CSM and existing VPN tunnels

I ran into an issue in the past. When you install CSM for the first time in an environment where there is an existing VPN network, the product will not reflect the existing VPN tunnels in the map view.

I tried to import the existing configurations by every means possible (from the live device, from config files on my computer, or by simple discovery), but CSM doesn't seem to pull the tunnels from the existing configuration to display them in the map. It looks like you have to build them in CSM, otherwise they will not show.

Has anyone found a way to make this possible? Is this even possible? Is there other technology that CSM will not pick up from an existing configuration?

I understand that this may not be a problem, given that CSM is a policy management solution and not a monitoring tool, but it would be nice to be able to keep adding tunnels with CSM to a work in progress.

I'd appreciate any input on this.

What version of CSM do you use?

Have you tried VPN discovery?

If you are using CSM 3.1, then you can discover the VPN and so be able to see the VPN tunnels in the map too.

HTH,

Radhika

Tags: Cisco Security

Similar Questions

  • NAT, ASA, 2 networks and a VPN tunnel

    Hello. I have the following question. I am trying to establish a VPN tunnel to a remote network that used to be connected to ours via a VPN tunnel. The problem is that the previous tunnel on their side was created for our x.x.x.x network, which will no longer be in use in a month but is currently still active and used. As I'm trying to get this VPN tunnel up as soon as possible without going through all the paperwork on the other side (politics, don't ask), is it possible to NAT the new network into the x.x.x.x network for traffic going through the VPN tunnel?

    Something like this:

    new network -> policy NAT into old x.x.x.x network on ASA -> VPN tunnel to the remote network using x.x.x.x addresses

    It is possible to add the new policy, but sometimes it can conflict with the former.

  • IPSec conflict between IPSec and corporate VPN tunnels

    I run a 2821 on c2800nm-adventerprisek9-mz.124-22.YB8 at home with 2 GRE over IPSec tunnels for personal use, and my office uses a client-based IPSec VPN to connect to the corporate VPN.  My problem is that when I try to connect to the corporate VPN, I see packets being encrypted and sent, but I never receive the return packets.  It seems that the GRE/IPSec tunnels on my router and the IPSec packets from my office VPN conflict: the router tries to decrypt them and gives this error.  (I removed the public addresses for anonymity)

    %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=myaddress, prot=50, spi=0xDB32344E(3677500494), srcaddr=corpvpn

    When I remove the crypto map from the WAN side of the router, my office VPN works immediately.  I can change the configuration on the GRE/IPSec tunnel side, but there is no way for me to change any configuration on the corporate VPN.  Does anyone know of a workaround on the Cisco router?  I can provide the running configs or show command output.

    The 2821 also performs NAT overload for internet access.

    Hello, Reed.

    1. Try removing the crypto map from the interface and adding "tunnel protection ipsec profile ..." to your VTIs:

    ! names in angle brackets are placeholders for your own transform set and crypto map
    crypto ipsec profile IPSEC
     set transform-set <YOUR-TRANSFORM-SET>
    int g0/0
     no crypto map <YOUR-CRYPTO-MAP>
    int tu1
     tunnel protection ipsec profile IPSEC
    int tu2
     tunnel protection ipsec profile IPSEC

    2. Try forcing your corpVPN to use UDP encapsulation instead of ESP.

  • GRE and IPSEC VPN tunnel over the same interface

    My client is currently connected to a call service provider through a GRE tunnel over IPSec. They have chosen to move all connections to a traditional site-to-site VPN behind a firewall, here, at their corp office.  As the question says, is it possible for me to set up the site-to-site VPN on the same router? Both the Tunnelx and the Ethernet interface have the same crypto map assigned, pointing at the destination router.  I thought that traffic could be split by identifying the 'interesting' traffic.  Thanks for all ideas and suggestions

    Ray

    Ray

    Thanks for the additional information. The existing entries in ACL 101 need to remain so the existing tunnel will still work, and you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.

    - Create a new access list (perhaps ACL 102, assuming that 102 is not already in use).

    - Copy the entries of ACL 101 into 102 and add the additional entries you need at the appropriate places in the ACL.

    - Once the new version of the ACL is complete in the config, go to the interface and change the ip access-group to point to the new ACL.

    This provides a transition that does not affect traffic. And it makes rolling back to the original easy, especially if something does not work as expected in the new ACL.

    If the remote crypto map has an entry for GRE and a separate entry for the IPSec, that is a good thing and should work. I assume the crypto map entry for GRE specifies an access list that permits the GRE traffic, and the IPSec crypto map entry points to a different access list that identifies the IP traffic to be encrypted through the IPSec tunnel.

    HTH

    Rick

  • Sleeping VPN tunnel

    Hi all

    I have an ASA 5510 with an active and functional l2l IPSEC tunnel.

    Now I need to set up a "dormant VPN tunnel" which will have a different peer, is not active, and passes no traffic.

    Has anyone done this?

    Thank you

    V

    At the end of the day only the phase 1 configuration matters; you already have 90% of what you need to do now in common, because you already have an existing VPN tunnel configured. The only difference is the tunnel group with the pre-shared key information.

    To be totally honest, why would you need only half a configured VPN tunnel? You may as well not configure it until you need it, then cut and paste the whole config in.

    Or you could be smarter and create a tunnel that only originates (with or without a crypto ACL to determine what traffic will bring up and traverse the VPN), or have several tunnels and let a dynamic routing protocol decide which one carries traffic. There are options; you just need to understand the problem/requirement.

  • ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

    Hello

    I have an ASA5505 that currently connects a remote desktop for VoIP and data.  I added a 2nd site-to-site VPN tunnel to a vendor site.  It's this 2nd VPN tunnel that I have problems with.  It seems that PHASE 1 negotiates fine.  However, I'm not a VPN expert!  So any help would be greatly appreciated.  I have attached the running config from my box, debug (ipsec & isakmp) output and the information the vendor gave me today.  They use an ASA5510.

    My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '.  It has the following as interesting traffic:

    192.168.1.0/24-> 192.168.3.0/24

    192.168.2.0/24-> 192.168.3.0/24

    10.1.1.0/24-> 192.168.3.0/24

    10.1.2.0/24-> 192.168.3.0/24

    10.1.10.0/24-> 192.168.3.0/24

    10.2.10.0/24-> 192.168.3.0/24

    The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

    192.168.1.25/32-> 10.10.10.83/32

    192.168.1.25/32-> 10.10.10.47/32

    192.168.1.26/32-> 10.10.10.83/32

    192.168.1.26/32-> 10.10.10.47/32

    Here's the info for the other VPN (copied & pasted from the config)

    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
    access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.180.14.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address eInfomatics_1_cryptomap
    crypto map outside_map 2 set peer 66.193.183.170
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 24.180.14.50 type ipsec-l2l
    tunnel-group 24.180.14.50 ipsec-attributes
     pre-shared-key *
    tunnel-group 66.193.183.170 type ipsec-l2l
    tunnel-group 66.193.183.170 ipsec-attributes
     pre-shared-key *

    Thanks in advance

    -Matt

    Hello

    The vendor has set PFS (Perfect Forward Secrecy) group2 for Phase 2, and you don't have it.

    So you could probably try adding the following

    crypto map outside_map 2 set pfs group2

    I think it will simply be entered as

    crypto map outside_map 2 set pfs

    given that 'group 2' is the default

    -Jouni
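    The mismatch diagnosed above can be caught before the tunnel is ever brought up. The following is an added example, not code from the thread: it parses the crypto map lines as posted (the ASA syntax, with the peer addresses from the question) and flags entries whose PFS setting disagrees with what the remote side says it requires. The PEER_REQUIREMENTS table is constructed for the example.

```python
# Added example (not from the original thread): lint ASA crypto map entries
# against per-peer phase 2 requirements, here the vendor's PFS group2 demand.
import re

# Constructed input: the crypto map lines from the posted config, before the
# suggested "set pfs" line is added, so the checker has something to find.
ASA_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

# Constructed: what each remote side needs for phase 2. The vendor behind
# 66.193.183.170 requires PFS group 2; the first peer negotiates without PFS.
PEER_REQUIREMENTS = {
    "24.180.14.50": {"pfs": None},
    "66.193.183.170": {"pfs": "group2"},
}

# Only numbered entries matter; "crypto map NAME interface outside" is skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_map(config):
    """Return {(map_name, seq): {acl, peers, transform_sets, pfs}}."""
    entries = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        e = entries.setdefault((name, seq), {"pfs": None, "peers": []})
        if rest[:2] == ["match", "address"]:
            e["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            e["peers"].extend(rest[2:])
        elif rest[:2] == ["set", "transform-set"]:
            e["transform_sets"] = rest[2:]
        elif rest[:2] == ["set", "pfs"]:
            # "set pfs" with no explicit group means group2 on the ASA,
            # which is the point the answer makes.
            e["pfs"] = rest[2] if len(rest) > 2 else "group2"
    return entries


def check_pfs(entries, requirements):
    """List (map, seq, peer, expected, configured) where PFS disagrees."""
    findings = []
    for (name, seq), e in sorted(entries.items()):
        for peer in e["peers"]:
            want = requirements.get(peer, {}).get("pfs")
            if want != e["pfs"]:
                findings.append((name, seq, peer, want, e["pfs"]))
    return findings


if __name__ == "__main__":
    for f in check_pfs(parse_crypto_map(ASA_CONFIG), PEER_REQUIREMENTS):
        print("crypto map %s %d peer %s: PFS expected %s, configured %s" % f)
```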

  • 2 VPN tunnels on a common ASA; a primary and a backup to the same peer end address

    Hi all

    I have a branch ASA 5505 that has 2 ISP circuits.  I have a data center ASA that has 1 ISP circuit. I have a VPN tunnel between the branch ASA primary circuit and the data center ASA circuit.  I would like to set up the branch ASA for SLA redundancy so I can use the primary and backup circuits, but both tunnel configs would go to the same peer end address, since the data center has only 1 ASA. I read that an ASA cannot have several tunnels to the same peer address because the ASA can have only 1 SA per peer address.

    However, if I have my branch ASA configured for SLA redundancy, then only 1 tunnel would be up at a time, which I think would meet the SA requirement above.

    Can someone tell me if this is possible?

    Thank you.

    Hi Dean,

    You're right about that also, because only one link will be active at a time.

    On the branch ASA, you can apply the same crypto map to both the primary and secondary circuit interfaces. You just use the SLA to determine how the branch ASA will reach the crypto map peer address (the IP address of the data center ASA).

    I wrote an article about a similar scenario here: http://resources.intenseschool.com/using-vpn-tunnels-as-backup-links-primary-and-backup-vpn-tunnels-on-cisco-asa/

  • ASA5505: Configure the ASA for IPSec and SSL VPN?

    Hello-

    I currently have my 5505 set up for SSL AnyConnect VPN connections.  Is it possible to also set up the 5505 for IPSec VPN connections?

    So, basically my ASA will be able to perform SSL and IPSec VPN tunnels, at the same time.

    Thank you!

    Kim,

    Yes, you can configure your ASA to support AnyConnect and IPSec VPN connections at the same time.  In short, for the IPSec configuration, you should configure at least an ISAKMP policy, an IPSEC transform set, a crypto map, a tunnel group and the associated group policy.

    Matt

  • How to change an existing VPN tunnel in ASDM?

    I currently have a VPN tunnel set up and working, but need to change some of the configuration, such as moving to ikev2, replacing the hash with SHA512 and changing to DH group 14. I intend to do this in ASDM. I already created an ikev2 tunnel group that I put the tunnel in, and created a crypto map that is configured with the right ikev2 IPSec proposal and Diffie-Hellman group. All other configuration, such as the peer IP address and subnets, is already in place, and I'll work with the engineers at the other end of the tunnel to make sure the configurations match; I just want to be sure I'm not missing anything. Has anyone ever changed the configuration of an existing tunnel in ASDM like this and had it work correctly? Here are the steps I will be taking, in addition to those I've already mentioned:

    - Edit the connection profile so that the group policy uses the correct tunnel group that was created for ikev2

    - Enter the local and remote pre-shared keys on the ikev2 tab

    - Change the IKE policy so that it uses the ikev2 policy that was created to use SHA512

    - Modify the IPSEC proposal so that it uses AES256-SHA512

    - THE CRYPTO MAP IS ALREADY CREATED

    - Change perfect forward secrecy to group 14

    Hello

    Let me go through your questions to clear up this doubt:

    1. If I have a crypto map applied to my outside interface with an ikev1 IPSec proposal, can I just add an ikev2 proposal to this crypto map as well?

    If you have a crypto map applied to the outside interface with 3 different peers on different sequence numbers, you will need to replace the IKEv1 proposal with an IKEv2 proposal for the peer using IKEv2; the others must continue to use their IKEv1 IPSec proposal.

    2. So can I add an ikev2 proposal with AES256 and SHA512 hash to my 123.123.123.456 tunnel group and still have all three tunnel groups pass traffic? What happens if I add the ikev2 proposal but REMOVE the ikev1 proposal from that tunnel group, because I don't want that tunnel group to use anything other than AES256-SHA512?

    123.123.123.456 - ikev2 - AES256-SHA512

    I would like to expand on this a little more. If the peer 123.123.123.456 must use IKEv2, you need to enable IKEv2 in the tunnel group and add the relevant "local and remote PSK" --> this is for phase 1, and it means it will use the IKEv2 policy defined earlier; the IKEv2 IPSec proposal is for phase 2, where in the crypto map you will need to replace the IKEv1 proposal and use the IKEv2 IPSec proposal. That way it will use the IKEv2 policy you set for phase 1 and the IKEv2 transform you defined for phase 2. When making this change, make sure both sides are mirrored with the IKEv2 policy and IPSec proposals, so the tunnel stays up and comes up with the new proposals.

    This would not affect any other tunnel, as long as you change the settings on the correct tunnel group and do not delete all the proposals; simply remove the ones used by that connection profile.

    3. Do you know what I mean? All three tunnel groups on that outside interface use different crypto maps, with only two of the three using ikev1 as the IPSec proposal. Will that work?

    You can only have one crypto map applied per interface, with the 3 tunnels using different sequence numbers under the same crypto map name; you can have 2 tunnels on the same crypto map using IKEv1 and still, in the same crypto map, have the third tunnel using IKEv2 (with a different transform set defined for IKEv2). This would cause no problem.

    4. What about the Group Policy DfltGrpPolicy? All my tunnel groups currently use it, but it is configured for ikev1. I'm not really sure what role it plays in all this, so can I simply add ikev2 to it?

    The default group policy is added by default to all your tunnel groups (connection profiles); whenever you create one, the default group policy is inherited, and you can change it to a group policy that you create. A group policy is a set of attributes used to define or limit something; for example, for a site you can configure a VPN filter (which filters the traffic that goes through the tunnel). Back to your topic: in the default group policy you define the protocols that will be negotiated, such as L2L IKEv1 or IKEv2, AnyConnect SSL or IKEv2, and so on. It is therefore important that you add IKEv2 so the negotiation is permitted, or else create a new group policy, add the IKEv2 protocol to it, and in the tunnel group add the relevant group policy that you just created.

    I hope this is precise; keep me posted!

    Please rate this post and the previous one, and mark them as correct if they helped you!

    David Castro,

  • VPN TUNNELS AND REMOTE NETWORKS

    Having problems getting the SEW location to connect to the SERVER at the HOM location

    I think ideally the RVS4000 should be at location HOM

    I tried to configure static routes from SEW to HOM, but they never show in the routing table

    I tried to enable RIP on all 3 routers

    Here is my set up

    HOM location - SBS 2008 server
    RVL200 LAN 192.168.0.1 - no DHCP
    VPN to GROUND location

    GROUND location
    RVS4000 LAN 192.168.1.1 - DHCP
    VPN to HOM location and SEW location

    SEW location
    RVL200 LAN 192.168.2.1 - DHCP
    VPN to GROUND location

    Any help would be great

    Configure a VPN tunnel between SEW and HOM.

    These routers implement regular IPSec tunnels. IPSec only tunnels packets that exactly match the remote and local security groups. You cannot route packets from SEW to HOM via GROUND. A packet from SEW to HOM has source IP 192.168.2.* and destination IP 192.168.0.*. This does not match your VPN tunnel between 192.168.2.* and 192.168.1.*. So your access attempt is simply sent in the clear over the internet.

    You must configure a VPN tunnel. There's no other choice. These IPSec tunnels do not have routable interfaces.
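    The selector behaviour described in this answer, as an added example that is not part of the original thread: a small model of policy-based IPsec in which a packet is encrypted only when both its addresses fall inside one tunnel's local/remote pair, and otherwise leaves unencrypted. The tunnel list is constructed from the three-site layout in the question; the SEW<->HOM tunnel added at the end is the fix the answer prescribes.

```python
# Added example (not code from the original thread): model how policy-based
# IPsec on these routers decides whether a packet is encrypted or sent in clear.
import ipaddress

# Constructed from the question: each tunnel protects exactly one pair of
# networks (its local/remote "security groups"); nothing is routed across them.
TUNNELS = [
    {"name": "HOM<->GROUND", "local": "192.168.0.0/24", "remote": "192.168.1.0/24"},
    {"name": "GROUND<->SEW", "local": "192.168.1.0/24", "remote": "192.168.2.0/24"},
]


def classify(src_ip, dst_ip, tunnels):
    """Name of the tunnel that would carry src->dst, or 'CLEARTEXT'.

    A packet is tunnelled only when source and destination both fall inside
    one tunnel's local/remote pair (in either direction). A packet that misses
    every selector is not dropped; it is forwarded unencrypted, which is the
    failure mode the answer describes.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for t in tunnels:
        local = ipaddress.ip_network(t["local"])
        remote = ipaddress.ip_network(t["remote"])
        if (src in local and dst in remote) or (src in remote and dst in local):
            return t["name"]
    return "CLEARTEXT"


def cleartext_leaks(flows, tunnels):
    """Return the (src, dst) flows that no tunnel selector covers."""
    return [(s, d) for s, d in flows if classify(s, d, tunnels) == "CLEARTEXT"]


def add_tunnel(tunnels, name, local, remote):
    """Return a new tunnel list with one more local/remote pair (no mutation)."""
    return tunnels + [{"name": name, "local": local, "remote": remote}]


if __name__ == "__main__":
    # Constructed sample flows: a SEW client reaching the GROUND and HOM LANs.
    flows = [("192.168.2.20", "192.168.1.10"), ("192.168.2.20", "192.168.0.5")]
    print("leaks before:", cleartext_leaks(flows, TUNNELS))
    fixed = add_tunnel(TUNNELS, "SEW<->HOM", "192.168.2.0/24", "192.168.0.0/24")
    print("leaks after: ", cleartext_leaks(flows, fixed))
```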

  • Router that supports multiple IPsec VPN tunnels AND SSL VPN

    I have a main office and a branch office, each with an RVL200, connected via an IPSec VPN tunnel. We are growing faster than we thought and are adding 2 more branches. Is there a router similar to the RVL200 that I can put in my main office to support multiple IPSec tunnels to the RVL200s in the branches, while also keeping the SSL VPN?

    It seems that the Cisco ASA 5505 will do.

  • VPN tunnel between the concentrator 3005 and router Cisco 827

    I am trying to establish a VPN tunnel between the central office, which has a VPN 3005 concentrator, and a branch with a Cisco 827 router.

    There is a perimeter router with an access list set up in front of the 3005.

    I added the following statement to the ACL on the central perimeter router to allow traffic to the 3005: access-list 101 permit ip any host 193.188.X.X (address of the concentrator)

    I get the following output when I try to ping a local host at the central site.

    Can anyone give me the correct steps for the 827 and the 3005.

    Thank you

    CCNP Ansar.

    ------------------------------------------------------------------------------------------------------

    debug crypto isakmp
    debug crypto engine
    debug crypto sa

    debug output
    ------------------

    1d20h: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 172.22.113.41, remote= 193.188.108.165,
        local_proxy= 202.71.244.160/255.255.255.240/0/0 (type=4),
        remote_proxy= 128.128.1.78/255.255.255.255/0/0 (type=1),
        protocol= ESP, transform= esp- esp-md5-hmac ,
        lifedur= 3600s and 4608000kb,
        spi= 0x83B8AC1B(2209917979), conn_id= 0, keysize= 0, flags= 0x400D
    1d20h: ISAKMP: received ke message (1/1)
    1d20h: ISAKMP: local port 500, remote port 500
    1d20h: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Old State = IKE_READY  New State = IKE_I_MM1
    1d20h: ISAKMP (0:1): beginning Main Mode exchange
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: IPSEC(key_engine): request timer fired: count = 1,

    You must also allow the ESP protocol in your ACL.

    access-list 101 permit esp any host x.x.x.x (address of the hub)

    Hope this helps,

    -Nairi

  • NAT VPN tunnel and still access Internet traffic

    Hello

    Thank you in advance for any help you can provide.

    I have a server with the IP 192.168.1.9 that needs to access a remote subnet, 192.168.50.0/24, over the Internet.  However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1, because the remote VPN gateway (which is not under my control) serves other customers who have the same subnet address that we use on our local network.

    We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) set up to do the NAT.  It is the only gateway on our network.

    I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

    access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    ip access-list extended NAT
     deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
     deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.1.0 0.0.0.255 any

    route-map ISP permit 10
     match ip address NAT

    ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
    ip nat inside source list 106 pool EMDVPN
    ip nat inside source route-map ISP interface FastEthernet0/1 overload

    When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is established successfully.  However, after that, the server is no longer able to access the Internet, because the NAT translation for 192.168.1.9 has changed from the router's external IP address (FastEthernet0/1) to 10.1.0.1.

    The documentation I've seen on Cisco's site says that this type of setup allows only host-to-subnet communication; Internet access is not possible.  However, maybe I missed something, or one of you experts can help me.  Is it possible to configure the router to NAT traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?

    Once again, thank you for any help you can give.

    Alex

    Hello

    Rather than using a pool for NAT:

    192.168.1.9 -> 10.1.0.1 -> 192.168.50.x

    access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    route-map RM-STATIC-NAT permit 10
     match ip address 102

    ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable

    access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    ip nat inside source list 101 interface FastEthernet0/1 overload

    The VPN access list will use 10.1.0.1 as the source...

    Let me know if it works.

    Regards

    M

  • Using VPN L2L static and dynamic dedicated tunnels

    We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites that need to create L2L VPN tunnels to the HQ ASA. Some remote sites have static IP addresses and others have dynamic IP addresses.

    I found Cisco documentation for static IP L2L VPN tunnels and got them working. I found other Cisco documentation for dynamic-to-static IP L2L VPN tunnels using the "DefaultL2LGroup" tunnel-group.

    My question is, can you have both types of L2L tunnels on the same ASA? If so, does simply using the "DefaultL2LGroup" tunnel-group alongside the per-site tunnel-group definitions work? Is there a reason not to do this? Is there a better technology available (HQ ASA with a combination of ASA 5505s and 1861s at the remote sites)?

    Yes, you can have both types of L2L tunnels. If you use a PSK, remember that the IP address of the remote site is used to 'validate' the connection to headquarters. As long as you use a secure PSK (64 characters, all mixed upper/lower case alphanumerics) you should be OK.

    A better way to do it is to get static IP addresses for the sites that currently have DHCP from the ISP.

    HTH

  • Internet access with VPN Client to ASA and full tunnel

    I'm trying to migrate our concentrator to our new ASA 5520s. The concentrator has been used only for VPN Client connections, and I have not had the easiest road. For some reason, I can't access the internet through our business network when I have profiles with full tunneling.

    I've included the configuration file, with public IP information and the site-to-site tunnels omitted. I left all the relevant stuff on tunnel-groups and group policies concerning VPN client connectivity. The address range I use for VPN clients is 172.16.254.0/24. The group I'm trying to access the internet with is "adsmgt", and the full tunnel to our network works fine.

    As always, any help is appreciated. Thank you!

    Hüseyin... good to see you back, bud. Yes, try Hüseyin's suggestions... If those look ok, we'll try a different approach...

    I'm thinking too, because with a full tunnel (no split) the ASA has to hairpin the outbound traffic back out to the internet, a "same-security-traffic permit intra-interface" statement should be able to do it... but Jim, start with Hüseyin's suggestions.

    Rgds

    Jorge
