Equivalent to define peer on ASA - tunnel alternative site L2L

Hello

On international search reports, you can specify more than one peer (peer set) for an IPSEC tunnel and in the case where one of the peers (default) descends on the other is judged.

I was wondering if the same thing is possible on a SAA? I would like an ASA branch to try the main site and in the case where the main site is not available, try to establish a tunnel to the secondary site. It's down without HSRP as secondary site can be in a different country. DPD and IPP would be also something I'd like to do ASA, roads can be re-injected dynamically in OSPF.

Thanks in advance,

Bob James

Same thing.

Federico.

Tags: Cisco Security

Similar Questions

card crypto VPN 270 defined peer 12.2.3.4 12.5.6.7

All the

Previously tunnel setup has (2) ip addresses defined in the crypto map. I was informed that one of the ip is no longer valid.

Can I remove one of the ip without losing the other?

no VPN 270 crypto card not defined peer 12.2.3.4

Yes you can.

Thank you

ASA as point endpoint l2l and route remote peer

Hello dear community support.

I need to set up the following scenario:

I managed to create the tunnels of routers to ASA, but there are 2 questions:
1. Remote local networks, I'm not able to ping inside the interface interface, apart if I use the management-access command on my inside, I don't want to.
2. Remote local networks cannot communicate with each other. Is there some routing that I should add? My Interface inside has a permit temporary icmp a whole, and I guess the ASA must bring up the appropriate routes when the tunnels appears. I have identfyed the roads properly in my Crypto Card and on my remote routers.
As my remote routers all have dynamic IP addresses assigned, they all fall into the Group of the defaultl2l Tunnel. Is this wrong?

Any ideas or suggestions would be highly appreciated

Thank you very much for your help!

Hello

The ASAs generally have a limit that you can not ICMP/PING an interface behind another interface of the ASA. command "access management" is the only way to activate the Protocol ICMP interface via another interface. And also this only applies to connections that arrive via a VPN connection.

So if you want ICMP/PING the interface 'inside' of the ASA to remote sites, you can use the command "access management" . If management connections are your worries you should limit the management as well as remote network will not be able to manage the ASA. Of course, they also know the login information to even have the option to manage the ASA?

As for your other question, there are some things you need to make the connections between the Remote LAN if you intend to do this via the central site with the ASA.
- You will need to have the command "permit same-security-traffic intra-interface" configured on the SAA. This command will allow traffic to enter and exit the same interface on the ASA. In your case, it would be the "outside" interface, which would be the only interface through which traffic between remote LANs would traverse through the ASA
- You will need to define the interesting connections VPN L2L traffic so that it includes this traffic
  - ASA l2l to a peripheral remote site VPN VPN connection must have as source address for traffic interesting the other network to remote sites.
  - The remote VPN device l2l VPN connection must have as destination address of the remote network
- You need NAT0 configurations for traffic on the remote site VPN devices
- You will need to have a configuration NAT0 on the SAA for this traffic that will flow between remote sites through the ASA. This NAT0 configuration must be configured on the 'outside' interface. The format of configuration depends on your level of Software ASA
If you mention that you are using a default VPN L2L "tunnel-group" both of the connections.

I suggest you look at this document. It would allow to the allows you to configure remote sites, so that you can set up other than "tunnel-group" for them on the SAA and accomplish what you want.

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

Hope this helps

-Jouni

Cisco ASA 5505 VPN Site to Site

Hi all

First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

I'd appreciate any help that can be directed to this problem please. Slowly losing my mind

Please see details below:

Two ADMS are 7.1

IOS

ASA 1

Nadia

:

ASA Version 9.0 (1)

!

hostname PAYBACK

activate the encrypted password of HSMurh79NVmatjY0

volatile xlate deny tcp any4 any4

volatile xlate deny tcp any4 any6

volatile xlate deny tcp any6 any4

volatile xlate deny tcp any6 any6

volatile xlate deny udp any4 any4 eq field

volatile xlate deny udp any4 any6 eq field

volatile xlate deny udp any6 any4 eq field

volatile xlate deny udp any6 any6 eq field

2KFQnbNIdI.2KYOU encrypted passwd

names of

local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

link Trunk Description of SW1

switchport trunk allowed vlan 1,10,20,30,40

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan2

nameif outside

security-level 0

IP 92.51.193.158 255.255.255.252

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan20

nameif servers

security-level 100

address 192.168.20.1 255.255.255.0

!

