DROP in flow of the IPSec tunnel

Similar Questions

• Create the Ipsec tunnel using digital certificates

  Hello

  I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.

  Before that I added the CA server all go smoothly.

  Attached is my configuration, attached debug commands from the configuration of server and router CA

  It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:

  #
  R3 #.
  R3 #show cryptographic pki certificate cisco talkative
  CA
  Status: available
  Version: 3
  Certificate serial number (hex): 01
  Use of certificates: Signature
  Issuer:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Object:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Validity date:
  start date: 10:12:13 UTC Sep 8 2013
  end date: 10:12:13 UTC Sep 7 2016
  Subject key information:
  Public key algorithm: rsaEncryption
  RSA Public Key: (512 bits)
  Signature algorithm: MD5 with RSA encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
  X509v3 Key use: 86000000
  Digital signature
  Key Cert sign
  Signature of the CRL
  X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  X509v3 Basic Constraints:
  CA: TRUE
  X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  Access to information the authority:
  Related Trustpoints: cisco
  Storage: nvram:cisco1ciscoc #4CA.cer

  R3 #.

  Appreciate your support and I will send additional if necessary evidence

  TX

  Roee

  I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:

  To view the pending requests:

  information cryptographic pki server router 'CA '.

  To grant requests pending:

  Info Server 'CA' router cryptographic pki grant all

• Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

  Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

  Your explanation is much appreciated.

  Hi Deepak,

  In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

• Help: Adding to the IPsec Tunnel encryption field Questions

  Good evening everyone,

  I'm looking for help and/or advise in what concerns adding more networking in the field of encryption of an existing IPsec site-to-site tunnel.  Both sides of the tunnel are of ASA.  The client on the remote end is eager to access the networks more on my end.  They have already updated their ACL crypto map to include the new networks.  When they perform "show crypto IPsec his counterpart x.x.x.x" it shows already encap packets attempting to join my network.

  On my side, I updated my ACL crypto map to reference the new 2 networks, created the double NAT and added the ACL needed to allow the inbound access through ports they want.  When I perform a 'see the crypto IPsec his counterpart x.x.x.x' output is NOT up-to-date with the new networks added to the field of encryption.  When I run a tracer of package of supply of one of the servers in the new network, the traffic is translated as he should, but a fall when it hits the outgoing interface for the VPN tunnel.

  Am I missing something here? Can I bounce the tunnel so that the new networks must be recognized in the surveillance society?

  Thanks in advance.

  Hello

  You must bounce the tunnel when you change the interesting traffic, otherwise the new SA will not be created, is a little funny that you say that SA is already build on the remote side, SA cannot be established only on one side, is like building a new tunnel, if you don't have it on one side, it can not simply prevail and create the entry of SA. In addition, adding new networks and bounce the tunnel you need to generate traffic to trigger the ITS new or you will never see that it created. Check your no nats and routing and it should work.

  Best regards, please rate.

• Outgoing PAT to the IPSec Tunnel

  Hello

  Situation is with range of IP private tunnel of 3rd party who already uses the same private beach, but not with any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secure.

  We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the PIX Office (6.3 (5)) to make all traffic office appear to be a single private address different.

  We tried to do with PDM, but it insists on having no NAT (with an exclusionary rule), or static NAT, but does not seem to allow Pat.

  I have attached a copy sanitized the office configuration. Any standard room in PIX have been removed for brevity

  I would like constructive guidance on where I'm wrong.

  See you soon

  Hello

  The PIX / ASA will make the NAT translation on the steps below. First, it will check if no no (order No. - nat) nat is configured, then it will check the static nat translation and finally, it will check the translation PAT.

  In your configuration, there is a NAT (0) command indicating not to translate any IP of 192.168.0.0 to the remote ip address range, then the PIX won't do the translation and the package is passed to the destination.

  Remove the NAT (0) command and edit list access outside_cryptomap_10 with the ip dried up to the remote ip address for this access list is responsible for interesting traffic that needs to be encrypted.

  pls control and dream of return.

• I can weight of the IPSec Tunnels between ASAs

  Hello

  Remote site: link internet NYC 150 MB/s

  Local site: link internet Baltimore 400 MB/s

  Backup site: link internet Washington 200 Mb/s

  My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches.  Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down.  We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit.  We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

  Interesting traffic would be the same for the two tunnels

  I know that ASA cannot be a GRE endpoint.  How can I force the New York traffic through the tunnel in Baltimore as long as it works?  An IPSec tunnel can be weighted?

  Thank you

  It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

  For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

  Reference.

• How to determine the cause of the ipsec tunnel fall on ASA 5510

  Is there an easy way to determine the cause of tunnel VPN ipsec l2l fall on one asa 5510? I have enabled logging, but the buffer is full so fast, I can't find something when it is 24 hours later. I'm working on obtaining a server/aggregator syslog configuration but... until it is complete I need a temporary measure. Suggestions?

