Equivalent of Palo Alto Cisco ASA packet - trace

Similar Questions

• Select Cisco ASA to replace Palo Alto PA 500

  Hello world

  Pls suggest a Cisco ASA (equivalent or superior) 5500 series to replace the PA500. Thank you

  Palo Alto PA500

  • Firewall of 250 Mbit/s throughput (App - ID¹active)
  • 100 Mbps threat prevention throughput
  • 50 VPN IPSec Mbps throughput
  • 64 000 max sessions
  • 7 500 new sessions per second
  • Tunnels/tunnel VPN IPSec 250 interfaces
  • 100 users, SSL VPN
  • 3 virtual routers
  • Virtual systems (basic/max) N/A
  • 20 security zones
  • 1 000 maximum policies

  Hi you can opt for the Asa 5510 or Asa 5520 two of them correspond to your needs. Here is a link to their characteristics http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-serie... Aditya cordially

• Cisco ASA (8.3) - Packet trace / Multi context Classification

  Hello

  I use packet - trace for a while on and outside, with mixed results.

  I am running a firewall context multi with more than 10 of the same shared contexts outside the interface / network.

  All interfaces have obviously valid and unique IPs and also the unique MAC addresses as automatic address mac is enabled in the system context.

  It is an ASA 5550 running 8.3 (2.10) Provisional includes therefore the fix for the bug failed packet classification - draw well known.

  So in theory, with firewall settings on a shared interface ASA must use the firewall MAC address to classify incoming traffic on the correct firewall and as far as I know, only retreating to use TAR to classify if the Mac of the interface are the same. Actually on my platform, appears not to be the case and the classifier uses NAT to determine the context of destination. I see this with live traffic (that is not generated by packet - trace) in newspapers and can prove it by disabling some NAT rules (there is some overlap with the IP address behind each firewall).

  My question about packet trace is - in the scenario above with an external interface shared, tracer package uses not ALWAYS NAT to determine the context of destination? Or tracer packet search address MAC interface penetration depending on what context you run packet tracer of? It seems that packet - trace uses NAT in my case which could be just symptomatic of the potential bug I described above, rather than by design.

  I searched the forums for an answer to this and have not found one - don't know if it will be a question for developers TAC?

  See you soon

  Paul

  Hi Paul,.

  The packet - trace has no way to specify the MAC address of the simulated package, so it will always return a check of the NAT. It is currently a limiation of the feature of packet - trace in multiple context mode.

  In addition, if your NAT rules contains the 'none' keyword of the pair of the interface, you should be aware of this bug:

  CSCts07069 - ASA: packet classifier fails with "any" in the rule being NAT (fixed in 8.3.2.28)

  Hope that helps.

  -Mike

• Cannot download files from packet trace of Cisco NetaCad

  Original title: cisco netacad students

  Why can not download files from packet trace Cisco netacad

  How to solved the question above

• How to activate IP accounting or capture packets in Cisco ASA 5510 (8.2)

  Hi all

  Please help me for activation

  IP accounting packets or capture in Cisco ASA 5510 (8.2).

  Thank you

  Solene

  Hi Eric,.

  Create a list of access with the source destination ip address and/or tcp/udp ports

  can use it

  CAP_NAME access-list ACL_NAME buffer 12345bytes INT_NAME capture interface

  You can check capture

  See the capture?

  Name Capture PASSWORD

  |     Output modifiers

  Take care

  PaulC

• Can I run Cisco Packet Tracer on a Windows 8 Tablet?

  I've never owned a tablet before and I think to buy a tablet of Windows to the use of Cisco Packet Tracer but I can't find any information online if she is even able to install and it works.

  If its possible is there all of the recommendations of which tablet to get?  I'm not looking for a high-end one, just something simple with the ability to run Tracker package easily.

  I've never owned a tablet before and I think to buy a tablet of Windows to the use of Cisco Packet Tracer but I can't find any information online if she is even able to install and it works.

  If its possible is there all of the recommendations of which tablet to get?  I'm not looking for a high-end one, just something simple with the ability to run Tracker package easily.

  Windows 8 is just an OS that will run on several different tablets - so...  Find one that meets your needs.
   
  So regarding the software can run on a given device - it would be a question better posed to Cisco.  The application compatibility and essentially that it will / will not do in a given situation is determined by them - not Microsoft.
   
  The basic response would probably 'yes', if you get a Tablet 8 Standard Windows or Windows 8 Professional.  I have doubts if Windows 8 RT would work the same - but having run many thing on the RT I don't think that it would be likely to lead to (and being proven wrong) - it can even work on RT.
   
  http://answers.Microsoft.com/en-us/Windows/Forum/windows_8-performance/how-do-i-run-Cisco-packet-tracer-on-Windows-8/9f16994a-c45b-4935-90d8-cc515c88371a?msgId=724a493f-7e73-47B5-83EE-b9c8a79ef2a1

• Cisco ASA Cisco 831 routing static. help with ACL, maybe?

  Hi all

  What should be a simple task turns out to be difficult and I really need help.

  The Cisco ASA obviously isn't a strong point on mine and could do with a point in the right direction. I hope that this will allow me to learn more about the ASA 5505.

