connect dynamic auto of site to site VPN
Hi all, I need to configure a site to site vpn (cisco asa and router), but the connection to the remote router must be set to auto.
Can someone help me?
Thank you
All have two IP addresses static or is on a dynamic ip?
Please clarify what you mean by "auto".
Tags: Cisco Security
Similar Questions
-
Cannot connect Cisco 2621 to AWS EC2 Openswan vpn site to site
Hello, I'm setting up Site to Site vpn between my Cisco 2621 router and Amazon EC2 instance running openswan.
I get on the following message on the openswan server: 'NO_PROPOSAL_CHOSEN '.
My router config Cisco 2621 and Openswan config are displayed below, I know im missing something small, but can't
understand what is :-) any help would be appreciated.Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga-House" #1: STATE_MAIN_I3: sent MI3, expect MR3
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]. port/protocol Phase 1 ID payload is 17/0. agreed with port_floating NAT - T
' Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga-House" #1: hand mode peer ID is ID_IPV4_ADDR: ' 192.168.1.253.
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga-House" #1: transition of State STATE_MAIN_I3 of State STATE_MAIN_I4
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "House paulaga" #1: STATE_MAIN_I4: ISAKMP Security Association established {auth = PRESHARED_KEY oakley_3des_cbc_192 integ = md5 = MODP1536 group = cipher}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga home" #2: quick launch Mode PSK + ENCRYPT + TUNNEL + PFS + UP + IKEV1_ALLOW + IKEV2_ALLOW + SAREF_TRACK + IKE_FRAG_ALLOW {using isakmp #1 proposal of msgid:17d23abf = default pfsgroup = OAKLEY_GROUP_MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga-House" #1: regardless of the payload information NO_PROPOSAL_CHOSEN, msgid = 00000000, length = 160
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]. ISAKMP Notification payload
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]. 00 00 00 a0 0e 00 00 00 01 03 04 00
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto [28503]: "paulaga-House" #1: received and ignored the information messageThe schema looks like this:
192.168.0.0/24:FA0/1[router]FA0/0 192.168.1.253 - 192.168.1.254 [Modem] 64.231.25.93 (pub ip attributed to my modem)Cisco 2621 router configuration:
Current configuration: 2649 bytes
!
version 12.3
no cache Analyzer
no service timestamps debug uptime
no service the timestamps don't log uptime
encryption password service
!
cisco2600 hostname
!
boot-start-marker
start the system flash c2600-ik9o3s3 - mz.123 - 26.bin
boot-end-marker
!
logging buffered debugging 10000
no logging monitor
!
No aaa new-model
IP subnet zero
IP cef
!
!
name-server IP 192.168.0.10
!
Max-events of po verification IP 100
!username admin privilege 15 password 7 01100F175804
!crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 5
ISAKMP crypto key mysecretkey address 52.39.49.77
!
life crypto ipsec security association seconds 28800
!
Crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac!
11 INTERNET-CRYPTO ipsec-isakmp crypto map
! Incomplete
description Amazon EC2 instance
defined by peer 52.39.49.77
transformation-AMAZON-TRANSFORM-SET game
match address 111
!
!
!
!
interface FastEthernet0/0
Connection to the Bell Modem description
IP 192.168.1.253 255.255.255.0
NAT outside IP
automatic duplex
automatic speed
crypto CRYPTO-INTERNET card
!
interface Serial0/0
no ip address
!
interface FastEthernet0/1
Description of the connection to the local network
IP 192.168.0.254 255.255.255.0
192.168.0.10 IP helper-address
IP nat inside
automatic duplex
automatic speed
No cdp enable
!
interface FastEthernet0/1.2
Service Description Vlan
encapsulation dot1Q 2
IP 10.0.0.254 255.0.0.0
192.168.0.10 IP helper-address
IP nat inside
!