Vlan30 interface

nameif printers

security-level 100

192.168.30.1 IP address 255.255.255.0

!

interface Vlan40

nameif wireless

security-level 100

192.168.40.1 IP address 255.255.255.0

!

connection line banner welcome to the Payback loyalty systems

boot system Disk0: / asa901 - k8.bin

passive FTP mode

summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

domain-lookup DNS servers

DNS lookup domain printers

DNS domain-lookup wireless

DNS server-group DefaultDNS

Server name 83.147.160.2

Server name 83.147.160.130

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

ftp_server network object

network of the Internal_Report_Server object

Home 192.168.20.21

Description address internal automated report server

network of the Report_Server object

Home 89.234.126.9

Description of server automated reports

service object RDP

service destination tcp 3389 eq

Description RDP to the server

network of the Host_QA_Server object

Home 89.234.126.10

Description QA host external address

network of the Internal_Host_QA object

Home 192.168.20.22

host of computer virtual Description for QA

network of the Internal_QA_Web_Server object

Home 192.168.20.23

Description Web Server in the QA environment

network of the Web_Server_QA_VM object

Home 89.234.126.11

Server Web Description in the QA environment

service object SQL_Server

destination eq 1433 tcp service

network of the Demo_Server object

Home 89.234.126.12

Description server set up for the product demo

network of the Internal_Demo_Server object

Home 192.168.20.24

Internal description of the demo server IP address

network of the NETWORK_OBJ_192.168.20.0_24 object

subnet 192.168.20.0 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_26 object

255.255.255.192 subnet 192.168.50.0

network of the NETWORK_OBJ_192.168.0.0_16 object

Subnet 192.168.0.0 255.255.0.0

service object MSSQL

destination eq 1434 tcp service

MSSQL port description

VPN network object

192.168.50.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_24 object

192.168.50.0 subnet 255.255.255.0

service object TS

tcp destination eq 4400 service

service of the TS_Return object

tcp source eq 4400 service

network of the External_QA_3 object

Home 89.234.126.13

network of the Internal_QA_3 object

Home 192.168.20.25

network of the Dev_WebServer object

Home 192.168.20.27

network of the External_Dev_Web object

Home 89.234.126.14

network of the CIX_Subnet object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_84.39.233.50 object

Home 84.39.233.50

network of the NETWORK_OBJ_92.51.193.158 object

Home 92.51.193.158

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

the tcp destination eq ftp service object

the purpose of the tcp destination eq netbios-ssn service

the purpose of the tcp destination eq smtp service

service-object TS

the Payback_Internal object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

object-group service DM_INLINE_SERVICE_3

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

service-object TS

service-object, object TS_Return

object-group service DM_INLINE_SERVICE_4

service-object RDP

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

object-group service DM_INLINE_SERVICE_5

purpose purpose of the MSSQL service

service-object RDP

service-object TS

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service DM_INLINE_SERVICE_6

service-object TS

service-object, object TS_Return

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

Note to outside_access_in to access list that this rule allows Internet the interal server.

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-list of FTP access

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list of SMTP access

Note to outside_access_in to access list Net Bios

Comment from outside_access_in-SQL access list

Comment from outside_access_in-list to access TS - 4400

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

access host access-list outside_access_in note rule internal QA

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

Notice on the outside_access_in of the access-list access to the internal Web server:

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

Note to outside_access_in to access list rule allowing access to the demo server

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list to access MSSQL

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

Note to outside_access_in access to the development Web server access list

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

Enable logging

information recording console

asdm of logging of information

address record

[email protected] / * /.

the journaling recipient

[email protected] / * /.

level alerts

Outside 1500 MTU

Within 1500 MTU

MTU 1500 servers

MTU 1500 printers

MTU 1500 wireless

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-711 - 52.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (wireless, outdoors) source Dynamics one interface

NAT (servers, outside) no matter what source dynamic interface

NAT (servers, external) static source Internal_Report_Server Report_Server

NAT (servers, external) static source Internal_Host_QA Host_QA_Server

NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

NAT (servers, external) static source Internal_Demo_Server Demo_Server

NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

NAT (servers, external) static source Internal_QA_3 External_QA_3

NAT (servers, external) static source Dev_WebServer External_Dev_Web

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0

dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

ASA 2

ASA Version 9.0 (1)

!

