Concentrator LAN to Lan Tunnel (Group)

Similar Questions

• Established but LAN-to-Lan tunnel can not ping to a host on the inside

  We have two cisco vpn concentrator (3005).

  Behind, we use 172.20.167.0/24 (Headquarters)

  Behind, we use 172.20.184.0/24 (remote desktop)

  We are starting to do a lan-to-lan tunnel, the tunnel establishes no problem.

  the only problem is that I can ping only the inside interface of the

  hub of central administration. I can't ping (or other

  communicate to) hosts

  on each subnet.

  On each side, you must make sure that all your hosts know that the road to the other network is by the local hub or using static routes on each host, or adding routing appropriate on any device is your default gateway.

  HTH

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett

• How can I request an ACL to a LAN-to-LAN tunnel?

  I have an ASA with an active IPSec LAN-to-LAN tunnel and I'm wanting to limit which ports and IPs my extranet partner is able to reach. How can I apply an ACL to a tunnel of LAN-to-LAN to restrict entry and exit through the tunnel?

  Thanks in advance!

  It will work the same way. You must use VPN filters. If you use 8.0, you can use the following doc:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

• Use the client VPN tunnel to cross the LAN-to-LAN tunnel

  I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.

  The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.

  When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.

  Thank you for your help.

  try adding...

  permit same-security-traffic intra-interface

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114

• no tunnel-Group-map enable ike - id

  why I don't receive any tunnel-Group-map enable ike - id when configuring site to site vpn. Did I miss something in the configuration?

  You use certificate-based authentication?

  Kind regards

  Sandra

• What is the difference when the IP pool is placed under the group policy and SSL tunnel-group

  Hi usually ip address pool is placed under the group policy in Anyconnect VPN, but I noticed the ip address pool is also placed under the Anyconnect VPN tunnel-group in some ASA. What is the difference between both of them? Thank you

  Both are used for the same purpose, but that under group policy always takes preference.

  Kind regards

  Sandra

  If you find the answer useful, please mark it as correct while others can benefit from the discussion.

• How to associate policies crypto with tunnel-group?

  Hi, when I review the configuration of the VPN from point to point, I have a question. The ASA has three peer-to-peer VPN configuration. So, there are also three groups of tunnel in there. My question is how each VPN to ensure encryption policy tunnel-group? In the anther Word, what encryption policy associated with tunnel-group? Thank you.

  This is the phase 1, they work from top to bottom.  When you try to negotiate the tunnel between two counterparts, in the background, they send all of your policies and according to which is first (from top to bottom) is used.

  For example.

  If your counterpart device uses (3des, md5, pre-shared key and group 2), it will not match the policy 1 and the rest of the policy will not be considered.

  Kind regards

  Sandra

• Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group

  Hello

  Our ASA was set by a consultant some time ago to allow connectivity SSLVPN RSA backend. I am now trying to get a Site to Site VPN working but seem to get into a lot of difficulties. I get a load of the l2l VPN-related debugging messages which I believe is set up correctly. Here's what I think is of interest

  "January 24, 2009 12:13:01: % ASA-6-113009: AAA recovered in group policy by default (DfltGrpPolicy) to the user = x.x.x.x".

  The user specifies the IP address of the Cisco router remote that we try to get the VPN configuration.

  I have to admit that I haven't done a lot with the side things SSLVPN so this part of the config is out of my depth, that's why I post here.

  If anyone can help it would be really appreciated.

  Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?

  Thanks in advance for any help.

  dynamic-access-policy-registration

  DfltAccessPolicy

  WebVPN

  list of URLS no

  SVC request no svc default

  RADIUS protocol AAA-server VPNAUTH

  AAA-server VPNAUTH *. *. *

  interval before new attempt-5

  timeout 3

  key *.

  AAA authentication enable LOCAL console

  AAA authentication http LOCAL console

  LOCAL AAA authentication serial console

  the ssh LOCAL console AAA authentication

  AAA authentication LOCAL telnet console

  LOCAL AAA authorization command

  attributes of Group Policy DfltGrpPolicy

  value of DNS server! !. !. !

