 subnet 255.255.255.0

  object Web Server external network-ip

  host Y.Y.Y.Y

  Network Web server object

  Home 192.168.2.100

  network vpn-local object - 192.168.2.0

  Subnet 192.168.2.0 255.255.255.0

  network vpn-remote object - 192.168.3.0

  subnet 192.168.3.0 255.255.255.0

  outside_acl list extended access permit tcp any object Web server

  outside_acl list extended access permit tcp any object webserver eq www

  access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

  dmz_acl access list extended icmp permitted an echo

  pager lines 24

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 DMZ

  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

  !

  internal subnet object-

  NAT dynamic interface (indoor, outdoor)

  Network Web server object

  NAT (DMZ, outside) Web-external-ip static tcp www www Server service

  Access-Group global dmz_acl

  Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

  Crypto ipsec ikev2 proposal ipsec 3des-GNAT

  Esp 3des encryption protocol

  Esp integrity md5 Protocol

  Crypto dynamic-map dynMidgeMap 1 match l2l-address list

  Crypto dynamic-map dynMidgeMap 1 set pfs

  Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

  Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

  Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

  Crypto dynamic-map dynMidgeMap 1 the value reverse-road

  midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

  midgeMap interface card crypto outside

  ISAKMP crypto identity hostname

  IKEv2 crypto policy 1

  3des encryption

  the md5 integrity

  Group 2

  FRP md5

  second life 86400

  Crypto ikev2 allow outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal midgeTrialPol group policy

  attributes of the strategy of group midgeTrialPol

  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

  enable IPSec-udp

  tunnel-group midgeVpn type ipsec-l2l

  tunnel-group midgeVpn General-attributes

  Group Policy - by default-midgeTrialPol

  midgeVpn group of tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  remote control-IKEv2 pre-shared-key authentication *.

  pre-shared-key authentication local IKEv2 *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

  : end

  ------------------------------------------------------------------------------------------------------------------------------

  X.X.X.X - ASA public IP

  Y.Y.Y.Y - a web server

  Z.Z.Z.Z - default gateway

  -------------------------------------------------------------------------------------------------------------------------------

  ASA PING:

  ciscoasa # ping DMZ 192.168.3.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

  ?????

  Success rate is 0% (0/5)

  PING from router (debug on CISCO):

  NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

  -------------------------------------------------------------------------------------------------------------------------------

  ciscoasa # show the road outside

  Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

  i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

  * - candidate by default, U - static route by user, o - ODR

  P periodical downloaded static route

  Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

  C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

  S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

  S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

  -------------------------------------------------------------------------------------------------------------------------------

  Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

  Please, if you have an idea, let me know! Thank you very much!

  Hello

  I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

  "The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

  You ACL: access-list extended dmz_acl to any any icmp echo

  For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

  Then to initiate router, the ASA Launches echo-reply being blocked again.

  Try to add permit-response to echo as well.

  In addition, you can use both "inspect icmp" in world politics than the ACL.

  If none does not work, you can run another t-shoot with control packet - trace on SAA.

  THX

  MS

• ASA ASA from Site to Site VPN IPSec Tunnel

  Any help would be greatly appreciated...

  I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.

  Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24

  Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24

  Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.

  Internet access works very well in all workstations of this site.  A static route is configured to redirect all traffic to a public router upstream.

  Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address.  A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private Public NAT.  Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)

  The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem.  However, all traffic passing on networks ICMP does not end and the Syslog reports the following-

  Site #1-

  6

  January 19, 2011

  15:27:21

  302020

  ZEFF-SB-01_LAN

  1

  10.1.1.51

  0

  Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  6

  January 19, 2011

  15:27:23

  302021

  10.1.1.51

  0

  ZEFF-SB-01_LAN

  1

  Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  Site #2-

  6

  January 19, 2011

  15:24:47

  302020

  10.1.1.51

  0

  10.0.0.30

  1

  Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

  6

  January 19, 2011

  15:24:49

  302021

  10.0.0.30

  1

  10.1.1.51

  0

  Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP

  It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow segments of LAN out to any destination.  At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).