Payback-CIX hostname

activate the encrypted password of HSMurh79NVmatjY0

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

Description this port connects to the local network VIRTUAL 100

switchport access vlan 100

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 100

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan2

nameif outside

security-level 0

IP 84.39.233.50 255.255.255.240

!

interface Vlan100

nameif inside

security-level 100

IP 192.168.100.1 address 255.255.255.0

!

banner welcome to Payback loyalty - CIX connection line

passive FTP mode

summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

DNS server-group defaultDNS

Name-Server 8.8.8.8

Server name 8.8.4.4

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the host-CIX-1 object

host 192.168.100.2

Description This is the VM server host machine

network object host-External_CIX-1

Home 84.39.233.51

Description This is the external IP address of the server the server VM host

service object RDP

source between 1-65535 destination eq 3389 tcp service

network of the Payback_Office object

Home 92.51.193.158

service object MSQL

destination eq 1433 tcp service

network of the Development_OLTP object

Home 192.168.100.10

Description for Eiresoft VM

network of the External_Development_OLTP object

Home 84.39.233.52

Description This is the external IP address for the virtual machine for Eiresoft

network of the Eiresoft object

Home 146.66.160.70

Contractor s/n description

network of the External_TMC_Web object

Home 84.39.233.53

Description Public address to the TMC Web server

network of the TMC_Webserver object

Home 192.168.100.19

Internal description address TMC Webserver

network of the External_TMC_OLTP object

Home 84.39.233.54

External targets OLTP IP description

network of the TMC_OLTP object

Home 192.168.100.18

description of the interal target IP address

network of the External_OLTP_Failover object

Home 84.39.233.55

IP failover of the OLTP Public description

network of the OLTP_Failover object

Home 192.168.100.60

Server failover OLTP description

network of the servers object

subnet 192.168.20.0 255.255.255.0

being Wired network

192.168.10.0 subnet 255.255.255.0

the subject wireless network

192.168.40.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the Eiresoft_2nd object

Home 137.117.217.29

Description 2nd Eiresoft IP

network of the Dev_Test_Webserver object

Home 192.168.100.12

Description address internal to the Test Server Web Dev

network of the External_Dev_Test_Webserver object

Home 84.39.233.56

Description This is the PB Dev Test Webserver

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_2

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_3

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_4

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_5

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_6

service-object MSQL

service-object RDP

the Payback_Intrernal object-group network

object-network servers

Wired network-object

wireless network object

object-group service DM_INLINE_SERVICE_7

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_8

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_9

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_10

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_11

service-object RDP

the tcp destination eq ftp service object

outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

Note to access list OLTP Development Office of recovery outside_access_in

outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

Comment from outside_access_in-access Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

Note to outside_access_in access to OLTP for target recovery Office Access list

outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

Note to outside_access_in access from the 2nd IP Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

NAT (inside, outside) static source Development_OLTP External_Development_OLTP

NAT (inside, outside) static source TMC_Webserver External_TMC_Web

NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

Enable http server

http 92.51.193.156 255.255.255.252 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0

dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end

Hello

There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

Here are a few suggestions on what to change

ASA1

Minimal changes

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

being REMOTE-LAN network

255.255.255.0 subnet 192.168.100.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

Other suggestions

These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

PAT-SOURCE network object-group

source networks internal PAT Description

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

no nat (wireless, outdoors) source Dynamics one interface

no nat (servers, outside) no matter what source dynamic interface

The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

network of the SERVERS object

subnet 192.168.20.0 255.255.255.0

network of the VPN-POOL object

192.168.50.0 subnet 255.255.255.0

NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

ASA2

Minimal changes

the object of the LAN network

255.255.255.0 subnet 192.168.100.0

being REMOTE-LAN network

192.168.10.0 subnet 255.255.255.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM.