  Hi Jessica.

  For the buffering limit, you can try:

  Increase the maximum buffer size.

  limit the newspapers to the class of vpn:

  Buffered Debug class vpn connection.

  On the other hand, you can try him debugs:

  Debug crypto peer peer_address condition

  debugging cry isa 128

  debugging ipsec 128 cry

  If you lose the ssh session debugging is disabled.  Finally for the vpn tunnels usually it goes down due to:

  Idle time-out

  the dead peer detection

  remove it from the other end.

  HTH.

• NAT in the IPSec tunnel between 2 routers x IOS (877)

  Hi all

  We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The question is the inbound static NAT translation problems with the tunnel - port 25 is mapped to the address inside the mail server. The existing configuration works very well for incoming mail, but prevents users from access to the direct mail server (using the private IP address) on port 25.

  Here is the Config NAT:

  nat INET_POOL netmask 255.255.255.252 IP pool

  IP nat inside source map route INET_NAT pool INET_POOL overload

  IP nat inside source static tcp 10.10.0.8 25 25 expandable

  IP nat inside source static tcp 10.10.0.8 80 80 extensible

  IP nat inside source static tcp 10.10.0.8 443 443 extensible

  IP nat inside source static tcp 10.10.0.7 1433 1433 extensible

  IP nat inside source static tcp 10.10.0.7 extensible 3389 3389

  allowed INET_NAT 1 route map

  corresponds to the IP 101

  access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 101 permit ip 10.10.0.0 0.0.0.255 any

  On the SAA, I would setup a NAT exemption, but how do I get the same thing in the IOS?

  See you soon,.

  Luke

  Take a look at this link:

  http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html

  Concerning

  Farrukh

• force the IPSec tunnel to stay in place even if no traffic

  Hello

  We had exactly the same problem, as already described here;

  https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...

  We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.

  Concerning

  Nothing new was built in the SAA to take account of this requirement.

  I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.

• packet loss on the ipsec tunnel

  I currently have 2 routers (one at each site). The two are running 12.3 (9th). A router is a 2621 and the other is a 2611XM.

  This is the relevant config:

  Router

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  isakmp encryption key * address x.x.x.98 No.-xauth

  !

  !

  Crypto ipsec transform-set farm-jc-ts esp-3des esp-md5-hmac

  !

  farm-jc 10 ipsec-isakmp crypto map

  the value of x.x.x.98 peer

  the value of the transform-set farm-jc-ts

  address acl_farm-jc-tunnel to match

  !

  !

  interface FastEthernet0/0

  DHCP IP address

  NAT outside IP

  automatic duplex

  automatic speed

  card crypto farm-jc

  !

  interface FastEthernet0/1

  192.168.4.1 IP address 255.255.255.0

  IP nat inside

  automatic duplex

  automatic speed

  !

  IP nat Stateful IDs 11

  overload of IP nat inside source list acl_nat interface FastEthernet0/0

  IP classless

  IP route 0.0.0.0 0.0.0.0 FastEthernet0/0

  Route IP 10.1.1.0 255.255.255.0 FastEthernet0/0

  tunnel-jc-acl_farm extended IP access list

  allow icmp 192.168.4.0 0.0.0.255 10.1.0.0 0.0.255.255

  permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq www

  permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443

  permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22

  acl_nat extended IP access list

  refuse the 192.168.4.0 ip 0.0.0.255 10.1.1.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 any

  Router b:

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  isakmp encryption key * address x.x.x.199 No.-xauth

  !

  !

  Crypto ipsec transform-set BC-farm-ts esp-3des esp-md5-hmac

  !

  JC-farm-10 ipsec-isakmp crypto map

  the value of x.x.x.199 peer

  the value of the transform-set BC-farm-ts

  address acl_jc-farm-tunnel to match

  !

  !

  !

  !

  interface FastEthernet0/0

  10.1.1.5 IP address 255.255.255.0

  IP nat inside

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/1

  IP address x.x.x.98 255.255.255.224

  NAT outside IP

  automatic speed

  full-duplex

  card crypto jc-farm

  !

  overload of IP nat inside source list acl_nat interface FastEthernet0/1

  IP classless

  IP route 0.0.0.0 0.0.0.0

  IP route 10.1.0.0 255.255.0.0 FastEthernet0/0

  IP route 192.168.4.0 255.255.255.0 FastEthernet0/1

  !

  tunnel-farm-acl_jc extended IP access list

  allow icmp 10.1.0.0 0.0.255.255 192.168.4.0 0.0.0.255

  permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq www

  permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443

  permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22

  acl_nat extended IP access list

  refuse the 10.1.1.0 ip 0.0.0.255 192.168.4.0 0.0.0.255

  ip licensing 10.1.1.0 0.0.0.255 any

  IP 10.1.2.0 allow 0.0.0.255 any

  10.1.3.0 IP allow 0.0.0.255 any

  IP 10.1.4.0 allow 0.0.0.255 any

  IP 10.1.5.0 allow 0.0.0.255 any

  I can ping in front of each private LAN to others, but its about 50% packet losses.

  out of HS cry is that his watch QM_IDLE on both sides.

