Dynamic IP address of the remote VPN L2L ASA sites

Similar Questions

• QuickVPN - could not do a ping the remote VPN router!

  Hello

  I have a RV042 (VPN router) and I have some problems to run properly using the QuickVPN client.

  Here is the Log of the QuickVPN client.

  2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
  2008-10-15 20:14:38 [STATUS] connection...
  2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
  2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
  2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
  2008-10-15 20:14:44 [STATUS] commissioning...
  2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
  2008-10-15 20:14:51 [STATUS] verification of network...
  2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
  2008-10-15 20:15:19 [STATUS] disconnection...
  2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.

  I don't know how it is implemented, but if WuickVPN wait a form ping my router, it will not happen. I was never able to ping my router ouside of my ISP network.

  There is a way to disable the Ping process and continue with the VPN connection?

  QuickVPN try ping on the router via the VPN tunnel to check the connection. It should work without worrying about whether your ISP filters ICMP messages or not. The tunnel is encrypted your ISP won't know what you're doing.

  Please post the corresponding on the RV042 VPN log. That is expected to see how far you get.

  You have a firewall running on the computer? I think that some firewalls have difficulty with the traffic of ESP.

  What is the router that is connected to the computer? How is it that is configured?

• Connectivity to the remote VPN site adjacent networks

  Star topology with Corporate office which acts as hub (192.168.1.x) and remote sites connected by relay frames, except for another network (172.16.x.x) in the building served by 3560 switch company.

  On my remote site vpn (10.0.1.x) I can ping network 172.16.x.x, but not the 192.168.1.x network. What I'm trying to do is to allow the network traffic remote 10.0.1.x (which connects directly via the VPN network 172.16.x.x) to reach the network 192.168.1.x and vice versa.

  I'm sure its a combination of NAT/routing issue I forget.

  I'm new to PIX / ASA in general and it's the first vpn L2L I install. If someone can point me in the right direction, I would appreciate it.

  Thank you.

  It looks like this?

  10.0.1.x->-> Corp. ASA L2L tunnel - >->-> 192.168.1.x 3560 172.16.x.x

  and that you can currently communicate via the tunnel between 10.0 and 172.16? In order to communicate between 10.0 and 192.168.1, you will need to define this interesting traffic and add it to your crypto and nat exemption acl.

  Corp site

  extended access-list allow ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

  extended access-list allow ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

  NAT (inside) - 0 access list

  Remote site

  access-list extended ip 10.0.1.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

  access-list extended ip 10.0.1.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

  NAT (inside) - 0 access list

• Design of VPN L2L ASA question

  We expect to have more than 10,000 remote VPN L2L clients.

  I see that each crypto card needs a statement of 'same game' and the IP address is the address of the remote peer VPN L2L.

  :

  EX:

  card encryption UNI-POP 3 set peer 172.23.0.3

  : . . .

  card crypto UNI-POP 10000 set peer 172.26.0.250

  :

  I already feel that this will be a VERY long config, maybe too big to save/read/from memory.

  :

  Anyone would be a better approach?

  Thank you

  Frank

  Frank,

  If the remote end will run only from time to time, you should not have set peer statements and normally it would suffice to have a dynamic encryption card.

  If the remote ends do not support certificates, it is possible to land on defaultl2l tunnel-group.

  bsns-asa5505-19# sh run all tunnel-group
  tunnel-group DefaultL2LGroup type ipsec-l2l
  tunnel-group DefaultL2LGroup general-attributes
  (...)
  

  You need to test yourself to see if it will work.

  I also agree in terms of more than one firewall. With devices for two in the load balancing or if possible 2pairs of devices in the failover cluster could be great way to have a decent charge by machine and equipment redundancy (ideal circumstances]);. I suggest you ping your system engineer for sure any deployment involving 5585, guys can usually give good advice (and discounts;]).