IP nat inside source list ACL - NAT interface FastEthernet0/0 overload
IP nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
IP http server
local IP http authentication
no ip http secure server
no ip classless
IP route 0.0.0.0 0.0.0.0 192.168.1.254
!
!!
!
!
extended ACL - NAT IP access list
allow an ip
allow a full tcp
allow a udp
recording of debug trap
ease check syslog
record 192.168.0.47
access-list 111 allow ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
!
!
!
Dial-peer cor custom
!
!
!
Line con 0
password 7 05080F1C2243
opening of session
line to 0
line vty 0 4
privilege level 15
local connection
transport telnet entry
telnet output transport
line vty 5 15
privilege level 15
local connection
transport telnet entry
telnet output transport
!
!
endOpenswan Configuration:
file paulaga.secrets:
64.231.25.93 192.168.1.253 52.39.49.77: PSK "mysecretkey.
file paulaga.conf:
Conn paulaga-home
left = % defaultroute
subnet # EC2 My leftsubnet=172.31.0.0/16
leftid = 52.39.49.77 # EC2 my public ip
right = 64.231.25.93 # My Home Modem public ip
rightid = router 192.168.1.253 # My Home Cisco 2621 outside interface ip
rightsubnet=192.168.0.0/24 # My Home LAN Cisco 2621
authby secret =
PFS = yes
start = autoHello
Since we are getting the following error NO_PROPOSAL_CHOSEN could you please add the following on the router policies then check :
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 5crypto ISAKMP policy 20
BA 3des
md5 hash
preshared authentication
Group 2crypto ISAKMP policy 30
BA 3des
sha hash
preshared authentication
Group 2crypto ISAKMP policy 40
BA aes
md5 hash
preshared authentication
Group 2Please test with the latter and keep us informed of the results.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
a peer has dynamic IP - Site to site VPN - ASA5540
I need to configure a site to site VPN. One of the peer has dynamic IP address. The peer host name is qpmmoroc.dyndns.org. I am able to ping between the firewall, but how do I set the perr by using host name
Unfortunately not a supported configuration. You need to configure dynamic to static LAN-to-LAN tunnel according to the example configuration next:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805733df.shtml
VPN tunnel can only be initiated at the end of dynamics.
-
Connectivity between two site to site VPN
I have two remote sites that each connect to our main office using a site to site VPN. Remote offices have 831 routers. The main office has a PIX 515.
A remote office is 192.168.15.X and the other is 192.168.100.X. The main office is on a 10.X.X.X network.
Each remote office can contact the office with no problems. However, they cannot communicate with each other at all and I need this to work. I just want to be able to access the network 192.168.100.X network 192.168.15.X through the VPN tunnel that is already set up between each remote desktop.
I tried to add the other network to the ACL for the tunnel, but that did not work. I feel I'm missing something simple.
For example, the following ACL initially.
Note access-list 103 IPSec rule
access-list 103 allow ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255
I added this line to this LIST.
access-list 103 allow ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
But that did not help.
Thanks in advance.
Hello
What code are you running on the Pix. Talk to talk IPSEC connectivity is supported only in version 7.0 and higher.
Enhanced support has spoke-to-Spoke VPN
Version 7.0 (1) improving support communications a spoke-to-spoke (customer-to-customer) VPN, providing the ability to traffic to enter and exit the same interface. In addition, remote access to splitting tunnel connections can be completed on the external interface of the security apparatus, enabling traffic destined to the Internet for remote user VPN tunnels to leave on the same interface as it happened (after that the firewall rules have been applied).
The same-security-traffic command permits traffic to enter and exit the same interface when it is used with the keyword a spoke-to-spoke VPN using intra-interface. For more information, see the section "Allows Intra-Interface traffic" in the in the command line Configuration Guide Cisco Security Appliance.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_70/70_rn/pix_70rn.htm#wp162358
Example of Configuration:
Let me know if it helps.
Kind regards
Arul
* Please note all useful messages *.