  OK so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 DHCP of my cable modem.

  I have a cisco 831 Ethernet router that will sit between my main LAN and my LAN test I want to implement for multicasting. the Cisco 831 has 1 Ethernet as 192.168.254.254 and Ethernet 0 is 10.1.1.1.

  The ASA I have an interior route 10.0.0.0 255.0.0.0 192.168.254.254.

  On the Cisco 831, there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via Cisco 831 to the ASA 5505 and internet, for example I can ping 8.8.8.8 and access everything on my main local network, but the other wan of any host inside the ASA 5505 is unable to ping anything on 10.1.1.x.

  Where I'm going wrong? I did all my access to my a whole ASA, but it is still unable to do anything.

  I will attached my configs with deleted passwords here and would like a good kick in the right direction. Without a doubt, it's something simple I'm missing and I'm sure it's with the ACL on the ASA 5505 like the packet tracer said that the package is abandoned due to the ACL

  Thank you. :)

  Thus, all traffic between these two LANs will travel on ASA, on the same interface.
  Then please add this command in the global configuration of the ASA:
  permit same-security-traffic intra-interface

• IPSEC not Pkts on Cisco ASA

  Hi, please I need a help.

  I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.

  But I could not send pkts on this VPN.

  My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network

  ==========================

  FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
  address of the peers: 177.154.83.34
  Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20

  access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
  local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
  Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
  current_peer: 177.154.83.34

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
        #pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 1

  local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
  Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
  current outbound SPI: C1A13463
  current inbound SPI: 5B6B0EAB

  SAS of the esp on arrival:
  SPI: 0x5B6B0EAB (1533742763)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xC1A13463 (3248567395)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  ===========================

  Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0

  Phase: 1
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DECLINE
  Config:
  Implicit rule
  Additional information:

  Result:
  input interface: outdoors
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: drop
  Drop-reason: flow (acl-drop) is denied by the configured rule

  ===============================

  FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
  outside_map0 card crypto 4 peers set 177.154.83.34
  internal GroupPolicy_177.154.83.34 group strategy
  attributes of Group Policy GroupPolicy_177.154.83.34
  tunnel-group 177.154.83.34 type ipsec-l2l
  tunnel-group 177.154.83.34 general-attributes
  Group - default policy - GroupPolicy_177.154.83.34
  IPSec-attributes tunnel-group 177.154.83.34

  ==============================

  FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
  network 172.31.2.2_32 object
  Home 172.31.2.2
  access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
  access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
  NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itinerary

  so you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.

  the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.

• Remote access VPN Cisco ASA

  Hello!

  I have 9.1 (3) version of Cisco ASA with remote access VPN set UP on the outside interface. When the user connects to the Internet on the outside interface, it works well. My goal is to allow the connection of all other interfaces (inside the dmz and etc.) to the outside interface. Cisco ASA allows to do? Order to packet - trace output is less to:

  MSK-hq-fw1 # packet - trace entry inside tcp 10.10.10.1 14214 1.1.1.2 443

  Phase: 1

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  developed 1.1.1.2 255.255.255.255 identity

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  developed 1.1.1.2 255.255.255.255 identity

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  the output interface: NP identity Ifc

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: (headwall) No. road to host

  Hello

  Well, you can of course turn VPN on other interfaces, but to be honest, I never even tried to set up the VPN it otherwise than of multiple multiple external interfaces in the case of the ISP and in this case only for testing purposes.

  Some things related to the ASA are well known but not well documented.

  The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)

  Note 
  For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network.
  

  Source (old configuration guide):

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

  -Jouni

• Cisco ASA l2l VPN disorder

  Hello Experts from Cisco,

  I run in trouble with one of my l2l ipec vpn between an asa 5510 and 5520 cisco running version 8.2.2.

  Our existing l2l VPN are connected fine and work very well. Currently SITE a (10.10.0.0/16) connects to the SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

  What is a failure is when I try to connect SITE B to SITE C. The tunnel coming up and phase 1 and 2 complete successfully. However, even if in the course of execution: ' entry packet - trace within the icmp 10.20.8.2 8 0 detailed 10.100.8.1 ' I get the following:

  Phase: 10

  Type: VPN

  Subtype: encrypt

  Result: DECLINE

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad1c4500, priority = 70, domain = encrypt, deny = false

  hits = 609, user_data = 0 x 0, cs_id = 0xad1c2e10, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.20.0.0, mask is 255.255.0.0, port = 0

  DST ip = 10.100.8.0, mask is 255.255.248.0, port = 0, dscp = 0 x 0

  I noticed that when the tunnel came, the road to 10.100.8.0/21 was added in the routing table and cyrpto what ACL has not been applied on the SAA remote. I added the route manually but cannot get the cryto ACL to apply.