  Marcin

• The remote VPN Clients and Internet access

  I apologize in advance if this question has already been addressed. I am currently using a PIX Firewall Version 6.1 520 (2) running. I have several remote users that VPN for the PIX. Once the VPN tunnel is started, they are more able to connect to internet from their local computers. Is there a configuation on the PIX that allows remote users to have access to the internet when you are connected to the PIX.

  TIA,

  Jeff Gulick

  The Pix does not allow traffic enter and exit on the same interface. Therefore, a VPN user cannot access the Internet through the tunnel. If you use the Cisco client, enable tunneling split so that all traffic through the tunnel.

  If you use PPTP, you can turn off the option that makes the remote network, the default gateway. However, local routes should be added to these clients when they connect.

  Or you can use an additional interface on the firewall. One that puts an end to VPN tunnels and another providing for Internet connectivity. In this way the traffic is not enter/leave on the same interface.

  Of course, it is preferable if the customer Internet traffic does not go through the tunnel. It wastes your bandwidth and has security problems as well. I suggest you use the client to Cisco and the split tunneling.

• What are the addresses of the IP VPN IT Microsoft to set up?

  * Original title: address of MS IT VPN

  Hi all

  We have a MS IT VPN connectivity configuration that is behind a firewall, need to know what are the addresses IP of Microsoft IT VPN to be permitted in my firewall for users to the BRIM in.

  Thanks in advance.

  Kind regards

  S Roumeliotis

  This issue is beyond the scope of this site (for consumers) and to be sure, you get the best (and fastest) reply, we have to ask either on Technet (for IT Pro) or MSDN (for developers)

  *

  http://social.technet.Microsoft.com/forums/en-us/home s/fr-U.S./Accueil
  http://social.msdn.Microsoft.com/Forum

• ASA AnyConnect client is unable to obtain the IP address of the remote DHCP server

  I and ASA with 10 client AnyConnect profiles set up to get their IP address of my Windows DHCP server.

  It was working fine yesterday.

  I saved the config and rebooted the device.

  Now it won't deliver to my vpn clients intellectual property.

  I don't understand what is happening.

  If I change the profiles to use a local pool he assigns an IP address and works very well.

  But I can't use the local pools.  I have to use the DHCP server on the local network.

  The ONLY thing that was made was that a license allowing the AnyConnect Essentials has been installed recently.

  I get this in debugging:

  6 August 30, 2011 10:44:39 DAP: test49, Addr 107.44.142.20 user, connection AnyConnect: following DAP records were selected for this connection: DfltAccessPolicy

  6 August 30, 2011 10:44:39 group user IP <107.44.142.20>AnyConnect parent session began.

  7 August 30, 2011 10:44:39 IPAA: received message 'UTL_IP_ [IKE_] ADDR_REQ.

  6 August 30, 2011 10:44:39 IPAA: attempt to query DHCP 1 successful

  6 August 30, 2011 10:44:39 IPAA: DHCP configured, the request succeeded for tunnel-group "MCSO-mobile."

  6 August 30, 2011 10:44:39 172.18.4.7 67 172.18.1.46 67 Built UDP outgoing connection 30957 for Internal:172.18.1.46/67 (172.18.1.46/67) at identity:172.18.4.7/67 (172.18.4.7/67)

  7 August 30, 2011 10:44:39 192.168.6.1 built ISP1:192.168.6.1 local-home

  6 August 30, 2011 10:44:39 172.18.1.46 1 192.168.6.1 0 built outgoing ICMP connection for faddr gaddr laddr 172.18.1.46/1 172.18.1.46/1 192.168.6.1/0

  6 August 30, 2011 10:44:41 172.18.1.46 67 192.168.6.0 67 Built UDP outgoing connection 30960 for ISP1:192.168.6.0/67 (192.168.6.0/67) at Internal:172.18.1.46/67 (172.18.1.46/67)

  6 August 30, 2011 10:44:42 192.168.6.1 0 172.18.1.46 1 connection disassembly ICMP for faddr gaddr laddr 172.18.1.46/1 172.18.1.46/1 192.168.6.1/0

  7 August 30, 2011 10:44:52 IPAA: message received 'UTL_IP_DHCP_INVALID_ADDR '.

  4 August 30, 2011 10:44:52 IPAA: could not get the address of the local strategy group or tunnel-group pools

  Well, your config looks good. You also upgrade the operating system? Maybe you hit a new bug.