-
VPN clients connecting to the site to site VPN
Hi all
I'm currently configured my firewall outside interface VPN closing the point for two clients VPN and Cisco VPN site-to-site. What I found is that when I Client VPN, I can't access the devices on the site-to-site VPN. I think that the PIX does not allow this kind of connections, because it requires routing on the same interface. Can someone point me to some docs on ORC who can help me in this situation. Thanks in advance for your help.
the restriction has been resolved with pix v7, and the related command is "permit same-security-traffic intra-interface".
-
Multiple site to site VPN connections
Hello.
I've finally set up a site to site VPN connection and now wonder how I can configure multiple connections that are accessible by different VLAN.
So that VLAN1 use a tunnel and VLAN2 another.
Best regards Tommy Svensson
Configuration up to now:
crypto ISAKMP policy 10
BA aes 256
preshared authentication
Group 5
life 3600
vpnkey crypto isakmp key address?. 206
!
!
Crypto ipsec transform-set VPN aes - esp esp-sha-hmac
!
VPNMAP 10 ipsec-isakmp crypto map
Site 2 site description
defined by peers? 206
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 100access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Hi Tommy
In order to complete their reviews of Marcin, something like this should help (obviously you need to change the IP addresses accordingly).
VPNMAP 10 ipsec-isakmp crypto map
Site 2 site description
defined by peers? 206
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 100!
VPNMAP 20 ipsec-isakmp crypto map
Description site-2-site n ° 2
defined by peers?
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 101access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255
Barry
-
Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group
Hello
Our ASA was set by a consultant some time ago to allow connectivity SSLVPN RSA backend. I am now trying to get a Site to Site VPN working but seem to get into a lot of difficulties. I get a load of the l2l VPN-related debugging messages which I believe is set up correctly. Here's what I think is of interest
"January 24, 2009 12:13:01: % ASA-6-113009: AAA recovered in group policy by default (DfltGrpPolicy) to the user = x.x.x.x".
The user specifies the IP address of the Cisco router remote that we try to get the VPN configuration.
I have to admit that I haven't done a lot with the side things SSLVPN so this part of the config is out of my depth, that's why I post here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-registration
DfltAccessPolicy
WebVPN
list of URLS no
SVC request no svc default
RADIUS protocol AAA-server VPNAUTH
AAA-server VPNAUTH *. *. *
interval before new attempt-5
timeout 3
key *.
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
LOCAL AAA authentication serial console
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
attributes of Group Policy DfltGrpPolicy
value of DNS server! !. !. !
VPN-idle-timeout no
VPN-tunnel-Protocol webvpn
enable IP-comp
enable IPSec-udp
field default value mondomaine.fr
the address value vpnpool pools
WebVPN
enable http proxy
SVC Dungeon - install any
SVC keepalive 60
SVC generate a new method ssl key
SVC request no svc default
disable ActiveX-relays
disable file entry
exploration of the disable files
disable the input URL
tunnel-group DefaultRAGroup webvpn-attributes
message of rejection-RADIUS-
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
attributes global-tunnel-group DefaultWEBVPNGroup
address vpnpool pool
authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
message of rejection-RADIUS-
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key *.
Wayne
Do "sh run all tunnel-group" you should see the strategy of group associated with it.
for example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 General attributes
no accounting server group
Group Policy - by default-DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
by the peer-id-validate req
no chain
no point of trust
ISAKMP retry threshold 10 keepalive 2
Let me know if it helps.
See you soon,.
Gilbert
-
Site to site VPN works only on Cisco 881
I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:
destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
192.168.2.0I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.
My question is how I can get internet on vlan2 and who can I solve the connection to site to site.
Here's the running configuration:
Building configuration...
Current configuration: 12698 bytes
!
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authorization exec default local
AAA authorization network default local
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1151531093
revocation checking no
rsakeypair TP-self-signed-1151531093
!
Crypto pki trustpoint TP-self-signed-2011286623
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2011286623
revocation checking no
rsakeypair TP-self-signed-2011286623
!