  Hello

  Try the following commands on the interfaces:

  no ip route cache

  no ip mroute-cache

  no ip-cache cef route

  no ip route-cache flow

  And global:

  no ip cef

  Please rate if this helped.

  Kind regards

  Daniel

• IPSec Tunnel permanent between two ASA

  Hello

  I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.

  What should I do?

  Thanks for any help

  Yves

  Disables keepalive IKE processing, which is enabled by default.

  (config) #tunnel - 10.165.205.222 group ipsec-attributes

  KeepAlive (ipsec-tunnel-config) #isakmp disable

  Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - idle - timeout no

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - session - timeout no

  Thank you

  Ajay

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon

• The GRE Tunnel descends?

  So here's my setup:

  Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

  Internal Cluster ASA a configured PAT production internal then all the VLANS.

  The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

  The external control point is configured with NAT for the incoming and outgoing traffic.

  The branch is a DSL router with a static IP address.

  The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

  The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

  The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

  I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.

  I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.

  However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:

  1 = to branch tunnel

  Tunnel of 100 = internal

  002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
  002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
  002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
  002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
  002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
  002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
  002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairs

  The IPSec tunnel, for the branch remains in place throughout.

  Can anyone help!?

  The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.

  This is how the branch was to learn the route to the tunnel destination:

  Tunnel1 interface

  Tandragee Sub Station router VPN Tunnel description

  bandwidth 64

  IP 172.17.205.62 255.255.255.252

  no ip-cache cef route

  delay of 20000

  KeepAlive 10 3

  source of tunnel Loopback1

  tunnel destination 172.17.255.23

  be-idz-vpn-01 #sh ip route 172.17.255.23

  Routing for 172.17.255.23/32 entry

  Through the 'static', the metric distance 1 0 known

  Routing descriptor blocks:

  * 172.17.252.129

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/25 entry

  Known via 'connected', distance 0, metric 0 (connected, via the interface)

  Routing descriptor blocks:

  * directly connected by GigabitEthernet0/1

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #.

  This is how the next hop as learned GRE Tunnel between internal and DMZ routers

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/27 entry

  By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external

  Redistribution via eigrp 1

  Last updated on Tunnel100 192.168.5.66, ago 00:07:25

  Routing descriptor blocks:

  * 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25

  Path metric is 40258816, 1/number of shares of traffic is

  Time total is 10110 microseconds, minimum bandwidth 64 Kbps

  Reliability 255/255, MTU minimum 1476 bytes

  Loading 1/255, 2 hops

  We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.

  This case causes the Tunnel 1 drops.

  The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.

  The solution we applied:

  Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.

  Router eigrp 1

  distribute-list 1

  Network 10.10.10.0 0.0.0.3

  network 172.17.203.56 0.0.0.3

  network 172.17.203.60 0.0.0.3

  network 172.17.205.60 0.0.0.3

  network 172.19.98.18 0.0.0.0

  network 192.168.5.64 0.0.0.3

  passive-interface Loopback1

  be-idz-vpn-01 #sh access-list 1

  IP access list standard 1

  10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)

  20 permit (1230 matches)

  be-idz-vpn-01 #.

  Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.

• How to troubleshoot an IPSec tunnel GRE?

  Hello

  My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

  The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

  I does not change the mode to transport mode in the transform-set configuration.

  Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  Thank you.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  To verify that the VPN tunnel works well, check the output of
  ISAKMP crypto to show his
  Crypto ipsec to show his

  Here are the commands of debug
  Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
  Debug crypto isakmp 200
  Debug crypto ipsec 200

  You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

  For the GRE tunnel.
  check the condition of the tunnel via "int ip see the brief.

  In addition, you can configure keepalive via the command:

  Router # configure terminal
  Router (config) #interface tunnel0
  Router(Config-if) 5 4 #keepalive

  and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• RV180 dhcp via IPSEC Tunnel

  Hello

  I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.

  Any help is greatly appreciated.

  Ralf

  Dear Ralf,

  Thank you to reach small business support community.

  Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel.  I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.

  Kind regards

  Jeffrey Rodriguez S... : | :. : | :.
  Support Engineer Cisco client

  * Please rate the Post so other will know when an answer has been found.