  Anyone can shed light on a possible cause of this problem?

  Thank you

  Nick

  did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?

  Please provide the following information

  -set up the tunnel

  -show the isa cry his

  -show the ipsec cry his

  -ping of the site 1 site 2 via tunnel

  -capture "crypto ipsec to show his" once again

  -ping from site 2 to 1 by the tunnel of the site

  -capture "crypto ipsec to show his" once again

  -two ASA configuration.

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• IPSec Tunnel permanent between two ASA

  Hello

  I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.

  What should I do?

  Thanks for any help

  Yves

  Disables keepalive IKE processing, which is enabled by default.

  (config) #tunnel - 10.165.205.222 group ipsec-attributes

  KeepAlive (ipsec-tunnel-config) #isakmp disable

  Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - idle - timeout no

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - session - timeout no

  Thank you

  Ajay

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• I can weight of the IPSec Tunnels between ASAs

  Hello

  Remote site: link internet NYC 150 MB/s

  Local site: link internet Baltimore 400 MB/s

  Backup site: link internet Washington 200 Mb/s

  My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches.  Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down.  We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit.  We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

  Interesting traffic would be the same for the two tunnels

  I know that ASA cannot be a GRE endpoint.  How can I force the New York traffic through the tunnel in Baltimore as long as it works?  An IPSec tunnel can be weighted?

  Thank you

  It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

  For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

  Reference.

• How to disable a particular IPSec tunnel on Cisco router

  Hi guys,.

  Someone knows a way to termporarily disable an IPSec tunnel on a Cisco router provided individual:

  -No configuration changes

  -Without affecting the other IPSec tunnels running

  -GRE is not used, so there is no tunnel interface to close

  Or in any event nearest to you to meet the requirement above?

  Thank you

  Andrew

  Andrew,

  There is no way to 'turn off' the tunnel without changing the config.

  I think the easiest would be to get the card crypto for this particular tunnel and remove the peer or the ACL:

  for example:

  labmap 10 ipsec-isakmp crypto map

  no counterpart set 10.0.0.1

  labmap 10 ipsec-isakmp crypto map

  no correspondence address 100

  or you can remove the key isakmp for this tunnel, that would, for example:

  No cisco123 key crypto isakmp 10.0.0.1 address

  That would prevent the tunnel to come without affecting the other tunnels.

  I hope this helps.

  Raga

• View of the horizon 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

  Hello

  The problem:

  Our technology smart tunnel doesn't seem to be forward traffic to our new customer from the view.  I wonder what kind of configuration changes must be considered to enable such a connection.  The error returned when searching for the host name goes in the direction of the hostname not found.  Error finding of intellectual property is related to the time-out.

  Background information and specifications:

  We are in the process of upgrading our servers from 5.2 to 6.2 connection.  As part of the upgrade, we want to improve our customers for the Horizon to use version 3.5.0.  To make it easier on vendors and remote computers we prefer also to our Horizon View Client with ThinApp 4.7.3 ThinApp.  We currently have a Cisco ASA, supporting a SSL VPN portal with "Smart Tunnel" technology.  The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

  Preferred connection scenario:

  User > PC > VMware View Client (ThinApp would be) > Cisco ASA Smart Tunnel > view connection server > Virtual Office

  .exe running on the client to view ThinApp:

  It seems the ThinApp Client version view is only launching VMware - view.exe.

  .exe running from the customer view full/thickness:

  VMware - view.exe

  -ftnlsv.exe

  -vmwsprrdpwks.exe

  -ftscanmgr.exe

  There is something else to consider when the view client configuration ThinApp or thickness to work with Cisco SSL VPN Portal and the Smart Tunnel?  We should have ports configured in the client in connection with the same view Firewall works with SSL VPN Portal port redirector functionality.