!
TP-self-signed-1151531093 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
quit smoking
TP-self-signed-2011286623 crypto pki certificate chain
no ip source route
!
!
!
!!
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 192.168.5.1 192.168.5.49
DHCP excluded-address IP 192.168.5.150 192.168.5.254
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp Internet pool
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
DNS-Server 64.59.135.133 64.59.128.120
lease 6 0
!
!
!
no ip domain search
"yourdomain.com" of the IP domain name
name of the IP-Server 64.59.135.133
name of the IP-Server 64.59.128.120
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
udi pid C881-K9 sn FTX18438503 standard license
!
!
Archives
The config log
hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 208.98.212.xx
!
Configuration group crypto isakmp MPE client
key *.
pool VPN_IP_POOL
ACL 100
include-local-lan
10 Max-users
netmask 255.255.255.0
banner ^ practive entered the fieldThis area is reserved for administrators of control systems.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
!
Configuration group customer crypto isakmp PALL
key *.
pool VPN_IP_POOL_PALL
ACL 101
include-local-lan
Max - 1 users
netmask 255.255.255.0
banner ^ practive entered the fieldThis area is limited to the PALL access only.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
ISAKMP crypto profile vpn_isakmp_profile
game of identity EMT group
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 1
ISAKMP crypto profile vpn_isakmp_profile_2
match of group identity PALL
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 2
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
tunnel mode
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec VPN_PROFILE_MPE
Set the security association idle time 3600
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile Set isakmp-profile
!
Profile of crypto ipsec VPN_PROFILE_PALL
Set the security association idle time 1800
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile_2 Set isakmp-profile
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to208.98.212.xx
the value of 208.98.212.xx peer
game of transformation-ESP-3DES-SHA
match address 102
!
!
!
!
!
!
interface Loopback0
IP 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
IP address 208.98.213.xx 255.255.255.224
IP access-group 111 to
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_MPE ipsec protection profile
!
tunnel type of interface virtual-Template2
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_PALL ipsec protection profile
!
interface Vlan1
Description of control network
IP 192.168.125.254 255.255.255.0
IP access-group CONTROL_IN in
IP access-group out CONTROL_OUT
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Vlan2
Description Internet network
IP 192.168.5.254 255.255.255.0
IP access-group INTERNET_IN in
IP access-group out INTERNET_OUT
IP nat inside
IP virtual-reassembly in
!
local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
!
CONTROL_IN extended IP access list
Note the access control
Note the category CCP_ACL = 17
allow any host 192.168.125.254 eq non500-isakmp udp
allow any host 192.168.125.254 eq isakmp udp
allow any host 192.168.125.254 esp
allow any host 192.168.125.254 ahp
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
Note Access VNC
permit tcp host 192.168.125.2 eq 25000 one
Comment by e-mail to WIN911
permit tcp host 192.168.125.2 any eq smtp
Note DNS traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq field
permit udp host 192.168.125.2 host 64.59.128.120 eq field
Note Everything Else block
refuse an entire ip
CONTROL_OUT extended IP access list
Note the access control
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
Note Access VNC
allow any host 192.168.125.2 eq 25000 tcp
Comment by e-mail to WIN911
allow any host 192.168.125.2 eq smtp tcp
Note DNS responses
allowed from any host domain eq 192.168.125.2 udp
Note deny all other traffic
refuse an entire ip
INTERNET_IN extended IP access list
Note Access VNC on VLAN
allow any host 192.168.125.2 eq 25000 tcp
Note block all other controls and VPN
deny ip any 192.168.125.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
Note leave all other traffic
allow an ip
INTERNET_OUT extended IP access list
Note a complete outbound Internet access
allow an ip
WAN_IN extended IP access list
allow an ip host 207.229.14.xx
Note PERMIT ESTABLISHED TCP connections
allow any tcp smtp created everything eq
Note ALLOW of DOMAIN CONNECTIONS
permit udp host 64.59.135.133 eq field all
permit udp host 64.59.128.120 eq field all
Note ALLOW ICMP WARNING RETURNS
allow all all unreachable icmp
permit any any icmp parameter problem
allow icmp all a package-too-big
allow a whole icmp administratively prohibited
permit icmp any any source-quench
allow icmp all once exceed
refuse a whole icmp
allow an ip
!
