DMVPN - PSK to RSA-Sig authentication move

Hi all

I'm moving a lab DMVPN config from PSK to the use of certificates.

Installed the root CA + certificates without problem.

I imagined it would just be a case of creating a different ISAKMP policy on the hub and spokes and gradually moving the spokes over, but I am receiving an error on the hub: "IKE message from x.x.x.x failed its sanity check or is malformed".

The problem disappears if I remove the new ISAKMP policy on the hub, which then returns to the original PSK policy. I have checked that the policies match a million times and the certificates are installed properly.

I have included some of the config below. Policy 10 works fine.

Any help appreciated. Thank you

-Hub-
crypto isakmp policy 5
 encr aes
 hash md5
 ! no "authentication" line: the IOS default is rsa-sig, so this policy uses certificates
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ProfileName
 set security-association lifetime seconds 900
 set transform-set main
!
interface Tunnel0
 bandwidth 20480
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp network-id ID
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 cdp enable
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile ProfileName
-Spoke-
crypto isakmp policy 5
 encr aes
 hash md5
 ! no "authentication" line: the IOS default is rsa-sig, so this policy uses certificates
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IProfile
 set security-association lifetime seconds 900
 set transform-set main
!
interface Tunnel0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id X
 ip nhrp nhs x.x.x.x
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile Iprofile
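An added example (not from the post, not Cisco code) that models how an IOS responder chooses a matching ISAKMP policy for the two-policy setup above: attributes a policy leaves out take the IOS defaults (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400), the initiator's proposals are compared in order against the responder's policies in priority order, and the first pair that agrees on encr/hash/authentication/group with an initiator lifetime no larger than the responder's wins. The hub and spoke snippets are the ones from the post with the pre-shared key replaced by a placeholder.

```python
"""IKEv1 phase 1 policy compatibility check for a DMVPN hub and spoke.

Added example; it models IOS policy matching, it is not IOS code. The
point it makes: a policy without an 'authentication' line is an rsa-sig
policy and will demand certificates from the peer.
"""
import re

DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ATTRS = {"encr": "encr", "encryption": "encr", "hash": "hash",
         "authentication": "authentication", "group": "group",
         "lifetime": "lifetime"}
COMPARED = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: attrs} from an IOS config snippet (indentation optional)."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"crypto isakmp policy (\d+)$", line, re.I)
        if head:
            current = int(head.group(1))
            policies[current] = dict(DEFAULTS)  # start from the IOS defaults
            continue
        parts = line.lower().split()
        if not parts or parts[0] in ("!", "crypto"):
            current = None  # a '!' separator or another top-level command
            continue
        if current is not None and parts[0] in ATTRS and len(parts) > 1:
            policies[current][ATTRS[parts[0]]] = " ".join(parts[1:])
    return policies


def first_match(initiator, responder):
    """(initiator_prio, responder_prio, negotiated_attrs) or None."""
    for ip, ia in sorted(initiator.items()):
        for rp, ra in sorted(responder.items()):
            if all(ia[k] == ra[k] for k in COMPARED) and \
               int(ia["lifetime"]) <= int(ra["lifetime"]):
                return ip, rp, dict(ra, lifetime=ia["lifetime"])
    return None


def cert_only_policies(policies):
    """Priorities that will demand certificates: rsa-sig, stated or defaulted."""
    return sorted(p for p, a in policies.items() if a["authentication"] == "rsa-sig")


# Constructed from the hub/spoke snippets in the post; the PSK is a placeholder.
HUB = """\
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key PSK_PLACEHOLDER address 0.0.0.0
"""
SPOKE = HUB  # the spoke carries the same two policies


def report(name, initiator, responder):
    hit = first_match(initiator, responder)
    if hit is None:
        return f"{name}: no acceptable proposal (phase 1 cannot complete)"
    ip, rp, neg = hit
    return (f"{name}: initiator policy {ip} matches responder policy {rp} -> "
            f"{neg['encr']}/{neg['hash']}/{neg['authentication']}/group {neg['group']}")


if __name__ == "__main__":
    hub, spoke = parse_isakmp_policies(HUB), parse_isakmp_policies(SPOKE)
    print("hub policies needing a certificate:", cert_only_policies(hub))
    print(report("spoke->hub", spoke, hub))
    # Drop the pre-share policy on the hub: the spoke's policy 10 no longer
    # matches, so the certificate policy 5 is the only way in.
    hub_certs = {p: a for p, a in hub.items() if p != 10}
    print(report("spoke->hub (PSK policy removed)", spoke, hub_certs))
```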

Your certificates look good. Time is very important. Configure service timestamps on the log and keep your clock synced with NTP.

Once everything looks set up correctly, I would be very interested to see all the debugs.

The issue you have is either the key or the certificate not authenticating, could be MTU, could be something else.

Would you mind providing all the debugs and perhaps a Wireshark trace to see what is happening? Debugs for isakmp, ipsec and certificates as well.

Thank you

Tags: Cisco Security

Similar Questions

  • Group authentication with Xauth and RSA-sig authentication without Xauth

    Hello

    I want to migrate my VPN users (dynamic clients) from OTP token authentication to certificate-based authentication.

    For a while I'll have two authentication methods on one VPN endpoint (PIX).

    For OTP, Xauth is done against an AAA server.

    Now I want my cert users to be exempt from Xauth. There is no need for a separate user authentication.

    See my config below for reference.

    ===========================================================
    access-list 101 permit ip any any
    ip local pool VPNpool 192.168.0.0-192.168.0.50
    vpngroup VPNgp address-pool VPNpool
    vpngroup rasadmin idle-time 1800
    vpngroup rasadmin password VPNpass
    crypto ipsec transform-set VPNts esp-3des esp-sha-hmac
    crypto dynamic-map client 5 match address 101
    crypto dynamic-map client 5 set transform-set VPNts
    crypto map vpn 1024 ipsec-isakmp dynamic client
    crypto map vpn client authentication TACACS+
    crypto map vpn interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    ===========================================================

    How can I exclude the rsa-sig users from Xauth (crypto map vpn client authentication TACACS+)?

    Only the group authentication should authenticate with username and password in addition to the pre-shared authentication.

    In my tests it seemed to me that Xauth is enabled or disabled for all isakmp policies and VPN groups at once.

    Or is it possible to diverge per policy, group, pool, or something else?

    I use PIX 6.3(4) and the latest Cisco VPN Client.

    Thanks for your advice

    Stephan

    Unfortunately, as you have already understood, XAuth is enabled at the global level, not per group. If you turn it on for some users, it gets turned on for all; no way around it.

  • DMVPN Phase 1 fails when migrating from PSK to RSA-sig

    I'm currently in the process of migrating my DMVPN network from pre-shared keys to certificates. Most of the spokes have come up and work without any problem, but there are several that don't get past Phase 1. I have included the isakmp debug from the hub and from one of the spokes that fail. I see that the hub goes to QM_IDLE after receiving the spoke's certificate, but it looks like the spoke never receives the hub's cert. I suspect a problem with the ISP, but it's not as simple as filtering UDP 500, as all messages except the cert seem to get through. If I put the spoke back on PSK it works fine. Has anyone seen this problem before, and what is the resolution?

    DMVPN Hub
    7 Oct 19:38:36.213: ISAKMP: 500 local port, remote port 500
    7 Oct 19:38:36.213: ISAKMP: find a dup her to the tree during the isadb_insert his 7F1AA7CC5920 = call BVA
    7 Oct 19:38:36.213: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.213: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
    7 October 19:38:36.214: ISAKMP: (0): treatment ITS payload. Message ID = 0
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
    7 Oct 19:38:36.214: ISAKMP: (0): pair found pre-shared key matching 2.8.51.58
    7 October 19:38:36.214: ISAKMP: (0): pre-shared key local found
    7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
    7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
    7 Oct 19:38:36.214: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
    7 Oct 19:38:36.214: ISAKMP: 3DES-CBC encryption
    7 Oct 19:38:36.214: ISAKMP: MD5 hash
    7 Oct 19:38:36.214: ISAKMP: default group 1
    7 Oct 19:38:36.214: ISAKMP: auth RSA sig
    7 Oct 19:38:36.214: ISAKMP: type of life in seconds
    7 Oct 19:38:36.214: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    7 Oct 19:38:36.214: ISAKMP: (0): atts are acceptable. Next payload is 3
    7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts: real life: 0
    7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts:life: 0
    7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his vpi_length:4
    7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his life_in_seconds:86400
    7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI start PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
    7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE started PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
    7 Oct 19:38:36.214: ISAKMP: (0): return real life: 86400
    7 Oct 19:38:36.214: ISAKMP: (0): timer life Started: 86400.
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
    7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
    7 October 19:38:36.214: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    7 October 19:38:36.214: ISAKMP: (0): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
    7 Oct 19:38:36.214: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
    7 Oct 19:38:36.240: ISAKMP (0): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_SA_SETUP
    7 Oct 19:38:36.240: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.240: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
    7 October 19:38:36.240: ISAKMP: (0): processing KE payload. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (0): processing NONCE payload. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (38618): payload processing CERT_REQ. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (38618): peer wants a cert CT_X509_SIGNATURE
    7 October 19:38:36.242: ISAKMP: (38618): peer wants cert issued by cn = Tetra Pak Root CA - G1
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): provider ID is DPD
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): addressing another box of IOS!
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): provider ID seems the unit/DPD but major incompatibility of 209
    7 October 19:38:36.242: ISAKMP: (38618): provider ID is XAUTH
    7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
    7 Oct 19:38:36.242: ISAKMP (38618): sound not hash no match - this node outside NAT
    7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
    7 Oct 19:38:36.242: ISAKMP (38618): No. NAT found for oneself or peer
    7 Oct 19:38:36.242: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.242: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM3
    7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI get configured TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE Got set up TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI obtain IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE got IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.243: ISAKMP (38618): construction CERT_REQ for issuer cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 October 19:38:36.243: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    7 Oct 19:38:36.243: ISAKMP: (38618): sending a packet IPv4 IKE.
    7 Oct 19:38:36.243: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.243: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM4
    7 Oct 19:38:36.484: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_KEY_EXCH
    7 Oct 19:38:36.484: ISAKMP: (38618): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.484: ISAKMP: (38618): former State = new State IKE_R_MM4 = IKE_R_MM5
    7 October 19:38:36.484: ISAKMP: (38618): payload ID for treatment. Message ID = 0
    7 Oct 19:38:36.484: ISAKMP (38618): payload ID
    next payload: 6
    type: 2
    FULL domain name: s2s-lvrirt - 01.nvv .net .company .com
    Protocol: 17
    Port: 500
    Length: 42
    7 October 19:38:36.484: ISAKMP: (38618): processing CERT payload. Message ID = 0
    7 October 19:38:36.484: ISAKMP: (38618): treatment of a cert CT_X509_SIGNATURE
    7 October 19:38:36.484: ISAKMP: (38618): IKE-> certificate PKI add the peer of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> certificate of the peer IKE Added State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): IKE-> PKI get PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE got PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): pubkey from the counterpart is cached
    7 October 19:38:36.485: ISAKMP: (38618): IKE-PKI > validate the chain of certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE Validate string certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): failed to get the certificate DN!
    7 October 19:38:36.485: ISAKMP: (38618): payload processing GIS. Message ID = 0
    7 Oct 19:38:36.486: ISAKMP: received payload type 17
    7 October 19:38:36.486: ISAKMP: (38618): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID = 0, a = 0x7F1AA7CC5920
    7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
    authenticated
    7 Oct 19:38:36.486: ISAKMP: (38618): SA has been authenticated with 2.8.51.58
    7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
    authenticated
    7 October 19:38:36.486: ISAKMP: (38618): process of first contact.
    lowering existing phase 1 and 2 with local 15.18.1.1 2.8.51.58 remote remote port 500
    7 Oct 19:38:36.486: ISAKMP: (38617): received first contact, delete SA
    7 Oct 19:38:36.486: ISAKMP: (38617): peer does not paranoid KeepAlive.
    7 Oct 19:38:36.486: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.486: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.486: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_R_MM5
    7 Oct 19:38:36.487: ISAKMP: node set 2177251913 to QM_IDLE
    7 October 19:38:36.487: ISAKMP: (38617): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    7 Oct 19:38:36.487: ISAKMP: (38617): sending a packet IPv4 IKE.
    7 Oct 19:38:36.487: ISAKMP: (38617): purge the node 2177251913
    7 Oct 19:38:36.487: ISAKMP: (38617): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    7 Oct 19:38:36.487: ISAKMP: (38617): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI get self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE Got self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI obtain SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE got SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.487: ISAKMP: (38618): My ID configured as IPv4 address, but Addr not in Cert!
    7 Oct 19:38:36.487: ISAKMP: (38618): using domain FULL as my ID name
    7 Oct 19:38:36.487: ISAKMP: (38618): ITS been RSA authentication of signature using id ID_FQDN type
    7 Oct 19:38:36.487: ISAKMP (38618): payload ID
    next payload: 6
    type: 2
    FULL domain name: dmvpn-selurt - 01.nvv .net .company .com
    Protocol: 17
    Port: 500
    Length: 44
    7 Oct 19:38:36.487: ISAKMP: (38618): the total payload length: 44
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI is CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.488: ISAKMP: (38618): ICP-> IKE got CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.489: ISAKMP (38618): construction of CERT payload for hostname = selurt-dmvpn - 01.nvv .net .company .com, serialNumber = 4279180096
    7 Oct 19:38:36.489: ISAKMP (38618): construction CERT payload for cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 October 19:38:36.489: ISAKMP: (38618): using the key of the TP_NAD_CA trustpoint to sign pair
    7 October 19:38:36.494: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    7 Oct 19:38:36.494: ISAKMP: (38618): sending a packet IPv4 IKE.
    7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
    7 Oct 19:38:36.494: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.494: ISAKMP: (38617): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.494: ISAKMP: (38617): former State = new State IKE_DEST_SA = IKE_DEST_SA
    7 Oct 19:38:36.494: ISAKMP: (38618): IKE_DPD is enabled, the initialization of timers
    7 October 19:38:36.494: ISAKMP: (38618): IKE-> end of the PKI public PKI Session state (R) QM_IDLE (post 2.8.51.58)
    7 October 19:38:36.494: ISAKMP: (38618): ICP-> IKE session completed ICP State (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01 #.
    7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
    selurt-dmvpn-01 #.
    7 Oct 19:38:46.492: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:38:46.492: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:38:46.492: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:38:46.992: ISAKMP (38618): increment the count of errors on his, try 1 5: retransmit the phase 1
    7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:38:46.992: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:38:46.992: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:38:56.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:38:56.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:38:56.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:38:56.981: ISAKMP (38618): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:38:56.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:38:56.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:06.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:06.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:06.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:06.981: ISAKMP (38618): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:06.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:06.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:09.880: ISAKMP: (38616): serving SA., his is 7F1AA7721158, delme is 7F1AA7721158
    selurt-dmvpn-01 #.
    7 Oct 19:39:16.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:16.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:16.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:16.980: ISAKMP (38618): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:16.980: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:16.980: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:26.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:26.482: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:26.482: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:26.981: ISAKMP (38618): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:26.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:26.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:36.493: ISAKMP: (38617): serving SA., his is 7F1AA79AD9E0, delme is 7F1AA79AD9E0

    DMVPN Spoke
    7 October 19:38:36.181: ISAKMP: (0): profile of THE request is (NULL)
    7 Oct 19:38:36.181: ISAKMP: created a struct peer 15.18.1.1, peer port 500
    7 Oct 19:38:36.181: ISAKMP: new position created post = 0x2B1F480C peer_handle = 0x80001DF4
    7 Oct 19:38:36.181: ISAKMP: lock struct 0x2B1F480C, refcount 1 to peer isakmp_initiator
    7 Oct 19:38:36.181: ISAKMP: 500 local port, remote port 500
    7 Oct 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    7 Oct 19:38:36.181: ISAKMP: find a dup her to the tree during the isadb_insert his 2B16C9FC = call BVA
    7 Oct 19:38:36.181: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    7 Oct 19:38:36.181: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
    7 October 19:38:36.181: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.181: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    7 October 19:38:36.181: ISAKMP: (0): built the seller-07 ID NAT - t
    7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-03 ID
    7 October 19:38:36.181: ISAKMP: (0): built the seller-02 ID NAT - t
    7 Oct 19:38:36.181: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    7 Oct 19:38:36.181: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
    7 October 19:38:36.181: ISAKMP: (0): Beginner Main Mode Exchange
    7 October 19:38:36.181: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_NO_STATE
    7 Oct 19:38:36.181: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.205: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_NO_STATE
    7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
    7 October 19:38:36.205: ISAKMP: (0): treatment ITS payload. Message ID = 0
    7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 Oct 19:38:36.205: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
    7 October 19:38:36.205: ISAKMP: (0): pre-shared key local found
    7 Oct 19:38:36.205: ISAKMP: analysis of the profiles for xauth...
    7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 Oct 19:38:36.205: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
    7 Oct 19:38:36.205: ISAKMP: 3DES-CBC encryption
    7 Oct 19:38:36.205: ISAKMP: MD5 hash
    7 Oct 19:38:36.205: ISAKMP: default group 1
    7 Oct 19:38:36.205: ISAKMP: auth RSA sig
    7 Oct 19:38:36.205: ISAKMP: type of life in seconds
    7 Oct 19:38:36.205: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    7 Oct 19:38:36.205: ISAKMP: (0): atts are acceptable. Next payload is 0
    7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts: real life: 0
    7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts:life: 0
    7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his vpi_length:4
    7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his life_in_seconds:86400
    7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI start PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE started PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
    7 Oct 19:38:36.205: ISAKMP: (0): return real life: 86400
    7 Oct 19:38:36.205: ISAKMP: (0): timer life Started: 86400.
    7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
    7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI obtain IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE got IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 Oct 19:38:36.209: ISAKMP (0): construction CERT_REQ for issuer cn = Tetra Pak Root CA - G1
    7 October 19:38:36.209: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_SA_SETUP
    7 Oct 19:38:36.209: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.209: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.209: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
    7 Oct 19:38:36.233: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_SA_SETUP
    7 Oct 19:38:36.233: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.233: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
    7 October 19:38:36.233: ISAKMP: (0): processing KE payload. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (0): processing NONCE payload. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (8329): payload processing CERT_REQ. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (8329): peer wants a cert CT_X509_SIGNATURE
    7 October 19:38:36.245: ISAKMP: (8329): peer wants cert issued by cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 Oct 19:38:36.249: choose trustpoint TP_NAD_CA as transmitter
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    7 October 19:38:36.249: ISAKMP: (8329): provider ID is the unit
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    7 October 19:38:36.249: ISAKMP: (8329): provider ID is DPD
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    7 October 19:38:36.249: ISAKMP: (8329): addressing another box of IOS!
    7 Oct 19:38:36.249: ISAKMP: receives the payload type 20
    7 Oct 19:38:36.249: ISAKMP (8329): sound not hash no match - this node outside NAT
    7 Oct 19:38:36.249: ISAKMP: receives the payload type 20
    Oct  7 19:38:36.249: ISAKMP:(8329):No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : s2s-lvrirt-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to send to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to send to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname = s2s-lvrirt-01.nvv.net.company.com, serialNumber = FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,

    The hub sends its cert but the spoke never sees it; this is usually a problem with fragment handling in transit networks.

    Sniff on both ends you control and check whether any fragments are missing on the spoke end.

    Could be as simple as an MTU problem on your end, or something in the path trying to reassemble.

    Several ways to go; check on your end whether the fragments go missing in transit, then start investigating with the ISP(s).

    M.
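    The pattern in the debug above (MM5 sent, retransmitted five times, then "Death by retransmission P1") is mechanical enough to check by script when there are many spokes to migrate. The following is an added example, not code from the original thread: it groups `debug crypto isakmp` lines by SA id and reports the phase-1 retransmit death, the send buffer growing past one Ethernet frame once the CERT payload is attached, and the "Addr not in Cert" fallback to an FQDN identity. `SAMPLE_DEBUG` is constructed to mirror the posted log; SA 8330 is a constructed healthy negotiation for contrast.

```python
"""Triage Cisco IOS `debug crypto isakmp` output for phase-1 (main mode) failures.

Added example, not from the original thread. SAMPLE_DEBUG is constructed after
the posted log; the message texts are the standard IOS ISAKMP debug strings.
"""
import re

SA_ID = re.compile(r"ISAKMP:?\s*\((\d+)\)")          # "ISAKMP:(8329):" or "ISAKMP (8329):"
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
NEW_STATE = re.compile(r"New State = (\w+)")
SEND_BUF = re.compile(r"growing send buffer from \d+ to (\d+)")

SAMPLE_DEBUG = """\
Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct  7 19:40:01.000: ISAKMP:(8330):Old State = IKE_I_MM5  New State = IKE_I_MM6
Oct  7 19:40:01.100: ISAKMP:(8330):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""


def triage(debug_text):
    """Return per-SA findings: {sa_id: {retransmits, max_attempts, last_state, ...}}."""
    findings = {}
    last_sa = None
    for line in debug_text.splitlines():
        m = SA_ID.search(line)
        if m:
            last_sa = m.group(1)
        if last_sa is None:
            continue                      # global message before any SA was named
        # Lines without an SA id (e.g. the "growing send buffer" one) belong to
        # the SA that was last mentioned, which is how IOS interleaves them.
        f = findings.setdefault(last_sa, {
            "retransmits": 0, "max_attempts": 0, "last_state": None,
            "dead": False, "addr_not_in_cert": False, "send_buffer": 0,
        })
        if (m := RETRANS.search(line)):
            f["retransmits"], f["max_attempts"] = int(m.group(1)), int(m.group(2))
        if (m := NEW_STATE.search(line)):
            f["last_state"] = m.group(1)
        if (m := SEND_BUF.search(line)):
            f["send_buffer"] = max(f["send_buffer"], int(m.group(1)))
        if "Death by retransmission P1" in line:
            f["dead"] = True
        if "Addr not in Cert" in line:
            f["addr_not_in_cert"] = True
    return findings


def diagnose(findings):
    """One plain-language verdict per SA."""
    verdicts = {}
    for sa_id, f in findings.items():
        if f["dead"] and f["last_state"] == "IKE_I_MM5":
            # MM5 carries ID + CERT + SIG; it is the first message large enough to fragment.
            v = ("MM5 (ID+CERT+SIG) sent %d times and never answered: suspect dropped "
                 "IKE fragments or a path MTU problem" % f["retransmits"])
            if f["send_buffer"] > 1500:
                v += " (send buffer grew to %d bytes, more than one Ethernet frame)" % f["send_buffer"]
        elif f["dead"]:
            v = "phase 1 died in %s after %d retransmits" % (f["last_state"], f["retransmits"])
        elif f["last_state"] == "IKE_P1_COMPLETE":
            v = "phase 1 completed"
        else:
            v = "phase 1 in progress or inconclusive"
        if f["addr_not_in_cert"]:
            v += ("; local ID fell back to FQDN because the IPv4 address is not in the "
                  "certificate, so the peer must match on FQDN, not on address")
        verdicts[sa_id] = v
    return verdicts


if __name__ == "__main__":
    for sa, verdict in diagnose(triage(SAMPLE_DEBUG)).items():
        print(sa, "->", verdict)
```

    Feed it the output of `debug crypto isakmp` captured to a file; the verdict for the SA that reaches MM5 and dies is the one to take to the sniffer traces that M. suggests.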

  • Double-Cloud DMVPN spoke Router Configuration

    I have decided to adopt a dual-cloud DMVPN architecture (1 hub at the main office, 1 hub at the DR site) with the option to go later to dual hubs at each of my network sites.

    I tried to configure each of the clouds to have its own key.

    Cloud 1, hub 1:

    crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

    Cloud 2, hub 1:

    crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

    Of course, the spokes I want to connect to both clouds would not allow me to use the same simple crypto isakmp key command twice.

    Several of my sites will have 2 internet connections.  Given that I source a tunnel from each of these Internet connections, I came up with the following solution:

    spoke 1:

    crypto keyring X-RING

    local-address Gig0/1 (internet connection interface 1)

    pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123

    crypto keyring Y-RING

    local-address Gig0/2 (internet connection interface 2)

    pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456

    crypto isakmp profile DMVPN_ISAKMP_X

    keyring X-RING

    match identity address 0.0.0.0

    local-address Gig0/1

    crypto isakmp profile DMVPN_ISAKMP_Y

    keyring Y-RING

    match identity address 0.0.0.0

    local-address Gig0/2

    OK... to the question... the first site I tried to connect to the two DMVPN clouds has only 1 internet connection!

    Without changing both my DMVPN clouds to the same key (almost all of the examples have this) - how can I make the spoke-to-spoke and spoke-to-hub tunnels work?

    Is there anything else I can match, or create, in each spoke and hub config?

    I tried:

    - match identity group, but couldn't figure out how to set a group name on each of the spokes - or on the hub either.  Also, wouldn't no-xauth prevent it from being considered?

    - matching fqdn does not seem to work either.

    - vrf is not an option - not applicable

    - secondary IP addresses do not appear to be an option and seem to complicate the issue too.

    Thank you very much in advance!

    There is nothing special with PKI when it comes to DMVPN. PKI or pre-shared keys is just how isakmp authenticates the session, and there is no difference between DMVPN and site-to-site.

    Basically, you'd have to do these things:

    - create a CA. A basic one can be created on one of your routers.

    - create the trustpoint on each DMVPN hub and spoke.

    - change the authentication type in the isakmp profile from pre-shared key to rsa-sig.

    You can certainly have more than one trustpoint, one for each cloud, but I highly doubt that it is necessary for PKI.

    Maybe this doc will be of a little help, even if it has too much info:

    http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html

    If you need, I can bring up some full site-to-site example with PKI auth.
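    The last step above, moving authentication from pre-shared key to rsa-sig, is where the hub/spoke policy mismatch from the first thread in this page creeps in: IOS omits default attributes from the running-config, so a policy with no `authentication` line is silently rsa-sig. The script below is an added example, not code from the original thread: it parses `crypto isakmp policy` blocks from running-config text, fills in the IOS defaults (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400) and lists the hub/spoke policy pairs that would negotiate. The three configs are constructed after the hub and spoke snippets on this page; `PLACEHOLDER_PSK` is a placeholder.

```python
"""Which ISAKMP (IKEv1) policies on a hub and a spoke actually match?

Added example, not from the original thread. The configs below are
constructed after the hub/spoke snippets on this page.
"""
import re

# Attributes IOS leaves out of `show running-config` when they are at default.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
MUST_MATCH = ("encryption", "hash", "authentication", "group")

HUB_CONFIG = """\
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0
"""

# Spoke that kept "authentication pre-share" in policy 5: never matches hub 5.
SPOKE_PSK_ONLY = """\
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
"""

# Spoke whose policy 5 relies on the rsa-sig default, like the hub's.
SPOKE_RSA_SIG = """\
crypto isakmp policy 5
 encr aes
 hash md5
 lifetime 3600
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
"""


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):            # top-level command: any open block ends
            m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS)) if m else None
            continue
        if current is None:
            continue
        m = re.match(r"\s+(encr|encryption|hash|authentication|group|lifetime)\s+(.+?)\s*$", raw)
        if m:
            key = "encryption" if m.group(1).startswith("encr") else m.group(1)
            current[key] = m.group(2)
    return policies


def mismatched_attributes(a, b):
    """Names of the negotiated attributes on which two policies differ."""
    return [k for k in MUST_MATCH if a[k] != b[k]]


def matching_policies(initiator_cfg, responder_cfg):
    """Pairs (initiator_prio, responder_prio, lifetime) that would negotiate.

    A pair negotiates when encryption, hash, authentication and DH group all
    agree; the lifetime is not compared for equality, the shorter one is used.
    """
    init = parse_isakmp_policies(initiator_cfg)
    resp = parse_isakmp_policies(responder_cfg)
    pairs = []
    for ip, ipol in sorted(init.items()):
        for rp, rpol in sorted(resp.items()):
            if not mismatched_attributes(ipol, rpol):
                pairs.append((ip, rp, min(int(ipol["lifetime"]), int(rpol["lifetime"]))))
    return pairs


if __name__ == "__main__":
    hub = parse_isakmp_policies(HUB_CONFIG)
    for name, spoke in (("psk-only spoke", SPOKE_PSK_ONLY), ("rsa-sig spoke", SPOKE_RSA_SIG)):
        print(name, "->", matching_policies(spoke, HUB_CONFIG))
    print("hub 5 vs psk-only spoke 5 differ on:",
          mismatched_attributes(parse_isakmp_policies(SPOKE_PSK_ONLY)[5], hub[5]))
```

    Run against real configs, the attribute list returned by `mismatched_attributes` is the thing to fix; when it is empty for every pair and phase 1 still fails, the problem is transport (fragments, NAT), not policy.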

  • RSA-ENCR with EPII HW Accelerator

    Hi all

    I need confirmation on the following points:

    - rsa-encr is not supported by the EPII and EPII-Plus modules, and this is a hardware limitation, so they will not support it in the future either.

    - so rsa-encr is done in software, while all other uses of encryption are done by the HW "accelerator" module in the router.

    Thank you

    Attila

    Q. Which crypto modules support RSA encryption?

    A. Here are the three authentication methods currently available within the IKE policy configuration:

    pre-share (pre-shared keys)

    rsa-sig (RSA signatures)

    rsa-encr (RSA encrypted nonces)

    All three modes are supported on the AIM-VPN/BP, EP, HP and NM-VPN/MP.

    Only pre-share and rsa-sig are supported on the AIM-VPN/BPII, EPII, HPII and AIM-VPN/BPII-PLUS, EPII-PLUS and HPII-PLUS. These modules do not support rsa-encr because of an incompatibility between the Cisco IOS crypto API and the hardware chip. There is a workaround listed in the DDTS CSCdv30620 release notes.

    It is available in this FAQ document

    http://www.Cisco.com/en/us/partner/products/HW/routers/PS282/products_qanda_item09186a00800918fc.shtml#wp40766

  • How to configure IKE with RSA-SIG without a CA between a 1760 and a PIX501?

    Hello

    I have a question about IKE authentication with RSA-SIG between a 1760 router and a PIX501 without a CA.

    I found a URL for between routers, but not for the PIX. Do I need a third-party CA (public or internal) for the PIX?

    http://www.Cisco.com/warp/public/707/18.html

    Please correct me if I am wrong, or return a URL.

    Thank you

    RSA-encr is available for IOS routers; the PIX supports certificates or pre-shared keys. You might want to look at this example with a MS CA:

    http://www.Cisco.com/warp/public/707/lan_to_lan_ipsec_pix_rtr_cert.html

  • DMVPN tunnel is not establishing - wrong NHRP address

    I am trying to establish a DMVPN tunnel to a new router that we are moving to a remote location. We already have a hub and several other remote sites that work properly. I can ping everything at another remote site, but I do not see the correct address appear when I do a 'show dmvpn'. Also the SA does not appear when I do a 'show crypto isakmp sa'.

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP    1d10h     S

    Then I do a ping to a remote machine.

    UARouter#ping 192.168.2.40 source loopback 5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.40, timeout is 2 seconds:
    Packet sent with a source address of 192.168.12.254
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 352/353/356 ms

    UARouter#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         2 63.162.52.254      172.19.1.1    UP    1d10h     S
                              172.19.1.2    UP 00:00:32

    It does not seem to resolve to the real peer NBMA address 203.98.212.254, but rather is fixed to the hub.

    UARouter#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
    172.19.1.2/32      172.19.1.2     63.162.52.254  dynamic  Tu0     <   >

    UARouter#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE

    Here is the output of a different router that works.

    TaiwanRTR#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:8,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 63.162.52.254      172.19.1.1    UP     1w4d     S
         1 203.98.212.254     172.19.1.2           1w4d     D

    TaiwanRTR#show ip nhrp brief
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
    172.19.1.2/32      172.19.1.2     203.98.212.254 dynamic  Tu0     <   >

    Here are the DMVPN configs. They are identical except for the ip address and the fact that I cannot use the command no ip mroute-cache, because it is not recommended on the new router since we use a newer IOS. I also use the interface directly instead of a loopback. The loopback on the TaiwanRTR is a public IP address.

    AU Router

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.12 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     delay 1000
     qos pre-classify
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared

    TaiwanRTR

    interface Tunnel0
     bandwidth 1000
     ip address 172.19.1.6 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication
     ip nhrp map 172.19.1.1 63.162.52.254
     ip nhrp map multicast 63.162.52.254
     ip nhrp network-id 1000000
     ip nhrp holdtime 600
     ip nhrp nhs 172.19.1.1
     ip tcp adjust-mss 1360
     no ip mroute-cache
     delay 1000
     tunnel source Loopback2
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN shared
    end

    On both devices we use the same crypto parameters. We use certificates instead of pre-shared keys.

    crypto isakmp policy 1
     encr 3des
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN
     set transform-set RIGHT

    Does anyone have any ideas what could be happening?

    Here is my DMVPN router ACL...

    10 permit esp any any (22214502 matches)
    20 permit udp any any eq isakmp (375 matches)
    30 permit udp any any eq non500-isakmp
    40 permit icmp any any (40005 matches)

    Works 100% for me.

    I will note, my line 20 used to be 'permit udp any eq isakmp any eq isakmp', but I found that when my routers were behind devices the source port wouldn't be 500 and things didn't work, so I had to open it up.
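    The symptom in the question above is visible in two tables: `show ip nhrp brief` maps the spoke 172.19.1.2 to the hub's NBMA address 63.162.52.254 instead of 203.98.212.254, and `show crypto isakmp sa` has an SA to the hub only. The script below is an added example, not code from the original thread; it parses both outputs and reports dynamic NHRP entries that resolve to an NHS address (traffic hairpinning through the hub) and resolved spokes that still have no ISAKMP SA. The sample tables are constructed after the ones in the question; 109.237.82.114 is the local address shown in the question's SA output.

```python
"""Spot NHRP peers that resolve to the hub instead of their own NBMA address.

Added example, not from the original thread. Sample outputs are constructed
after the `show ip nhrp brief` / `show crypto isakmp sa` tables in the question.
"""
import re

NHRP_ROW = re.compile(r"^\s*(\S+?)/\d+\s+(\S+)\s+(\S+)\s+(static|dynamic)\s+(\S+)")
SA_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")

# Broken spoke: 172.19.1.2 resolved to the hub's NBMA address.
BROKEN_NHRP = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
172.19.1.2/32      172.19.1.2     63.162.52.254  dynamic  Tu0     <   >
"""
# Working spoke: 172.19.1.2 resolved to the real peer.
HEALTHY_NHRP = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
172.19.1.1/32      172.19.1.1     63.162.52.254  static   Tu0     <   >
172.19.1.2/32      172.19.1.2     203.98.212.254 dynamic  Tu0     <   >
"""
# Only one ISAKMP SA, to the hub.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
63.162.52.254   109.237.82.114  QM_IDLE           1003 ACTIVE
"""


def parse_nhrp_brief(text):
    """Rows of `show ip nhrp brief` as dicts (header lines have no '/' and are skipped)."""
    return [{"target": m.group(1), "via": m.group(2), "nbma": m.group(3),
             "mode": m.group(4), "intf": m.group(5)}
            for m in map(NHRP_ROW.match, text.splitlines()) if m]


def parse_isakmp_sa(text):
    """Set of addresses (dst and src) that appear in `show crypto isakmp sa`."""
    peers = set()
    for m in filter(None, map(SA_ROW.match, text.splitlines())):
        peers.update((m.group(1), m.group(2)))
    return peers


def hub_pinned_peers(entries):
    """Dynamic NHRP targets whose NBMA address is really an NHS (static) address."""
    hubs = {e["nbma"] for e in entries if e["mode"] == "static"}
    return [e["target"] for e in entries if e["mode"] == "dynamic" and e["nbma"] in hubs]


def peers_without_sa(entries, sa_peers):
    """Resolved spokes that still have no ISAKMP SA towards their NBMA address."""
    return [e["target"] for e in entries
            if e["mode"] == "dynamic" and e["nbma"] not in sa_peers]


if __name__ == "__main__":
    sa = parse_isakmp_sa(ISAKMP_SA)
    for name, table in (("broken", BROKEN_NHRP), ("healthy", HEALTHY_NHRP)):
        rows = parse_nhrp_brief(table)
        print(name, "hub-pinned:", hub_pinned_peers(rows), "no SA:", peers_without_sa(rows, sa))
```

    Note the two checks complement each other: on the broken spoke the SA check is silent (the only SA, to the hub, "covers" the mis-resolved entry), which is exactly why `show crypto isakmp sa` looked fine to the poster while spoke-to-spoke traffic never left the hub path.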

  • Restricting the VPN peer IP

    Hi all

    I hope that someone can help.

    I'm trying to restrict my ASA from answering handshake requests from any IP address other than the specified remote peer - I only have one VPN, between the HO and DC. So far I have removed "crypto map WATCH 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP", which I thought would have responded to any VPN request. I also disabled the SSL VPN for good measure.

    I have installed certificates as I tried to get rsa-sig working, which was a failure - if you have a Watchguard on the other end, don't bother trying!

    The ike-scan output, run from an address different from the peer:

    ubee@*:~$ sudo ike-scan -v -M --trans=5,1,2,5 --id=test *.*.*.* --showbackoff
    [sudo] password for ubee:
    WARNING: Specifying an identification payload with --id or -n has no effect
             unless you also specify aggressive mode with --aggressive or -A
    DEBUG: pkt len=84 bytes, bandwidth=56000 bps, int=16000 us
    Starting ike-scan 1.9 with 1 hosts
    *.*.*.*   Main Mode Handshake returned
            HDR=(CKY-R=17fa18bf79c4afa5)
            SA=(Enc=3DES Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
            VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

    IKE Backoff Patterns:

    IP Address      No.     Recv time               Delta Time
    *.*.*.*         1       1310135704.612627       0.000000
    *.*.*.*         2       1310135712.610471       7.997844
    *.*.*.*         3       1310135720.615189       8.004718
    *.*.*.*         4       1310135728.618697       8.003508
    *.*.*.*         Implementation guess: Cisco VPN Concentrator

    Ending ike-scan 1.9: 1 hosts scanned in 84.077 seconds (0.01 hosts/sec).  1 returned handshake; 0 returned notify
    ubee@*:~$

    ASA logs showing the ike-scan request above:

    6 | July 8, 2011 | 09:08:30 | 302016 | 89.243.83.209 | 54971 | *.*.*.* | 500 | Teardown UDP connection 9928544 for outside:89.243.83.209/54971 to identity:*.*.*.*/500 duration 0:02:24 bytes 500

    6 | July 8, 2011 | 09:06:06 | 302015 | 89.243.83.209 | 54971 | *.*.*.* | 500 | Built inbound UDP connection 9928544 for outside:89.243.83.209/54971 (89.243.83.209/54971) to identity:*.*.*.*/500 (*.*.*.*/500)

    Thanks in advance.

    Damo.

    Hey Damo,

    Assuming that you don't need IKE to listen to the whole world but only to specific peers, you can use the control-plane option of the access-group command, for example as follows:

    access-list test extended permit udp host 10.48.67.145 interface outside eq isakmp
    access-list test extended deny udp any any eq isakmp
    access-list test extended permit ip any any
    access-group test in interface outside control-plane

    This will prevent other hosts from reaching the IKE process:

    %ASA-4-106023: Deny udp src outside:10.48.67.144/500 dst identity:10.48.67.76/500 by access-group "test" [0xe4b28725, 0x0]

    You can learn more about this option at the following links:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_rules.html#wp1086468

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/A1.html#wp1597389

    HTH

    Alain
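    The two syslog ids in this thread, 302015 (inbound UDP connection built) before the ACL and 106023 (denied by access-group) after it, are enough to audit who is reaching the IKE process. The script below is an added example, not code from the original thread: it parses those messages, reports IKE sessions the ASA accepted from addresses outside the expected peer list, and models the three-line control-plane ACL from the answer so that the same addresses can be checked before the ACL is applied. The log lines are constructed; 203.0.113.1 stands for the ASA outside address, 10.48.67.145 is the only expected peer and 89.243.83.209 plays the unexpected source.

```python
"""Audit ASA syslog for IKE (UDP/500, NAT-T UDP/4500) sessions from unexpected sources.

Added example, not from the original thread. Log lines are constructed after
the 302015/302016/106023 messages quoted in the thread.
"""
import re

BUILT = re.compile(r"%ASA-\d-302015: Built inbound UDP connection \d+ for "
                   r"\S+?:(\S+)/\d+ \(\S+\) to \S+?:(\S+)/(\d+)")
DENIED = re.compile(r"%ASA-\d-106023: Deny udp src \S+?:(\S+)/\d+ dst \S+?:(\S+)/(\d+) "
                    r"by access-group \"(\S+)\"")
ISAKMP_PORT, NAT_T_PORT = 500, 4500

SAMPLE_SYSLOG = [
    '%ASA-6-302015: Built inbound UDP connection 9928544 for outside:89.243.83.209/54971 '
    '(89.243.83.209/54971) to identity:203.0.113.1/500 (203.0.113.1/500)',
    '%ASA-6-302015: Built inbound UDP connection 9928600 for outside:10.48.67.145/500 '
    '(10.48.67.145/500) to identity:203.0.113.1/500 (203.0.113.1/500)',
    '%ASA-6-302015: Built inbound UDP connection 9928601 for outside:10.48.67.145/4500 '
    '(10.48.67.145/4500) to identity:203.0.113.1/4500 (203.0.113.1/4500)',
    '%ASA-6-302016: Teardown UDP connection 9928544 for outside:89.243.83.209/54971 '
    'to identity:203.0.113.1/500 duration 0:02:24 bytes 500',
    '%ASA-4-106023: Deny udp src outside:10.48.67.144/500 dst identity:203.0.113.1/500 '
    'by access-group "test" [0xe4b28725, 0x0]',
]


def audit_ike_sessions(lines, expected_peers):
    """Bucket IKE/NAT-T sessions by source: expected peer, unexpected, or denied by ACL."""
    report = {"unexpected": [], "expected": [], "denied": []}
    for line in lines:
        if (m := BUILT.search(line)) and int(m.group(3)) in (ISAKMP_PORT, NAT_T_PORT):
            src, port = m.group(1), int(m.group(3))
            bucket = "expected" if src in expected_peers else "unexpected"
            report[bucket].append((src, port))
        elif (m := DENIED.search(line)):
            report["denied"].append((m.group(1), int(m.group(3)), m.group(4)))
    return report


def control_plane_acl(src, dst_port, expected_peers):
    """Decision of the ACL in the answer, evaluated top to bottom:
         permit udp host <peer> interface outside eq isakmp
         deny   udp any any eq isakmp
         permit ip  any any
    """
    if dst_port == ISAKMP_PORT and src in expected_peers:
        return "permit"
    if dst_port == ISAKMP_PORT:
        return "deny"
    return "permit"   # UDP/4500 (NAT-T) falls through to the final permit


if __name__ == "__main__":
    peers = {"10.48.67.145"}
    print(audit_ike_sessions(SAMPLE_SYSLOG, peers))
    for src in ("10.48.67.145", "89.243.83.209"):
        print(src, [control_plane_acl(src, p, peers) for p in (ISAKMP_PORT, NAT_T_PORT)])
```

    One caveat the model makes visible: the ACL in the answer matches `eq isakmp` only, so IKE carried over NAT-T (UDP/4500) still reaches the final `permit ip any any`. If the expected peer can sit behind NAT, add a matching pair of lines for `eq 4500`; if not, a deny for it too.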

  • ASA 5505. VPN Site-to-Site does not connect!

    Hello!
    It has been more than a week since we got a new communication channel from MGTS (an ONT terminal, Sercomm RV6688BCM, which was barely put into 'bridge' mode - the provider had to do it so that our Cisco receives the white IP address), and I have now been trying for more than a week as well to bring up an IKEv1 IPsec site-to-site VPN tunnel between our offices.
    I configured it both with the wizard in ASDM and by hand in the CLI; the result is the same, the connection does not come up.
    Cisco version 9.2(2), image asa922-k8.bin, Security Plus license, ASDM version 7.2(2).
    I no longer know what to try...
    Debugs and the complete configuration are attached below.
    Help with whatever answers you can, please! I am completely exhausted!

    Config:

    Output of the command: "sh run"

    : Saved
    :
    : Serial Number: XXXXXXXXXXXX
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(2)
    !
    hostname door-71
    enable password F6OJ0GOws7WHxeql encrypted
    names
    ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.72.254 255.255.255.0
    !
    interface Vlan2
     nameif outside_mgts
     security-level 0
     ip address 62.112.100.R1 255.255.255.252
    !
    ftp mode passive
    clock timezone MSK/MSD 3
    clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group MGTS
     name-server 195.34.31.50
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NET72
     subnet 10.1.72.0 255.255.255.0
    object network obj-0.0.0.0
     host 0.0.0.0
    object network Nafanya
     host 10.1.72.5
    object network obj-10.1.72.0
     subnet 10.1.72.0 255.255.255.0
    object network NET61
     subnet 10.1.61.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.96_27
     subnet 10.1.72.96 255.255.255.224
    object network NETT72
     subnet 10.1.72.0 255.255.255.0
    object network NET30
     subnet 10.1.30.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.0_24
     subnet 10.1.72.0 255.255.255.0
    object-group service OG INET
     service-object icmp echo
     service-object icmp echo-reply
     service-object icmp traceroute
     service-object icmp unreachable
     service-object tcp-udp destination eq echo
    object-group network DM_INLINE_NETWORK_1
     network-object object NET30
     network-object object NET72
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
    access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
    access-list inside_access_in extended permit ip object Nafanya any inactive
    access-list inside_access_in extended permit object-group OG INET any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended deny ip any any log alerts
    access-list outside_mgts_access_in extended permit object-group OG INET any any
    access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_mgts_access_in extended deny ip any any log alerts
    access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
    access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside_mgts 1500
    ip verify reverse-path interface outside_mgts
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
    nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside_mgts) dynamic obj-0.0.0.0
    object network NET72
     nat (inside,outside_mgts) dynamic interface dns
    access-group inside_access_in in interface inside
    access-group outside_mgts_access_in in interface outside_mgts
    route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.72.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
    crypto map outside_mgts_map 1 set pfs group1
    crypto map outside_mgts_map 1 set peer 91.188.180.42
    crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_mgts_map interface outside_mgts
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     email [email protected]
     subject-name CN=door-71
     serial-number
     ip-address 62.112.100.42
     proxy-ldc-issuer
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment self
     keypair ASDM_TrustPoint1
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate eff26954
        30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d010105
        019
        6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d1964
        60ae26ec 5f300d06 092a8648 01050500 03820101 00448753 7baa5c77 86f70d01
        62857b65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
        5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
        28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
        0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
        94a82781 44493217 e38097952 d0035552 5c445f1f 92f04039 a23fba20 b9d51b13
        f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c024 3af56b97 51af8253
        486844bc b1954abe 8acd7108 5e4212df db835d76 98ffdb2b 8c8ab915 193b8167
        0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
      quit
    crypto ca certificate chain ASDM_TrustPoint1
     certificate a39a2b54
        3082025f 30820377 a0030201 020204a3 9a2b5430 0d06092a 864886f7 0d010105
        0500304b 06035504 03130767 36313137 30120603 55040513 6174652d 3110300e

        c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
        14bdb207 7dd790a4 0cd70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
        f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
        62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f a3629730 88de3272
        9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
        638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
        0001a363 3061300f 0603551d 130101ff 0101ff30 04053003 0e060355 1d0f0101
        ff040403 1f060355 02018630 230418 30168014 0cea70bf 0d0e0c4b eb34a0b1 1d
        8242a549 0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182 301d 5183ccf9
        42a54951 010105 05000382 0101004e 7bfe054a 0d 864886f7 0d06092a 83ccf930
        d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 2a97333b 96077966 05a8e9ef
        bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
        9aaeae21 a629ccc6 3c79200b b9a89b08 bf38afb6 ea56b957 4430f692 a4745411
        34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
        ebd4dccd df93c17e deceb796 f268abf1 881409b5 89183841 f484f0e7 bd5f7b69
        ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
        4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
        32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
      quit
    crypto isakmp identity address
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside_mgts client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside_mgts
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh 10.1.72.0 255.255.255.0 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpnclient server 91.188.180.X
    vpnclient mode network-extension-mode
    vpnclient nem-st-autoconnect
    vpnclient vpngroup VPN-L2L password *****
    vpnclient username aradetskayaL password *****
    dhcpd auto_config outside_mgts
    !
    dhcpd update dns both override interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside_mgts
    webvpn
     enable outside_mgts
    group-policy GroupPolicy_91.188.180.X internal
    group-policy GroupPolicy_91.188.180.X attributes
     vpn-tunnel-protocol ikev1
    group-policy VPN-ST internal
    group-policy VPN-ST attributes
     dns-server value 195.34.31.50 8.8.8.8
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-ST_splitTunnelAcl
     default-domain none
    username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
    tunnel-group 91.188.180.X type ipsec-l2l
    tunnel-group 91.188.180.X general-attributes
     default-group-policy GroupPolicy_91.188.180.42
    tunnel-group 91.188.180.X ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group VPN-ST type remote-access
    tunnel-group VPN-ST general-attributes
     address-pool vpnpool
     default-group-policy VPN-ST
    tunnel-group VPN-ST ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:212e4f5035793d1c219fed57751983d8
    : end

    door-71# sh crypto ikev1 sa

    There are no IKEv1 SAs

    door-71# sh crypto ikev2 sa

    There are no IKEv2 SAs

    door-71# sh crypto ipsec sa

    There are no ipsec sas

    door-71# sh crypto isakmp

    There are no IKEv1 SAs

    There are no IKEv2 SAs

    Global IKEv1 Statistics
      Active Tunnels: 0
      Previous Tunnels: 0
      In Octets: 0
      In Packets: 0
      In Drop Packets: 0
      In Notifys: 0
      In P2 Exchanges: 0
      In P2 Exchange Invalids: 0
      In P2 Exchange Rejects: 0
      In P2 Sa Delete Requests: 0
      Out Octets: 0
      Out Packets: 0
      Out Drop Packets: 0
      Out Notifys: 0
      Out P2 Exchanges: 0
      Out P2 Exchange Invalids: 0
      Out P2 Exchange Rejects: 0
      Out P2 Sa Delete Requests: 0
      Initiator Tunnels: 0
      Initiator Fails: 0
      Responder Fails: 0
      System Capacity Fails: 0
      Auth Fails: 0
      Decrypt Fails: 0
      Hash Valid Fails: 0
      No Sa Fails: 0

    IKEV1 Call Admission Statistics
      Max In-Negotiation SAs: 25
      In-Negotiation SAs: 0
      In-Negotiation SAs Highwater: 0
      In-Negotiation SAs Rejected: 0

    Global IKEv2 Statistics
      Active Tunnels: 0
      Previous Tunnels: 0
      In Octets: 0
      In Packets: 0
      In Drop Packets: 0
      In Drop Fragments: 0
      In Notifys: 0
      In P2 Exchange: 0
      In P2 Exchange Invalids: 0
      In P2 Exchange Rejects: 0
      In IPSEC Delete: 0
      In IKE Delete: 0
      Out Octets: 0
      Out Packets: 0
      Out Drop Packets: 0
      Out Drop Fragments: 0
      Out Notifys: 0
      Out P2 Exchange: 0
      Out P2 Exchange Invalids: 0
      Out P2 Exchange Rejects: 0
      Out IPSEC Delete: 0
      Out IKE Delete: 0
      SAs Locally Initiated: 0
      SAs Locally Initiated Failed: 0
      SAs Remotely Initiated: 0
      SAs Remotely Initiated Failed: 0
      System Capacity Failures: 0
      Authentication Failures: 0
      Decrypt Failures: 0
      Hash Failures: 0
      Invalid SPI: 0
      In Configs: 0
      Out Configs: 0
      In Configs Rejects: 0
      Out Configs Rejects: 0
      Previous Tunnels: 0
      Previous Tunnels Wraps: 0
      In DPD Messages: 0
      Out DPD Messages: 0
      Out NAT Keepalives: 0
      IKE Rekey Locally Initiated: 0
      IKE Rekey Remotely Initiated: 0
      CHILD Rekey Locally Initiated: 0
      CHILD Rekey Remotely Initiated: 0

    IKEV2 Call Admission Statistics
      Max Active SAs: No Limit
      Max In-Negotiation SAs: 50
      Cookie Challenge Threshold: Never
      Active SAs: 0
      In-Negotiation SAs: 0
      Incoming Requests: 0
      Incoming Requests Accepted: 0
      Incoming Requests Rejected: 0
      Outgoing Requests: 0
      Outgoing Requests Accepted: 0
      Outgoing Requests Rejected: 0
      Rejected Requests: 0
      Rejected Max SA Limit: 0
      Rejected Low Resources: 0
      Rejected Reboot In Progress: 0
      Cookie Challenges: 0
      Cookie Challenges Passed: 0
      Cookie Challenges Failed: 0

    Global IKEv1 IPSec over TCP Statistics
    --------------------------------
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Received ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0


    door-71# sh crypto protocol statistics all
    [IKEv1 statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [IKEv2 statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [IPsec statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [SSL statistics]
       Encrypt packet requests: 19331
       Encapsulate packet requests: 19331
       Decrypt packet requests: 437
       Decapsulate packet requests: 437
       HMAC calculation requests: 19768
       SA creation requests: 178
       SA rekey requests: 0
       SA deletion requests: 176
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [SSH statistics are not supported]
    [SRTP statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [Other statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 6238
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 76
       Failed requests: 9

    door-71# sh crypto ca trustpoints

    Trustpoint ASDM_TrustPoint0:
        Configured for self-signed certificate generation.

    Trustpoint ASDM_TrustPoint1:
        Configured for self-signed certificate generation.

    If you need anything more, just say so!
    Can someone please explain why it doesn't want to work?

    Hello

    When an IPsec tunnel does not come up, the first thing that comes to my mind is to run a packet tracer from the CLI and check the phases in it. Please run this command from your firewall side and share the output. I've just put this command together with a random IP address and ports from the range you gave.

    packet-tracer input inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed

    Best regards

    Amandine

  • Asymmetric encryption vs symmetric encryption

    I read through a few documents and see that IPsec uses asymmetric key cryptography in Phase 1 to create the IKE SAs, and symmetric key encryption for the IPsec SAs that carry the bulk data.

    Can someone please confirm whether this is true? Which kind of key (symmetric or asymmetric) does the pre-shared key configured for a specific peer belong to?

    Thanks in advance

    Follow a simple rule: whenever user data must be protected, symmetric cryptography is used, because it is built for this task and is much faster than asymmetric crypto. Asymmetric cryptography is not built to protect large amounts of data.

    With this, IPsec security associations use only symmetric algorithms to protect data.

    For Phase 1, it depends on how authentication is performed.

    If you are using PSK and ROUTER1 wants to authenticate ROUTER2, there is the following (slightly simplified) process:

    1. R1 sends a nonce to R2. It is essentially a random number.
    2. R2 takes this one-time value, hashes it together with the PSK and sends the result to R1.
    3. R1 takes its own generated nonce and the PSK and also calculates a hash.
    4. If the received hash and the local calculation are the same, R1 knows that R2 made the calculation with the nonce R1 provided and used the same PSK as R1: R2 is authenticated.
    5. In IPsec this authentication is done mutually, so R2 also authenticates R1.

    No asymmetric cryptography is involved when PSK is used, which allows fast enough processing.

    If you use digital certificates for authentication (the rsa-sig method in the config), the following happens (even more simplified):

    1. R1 sends a nonce to R2. This one-time value gets hashed and the hash is encrypted with R2's private key (here we have asymmetric cryptography). If a hash is encrypted with a private key, the result is called a digital signature.
    2. The signature is returned to R1.
    3. R1 uses the R1 certificate to prove the correctness of the signature, which is again an asymmetric cryptographic operation. Before this, the received certificate has to be validated, which also involves one or more asymmetric cryptographic operations.
    4. And the same thing happens the other way around.

    With authentication using digital certificates we have asymmetric cryptography.

    In addition, there is also asymmetric cryptography when DH calculates key material for the session keys.
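    The two nonce-based authentication flows the answer above describes, as an added example that is not part of the original post and is not real IKE (no ISAKMP payloads, no SKEYID derivation, no certificate chain validation). The PSK path is symmetric only (HMAC over the peer's nonce); the rsa-sig path signs the peer's nonce with the local private key and the peer verifies with the public key it took from the signer's certificate. The nonces, the shared secret and the RSA primes are constructed for the demonstration; textbook RSA over Mersenne primes is used so the script runs on the standard library alone.

    ```python
    """Simplified model of IKE Phase 1 authentication: PSK (symmetric) vs rsa-sig (asymmetric).

    Added example, not code from the post. Not real IKE: no ISAKMP framing, no SKEYID,
    no certificate validation. Keys, nonces and the PSK below are constructed inputs.
    """
    import hashlib
    import hmac

    # ---------- PSK authentication: symmetric cryptography only ----------

    def psk_prove(psk: bytes, nonce: bytes) -> bytes:
        """R2's step: bind the peer's nonce to the shared secret (HMAC-SHA256)."""
        return hmac.new(psk, nonce, hashlib.sha256).digest()


    def psk_verify(psk: bytes, nonce: bytes, proof: bytes) -> bool:
        """R1's step: recompute with its own nonce and PSK, compare in constant time."""
        return hmac.compare_digest(psk_prove(psk, nonce), proof)


    def mutual_psk_auth(psk_r1: bytes, psk_r2: bytes, nonce_r1: bytes, nonce_r2: bytes) -> tuple:
        """Run the challenge in both directions; returns (R1 accepts R2, R2 accepts R1)."""
        proof_from_r2 = psk_prove(psk_r2, nonce_r1)   # R2 answers R1's nonce with R2's copy of the PSK
        proof_from_r1 = psk_prove(psk_r1, nonce_r2)   # R1 answers R2's nonce with R1's copy
        return (psk_verify(psk_r1, nonce_r1, proof_from_r2),
                psk_verify(psk_r2, nonce_r2, proof_from_r1))


    # ---------- rsa-sig authentication: asymmetric cryptography ----------

    def textbook_rsa_keypair(p: int, q: int, e: int = 65537) -> tuple:
        """Derive ((e, n), (d, n)) from two primes. Demo only: no padding, tiny modulus."""
        n = p * q
        d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python 3.8+
        return (e, n), (d, n)


    def _digest_mod_n(nonce: bytes, n: int) -> int:
        """Hash the nonce and reduce it into the RSA group (stands in for PKCS#1 encoding)."""
        return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


    def rsa_sign_nonce(nonce: bytes, private_key: tuple) -> int:
        """R2's step: hash the nonce and apply the private key; the result is the signature."""
        d, n = private_key
        return pow(_digest_mod_n(nonce, n), d, n)


    def rsa_verify_nonce(nonce: bytes, signature: int, public_key: tuple) -> bool:
        """R1's step: undo the private-key operation with the public key from the peer's certificate."""
        e, n = public_key
        return pow(signature, e, n) == _digest_mod_n(nonce, n)


    # Constructed inputs: Mersenne primes keep the keys deterministic and dependency-free.
    R1_KEYS = textbook_rsa_keypair(2**61 - 1, 2**89 - 1)
    R2_KEYS = textbook_rsa_keypair(2**107 - 1, 2**127 - 1)
    NONCE_R1 = b"constructed-nonce-from-R1"
    NONCE_R2 = b"constructed-nonce-from-R2"


    def mutual_rsa_auth(nonce_r1: bytes, nonce_r2: bytes, r1_keys=R1_KEYS, r2_keys=R2_KEYS) -> tuple:
        """Each side signs the other's nonce; each verifies with the peer's public key."""
        r1_pub, r1_priv = r1_keys
        r2_pub, r2_priv = r2_keys
        sig_from_r2 = rsa_sign_nonce(nonce_r1, r2_priv)
        sig_from_r1 = rsa_sign_nonce(nonce_r2, r1_priv)
        return (rsa_verify_nonce(nonce_r1, sig_from_r2, r2_pub),
                rsa_verify_nonce(nonce_r2, sig_from_r1, r1_pub))


    if __name__ == "__main__":
        print("PSK, both sides share the key: ", mutual_psk_auth(b"s3cret", b"s3cret", NONCE_R1, NONCE_R2))
        print("PSK, R2 has a typo in its key: ", mutual_psk_auth(b"s3cret", b"s3cret!", NONCE_R1, NONCE_R2))
        print("rsa-sig, matching key pairs:   ", mutual_rsa_auth(NONCE_R1, NONCE_R2))
        impostor = textbook_rsa_keypair(2**61 - 1, 2**127 - 1)   # constructed key that is not R2's
        print("rsa-sig, impostor signs as R2: ",
              mutual_rsa_auth(NONCE_R1, NONCE_R2, R1_KEYS, (R2_KEYS[0], impostor[1])))
    ```

    The asymmetry the answer points at shows up in the key arguments: in the PSK path both `psk_prove` and `psk_verify` take the same secret, whereas in the rsa-sig path the signer and the verifier hold different keys and the verifier never learns the private one. The mismatch cases (wrong PSK, a signature made with a key that does not belong to the presented certificate) fail on both sides, which is what a real IKE responder would turn into an authentication-failed notify.
    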

  • Cannot access any internal IPs when you are connected by VPN to ASA5505

    Hello

    I was able to get VPN working, more or less, on my ASA 5505. I can connect to the VPN and ping some IP addresses within the network, but some IPs don't respond and I get "Request Timed Out".

    For example:

    10.10.0.4 - works
    10.10.0.5 - does not work
    10.10.0.10 - works
    10.10.0.11 - works
    10.10.0.13 - does not work

    If I ping from inside the network, everything works fine.

    Does anyone have recommendations on how to address the issue?

    Does the VPN mark the packets in a way that would trigger a firewall block?

    Here is the configuration of my ASA:

    The VPN with the name 'VPN-Remote' is the one I use.

    ASA Version 9.2(2)4
    !
    hostname ciscoasa
    enable password NuLKvvWGg.x9HEKO encrypted
    passwd NuLKvvWGg.x9HEKO encrypted
    names
    ip local pool RA_VPN 10.10.1.1-10.10.1.255 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.10.0.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
     ipv6 enable
    !
    boot system disk0:/asa922-4-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network INSIDE-SUBNET
    object network sb-service-80
     host 10.10.0.143
    object network sbservicetest
    object network sb-service-443
     host 10.10.0.143
    object network dvr_web
     host 10.10.0.30
    object service DVR-Tomcat_port
     service tcp source eq 8080 destination eq 8080
    object network NETWORK_OBJ_10.10.1.0_24
     subnet 10.10.1.0 255.255.255.0
    object network dvr_mobile
     host 10.10.0.30
    object service DVR-Mobile_port
     service tcp source eq 18004 destination eq 18004
    object network WAN
     host 98.195.48.88
    object service Web80
     service tcp source eq www destination eq www
    object network NETWORK_OBJ_10.10.2.0_24
     subnet 10.10.2.0 255.255.255.0
    object network NETWORK_OBJ_10.10.0.0_24
     subnet 10.10.0.0 255.255.255.0
    object-group network sb-service
     network-object object sb-service-443
     network-object object sb-service-80
    object-group network DVR-service
     network-object object dvr_web
     network-object object dvr_mobile
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list outside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any inactive
    access-list Outside_access_in extended permit tcp any object sb-service-80 eq www
    access-list Outside_access_in extended permit tcp any object sb-service-443 eq https log disable
    access-list Outside_access_in extended permit tcp any object dvr_web eq 8080 log disable
    access-list Outside_access_in extended permit tcp any object dvr_mobile eq 18004 log disable
    access-list Outside_access_in extended permit icmp any any time-exceeded
    access-list Outside_access_in extended permit icmp any any unreachable log warnings
    access-list Outside_access_in extended permit icmp any any echo-reply
    access-list Outside_access_in extended permit icmp any any source-quench
    access-list global_mpc extended permit ip any any
    access-list RA_VPN-ACL extended permit ip object NETWORK_OBJ_10.10.2.0_24 any
    access-list Remote-VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    pager lines 24
    logging enable
    logging asdm notifications
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside 10.10.0.111 2055
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,any) source static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network sb-service-80
     nat (inside,outside) static interface no-proxy-arp service tcp www www
    object network sb-service-443
     nat (inside,outside) static interface no-proxy-arp service tcp https https
    object network dvr_web
     nat (inside,outside) static interface no-proxy-arp service tcp 8080 8080
    object network dvr_mobile
     nat (inside,outside) static interface no-proxy-arp service tcp 18004 18004
    !
    nat (inside,outside) after-auto source dynamic any interface inactive
    access-group inside_access_in in interface inside
    access-group Outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.10.0.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    snmp-server group snmp_g v3 auth
    snmp-server user snmp_u snmp_g v3 encrypted auth md5 1d:1b:67:96:29:9b:5c:49:42:d5:a4:10:13:e0:b2:ee
    snmp-server host inside 10.10.0.111 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     subject-name CN=10.10.0.1,CN=ciscoasa
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     proxy-ldc-issuer
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate aa711054
        308201af 30820159 a0030201 020204aa 71105430 0d06092a 864886f7 0d010105
        0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
        86f70d01 09021608 63697363 6f617361 301e170d 31353035 32303230 34353137
        5a170d32 35303531 37323034 3531375a 302c3111 300f0603 55040313 08636973
        636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 7361305c
        300d0609 2a864886 f70d0101 01050003 4b003048 024100bc 4278aeda 26601456
        0e035bb5 6021adc5 0ac9149a 11d95e72 c5a8509b 514fd50d 7a86bdb3 a00bda84
        4e6bda8d 50124c64 1179acc4 b2869092 9a742b52 f97c2302 03010001 a3633061
        300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201
        86301f06 03551d23 04183016 8014d86a b4f1585d 7d93a0c7 7a1df9dd b37b0051
        18aa301d 0603551d 0e041604 14d86ab4 f1585d7d 93a0c77a 1df9ddb3 7b005118
        aa300d06 092a8648 86f70d01 01050500 034100a3 f0441214 1add483b 286fa44e
        3844acce 27a68b2e 54f21dce 9a917783 1ab394f7 2d87e4d4 bcfcc7ef 6b26d604
        bd0ea56f 05a72d0d 6c37413a b60216f3 612e0a
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 10.10.0.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    no vpn-addr-assign dhcp
    dhcpd auto_config outside
    !
    dhcpd address 10.10.0.5-10.10.0.254 inside
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 166.70.136.41 source outside
    ntp server 108.166.189.70 source outside
    ntp server 63.245.214.136 source outside
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
    webvpn
     enable outside
    group-policy DfltGrpPolicy attributes
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
     dns-server value 10.10.0.201 8.8.8.8
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote-VPN_splitTunnelAcl
     default-domain value local.prv
    username snmp_test password Ocwq862v84DTwooX encrypted
    username VPN_User password KgHsdRdYP0lAyeqPIXn51g== nt-encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     address-pool RA_VPN
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group Remote-VPN type remote-access
    tunnel-group Remote-VPN general-attributes
     address-pool RA_VPN
     default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map global-class
     match access-list global_mpc
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect pptp
      inspect icmp
      inspect icmp error
     class global-class
      flow-export event-type all destination 10.10.0.111
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:f249b6940d463cc987b9aa828d8d8282
    : end

    Hello

    Please check the Windows firewall, or any application firewall, on the PC side. It is less likely that the issue is the VPN or the ASA.

    HTH

    Averroès.
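    Both ASA configs pasted above (the door-71 box and the ciscoasa 5505) carry the same ASDM-generated ladder of IKE policies, from aes-256 down to des, all with DH group 2 and SHA-1, and with `authentication crack` entries. The script below is an added example, not code from either post: it parses the `crypto ikev1 policy` / `crypto ikev2 policy` blocks out of a running-config and reports the legacy choices in each one. The sample config is constructed to mirror the shapes seen above, plus one hardened ikev2 policy (aes-256, sha256, group 14) for contrast; the "legacy" lists encode common current guidance (no DES/3DES, no MD5/SHA-1, MODP groups below 2048 bits, no CRACK) and are assumptions you may tighten.

    ```python
    """Audit the 'crypto ikev1 policy' / 'crypto ikev2 policy' blocks of an ASA config.

    Added example, not code from either post. SAMPLE_CONFIG is constructed to mirror the
    policy shapes pasted in the threads, plus one hardened ikev2 policy for contrast.
    """
    import re
    from typing import Dict, List, Tuple

    # Choices a reviewer would reject in a new IKE policy, with the reason reported (assumed baseline).
    LEGACY_ENCRYPTION = {"des": "single DES, 56-bit key", "3des": "3DES, 64-bit block (Sweet32)"}
    LEGACY_HASH = {"md5": "MD5", "sha": "SHA-1 (plain 'sha' on ASA)"}
    LEGACY_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
    LEGACY_AUTH = {"crack": "CRACK, legacy remote-access authentication"}

    POLICY_RE = re.compile(r"^crypto (ikev1|ikev2) policy (\d+)\s*$")
    PolicyKey = Tuple[str, int]


    def parse_ike_policies(config: str) -> Dict[PolicyKey, Dict[str, List[str]]]:
        """Collect the indented attribute lines under each policy header.

        Returns {(version, priority): {keyword: [values]}}; any unindented line ends a block.
        """
        policies: Dict[PolicyKey, Dict[str, List[str]]] = {}
        current = None
        for raw in config.splitlines():
            header = POLICY_RE.match(raw)
            if header:
                current = (header.group(1), int(header.group(2)))
                policies[current] = {}
                continue
            if not raw.startswith(" "):
                current = None            # back at top level: the policy block is closed
                continue
            if current is not None and raw.split():
                keyword, *values = raw.split()
                policies[current][keyword] = values
        return policies


    def audit_policy(attrs: Dict[str, List[str]]) -> List[str]:
        """Return one finding per legacy algorithm in a single policy block."""
        findings: List[str] = []
        for alg in attrs.get("encryption", []):
            if alg in LEGACY_ENCRYPTION:
                findings.append(f"encryption {alg}: {LEGACY_ENCRYPTION[alg]}")
        # ikev1 names its integrity algorithm 'hash'; ikev2 has 'integrity' and 'prf'.
        for keyword in ("hash", "integrity", "prf"):
            for alg in attrs.get(keyword, []):
                if alg in LEGACY_HASH:
                    findings.append(f"{keyword} {alg}: {LEGACY_HASH[alg]}")
        for group in attrs.get("group", []):        # ikev2 may list several, e.g. 'group 5 2'
            if group in LEGACY_DH:
                findings.append(f"group {group}: {LEGACY_DH[group]}")
        for method in attrs.get("authentication", []):
            if method in LEGACY_AUTH:
                findings.append(f"authentication {method}: {LEGACY_AUTH[method]}")
        return findings


    def audit_ike_policies(config: str) -> Dict[PolicyKey, List[str]]:
        """Map every policy in the config to its findings (an empty list means clean)."""
        return {key: audit_policy(attrs) for key, attrs in parse_ike_policies(config).items()}


    # Constructed sample: two ikev2 and two ikev1 policies; the unindented last line closes them.
    SAMPLE_CONFIG = """\
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 5
     encryption aes-256
     integrity sha256
     group 14
     prf sha256
     lifetime seconds 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    """

    if __name__ == "__main__":
        for (version, priority), findings in audit_ike_policies(SAMPLE_CONFIG).items():
            status = "OK" if not findings else f"{len(findings)} finding(s)"
            print(f"crypto {version} policy {priority}: {status}")
            for line in findings:
                print("   -", line)
    ```

    Feed it the text of `show running-config crypto` instead of `SAMPLE_CONFIG` to audit a real box. Keep in mind that on an ASA the negotiated policy is the first matching one by priority, so a clean policy at a high number does nothing while a weak one sits above it; the unused low-strength entries should be removed, not just outranked. The script deliberately covers IKE policies only; other lines visible in the pasted configs, such as `http 0.0.0.0 0.0.0.0 outside` and `ssh key-exchange group dh-group1-sha1`, need their own checks.
    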

  • Site-to-site IPsec problem, ASA 9.1 vs IOS

    Hi all

    I'm trying to set up a site-to-site VPN between an ASA and an IOS router, but without success.

    The logs are:

    (1) ... is not behind a NAT device

    (2) received an encrypted packet with no matching SA

    The networks are:

    172.25.0.0 (inside the ASA), A.A.A.A (outside of the ASA) needs to connect to the IOS router at address B.B.B.B, whose inside network is 192.168.1.0

    Here are the configs:

    ASA:

    ASA-5505# sh run
    : Saved
    :
    ASA Version 9.0(1)
    !
    hostname ASA-5505
    domain-name 1.kz
    names
    ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
    ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 10
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.25.66.15 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address A.A.A.A 255.255.255.252
    !
    ftp mode passive
    clock timezone ALMST 6
    clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
    dns server-group DefaultDNS
     domain-name 1.kz
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_172.25.66.0_24
     subnet 172.25.66.0 255.255.255.0
    object network NETWORK_OBJ_192.168.172.0_25
     subnet 192.168.172.0 255.255.255.128
    object network NETWORK_OBJ_172.25.66.192_27
     subnet 172.25.66.192 255.255.255.224
    object network ALA_office
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_172.25.0.0_16
     subnet 172.25.0.0 255.255.0.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
    access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
    access-list VPN-IN-INS extended permit ip any any log
    access-list VPN-OUT extended permit ip any 192.168.172.0 255.255.255.0 log
    access-list VPN-OUT-ALL standard permit any4
    access-list net172 standard permit 172.25.0.0 255.255.0.0
    access-list net10 standard permit 10.0.0.0 255.0.0.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
    nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group VPN-IN-INS in interface inside
    access-group VPN-IN-INS out interface inside
    route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
    route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
    route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.25.66.16 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 Alma-series esp - aes esp-sha-hmac
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto outside_map 1 match address outside_cryptomap
    outside_map game 1 card crypto peer B.B.B.B
    card crypto outside_map 1 set ikev1 Alma-set transform-set
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    inside crypto map inside_map interface
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 1
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    IKEv1 crypto policy 5
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    allow outside
    No anyconnect essentials
    internal web_access group policy
    attributes of the strategy of group web_access
    clientless ssl VPN tunnel-Protocol
    WebVPN
    the value of the URL - list PRTG
    internal SAME_NET_ALA group policy
    SAME_NET_ALA group policy attributes
    value of server DNS 8.8.8.8
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list SAME_NET_ALA_splitTunnelAcl
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    internal GroupPolicy_to_ALA group strategy
    type tunnel-group SAME_NET_ALA remote access
    attributes global-tunnel-group SAME_NET_ALA
    address SAME_NET_ALA pool
    Group Policy - by default-SAME_NET_ALA
    IPSec-attributes tunnel-group SAME_NET_ALA
    IKEv1 pre-shared-key *.
    type tunnel-group web_access remote access
    tunnel-group web_access General-attributes
    Group Policy - by default-web_access
    tunnel-group B.B.B.B type ipsec-l2l
    attributes global-tunnel-group B.B.B.B
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-Group B.B.B.B
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    inspect the icmp
    inspect the http
    !
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:932099620805dc22d9e48a5e04314887
    : end

    and the IOS router:

    R1921_center#sh run
    Building configuration...

    Current configuration : 6881 bytes
    !
    ! Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1921_center
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    ip cef
    !
    !
    !
    !

    !
    !
    !
    !
    ip domain name yourdomain.com
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-260502430
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-260502430
     revocation-check none
     rsakeypair TP-self-signed-260502430
    !
    !
    crypto pki certificate chain TP-self-signed-260502430
     certificate self-signed 01
      quit
    license udi pid CISCO1921/K9 sn FCZ1748C14U
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key PSK-KEY address A.A.A.A
    crypto isakmp key 6 PSK-KEY address 0.0.0.0
    !
    crypto isakmp client configuration group ALA-EMP-VPN
     key *****
     dns 8.8.8.8
     domain cisco.com
     pool ippool
     acl 101
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
     mode transport
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
     mode transport
    crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile MAXPROFILE
     set transform-set TRIPSECMAX
    !
    !
    crypto ipsec profile dmvpn_profile
     set transform-set dmvpn_alad
    !
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 20 ipsec-isakmp
     set peer A.A.A.A
     set transform-set AES-SHA
     match address VPN_ASA_PAV
    !
    !
    !
    !
    !
    interface Loopback1
     ip address 10.10.10.10 255.255.255.255
    !

    interface Tunnel2
     ip address 192.168.101.1 255.255.255.240
     no ip redirects
     ip nhrp authentication NHRPMAX
     ip nhrp map multicast dynamic
     ip nhrp network-id 4679
     ip ospf network broadcast
     ip ospf hello-interval 30
     ip ospf priority 10
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 4679
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description to_LAN
     ip address 192.168.1.253 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description to_ISP
     ip address B.B.B.B 255.255.255.252
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map clientmap
    !
    router ospf 100
     auto-cost reference-bandwidth 1000
     area 0 authentication message-digest
     area 192.168.1.0 authentication message-digest
     redistribute static subnets
     passive-interface default
     no passive-interface Tunnel1
     network 10.10.10.10 0.0.0.0 area 192.168.1.0
     network 192.168.1.0 0.0.0.255 area 192.168.1.0
     network 192.168.222.0 0.0.0.15 area 0
    !
    router ospf 1
     router-id 1.1.1.1
     redistribute static subnets
     passive-interface default
     no passive-interface Tunnel2
     network 10.10.10.10 0.0.0.0 area 192.168.1.0
     network 192.168.1.0 0.0.0.255 area 192.168.1.0
     network 192.168.101.0 0.0.0.15 area 0
    !
    ip local pool ippool 192.168.33.1 192.168.33.20
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 111 interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
    ip route 0.0.0.0 0.0.0.0 B.B.B.C
    !
    ip access-list extended ACL-NAT
     deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
     permit ip any any
    ip access-list extended ACL-VPN
     permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
    ip access-list extended VPN_ASA_PAV
     permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
    access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
    access-list 111 permit ip any any
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     transport input telnet ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    The biggest problem is the mismatch in the VPN access lists.

    The ASA has:

    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office

    The router has:

    permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255

    Make them match. If it still does not work then please post the revised configurations.

    HTH

    Rick
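    As an added example (not from Rick's post and not code from either device), here is a small Python check that parses the two quoted crypto ACL entries, normalises the ASA object-based entry and the IOS wildcard-mask entry to prefixes, and reports where they fail to mirror each other. The object names and subnets are those from the ASA configuration above; the two ACL lines are the ones Rick quotes.

    ```python
    import ipaddress

    # Constructed sample input: the two crypto ACL lines quoted in the thread.
    # The ASA line refers to object-network definitions, so the two objects it
    # uses are reproduced here with the subnets posted in the ASA config above.
    ASA_OBJECTS = {
        "NETWORK_OBJ_172.25.66.0_24": "172.25.66.0 255.255.255.0",
        "ALA_office": "192.168.1.0 255.255.255.0",
    }
    ASA_CRYPTO_ACL = ("access-list outside_cryptomap extended permit ip "
                      "object NETWORK_OBJ_172.25.66.0_24 object ALA_office")
    IOS_CRYPTO_ACL = "permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255"


    def _endpoint(tokens, i, objects, wildcard):
        """Consume one ACL endpoint at tokens[i]; return (IPv4Network, next index).

        Handles 'any'/'any4', 'host A.B.C.D', 'object NAME' (ASA) and a plain
        'A.B.C.D MASK' pair, where MASK is a wildcard mask on IOS and a
        netmask on the ASA.
        """
        tok = tokens[i]
        if tok in ("any", "any4"):
            return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        if tok == "host":
            return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
        if tok == "object":
            addr, mask = objects[tokens[i + 1]].split()
            return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2
        addr, mask = tokens[i], tokens[i + 1]
        if wildcard:
            # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
            inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
            mask = str(ipaddress.IPv4Address(inverted))
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2


    def parse_permit_ip(line, objects=None, wildcard=False):
        """Return the (source, destination) networks of a 'permit ip SRC DST' entry."""
        tokens = line.split()
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            raise ValueError("only 'permit ip' entries are supported: " + line)
        src, i = _endpoint(tokens, i + 2, objects or {}, wildcard)
        dst, _ = _endpoint(tokens, i, objects or {}, wildcard)
        return src, dst


    def mirror_mismatches(asa_line, ios_line, objects):
        """List the ways the two crypto ACLs fail to mirror each other.

        For an IPsec peer pair the proxy identities must be exact mirrors:
        the ASA's source must equal the router's destination and vice versa.
        An empty list means the two entries match.
        """
        asa_src, asa_dst = parse_permit_ip(asa_line, objects)
        ios_src, ios_dst = parse_permit_ip(ios_line, wildcard=True)
        problems = []
        if asa_src != ios_dst:
            problems.append(f"ASA source {asa_src} != router destination {ios_dst}")
        if asa_dst != ios_src:
            problems.append(f"ASA destination {asa_dst} != router source {ios_src}")
        return problems


    if __name__ == "__main__":
        for problem in mirror_mismatches(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL, ASA_OBJECTS):
            print("MISMATCH:", problem)
    ```

    Run against the thread's two lines it reports that the router's destination 172.25.0.0/16 is not the ASA's source 172.25.66.0/24, which is the phase 2 proxy-ID mismatch Rick points out.
    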

  • VPN without split tunnel

    Hello everyone

    I have set up a VPN connection that I can connect to. For all connecting clients, I want to give them an IP (maybe from a subnet) and let them use this IP address for everything they do.
    So this:

    and not the current:

    My inside is 192.168.1.0
    My VPN IP pool is 192.168.30.5 - 200
    My server (DNS, files, website) is 192.168.1.222

    Here's my setup. I have marked what I thought might have something to do with it:

    ASA Version 9.2(1)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool IP-pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.253 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    boot system disk0:/asa921-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Server-25
     host 192.168.1.222
     description Test server
    object network Server-80
     host 192.168.1.222
     description Test server
    object network Server-443
     host 192.168.1.222
     description Test server
    object network Server-2525
     host 192.168.1.222
     description Test server
    object network Server-993
     host 192.168.1.222
     description Test server
    object network Server-6001
     host 192.168.1.222
     description Test server
    object network Server-6002
     host 192.168.1.222
     description Test server
    object network Server-6003
     host 192.168.1.222
     description Test server
    object network Server-6004
     host 192.168.1.222
     description Test server
    object network VPN-HOST
     subnet 192.168.30.0 255.255.255.0
    object network Inside-net
     host 192.168.1.0
    object network VPN-server
     host 192.168.1.222
    access-list outside_access_in extended permit tcp any object Server-25 eq smtp
    access-list outside_access_in extended permit tcp any object Server-2525 eq 2525
    access-list outside_access_in extended permit tcp any object Server-80 eq www
    access-list outside_access_in extended permit tcp any object Server-443 eq https
    access-list outside_access_in extended permit tcp any object Server-993 eq 993
    access-list outside_access_in extended permit tcp any object Server-6001 eq 6001
    access-list outside_access_in extended permit tcp any object Server-6002 eq 6002
    access-list outside_access_in extended permit tcp any object Server-6003 eq 6003
    access-list outside_access_in extended permit tcp any object Server-6004 eq 6004
    access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
    access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0
    no pager
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-721.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-net Inside-net destination static VPN-HOST VPN-HOST
    nat (inside,outside) source static VPN-server VPN-server destination static VPN-HOST VPN-HOST
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network Server-25
     nat (inside,outside) static interface service tcp smtp smtp
    object network Server-80
     nat (inside,outside) static interface service tcp www www
    object network Server-443
     nat (inside,outside) static interface service tcp https https
    object network Server-2525
     nat (inside,outside) static interface service tcp 2525 2525
    object network Server-993
     nat (inside,outside) static interface service tcp 993 993
    object network Server-6001
     nat (inside,outside) static interface service tcp 6001 6001
    object network Server-6002
     nat (inside,outside) static interface service tcp 6002 6002
    object network Server-6003
     nat (inside,outside) static interface service tcp 6003 6003
    object network Server-6004
     nat (inside,outside) static interface service tcp 6004 6004
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server HSS-auth-server protocol radius
     authorize-only
    aaa-server HSS-auth-server (inside) host 192.168.1.222
     timeout 5
     key *****
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto isakmp nat-traversal 30
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcp-client client-id interface outside
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy HSSvpn internal
    group-policy HSSvpn attributes
     wins-server value 192.168.1.222
     dns-server value 192.168.1.222
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelall
     split-tunnel-network-list value Split-Tunnel-ACL
     default-domain value HSS.dk
     split-tunnel-all-dns enable
    tunnel-group HSSvpn type remote-access
    tunnel-group HSSvpn general-attributes
     address-pool IP-pool
     authentication-server-group HSS-auth-server
     default-group-policy HSSvpn
     password-management
    tunnel-group HSSvpn ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group HSSvpn ppp-attributes
     no authentication chap
     no authentication ms-chap-v1
     authentication ms-chap-v2
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c85ff8bf61669bef56b4dad704a4930a
    : end

    Hello

    To change a Split Tunnel VPN into a Full Tunnel VPN, you don't really have to do much in your configuration.

    It seems that you have already changed 'tunnelspecified' to 'tunnelall' in the 'group-policy' configuration. You can, however, remove the setting that defines the Split Tunnel ACL:

    group-policy HSSvpn attributes
     no split-tunnel-network-list value Split-Tunnel-ACL

    It seems that you use an internal AAA server to handle the authentication rather than the ASA. I guess if you want to assign a specific IP address per VPN user/username, then it must be done on the server side?

    If you had the "username" configurations on the ASA, you could set up under them which IP address that "username" gets when he or she connects with the VPN Client.

    Naturally, as you start using Full Tunnel and all traffic from the VPN Client starts going into the tunnel to the ASA, you will need a NAT for the VPN Client users' Internet traffic. You can configure this NAT like this, for example:

    object network VPN-POOL
     subnet 192.168.30.0 255.255.255.0

    nat (outside,outside) after-auto source dynamic VPN-POOL interface

    Note that this is a Manual NAT / Twice NAT statement; the actual "nat" command IS NOT entered under the 'object', rather the 'object' is created so it can be used in the "nat" command. I see that your other Dynamic PAT configurations are configured with Auto NAT / Network Object NAT. You can do this like that too if you wish. Personally I do it like this.

    But as I said before, it seems that you have already configured the VPN to be Full Tunnel. Is it perhaps not working as it is? While connected with the VPN, you should be able to check the Secured Routes (or something like that) section to see if it says "0.0.0.0". If yes, then it should be tunneling all traffic.

    Hope this helps :)

    -Jouni

  • Remote VPN cannot access LAN devices or the internet

    So I have a server and a computer inside that I can access through an ASA 5505 with ASA 9.2(1) and ASDM 7.2(1).

    The computer on 192.168.1.110 can show me a demo site via port 8080.

    The server on 192.168.1.222 has my DNS, HTTP, FTP, mail and more on it.

    Outside, I have a computer (by outside, I mean a cable from the firewall directly into the computer) on 192.168.20.2, with the firewall's outside being 192.168.20.1.

    From the outside I can access 8080 without problem (and I guess the server as well, but it is on another default gateway and is not accessible right now). When I connect through my VPN I am assigned 192.168.30.5 but am unable to connect to the inside computer through 192.168.1.110:8080.

    This returns the error: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.30.5/49608 (...) dst inside:192.168.1.222/53 denied due to NAT reverse path failure.

    Somewhere I have a conflict or a missing access rule. Anyone want to take a shot?

    I marked in "BOLD" what I thought might be the cause.

    ciscoasa(config)# sh running-config
    : Saved
    :
    ASA Version 9.2(1)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.20.1 255.255.255.0
    !
    boot system disk0:/asa921-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network testServer-8080
     host 192.168.1.110
     description test server
    object network server-21
     host 192.168.1.222
     description test server
    object network Server-25
     host 192.168.1.222
     description test server
    object network Server-53
     host 192.168.1.222
     description test server
    object network server-80
     host 192.168.1.222
     description test server
    object network server-443
     host 192.168.1.222
     description test server
    object network server-2525
     host 192.168.1.222
     description test server
    object network server-993
     host 192.168.1.222
     description test server
    object network server-6001
     host 192.168.1.222
     description test server
    object network server-6002
     host 192.168.1.222
     description test server
    object network server-6003
     host 192.168.1.222
     description test server
    object network server-6004
     host 192.168.1.222
     description test server
    object network VPN-HOSTS
     subnet 192.168.30.0 255.255.255.0
    object network inside
     host 192.168.1.0
    object network VPN-SERVER
     host 192.168.1.222
    access-list outside_access_in extended permit tcp any object testServer-8080 eq 8080
    access-list outside_access_in extended permit tcp any object server-21 eq ftp
    access-list outside_access_in extended permit tcp any object Server-25 eq smtp
    access-list outside_access_in extended permit tcp any object server-2525 eq 2525
    access-list outside_access_in extended permit udp any object Server-53 eq domain inactive
    access-list outside_access_in extended permit tcp any object server-80 eq www
    access-list outside_access_in extended permit tcp any object server-443 eq https
    access-list outside_access_in extended permit tcp any object server-993 eq 993
    access-list outside_access_in extended permit tcp any object server-6001 eq 6001
    access-list outside_access_in extended permit tcp any object server-6002 eq 6002
    access-list outside_access_in extended permit tcp any object server-6003 eq 6003
    access-list outside_access_in extended permit tcp any object server-6004 eq 6004
    access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-721.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic VPN-HOSTS inside destination static VPN-SERVER VPN-SERVER
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network testServer-8080
     nat (inside,outside) static interface service tcp 8080 8080
    object network server-21
     nat (inside,inside) static interface service tcp ftp ftp
    object network Server-25
     nat (inside,outside) static interface service tcp smtp smtp
    object network Server-53
     nat (inside,inside) static interface service tcp domain domain
    object network server-80
     nat (inside,outside) static interface service tcp www www
    object network server-443
     nat (inside,outside) static interface service tcp https https
    object network server-2525
     nat (inside,outside) static interface service tcp 2525 2525
    object network server-993
     nat (inside,outside) static interface service tcp 993 993
    object network server-6001
     nat (inside,outside) static interface service tcp 6001 6001
    object network server-6002
     nat (inside,outside) static interface service tcp 6002 6002
    object network server-6003
     nat (inside,outside) static interface service tcp 6003 6003
    object network server-6004
     nat (inside,outside) static interface service tcp 6004 6004
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server HSS-auth-server protocol radius
     allow only
    aaa-server HSS-auth-server (inside) host 192.168.1.222
     timeout 5
     key *****
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto isakmp nat-traversal 30
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy HSSvpn internal
    group-policy HSSvpn attributes
     dns-server value 192.168.1.222
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value outside_access_in ! This value was its own name earlier
     default-domain value HSS.dk
    tunnel-group HSSvpn type remote-access
    tunnel-group HSSvpn general-attributes
     address-pool IP-Pool
     authentication-server-group HSS-auth-server
     default-group-policy HSSvpn
     password-management
    tunnel-group HSSvpn ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group HSSvpn ppp-attributes
     no authentication chap
     no authentication ms-chap-v1
     authentication ms-chap-v2
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9859258e11364180cf9b3e21173b3f2f
    : end

    Hello

    The bold "nat" configuration is incorrect, as you would expect.

    Replace it with something like this

    object network LAN
     subnet 192.168.1.0 255.255.255.0

    nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS

    I also suggest using a separate 'standard' access-list as the Split Tunnel ACL.

    For example

    access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

    Naturally, you must then apply the above ACL to the 'group-policy' that is used.

    In addition, if you want to control the incoming connections from VPN users in the 'outside_access_in' ACL, then you could change the default settings on the ASA by running the command

    no sysopt connection permit-vpn

    If you need to change it back then just enter the command without the 'no' in front. Then it is back to its default value. This does not show in the running configuration, by the way.

    With this setting all connections from VPN connections should be allowed on the interface ACL of the interface that terminates the VPN connection. In your case that would be the ACL attached to the 'outside' interface.

    Hope this helps :)

    -Jouni
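The NAT problem in this thread, as an added example (not from the post or from Jouni's reply): a small checker that parses the `object network` and twice-NAT lines of an ASA config excerpt and reports whether LAN-to-VPN-pool traffic is covered by an identity NAT rule, and whether any dynamic source rule touches the pool. Object names and addresses are taken from the thread; the two config excerpts are re-typed and constructed here, and the rule that section 1 (twice NAT) is evaluated before section 2 (object NAT) is standard ASA 8.3+ behaviour.

```python
import ipaddress
import re

# Constructed excerpt that mirrors the broken NAT posted in the thread
# (names and addresses from the post, re-typed here, not the original dump).
BROKEN_CONFIG = """\
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside
 host 192.168.1.0
object network VPN-SERVER
 host 192.168.1.222
nat (inside,outside) source dynamic VPN-HOSTS inside destination static VPN-SERVER VPN-SERVER
"""

# The same excerpt with the exemption the reply proposes: an identity twice-NAT
# rule at sequence 1 (section 1 is evaluated before object NAT in section 2),
# so LAN<->pool traffic is left untranslated in both directions.
FIXED_CONFIG = """\
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
# Twice-NAT statement: interfaces, optional sequence number, source clause,
# optional destination clause. Trailing options (no-proxy-arp, ...) are ignored.
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\)(?: (\d+))? source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)


def parse_objects(config):
    """Map each 'object network' name to the IPv4 network it defines."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(m.group(1))  # host -> /32
    return objects


def parse_twice_nat(config):
    """Return the twice-NAT rules as dicts, in configuration order."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({
                "line": line.strip(),
                "real_if": m.group(1), "mapped_if": m.group(2),
                "src_mode": m.group(4), "src_real": m.group(5), "src_mapped": m.group(6),
                "dst_real": m.group(7), "dst_mapped": m.group(8),
            })
    return rules


def is_identity(rule):
    """NAT exemption: static source and destination, each mapped to itself."""
    return (rule["src_mode"] == "static"
            and rule["src_real"] == rule["src_mapped"]
            and rule["dst_real"] is not None
            and rule["dst_real"] == rule["dst_mapped"])


def audit_vpn_nat(config, lan, vpn_pool):
    """Check that LAN<->VPN-pool traffic is exempt from translation.

    Returns (exempt, findings): exempt is True when an identity twice-NAT rule
    whose source covers the LAN and whose destination covers the pool exists;
    findings lists rules that translate the pool with a dynamic source, which
    is what produces the 'Asymmetric NAT rules matched' denial in the thread.
    """
    lan = ipaddress.ip_network(lan)
    vpn_pool = ipaddress.ip_network(vpn_pool)
    objects = parse_objects(config)

    def covers(name, net):          # object fully contains the network
        obj = objects.get(name)
        return obj is not None and net.subnet_of(obj)

    def touches(name, net):         # object overlaps the network at all
        obj = objects.get(name)
        return obj is not None and net.overlaps(obj)

    exempt, findings = False, []
    for rule in parse_twice_nat(config):
        if is_identity(rule) and covers(rule["src_real"], lan) and covers(rule["dst_real"], vpn_pool):
            exempt = True
        if rule["src_mode"] == "dynamic" and touches(rule["src_real"], vpn_pool):
            findings.append(f"dynamic source NAT on the VPN pool: {rule['line']}")
    return exempt, findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        exempt, findings = audit_vpn_nat(cfg, "192.168.1.0/24", "192.168.30.0/24")
        print(f"{label}: exempt={exempt} findings={findings}")
```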

  • S2S VPN ASA 5510 to 5505 no traffic passing (hair pulling)

    I have a site-to-site configured between a 5505 and an ASA 5510; the tunnel is up but cannot pass any traffic one way or the other. The 5510 is on 8.4.3 while the 5505 is on 8.2. I find version 8.2 less confusing when configuring the VPN. The new NAT throws me for a loop on the 5510. I already have 1 tunnel up and it works fine. But when I do a new one, it won't pass any traffic.

    The traffic I'm trying to pass is 5510 (192.168.180.0/24, 172.25.11.0/24) <-------> 5505 (192.168.197.0/24). Many thanks in advance!

    Here are the configs for the two.

    5510 main site

    ASA Version 8.4(3)
    !
    hostname ASA5510
    domain-name fphc.us
    enable password dmbm8Lq9pBST.0kk encrypted
    passwd dmbm8Lq9pBST.0kk encrypted
    names
    !
    interface Ethernet0/0
     nameif Outside
     security-level 0
     ip address x.x.x.130 255.255.255.240
    !
    interface Ethernet0/1
     nameif Inside
     security-level 100
     ip address 192.168.180.253 255.255.254.0
    !
    interface Ethernet0/2
     speed 100
     duplex full
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     no ip address
     management-only
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup Inside
    dns server-group DefaultDNS
     name-server 192.168.180.231
     name-server 192.168.180.232
     name-server 192.168.180.233
     domain-name fphc.us
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-192.168.180.0
     subnet 192.168.180.0 255.255.254.0
    object network obj-192.168.188.0
     subnet 192.168.188.0 255.255.255.0
    object network obj-216.86.7.128
     subnet x.x.x.128 255.255.255.240
    object network Mobile_Unit
     subnet 192.168.193.0 255.255.255.0
    object network obj-172.27.0.0
     subnet 172.27.0.0 255.255.255.0
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj-172.25.11.0
     subnet 172.25.11.0 255.255.255.0
    object network obj-172.35.0.0
     subnet 172.35.0.0 255.255.254.0
    object network SpamBox_1
     host 192.168.180.244
    object network SpamBox_2
     host 192.168.180.248
    object network Exchange
     host 192.168.180.235
    object network PMG
     subnet 192.168.178.0 255.255.255.0
    object network Outside_Gateway
     host x.x.x.129
    object network AHCCN
     subnet 172.35.0.0 255.255.254.0
    object network MM
     subnet 10.90.254.0 255.255.255.0
    object network NETWORK_OBJ_172.27.0.0_25
     subnet 172.27.0.0 255.255.255.128
    object network NETWORK_OBJ_172.27.0.0_26
     subnet 172.27.0.0 255.255.255.192
    object network obj-172.35.1.199
     host 172.35.1.199
    object network obj-192.168.51.5
     host 192.168.51.5
    object service 6004
     service udp destination eq 6004
    object network AT_Remote
     subnet 192.168.197.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_2
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp-udp destination eq domain
     service-object tcp-udp destination eq www
    object-group network DM_INLINE_NETWORK_1
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_2
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_3
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_16
     network-object object MM
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
     network-object object obj-192.168.180.0
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group icmp-type DM_INLINE_ICMP_1
     icmp-object echo
     icmp-object source-quench
    object-group network DM_INLINE_NETWORK_5
     network-object object AHCCN
     network-object object MM
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_6
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
     network-object object obj-192.168.180.0
    object-group service DM_INLINE_SERVICE_4
     service-object icmp
     service-object icmp echo
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_5
     service-object tcp-udp destination eq domain
     service-object tcp destination eq smtp
     service-object tcp destination eq ssh
     service-object icmp echo
     service-object icmp echo-reply
     service-object udp destination eq ntp
     service-object udp destination eq time
    object-group service DM_INLINE_SERVICE_6
     service-object tcp-udp destination eq domain
     service-object tcp destination eq smtp
     service-object tcp destination eq ssh
     service-object icmp echo
     service-object icmp echo-reply
     service-object udp destination eq ntp
     service-object udp destination eq time
    object-group service DM_INLINE_SERVICE_0
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destination eq smtp
     service-object tcp-udp destination eq domain
     service-object object 6004
    object-group network DM_INLINE_NETWORK_7
     network-object object MM
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
     network-object object obj-172.35.0.0
    object-group network DM_INLINE_NETWORK_8
     network-object 172.25.11.0 255.255.255.0
     network-object 172.35.0.0 255.255.254.0
    object-group service DM_INLINE_SERVICE_7
     service-object tcp-udp destination eq domain
     service-object object 6004
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destination eq smtp
    object-group network DM_INLINE_NETWORK_10
     network-object 172.25.11.0 255.255.255.0
     network-object 172.35.0.0 255.255.254.0
    object-group network DM_INLINE_NETWORK_9
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
    object-group network DM_INLINE_NETWORK_11
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp destination eq domain
     service-object tcp destination eq smtp
     service-object udp destination eq ntp
    object-group network DM_INLINE_NETWORK_13
     network-object object AHCCN
     network-object object obj-172.25.11.0
    object-group network DM_INLINE_NETWORK_14
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_12
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group service DM_INLINE_SERVICE_3
     service-object tcp-udp destination eq domain
     service-object tcp destination eq smtp
     service-object udp destination eq ntp
    object-group service DM_INLINE_SERVICE_8
     service-object tcp-udp destination eq domain
     service-object tcp destination eq smtp
     service-object udp destination eq ntp
    object-group service Exchange-6001 udp
     port-object range 6001 6004
    object-group network DM_INLINE_NETWORK_15
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group service DM_INLINE_SERVICE_10
     service-object ip
     service-object icmp echo
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_9
     service-object ip
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp-udp destination eq domain
     service-object tcp destination eq citrix-ica
     service-object tcp destination eq www
     service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_18
     network-object object AHCCN
     network-object object obj-172.25.11.0
    object-group network DM_INLINE_NETWORK_19
     network-object object obj-172.25.11.0
     network-object object obj-172.35.0.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_20
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    object-group network DM_INLINE_NETWORK_17
     network-object object AHCCN
     network-object object obj-172.25.11.0
     network-object object obj-192.168.180.0
    access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG
    access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0
    access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object AT_Remote object-group DM_INLINE_NETWORK_15
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
    access-list Outside_access_in extended permit ip object Mobile_Unit object-group DM_INLINE_NETWORK_12 log debugging
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2
    access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list Outside_access_in extended deny ip 127.0.0.0 255.255.255.0 any log
    access-list Outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any log
    access-list Outside_access_in extended deny ip 169.254.0.0 255.255.0.0 any log
    access-list Outside_access_in extended deny ip 224.0.0.0 255.0.0.0 any log
    access-list Outside_access_in extended deny ip 239.0.0.0 255.0.0.0 any log
    access-list Outside_access_in extended deny ip 173.0.0.0 255.0.0.0 any log debugging
    access-list Outside_access_in extended deny ip 224.0.0.0 255.255.255.31 any
    access-list Outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
    access-list Outside_access_in extended deny ip any any
    access-list global_mpc extended permit ip any any
    access-list global_access extended permit udp object obj-172.35.1.199 any eq snmp log disable
    access-list global_access extended permit ip object obj-172.27.0.0 any
    access-list splitTunnelAcl standard permit 192.168.180.0 255.255.254.0
    access-list splitTunnelAcl standard permit 172.35.0.0 255.255.254.0
    access-list splitTunnelAcl standard permit 172.25.11.0 255.255.255.0
    access-list splitTunnelAcl standard permit 10.90.254.0 255.255.255.0
    access-list Outside_cryptomap_1 extended permit ip object PMG object-group DM_INLINE_NETWORK_13
    access-list Inside_access_in extended permit ip object obj_any any
    access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
    access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Exchange any log
    access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object SpamBox_1 any log
    access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object SpamBox_2 any log
    access-list Inside_access_in extended deny ip any any
    access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_17 object AT_Remote
    access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_18 object PMG log
    access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_3 object Mobile_Unit
    pager lines 24
    logging enable
    logging timestamp
    logging emblem
    logging rate-limit unlimited level 1
    logging rate-limit unlimited level 6
    logging rate-limit unlimited level 7
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0
    ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0
    ip verify reverse-path interface Outside
    ip verify reverse-path interface Inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm history enable
    arp timeout 14400
    nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG no-proxy-arp route-lookup
    nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
    nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup
    nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup
    nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp
    nat (Inside,Outside) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Mobile_Unit Mobile_Unit no-proxy-arp route-lookup
    nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
    !
    object network obj_any
     nat (Inside,Outside) dynamic interface
    object network SpamBox_1
     nat (Inside,Outside) static x.x.x.132
    object network SpamBox_2
     nat (Inside,Outside) static x.x.x.133
    object network Exchange
     nat (Inside,Outside) static x.x.x.131 dns
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 x.x.x..129 1
    route Inside 10.90.254.0 255.255.255.0 192.168.180.1 1
    route Inside 172.16.200.0 255.255.255.0 192.168.180.200 1
    route Inside 172.25.10.0 255.255.255.0 192.168.180.200 1
    route Inside 172.25.11.0 255.255.255.0 192.168.180.200 1
    route Inside 172.25.12.0 255.255.255.0 192.168.180.200 1
    route Inside 172.27.0.0 255.255.255.0 192.168.180.200 1
    route Inside 172.29.0.0 255.255.0.0 192.168.180.200 1
    route Inside 172.35.0.0 255.255.254.0 192.168.180.200 1
    route Inside 192.168.182.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.183.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.184.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.185.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.186.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.187.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.189.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.190.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.191.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.192.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.194.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.195.0 255.255.255.0 192.168.180.200 1
    route Inside 192.168.196.0 255.255.255.0 192.168.180.200 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DC's protocol radius
     max-failed-attempts 5
    aaa-server DC's (Inside) host 192.168.180.231
     timeout 5
     key *****
    user-identity default-domain LOCAL
    http server enable
    http 192.168.180.0 255.255.255.0 Inside
    http 0.0.0.0 0.0.0.0 Inside
    http 172.27.0.0 255.255.255.0 Outside
    http 172.27.0.0 255.255.255.0 Inside
    snmp-server group Authentication&Encryption v3 priv
    snmp-server user trap Authentication&Encryption v3 encrypted auth md5 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78 priv 3des 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78:08:c6:ef:b2:7e:89:45:f2:6f:78:b5:01:33:47:68:c9
    snmp-server host Inside 172.35.1.199 community ***** version 2c
    snmp-server host Inside 192.168.180.7 community ***** version 2c
    snmp-server location MLK
    snmp-server contact xxxxxxxx
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change fru-insert fru-remove
    snmp-server enable traps remote-access session-threshold-exceeded
    snmp-server enable traps cpu threshold rising
    snmp-server enable traps ikev2 start
    no sysopt connection reclassify-vpn
    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association lifetime seconds 43200
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set peer 173.10.204.46
    crypto map Outside_map 1 set ikev1 phase1-mode aggressive
    crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map Outside_map 1 set ikev2 pre-shared-key *****
    crypto map Outside_map 1 set security-association lifetime seconds 460800
    crypto map Outside_map 4 match address Outside_cryptomap_1
    crypto map Outside_map 4 set peer 207.190.237.254
    crypto map Outside_map 4 set ikev1 phase1-mode aggressive group5
    crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
    crypto map Outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map Outside_map 4 set security-association lifetime seconds 460800
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map 1 match address Outside_cryptomap_2
    crypto map outside_map 1 set peer x.x.x.201
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 match address Outside_cryptomap
    crypto map outside_map 2 set peer x.x.x.254
    crypto map outside_map 2 set ikev1 phase1-mode aggressive group5
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 3 match address Outside_cryptomap_4
    crypto map outside_map 3 set peer x.x.216.130
    crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface Outside
    crypto ca trustpoint LOCAL-CA-SERVER
     keypair LOCAL-CA-SERVER
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=FPHC-ASA
     serial-number
     keypair LOCAL-CA-SERVER
     crl configure
    crypto ca server
     shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
     certificate ca 01
     quit
    crypto ca certificate chain ASDM_TrustPoint0
     certificate bd555b50
     quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable Outside
    crypto ikev1 enable Outside
    crypto ikev1 enable management
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.180.0 255.255.255.0 Inside
    telnet 172.27.0.0 255.255.255.0 Inside
    telnet timeout 10
    ssh 192.168.180.0 255.255.255.0 Inside
    ssh 172.27.0.0 255.255.255.0 Inside
    ssh timeout 20
    console timeout 0
    management-access Inside
    vpn load-balancing
     interface lbpublic Outside
     interface lbprivate Inside
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp authenticate
    ntp server 50.77.217.185 source Outside prefer
    ntp server 216.171.120.36 source Outside
    webvpn
    group-policy "S2S-RA-Group Policy" internal
    group-policy "S2S-RA-Group Policy" attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    group-policy DfltGrpPolicy attributes
     vpn-filter value Inside_nat0_outbound
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    group-policy GroupPolicy_x.x.x.46 internal
    group-policy GroupPolicy_x.x.x.46 attributes
     vpn-filter value 
Outside_1_cryptomap vpn-tunnel-protocol ikev1 ikev2 group-policy GroupPolicy_x.x.x.254 internal group-policy GroupPolicy_x.x.x.254 attributes vpn-filter value Outside_cryptomap_1 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec group-policy GroupPolicy_x.x.x.201 internal group-policy GroupPolicy_x.x.x.201 attributes vpn-filter value Outside_cryptomap_2 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_x.x.216.130 internal group-policy GroupPolicy_x.x.216.130 attributes vpn-tunnel-protocol ikev1 group-policy VPN-GROUP2 internal group-policy VPN-GROUP2 attributes dns-server value 192.168.180.231 192.168.180.232 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us group-policy VPN-GROUP internal group-policy VPN-GROUP attributes dns-server value 192.168.180.231 192.168.180.232 vpn-filter value splitTunnelAcl vpn-tunnel-protocol ikev1 l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us username mark password YTp0IwzeNwb5kS8J encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes default-group-policy VPN-GROUP tunnel-group x.x.x.46 type ipsec-l2l tunnel-group x.x.x.46 general-attributes default-group-policy GroupPolicy_x.x.x.46 tunnel-group x.x.x.46 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group x.x.x.201 type ipsec-l2l tunnel-group x.x.x.201 general-attributes default-group-policy GroupPolicy_x.x.x.201 tunnel-group x.x.x.201 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group VPN-GROUP type remote-access tunnel-group VPN-GROUP general-attributes address-pool Client_Pool authentication-server-group DC's default-group-policy VPN-GROUP tunnel-group VPN-GROUP ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.254 type ipsec-l2l tunnel-group x.x.x.254 general-attributes 
default-group-policy GroupPolicy_x.x.x.254 tunnel-group x.x.x.254 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group VPN-GROUP2 type remote-access tunnel-group VPN-GROUP2 general-attributes address-pool RA_POOL authentication-server-group DC's default-group-policy VPN-GROUP2 tunnel-group VPN-GROUP2 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_x.x.x.130 tunnel-group x.x.x.130 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group PMG type ipsec-l2l tunnel-group PMG general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group PMG ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic class-map http_https description http_https match access-list Outside_access_in ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options class global-class   user-statistics accounting policy-map http_https class http_https   set connection timeout idle 1:15:00 reset   user-statistics accounting ! service-policy global_policy global service-policy http_https interface Outside smtp-server 192.168.180.235 prompt hostname context no call-home reporting anonymous Cryptochecksum:fcb4c2d9a982c11054c31ee4db778012 : end 

    5505 remote site

    ASA Version 8.2(5)
    !
    hostname AT-Remote
    domain-name fphc.us
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.35.0.0 AHCCN
    name 172.25.11.0 AHCCN-1
    name 192.168.180.0 FPHC
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport trunk allowed vlan 1,30
     switchport trunk native vlan 1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.197.250 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.201 255.255.255.252
    !
    !
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 68.87.68.162
     name-server 68.87.74.162
     domain-name fphc.us
    dns server-group DNS_Internal
     name-server 192.168.180.231
     name-server 192.168.180.232
     domain-name fphc.us
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network obj_any
    object-group network 172.25.11.0
    object-group network 172.35.0.0
    object-group network 192.168.180.0
    object-group network ASA-FW
    object-group network Comcast_Outside
    object-group network AT_Local
    object-group network NETWORK_OBJ_192.168.197.0_24
    object-group icmp-type DM_INLINE_ICMP_1
     icmp-object echo
     icmp-object echo-reply
    object-group service DM_INLINE_SERVICE_3
     service-object ip
     service-object icmp echo
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
     service-object ip
     service-object icmp
    object-group network obj_remote
    object-group network Franklin_Remote
     network-object AHCCN-1 255.255.255.0
     network-object AHCCN 255.255.254.0
     network-object FPHC 255.255.254.0
    access-list outside_access_in extended permit ip object-group Franklin_Remote 192.168.197.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log debugging
    access-list inside_access_in extended permit ip any any log
    access-list inside_access_in extended permit icmp any any echo log
    access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
    access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
    access-list inside_nat_outbound extended permit ip any interface outside
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 access-list inside_nat_outbound
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.197.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection preserve-vpn-flows
    sysopt noproxyarp inside
    sysopt noproxyarp dmz
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 43200
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 216.86.7.130
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet x.x.x.130 255.255.255.255 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.197.25-192.168.197.100 inside
    dhcpd dns 192.168.180.232 68.87.74.162 interface inside
    dhcpd domain fphc.us interface inside
    dhcpd enable inside
    !
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-filter value outside_1_cryptomap
    group-policy GroupPolicy_216.86.7.130 internal
    group-policy GroupPolicy_216.86.7.130 attributes
     vpn-filter value inside_nat0_outbound
     vpn-tunnel-protocol IPSec l2tp-ipsec
    tunnel-group x.x.x.130 type ipsec-l2l
    tunnel-group x.x.x.130 general-attributes
     default-group-policy GroupPolicy_216.86.7.130
    tunnel-group x.x.x.130 ipsec-attributes
     pre-shared-key *****
    tunnel-group-map default-group DefaultL2LGroup
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns
    !
    service-policy global_policy global
    prompt hostname context
    : end

    Hello

    The reason for the DECLINE suggests that the ASA still has a VPN filter configuration attached to the L2L VPN that prevents traffic.

    Check the configuration and remove at least the VPN filter temporarily for testing purposes.

    -Jouni
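As an added example that is not from the thread, the following Python audit reads an ASA config in the style of the 5505 dump above and reports which vpn-filter each ipsec-l2l tunnel-group actually ends up with; it applies the ASA inheritance rule that a tunnel-group without a default-group-policy uses DfltGrpPolicy and that a group-policy which sets no vpn-filter inherits the one from DfltGrpPolicy, so a filter on DfltGrpPolicy silently lands on every L2L tunnel whose own policy is silent about it. The sample config and the NOFILTER-GP and PMG names are constructed.

```python
import re

# Constructed sample (not from the thread), modelled on the 5505 remote-site
# config above. ASA indents sub-commands under a parent command by one space.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-filter value outside_1_cryptomap
group-policy GroupPolicy_216.86.7.130 attributes
 vpn-filter value inside_nat0_outbound
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy NOFILTER-GP attributes
 vpn-tunnel-protocol IPSec
tunnel-group x.x.x.130 type ipsec-l2l
tunnel-group x.x.x.130 general-attributes
 default-group-policy GroupPolicy_216.86.7.130
tunnel-group x.x.x.130 ipsec-attributes
 pre-shared-key *****
tunnel-group PMG type ipsec-l2l
tunnel-group PMG general-attributes
 default-group-policy NOFILTER-GP
"""

GP_ATTR = re.compile(r"group-policy (.+) attributes$")
TG_TYPE = re.compile(r"tunnel-group (\S+) type (\S+)$")
TG_GEN = re.compile(r"tunnel-group (\S+) general-attributes$")


def parse_config(text):
    """Return (vpn-filter per group-policy, type per tunnel-group,
    default-group-policy per tunnel-group)."""
    gp_filter, tg_type, tg_policy = {}, {}, {}
    section = None  # ("gp", name) or ("tg", name) while inside a block
    for line in map(str.rstrip, text.splitlines()):
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command opens/closes a block
            section = None
            if m := GP_ATTR.match(line):
                section = ("gp", m.group(1))
                gp_filter.setdefault(m.group(1), None)  # None = not set here
            elif m := TG_TYPE.match(line):
                tg_type[m.group(1)] = m.group(2)
            elif m := TG_GEN.match(line):
                section = ("tg", m.group(1))
            continue
        cmd = line.strip()
        if section and section[0] == "gp":
            if m := re.match(r"vpn-filter value (\S+)$", cmd):
                gp_filter[section[1]] = m.group(1)
        elif section and section[0] == "tg":
            if m := re.match(r"default-group-policy (\S+)$", cmd):
                tg_policy[section[1]] = m.group(1)
    return gp_filter, tg_type, tg_policy


def effective_filter(tg, gp_filter, tg_policy):
    """(acl, policy it came from), or (None, None) if no filter applies.
    Unset default-group-policy and unset vpn-filter both fall back to
    DfltGrpPolicy, which is the ASA inheritance rule assumed here."""
    policy = tg_policy.get(tg, "DfltGrpPolicy")
    if gp_filter.get(policy):
        return gp_filter[policy], policy
    if gp_filter.get("DfltGrpPolicy"):
        return gp_filter["DfltGrpPolicy"], "DfltGrpPolicy"
    return None, None


def audit_l2l_filters(text):
    """Map every ipsec-l2l tunnel-group to the vpn-filter it really gets."""
    gp_filter, tg_type, tg_policy = parse_config(text)
    return {tg: effective_filter(tg, gp_filter, tg_policy)
            for tg, typ in tg_type.items() if typ == "ipsec-l2l"}
```

Running `audit_l2l_filters` on a full `show running-config` lists each L2L tunnel with the ACL that filters it and where that ACL came from, which is the quickest way to confirm a filter is attached before removing it for a test.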