  VPN-idle-timeout no

  VPN-tunnel-Protocol webvpn

  enable IP-comp

  enable IPSec-udp

  field default value mondomaine.fr

  the address value vpnpool pools

  WebVPN

  enable http proxy

  SVC Dungeon - install any

  SVC keepalive 60

  SVC generate a new method ssl key

  SVC request no svc default

  disable ActiveX-relays

  disable file entry

  exploration of the disable files

  disable the input URL

  tunnel-group DefaultRAGroup webvpn-attributes

  message of rejection-RADIUS-

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  attributes global-tunnel-group DefaultWEBVPNGroup

  address vpnpool pool

  authentication-server-group VPNAUTH

  tunnel-group DefaultWEBVPNGroup webvpn-attributes

  message of rejection-RADIUS-

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared-key *.

  Wayne

  Do "sh run all tunnel-group" you should see the strategy of group associated with it.

  for example:

  tunnel-group 1.1.1.1 type ipsec-l2l

  tunnel-group 1.1.1.1 General attributes

  no accounting server group

  Group Policy - by default-DfltGrpPolicy

  tunnel-group 1.1.1.1 ipsec-attributes

  pre-shared-key *.

  by the peer-id-validate req

  no chain

  no point of trust

  ISAKMP retry threshold 10 keepalive 2

  Let me know if it helps.

  See you soon,.

  Gilbert

• Hide the tunnel-group in client anyconnect

  Hi all

  How to hide dropdown menu profiles that don't interest me not?

  see always all tunnel group set up on asa.

  in path of the cisco anyconnect client, I have preferences.xml.

  Thanks in advance for your help

  concerning

  If the group alias are configured on the SAA, no matter which user goes to the external interface to connect to the VPN will see the list.

  ASA administrator may eventually publish a URL shortcut using the "group-url" attribute when configuring the SSL VPN. Here is a link to the section of the configuration guide to do so. in this place you can browse (or point AnyConnect) directly to this URL and skip having to select from the drop-down list.

• name of the tunnel-group

  Hello

  In the configuration below I put in place a tunnel-group name that is the same as the counterpart of VPN tunnel. Is that what you have to do, or could call you the tunnel-group what you want?

  part of pre authentication ISAKMP policy 1

  ISAKMP policy 1 3des encryption

  ISAKMP policy 1 sha hash

  Group of ISAKMP policy 1 2

  ISAKMP policy 1 life 43200

  ISAKMP allows outside

  Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

  l2l_list to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

  tunnel-group 10.10.10.1 type ipsec-l2l

  tunnel-group 10.10.10.1 ipsec-attributes

  pre-shared key xxx

  card crypto abcmap 1 match address l2l_list

  card crypto abcmap 1 set counterpart 10.10.10.1

  card crypto abcmap 1 set of transformation-FirstSet

  abcmap interface card crypto outside

  Robert,

  The tunnekl group should be the IP address of the remote end - because it is used as ID. The only time where ever you need to use a specific name - is if you are certificate authentication.

  HTH.

• Enable ASA 9.1 problems with tunnel-group-list

  Hello!

  I try to get a working configuration where the Cisco VPN / DTLS phones VPN connect, while allowing access remotely via client AnyConnect of PCs.  I have two groups of tunnel and configured for this purpose of group policy and use Group-URL.

  Phones are connect very well, but I don't get the drop down menu to choose between the two groups of tunnel when connecting to a remote computer.

  An excerpt from the config.

  Moreover, I had the menu work previously when I used group instead of group-URL aliases.  However, the phones seem to require the URL group.  Now that I have those configured, the menu does not work.  If I get the full URL in the AnyConnect window, both URLs work, and I can connect.

  Thank you in advance for any suggestions you may have!

  Deb

  WebVPN

  allow outside

  AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

  AnyConnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

  AnyConnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

  AnyConnect enable

  tunnel-group-list activate

  ABC Group-Policy internal

  ABC Group Policy attributes

  value of server WINS 10.10.16.17 10.10.16.12

  value of 10.10.16.17 DNS server 10.10.16.12

  VPN - connections 3

  SSL VPN-tunnel-Protocol l2tp ipsec client ssl clientless

  Split-tunnel-policy tunnelall

  field default value abc.com

  the address value AnyConnectPool pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  time to generate a new key ssl AnyConnect 1440

  AnyConnect ssl generate a new method ssl key

  AnyConnect client of dpd-interval 5

  dpd-interval gateway AnyConnect 30

  AnyConnect ask none

  internal strategy of group ABC - STG

  ABC - STG group policy attributes

  value of server DNS 8.8.8.8

  VPN - connections 3

  SSL VPN-tunnel-Protocol l2tp ipsec client ssl clientless

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value Split-Tunnel-encrypt-ACL

  field default value abc.com

  the address value AnyConnectPool pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  time to generate a new key ssl AnyConnect 1440