auto discovering IP sla
not run cdp
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 103
!
access-list 1 remark out to WAN routing
Note CCP_ACL the access list 1 = 16 category
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
Note access-list 23 SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 allow one
Note access-list 100 VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
Note access-list 101 for PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
Note access-list 103 CCP_ACL category = 2
Note access-list 103 IPSec rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 allow ip 192.168.5.0 0.0.0.255 any
access-list 103 allow the host ip 192.168.125.2 all
Note access-list 111 CCP_ACL category = 17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 allow esp any host 208.98.213.xx
access-list 111 allow ahp any host 208.98.213.xx
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
exec banner ^ C
% Warning of password expiration.
-----------------------------------------------------------------------Unplug IMMEDIATELY if you are not an authorized user
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
password *.
transport input telnet ssh
transportation out all
line vty 5 15
access-class 160 in
password *.
transport of entry all
transportation out all
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
endThank you.
It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.
Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.
- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...
Disable any ZBF just in case.
David Castro,
Kind regards
-
Site to site VPN with router IOS
I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.
I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.
Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?
My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).
Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.
And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)
Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?
I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.
We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).
I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.
Thank you in advance.
Pete.
Pete
I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:
-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.
-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.
-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.
-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.
-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.
-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).
-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.
-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.
I hope that your application is fine and that my suggestions could be useful.
[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.
HTH
Rick
-
Site to Site VPN configuration does not
Hello
I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.
My VPN on ASA1 and ASA2 configs are below:
ASA1
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 11.11.11.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideASA2
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 12.12.12.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideI can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.
I tried a few commands show and they came out absolutely empty... as I have not configured:
SH in detail its crypto isakmp
There are no SAs IKEv1
There are no SAs IKEv2
SH crypto ipsec his
There is no ipsec security associations
Anyone have any ideas?
Hi martin,
Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
What I mentioned in the previous note follow this.--------------------
ASA1
ASA1 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.2 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 11.11.11.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA1 (config) #.
---------------------ASA2 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA2
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 12.12.12.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA2 (config) #.-------------------------
OUTPUTS:*********************
ASA1 (config) # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 11.11.11.2
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE---------------------
ASA1 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 11.11.11.2#pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2
------------------------
ASA2 (config) # sh crypto isakmp hisITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 12.12.12.2
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE------------------------
ASA2 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 12.12.12.2#pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
------------------------- -
You try to run a Site to site VPN and remote VPN from the same IP remotely
We currently have a site to site VPN configuration between our offices call center and a 3rd party that allows them to access our training to their employees to use environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; However, when we have managers come out to the call center, they are unable to use remote VPN to access our office.
Apparently the same IP peer remote that we use for our site to the other tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get treatment Information Exchange has failed. So from what I can understand when our managers are trying to connect to our firewall from the same IP address as the counterpart of site to site it automatically tries to create a tunnel, according to the information of the site to the other tunnel. If our managers are anywhere else, they can connect through remote VPN with no problems.
My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.
Hi John,.
Basically, in older versions, when you hit a static encryption card and you does not match this static encryption completely map the connection continues until the dynamic encryption card. For this reason, you can connect your IPSec clients before. A bug has been opened on this vulnerability.
CSCuc75090 Details of bug
The crypto IPSec Security Association are created by dynamic crypto map to static peers
Symptom:
When a static VPN peer adds all traffic to the ACL crypto, a surveillance society is based even if the pair IP is not allowed in the acl to the main façade encryption. Are these SA finally put in correspondence and commissioning the dynamic crypto map instance.