  We have not been able to find any documentation on how to properly configure the smart to work with the New Horizon 3.5.2 client Tunnel.  A ticket of troubleshooting with Cisco suggests that the Smart Tunnel feature still perhaps not compatible with this new Horizon (thin or thick) client.  Currently, we are looking at other options because it is not not clear whether Cisco will be able to get us the confirmation or offer a solution without delay of our project to upgrade.  Maybe stick to the previous VMware View Client version 5.4.0 which we know work with Smart Tunnel in some situations and with the redirector port for others.

• Public static IPsec tunnel between two routers cisco [VRF aware]

  Hi all

  I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

  Router R2 has two routing tables:

  * vrf INET - used for internet connectivity

  * global routing table - used for VPN connections

  Here are the basic configs:

  R1

  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
  invalid-spi-recovery crypto ISAKMP
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
  transport mode
  !
  Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
  game of transformation-TRSET_AES-256_SHA
  !
  interface Loopback0
  10.0.1.1 IP address 255.255.255.255
  IP ospf 1 zone 0
  !
  interface Tunnel0
  IP 192.168.255.34 255.255.255.252
  IP ospf 1 zone 0
  source of tunnel FastEthernet0/0
  tunnel destination 203.0.0.3
  ipv4 ipsec tunnel mode
  Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
  !
  interface FastEthernet0/0
  IP 102.0.0.1 255.255.255.0

  !

  IP route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

  #######################################################

  R2

  IP vrf INET
  RD 1:1
  !
  Keyring cryptographic test vrf INET
  address of pre-shared-key 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
  !
  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  invalid-spi-recovery crypto ISAKMP
  crypto isakmp profile test
  door-key test
  function identity address 102.0.0.1 255.255.255.255
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
  transport mode
  !
  Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
  game of transformation-TRSET_AES-256_SHA
  Test Set isakmp-profile
  !
  interface Loopback0
  IP 10.0.2.2 255.255.255.255
  IP ospf 1 zone 0
  !
  interface Tunnel0
  IP 192.168.255.33 255.255.255.252
  IP ospf 1 zone 0
  source of tunnel FastEthernet0/0
  tunnel destination 102.0.0.1
  ipv4 ipsec tunnel mode
  tunnel vrf INET
  Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
  !
  interface FastEthernet0/0
  IP vrf forwarding INET
  IP 203.0.0.3 255.255.255.0

  !

  IP route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

  #######################################################

  There is a router between R1 and R2, it is used only for connectivity:

  interface FastEthernet0/0
  IP 102.0.0.2 255.255.255.0
  !
  interface FastEthernet0/1
  IP 203.0.0.2 255.255.255.0

  The problem that the tunnel is not coming, I can't pass through phase I.

  The IPsec VPN are not my strength. So if someone could show me what mistake I make, I'd appreciate it really.

  I joined ouptup #debug R2 crypto isakmp

  Source and destination Tunnel0 is belong to VRF INET, the static route need to be updated.

  IP route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

  crypto isakmp profile test

  VRF INET

  door-key test
  function identity address 102.0.0.1 255.255.255.255

• Strange problem in IPSec Tunnel - 8.4 NAT (2)

  Helloo all,.

  This must be the strangest question I've seen since the year last on my ASA.

  I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:

  A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen

  The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!

  Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:

  my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)

  CISCO ASA - IPSec network details

  LAN - 10.2.4.0/28

  REMOTE NETWORK - 192.168.171.8/32

  JUNIPER SSG 140 - IPSec networks details

  ID OF THE PROXY:

  LAN - 192.168.171.8/32

  REMOTE NETWORK - 10.2.4.0/28

  Name host # sh cry counterpart his ipsec

  peer address:

  Tag crypto map: outside_map, seq num: 5, local addr:

  outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

  local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)

  Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)

  current_peer:

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  local crypto endpt. : 0, remote Start. crypto: 0

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

  current outbound SPI: 5041C19F

  current inbound SPI: 0EC13558

  SAS of the esp on arrival:

  SPI: 0x0EC13558 (247543128)

  transform: esp-3des esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 22040576, crypto-card: outside_map

  calendar of his: service life remaining key (s): 3232

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0xFFFFFFFF to 0xFFFFFFFF

  outgoing esp sas:

  SPI: 0x5041C19F (1346486687)

  transform: esp-3des esp-sha-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 22040576, crypto-card: outside_map

  calendar of his: service life remaining key (s): 3232

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  CONTEXTS for this IPSEC VPN tunnel:

  # Sh asp table det vpn context host name

  VPN CTX = 0x0742E6BC

  By peer IP = 192.168.171.8

  Pointer = 0x78C94BF8

  State = upwards

  Flags = BA + ESP

  ITS = 0X9C28B633

  SPI = 0x5041C19D

  Group = 0

  Pkts = 0

  Pkts bad = 0

  Incorrect SPI = 0

  Parody = 0

  Bad crypto = 0

  Redial Pkt = 0

  Call redial = 0

  VPN = filter

  VPN CTX = 0x07430D3C

  By peer IP = 192.168.1.8

  Pointer = 0x78F62018

  State = upwards

  Flags = DECR + ESP

  ITS = 0X9C286E3D

  SPI = 0x9B6910C5

  Group = 1

  Pkts = 297

  Pkts bad = 0

  Incorrect SPI = 0

  Parody = 0

  Bad crypto = 0

  Redial Pkt = 0

  Call redial = 0

  VPN = filter

  outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8

  NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

  network of the Ren - around object

  subnet 10.2.4.0 255.255.255.240

  network of the host object counterpart

  Home 192.168.171.8

  HS cry ipsec his

  IKE Peer:

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

  Phase: 7

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

  Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = none, output_ifc = external

  VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

  A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

  Phase: 1

  Type: ACCESS-LIST

  Subtype:

  Result: ALLOW

  Config:

  Implicit rule

  Additional information:

  Direct flow from returns search rule:

  ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

  hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

  Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

  DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

  input_ifc = output_ifc = any to inside,

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 192.168.171.0 255.255.255.0 outside

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

  hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = output_ifc = any to inside,

  Phase: 4

  Type:

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

  hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = output_ifc = any to inside,

  Phase: 5

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

  Additional information:

  Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

  Direct flow from returns search rule:

  ID = 0x77e0a878, priority = 6, area = nat, deny = false

  hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

  IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = inside, outside = output_ifc

  
  

  (it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)

  Phase: 6

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

  hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

  IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

  IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

  input_ifc = none, output_ifc = external

  Phase: 7

  Type: VPN

  Subtype: ipsec-tunnel-flow

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

  hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

  IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

  input_ifc = out, output_ifc = any

  Phase: 8

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

  hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

  input_ifc = out, output_ifc = any

  Phase: 9

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 119880921 id, package sent to the next module

  Information module for forward flow...

  snp_fp_tracer_drop

  snp_fp_inspect_ip_options

  snp_fp_tcp_normalizer

  snp_fp_translate

  snp_fp_adjacency

  snp_fp_encrypt

  snp_fp_fragment

  snp_ifc_stat

  Information for reverse flow...

  snp_fp_tracer_drop

  snp_fp_inspect_ip_options

  snp_fp_ipsec_tunnel_flow

  snp_fp_translate

  snp_fp_tcp_normalizer

  snp_fp_adjacency

  snp_fp_fragment

  snp_ifc_stat

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  Hostname # sh Cap A1

  8 packets captured

  1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

  2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

  3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

  4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

  5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

  6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

  7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

  8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

  8 packets shown

  As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.

  I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!

  Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.

  If someone could help me, that would be greatt and greatly appreciated!

  Thanks heaps. !

  Perfect! Now you must find something else inside for tomorrow--> forecast rain again

  Please kindly marks the message as answered while others may learn from it. Thank you.