  AnyConnect ssl generate a new method ssl key

  AnyConnect client of dpd-interval 5

  dpd-interval gateway AnyConnect 30

  AnyConnect ask none

  type tunnel-group Split-Tunnel-Group remote access

  attributes global-tunnel-group Split-Tunnel-Group

  address pool AnyConnectPool

  Group Policy - by default-ABC-STG

  tunnel-group Split-Tunnel-Group webvpn-attributes

  allow group-url https://asa.abc.com/ABC-STG

  tunnel-group ABC - Tunnel - type remote access Group

  attributes global-tunnel-group ABC - Tunnel - Group

  address pool AnyConnectPool

  Group-ACTIVE DIRECTORY authentication server

  Group Policy - by default-ABC

  password-management

  ABC - Tunnel tunnel-group - webvpn-attributes Group

  allow group-url https://asa.abc.com/ABC

  Hello

  You can have group-alias and group-url at the same time in the configuration so that the phones can connnect with Group-url and users can click on the drop down menu to select the right connection profile.

  tunnel-group webvpn-attributes
  Group-alias enable
  Group-url help

  Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• How to match tunnel-group with auth ASA 8.2 and IPSec VPN Client using digital certificates with Microsoft CA

  Hello

  I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml

  Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:

  % ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
  % 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
  % 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
  % ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroup

  So, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?

  Please help me!

  Kind regards

  Fernando Aguirre

  You can use the group certificate mapping feature to map to a specific group.

  This is the configuration for your reference guide:

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978

  And here is the command for "map of crypto ca certificate": reference

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685

  Hope that helps.

• Select the Tunnel-Group based on OS devices

  Hello

  having an ASA5512x is possible to have anyconnect-dial-in-PC-users asking their IDs AND also a one-time-password

  Whereas smartphone users only need to provide their username and a password without the need to manually select the profile?

  I've set up two groups of tunnel:

  (1) requires an LDAP server for authentication

  (2) is in contact with a RADIUS server running the software One Time Password.

  Is it possible to have the asa affect smartphone users (based on their OS) that it automatically uses the first profile (which has limited access to the resources of the intranet) and Anyconnect-PC-users pinned to the second category of tunnel? Dynamic access policies seem to be able to differentiate only ' in' a tunnel-group.

  Thank you very much!

  Kind regards

  David

  I never tried this way, but if it does not (as I suspect) there is a solution:

  1. Point your customers on the two different groups of tunnel with the help of tunnel-group-URL.
  2. Later in the DAP impose that the customer does not use the wrong tunnel-group.

• Profile VPN (tunnel group) under the same IP pool

  Hello

  I have on my clients VPN from Cisco ASA 5510 works perfectly. The thing is that now I want to create a new profile or a tunnel in order to create the new cause of ACL I want to restrict only to certain hosts. But I don't know if I can do it under the same IP pool. If the answer is yes how could bind the new tunnel group to the correct ACL.

  This is my config:

  vpnxxxx list of allowed ip extended access all 192.168.125.0 255.255.255.0

  IP local pool ippool 192.168.125.10 - 192.168.125.254

  NAT (outside) 1 192.168.125.0 255.255.255.0

  NAT (inside) 0-list of access vpnxxxx

  RADIUS Protocol RADIUS AAA server

  RADIUS protocol AAA-server partnerauth

  AAA-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx

  key xxxx

  Crypto-map dynamic dynmap1 20 set transform-set Myset1

  lifespan 20 set security-association crypto dynamic-map dynmap1 seconds 28800

  Crypto-map dynamic dynmap1 20 kilobytes of life together - the association of safety 4608000

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  internal group RA - VPN strategy

  attributes of RA-VPN-group policy

  Server DNS 172.16.1.100 value

  VPN-idle-timeout 30

  Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

  Split-tunnel-policy tunnelspecified

  type tunnel-group RA - VPN remote access

  General-attributes of RA - VPN Tunnel-group

  ippool address pool

  authentication-server-group (outside partnerauth)

  Group Policy - by default-RA-VPN

  tunnel-group RA - VPN ipsec-attributes

  pre-shared-key *.

  Thank you

  The command is "vpn-filter" in the Group Policy section.

  Define a group policy for each group of tunnel and select it with 'by default-group-policy' in the section of the tunnel.