  I heard no problems after the installation of a license, but it might be interesting to open a TAC case and learn if you hit a bug.

• static ip address to the remote client asa 5500

  Hi all

  I am trying to configure static ip on the remote client side of the user, I use the following as an example doc, but I don't get the ip address which I am mentiong the user.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

  my version of the asa is 8.2 (1)

  Thank you

  Cyril

  Great to hear. Pls kindly marks the message as answered while others may learn from your post. Thank you...

• How to check if the remote VPN failover is configured

  Hello world

  We have two sites and have both remote access VPN configured.

  IF a VPN site fails users automatically fail over to another site.

  Need to know what that orders can I run on ASA to check if remote VPN failover is there?

  Also what lines by running config shhould I seek?

  Thank you

  Mahesh

  Based on your configuration, it can vary, below link has someVPN failover configurations, you can find a few commands to check redundancy on your network:

  http://www.Cisco.com/en/us/docs/iOS/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html#wp1093554

  What you should look at your config running is also based on your configuration, it should be something like: main, standby or emergency.

  HTH

• Divide access remote vpn tunnel ASA 5520

  Hello

  I'm setting up a vpn for remote access with split tunnel, but I use an acl extended to match a host and http to destination port, but does not work.

  Scenario of

  Distance access(10.0.0.122/24)--internet---Cisco ASA(inside:192.168.10.1/24)---ip = 192.168.10.6 - C6509 - 10.0.0.254/24---hote = 10.0.0.31/24

  The plot is when I activate the IP service connection or flow ICMP worked. Does anyone have an idea what is the problem? Thank you

  Concerning

  Split tunneling does not take into account the port information you specify in the ACL, he doesn't care the ip address/network you defined.

  If you want to restrict access to ports and IP, you must define your split tunneling with only ip addresses and using a vpn-filter acl in group policy to restrict following the specific ports that you want:

  split_acl ip access list allow

  access-list allowed filter_acl ip eq

  attributes of group-pol

  Split-tunnel-pol tunnelspecified

  value of Split-tunnel-net split_acl

  VPN-filter value filter_acl

  -heather

• VPN L2L ASA with NAT

  Hello, I was hoping someone might have an example of a site to site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration like this, but instead of "not nat", the ASA is NATting. So instead of the remote site, connect to the local network 10.10.10.0/24, ASA would be NAT at 172.16.17.0/24 for example.

  http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

  Thank you.

  Mike

  It's not very complicated, just keep in mind that NAT is done before the encryption.

  So if you your network 10.10.10.0/24 nat internal to 172.16.17.0/24:

  public static 172.16.17.0 (Interior, exterior) 10.10.10.0 netmask 255.255.255.0

  You can use the address translated into your crypto-ACL:

  REMOTE VPN ip 172.16.17.0 access list allow REMOTE-NET 255.255.255.0 255.255.255.0

  I suppose that you run ASA v8.3 + that you referred to an older document. If you have a more recent software, the logic is the same but the NAT commands differ.

  Sent by Cisco Support technique iPad App

• enabling remote vpn Cisco asa

  Dear team,

  I have a Cisco asa firewall, I would enable remote vpn (ssl vpn or customer).

  Please check the joint view version and suggest which are missing or need to enable them.

  Therefore, I will obtain concrete results and enable VPN.

  concerning

  SecIT

  With the license and the software version you have, you can only run the existing IPsec VPN client.