Conditions:
It was a planned design since the first day that allowed customers to fall through in the case of static crypto map did not provide a necessary cryptographic services.
The SA must be made from a peer configured statically and a dynamic crypto map instance must be configured on the receiving end.
Workaround solution:
N/A
Some possible workarounds are:
Configure a static nat device when you try to use the remote VPN if the firewall remotely will be hit with a different public IP address. It would be a good solution, but it will depend on how many ip addresses public you have available, if you really want one of these ip addresses for that access.
Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 licenses SSL available that you could use. Because Anyconnect uses the SSL protocol, it won't have a problem on your environment.
Below some information:
Hope this helps,
Luis.
-
Unable to pass traffic between ASA Site to Site VPN Tunnel
Hello
I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.
I've also attached the ASA5505 config and the ASA5510.
This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.
Thank you
Adam
Hello
Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.
So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.
I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.
THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.
-Jouni
-
EIGRP via IPSec site to site VPN
having trouble getting to work through an IOS EIGRP (2ea. 2811 s) connection of the site to site VPN IPSec peer. IPSec VPN works with route directions static tunnel. By using the IPSec policy basis and VTI interface:
crypto ISAKMP policy 1
preshared authentication
Group 2
ISAKMP crypto key "" address 192.168.x.66
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn
Crypto ipsec df - game
!
static-crypt 6 map ipsec-isakmp crypto
the value of 192.168.x.66 peer
Set transform-set vpn
match address 101
!
tunnel1 interface
IP address 1xx.33.20.226 255.255.255.252
no ip redirection
IP 1400 MTU
IP tcp adjust-mss 1360
QoS before filing
source of tunnel FastEthernet 0/0
destination 192.168.x.66 tunnel
crypto static crypto map
!
interface FastEthernet 0/0
Add an IP...
crypto static crypto map
!
Router eigrp 10
passive-interface default
no passive-interface FastEthernet 0/1
no passive-interface Tunnel1
network...
network...
No Auto-resume
!
IP route 0.0.0.0 0.0.0.0 Tunnel1
IP route 0.0.0.0 0.0.0.0 146.33.20.225<-- peer's="" default-gateway="" is="" vpn="" peer="" router="" on="" other="" side="" of="" satelite="">-->
must be something simple, but I can't.
Thank you, kevin
Unfamiliar with the VTI, but I think you are missing:
ipv4 ipsec tunnel mode
Profile of tunnel ipsec protection
Also don't think that you need crypto card in the tunnel because it is already on fa0/0. What looks like the access-list 101? Take a look at this doc:
http://www.ciscosystems.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config
The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.Hello
Looking at the configuration, there is an access list this nat exemption: -.
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
But it is not applied in the States of nat.
Send the following command to the nat exemption to apply: -.
NAT (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
Hello
I have created a new site to site vpn connection and can't know why it does not work.
All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?
!