  Useful info:

  C SITE

  the object-group NoNatDMZ-objgrp network

  object-network 10.10.0.0 255.255.0.0

  object-network 10.10.12.0 255.255.255.0

  network-object 10.20.0.0 255.255.0.0

  access extensive list ip 10.100.8.0 outside_30_cryptomap allow 255.255.248.0 10.20.0.0 255.255.0.0

  IP 10.100.8.0 allow Access - list extended sheep 255.255.248.0 sheep-objgrp object-group

  card crypto outside_map 30 match address outside_30_cryptomap

  card crypto outside_map 30 peers set x.x.x.x

  crypto outside_map 30 card value transform-set ESP-AES256-SHA

  crypto outside_map 30 card value reverse-road

  outside_map interface card crypto outside

  SITE B

  object-group network sheep-objgrp

  object-network 10.10.0.0 255.255.0.0

  object-network 10.21.0.0 255.255.0.0

  object-network 10.10.12.0 255.255.255.0

  network-object 10.100.8.0 255.255.248.0

  IP 10.20.0.0 allow Access - list extended sheep 255.255.0.0 sheep-objgrp object-group

  allow outside_50_cryptomap to access extended list ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0

  card crypto outside_map 50 match address outside_50_cryptomap

  game card crypto outside_map 50 peers XX. XX. XX. XX

  outside_map crypto 50 card value transform-set ESP-AES256-SHA

  outside_map crypto 50 card value reverse-road

  outside_map interface card crypto outside

  I've been struggling with this these days. Any help is very appreciated!

  Thank you!!

  Follow these steps:

  no card outside_map 10-isakmp ipsec crypto dynamic outside_dyn_map

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  clear crypto ipsec its SITE_B_Public peer

  Try again and attach the same outputs.

  Let me know.

  Thank you.

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin

• Cisco ASA 5510 VPN Site to Site with Sonicwall

  I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

  Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

  Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

  NAT (inside) 0 access-list sheep

  ..

  IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

  access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

  ..

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set counterpart x.x.x.x

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  ..

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  lifetime 28800

  ..

  internal SiteToSitePolicy group strategy

  attributes of Group Policy SiteToSitePolicy

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec

  Split-tunnel-network-list no

  ..

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group x.x.x.x General attributes

  Group Policy - by default-SiteToSitePolicy

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  ..

  Added some excerpts from the configuration file

  Hello Manjitriat,

  Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

  Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

  Now the packet tracer must be something like this:

  entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

  Please provide us with the result of the following instructions after you run the packet tracer.

  See the crypto Isakamp SA

  See the crypto Ipsec SA

  Kind regards

  Julio

• L2l vpn with Firewall Palo Alto

  I'm setting up a tunnel of l2l with a firewall of palo alto and evil.  It is a fairly simple installation, we are traffic encryption public to the public for download of the side sftp asa.  Here are the parts relevant to the config and various outputs...  Remote admin side asserts that the phase 1 pass and we have a timeout of waiting for phase 2.  Any help would be appreciated.

  1.1.1.1 (customer2 destination address)
  1.1.1.2 (customer2 vpn gateway)
  2.2.2.0 (space local public ip)

  description of CustomerVPN2 name 1.1.1.1 customer VPN2

  Inside_nat0_outbound to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2
  Outside_4_cryptomap to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2

  card crypto Outside_map 4 corresponds to the address Outside_4_cryptomap
  crypto map Outside_map 4 set type of connection are created only
  card crypto Outside_map 4 set peer 1.1.1.2
  card crypto Outside_map 4 the value transform-set ESP-AES-256-SHA

  crypto ISAKMP policy 50
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400

  tunnel-group 1.1.1.2 type ipsec-l2l
  1.1.1.2 tunnel-group ipsec-attributes
  pre-shared-key *.

  SH crypto isakmp (reviews listed as type: user)

  8 peer IKE: 1.1.1.2
  Type: user role: initiator
  Generate a new key: no State: MM_WAIT_MSG2

  Debug crypto ipsec (looks like he's trying all cryptographic cards except one)

  IPSec (crypto_map_check): crypto Outside_map 1 hole card no match for ACL Outside_1_cryptomap.

  IPSec (crypto_map_check): card crypto Outside_map 2 do not match for ACL Outside_2_cryptomap hole.

  IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL Outside_3_cryptomap.

  IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL OO_temp_Outside_map3.

  and finally.

  03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, removing counterpart peer table faile
  d, no match!
  03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, error: cannot delete PeerTblEntr

  Hey Evo,

  You asa public interface is the same as the public ip address that you are trying to encrypt?

  I think you need to create a Nat policy that can be a private ip address as well and then use it as your side of interesting traffic, because the Admin in Palo Alto is right about the vpn route accordingly.

  Here are some links for policy based Nat & paloalto side vpn screenshots and explanations.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

  http://www.danielelonghi.com/wp-content/uploads/2011/05/Howto-create-VPN-connection-between-JUNOS-and-paloalto.PDF

  http://netsecinfo.blogspot.com/2008/02/route-based-VPNs-explained.html

  Manish

• Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.

  I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...

  Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.

  If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "

  One way is not good and the other real harm.

• EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

  Hi friends,

  I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

  Please find below the exit of 881 router Cisco:

  YF2_Tbilisi_router #.
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
  * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
  * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
  * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
  * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
  * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
  * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
  * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:31:47.805 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
  * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
  * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
  * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
  * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
  * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
  * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
  * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
  * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:32:48.913 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

  There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

  The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?