  To run AnyConnect SSL VPN client-based, you must acquire a license AnyConnect Essentials. For your platform that would be L-ASA-AC-E -5550=. (Clientless SSL VPN would be a different reference number.)

  I also suggest upgrading your system beyond 8.2 software (2) the current recommended release would be 9.0 (3). (9.1 (5) is the last on the 5550.)

• Unable to access the remote VPN LAN

  My VPN ends very well, but cannot access the local network. The warning is the LAN is a public good 24 subnet.  I'm not sure how to NAT the LAN to access the VPN subnet and not to disturb any other functionality.  I have attached the configuration.

  Thank you in advance.

  ciscoasa # sh run
  : Saved
  :
  ASA Version 8.2 (2)
  !
  ciscoasa hostname
  activate the encrypted Anuj/1RTcTy/SmZO password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP address .149.200 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address *.165.37.131 255.255.255.248
  !
  interface Vlan5
  No nameif
  security-level 50
  IP 10.10.10.1 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  switchport access vlan 5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone GMT 0
  standard permit access list MASTERPWRTRANS_splitTunnelAcl *. . 149.0 255.255.255.0
  allow inside_nat0_outbound to access extensive ip list *. . 149.0 255.255.255.0 172.30.110.0 255.255.255.224
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  local pool POOL1 172.30.110.1 - 172.30.110.30 IP 255.255.255.224 mask
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  Global (outside) 2 *.165.37.132
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 2 *. .149.199 255.255.255.255
  NAT (inside) 1 0.0.0.0 0.0.0.0
  static (exterior, Interior) *. .149.199 *.165.37.132 netmask 255.255.255.255
  Route outside 0.0.0.0 0.0.0.0 * 1.165.37.134
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  RADIUS protocol Server AAA MPT
  AAA server MPT (inside) host .149.210
  Timeout 5
  key *.
  AAA authentication enable LOCAL console
  the ssh LOCAL console AAA authentication
  Enable http server
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outdoors
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  Telnet *. . 149.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal MASTERPWRTRANS group policy
  MASTERPWRTRANS group policy attributes
  value of DNS server *. . 149.10 *. . 149.11
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list MASTERPWRTRANS_splitTunnelAcl
  MCI.local value by default-field
  ptiadmin encrypted BtOLil2gR0VaUjfX privilege 15 password username
  mptadmin U2T.1fmOIe772zE username password / encrypted
  type tunnel-group MASTERPWRTRANS remote access
  attributes global-tunnel-group MASTERPWRTRANS
  POOL1 address pool
  TPM authentication server group
  Group Policy - by default-MASTERPWRTRANS
  IPSec-attributes tunnel-group MASTERPWRTRANS
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:820529ed70de923a8375694004b2544c
  : end
  ciscoasa #.

  The 2821 should have a route pointing to the ASA for the VPN address pool (because the ASA is not the default gateway for the LAN).

  That should do it.

  Federico.

• IP address of the IPSec VPN client did not get distributed via EIGRP

  We use an ASA for VPN remote access. He is running EIGRP redistribute static routes. When a client Anyconnect SSL connects, the SAA creates a static route for this client, and it gets redistributed via EIGRP. When an IPSec VPN client connects, the SAA creates a static route for this customer, but he isn't redisributed via EIGRP and so the client can not achieve anything. Why he would distribute a static created by an IPSec client?

  Thank you

  Have you set up IPP on dynamic Cryptography?

• Spend 3000 Concentrator VPN L2L ASA

  Hello

  We migrate an ASA5500 450 LAN to LAN VPN a VPN concentrator. Is there a reasonable way to do it? If I remember correctly, the configuration file for the VPN concentrator is in XML is not trivial to even read the config for each VPN. If it took say 15 minutes a VPN which is estimated at about three weeks of the working man!

  Patrick,

  I hope the post below helps.

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=security&TopicId=.ee6b2b8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

  Kind regards

  Arul

  * Please note all useful messages *.