vpn hostname
domain name
activate the encrypted password of Pp6RUfdBBUU
ucU7iJnNlZ passwd / encrypted
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP address 87.117.xxx.xx 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
IP address 78.129.xxx.x 255.255.255.128
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain msiuk.com
permit same-security-traffic inter-interface
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
EQ object of port 8080
port-object eq www
EQ object of the https port
Http81 tcp service object-group
port-object eq 81
DM_INLINE_TCP_3 tcp service object-group
port-object eq 81
port-object eq www
the DM_INLINE_NETWORK_1 object-group network
host of the object-Network 172.19.60.52
host of the object-Network 172.19.60.53
host of the object-Network 172.19.60.68
host of the object-Network 172.19.60.69
host of the object-Network 172.19.60.84
host of the object-Network 172.19.60.85
host of the object-Network 172.19.60.86
access-list extended basic permit icmp any any echo response
access-list extended basic permit icmp any one time exceed
access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq https
access-list extended basic permit tcp any host 78.129.xxx.xx eq https
access-list extended basic permit tcp any host 78.129.xxx.xx
permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group
access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128
SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0
access list allow extended permit ip any one
MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203
MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0
SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-625 - 53.bin
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (inside) 0 access-list SHEEP
Access SMTP-NAT NAT (inside) 1 list
NAT (inside) 1 10.1.1.0 255.255.255.0
NAT (inside) 1 10.2.2.0 255.255.255.0
Access-group basic in external interface
Access-group allow external interface
Access-group allow the interface inside
Access-group allow the interface inside
Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform
Crypto ipsec transform-set esp-3des esp-md5-hmac kwset
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES
card crypto VPNPEER 1 corresponds to the address MATCHJLS
card crypto VPNPEER 1 set peer 94.128.xxx.xx
card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto VPNPEER 10 corresponds to the address MATCHVPN3
card crypto VPNPEER 10 set peer 94.128.xxx.xx
crypto VPNPEER 10 the transform-set jlstransformset value card
card crypto VPNPEER 10 set nat-t-disable
card crypto VPNPEER 30 corresponds to the address MATCHVPN2
card crypto VPNPEER 30 212.118.xxx.xx peer value
card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto VPNPEER 30 the value reverse-road map
card crypto VPNPEER 40 corresponds to the address MATCHVPN4
VPNPEER 40 crypto map set peer 94.128.xxx.xx
crypto VPNPEER 40 the transform-set kwset value card
card crypto VPNPEER 50 corresponds to the address MATCHVPN3
card crypto VPNPEER 50 set pfs
card crypto VPNPEER 50 set peer 94.128.xxx.xx
card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA
card crypto VPNPEER 50 set nat-t-disable
card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP
VPNPEER interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 3600
Crypto isakmp nat-traversal 3600
crypto ISAKMP disconnect - notify
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
SSH version 2
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
value of VPN-filter MATCHKW
Protocol-tunnel-VPN IPSec l2tp ipsec
internal CLIENTGROUP group policy
CLIENTGROUP group policy attributes
value of server DNS 10.1.1.10 10.1.1.2
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SPLITTUN
msiuk.local value by default-field
Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q
tunnel-group msi type remote access
msi General attributes tunnel-group
address LOCPOOL pool
Group Policy - by default-CLIENTGROUP
MSI group tunnel ipsec-attributes
pre-shared key *.
tunnel-group msi ppp-attributes
ms-chap-v2 authentication
tunnel-group 212.118.xxx.xx type ipsec-l2l
212.118.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
!
class-map ftpdefault
match default-inspection-traffic
class-map default inspection
!
!
Policy-map global_policy
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:b251877ef24a1dc161b594dc052c44
: end
ASDM image disk0: / asdm-625 - 53.bin
don't allow no asdm history
Hello
OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.
It seems that you get no traffic back from the remote end
This could mean one of the following things
- Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
- Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
- Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
- etc.
As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.
If you go ask about this since the admins of the remote site, let us know how to do the thing.
If you found this information useful, please note the answer/answers and naturally ask more if necessary
-Jouni
Maybe you are looking for
-
I tried several Chargers, but all have failed to charge my phone but they charge my friends.
-
When connecting to internet using Firefox, when I type in the first letter of my e-mail address, it evokes the entire address that I click on a TI fills the void. On my laptop at this point when he informs the e-mail address it automatically fills my
-
When I use internet firefox setup 3.6.8.exe keeps popping up asking me if I want to save the file. I tried to install it and it comes to install Firefox again, then when I opened firefox it asked me if I wanted to save the file or not yet.
-
Can't close my account why?
I phoned your service to try to close my account, they can do that, why? Also, I tried online doing the same thing, why this will not work? My contact details are * address email is removed from the privacy * Phone number 01612249483 ID is 0006400095
-
Want to know how to start a blog.
Original title: Articles Hello world I wanted to start a Blog. Anyone can shoot me in the direction of a Web site where I can learn to make and implement? Thanks for any help you can give, Binner