Other suggestions

PAT-SOURCE network object-group

object-network 192.168.100.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

Hope this makes any sense and has helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Tunnel VPN site to Site with 2 routers Cisco 1921

Hi all

So OK, I'm stumped. I create much s2s vpn tunnels before, but this one I just can't go there. It's just a tunnel VPN Site to Site simple using pre-shared keys. I would appreciate it if someone could take a look at our configs for both routers running and provide a comment. This is the configuration for both routers running. Thank you!

Router 1

=======

Current configuration: 4009 bytes

!

! Last configuration change at 19:01:31 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRSJ host name

!

boot-start-marker

boot-end-marker

!

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

DHCP excluded-address 192.168.200.1 IP 192.168.200.110

DHCP excluded-address IP 192.168.200.200 192.168.200.255

!

IP dhcp POOL SJWHS pool

network 192.168.200.0 255.255.255.0

default router 192.168.200.1

10.10.2.1 DNS server 10.10.2.2

!

!

no ip domain search

IP-name 10.10.2.1 Server

IP-name 10.10.2.2 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-236038042

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 236038042

revocation checking no

rsakeypair TP-self-signed-236038042

!

!

TP-self-signed-236038042 crypto pki certificate chain

certificate self-signed 01

30820241 308201AA A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

8B1E638A EC

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 112.221.44.18

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 112.221.44.18

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

192.168.200.1 IP address 255.255.255.0

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/1

Description wireless bridge

IP 172.17.1.2 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

Verizon DSL description for failover of VPN

IP 171.108.63.159 255.255.255.0

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

network 172.17.1.0 0.0.0.255

network 192.168.200.0

redistribute static

passive-interface GigabitEthernet0/0

passive-interface FastEthernet0/0/0

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 172.17.1.1

IP route 112.221.44.18 255.255.255.255 171.108.63.1

!

access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

=======

Router 2

=======

Current configuration: 3719 bytes

!

! Last configuration change at 18:52:54 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRHQ host name

!

boot-start-marker

boot-end-marker

!

logging buffered 1000000

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

!

!

no ip domain search

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-3490164941

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3490164941

revocation checking no

rsakeypair TP-self-signed-3490164941

!

!

TP-self-signed-3490164941 crypto pki certificate chain

certificate self-signed 01

30820243 308201AC A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

EA1455E2 F061AA

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 171.108.63.159

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 171.108.63.159

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

no ip address

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

IP 10.10.1.6 255.255.0.0

!

interface GigabitEthernet0/1

IP 172.17.1.1 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

IP 112.221.44.18 255.255.255.248

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

Network 10.10.0.0 0.0.255.255

network 172.17.1.0 0.0.0.255

redistribute static

passive-interface GigabitEthernet0/0

passive-interface GigabitEthernet0/0.1

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 112.221.44.17

!

access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

When the GRE tunnel carries your traffic to private ip range, your ACL must contain address of the host of point to point the IPSec tunnel.

Since then, both routers are running EIGRP in the corporate network, let the EIGRP Exchange routes via GRE tunnel, which is a good practice, rather than push the ip ranges private individual through the IPSec tunnel.

Let me know, if that's what you want.

Thank you

2 tunnels vpn site-to-site location A to B

Hello

Current:

I have an ASA 5505 (8.2.x) deployed on a client site with a public ip address provided by the customer.

I have a tunnel from site to site between us (site A) and client (site B).

ASA (at the client) has been installed with 2 VLAN by default (one for outside, one for the Interior using the 2-7 ports).

Future:

The customer wants another tunnel from site to site for a separate project, but they want to use the same ASA but uses another port configured for a schema from a different ip address for this new project. (which means the same ip address public, but different vlan IP).

My Actions:

(A) my first reaction was that I could not do that, but since it's customer and I must find a way, if I can reconfigure client (site B) ASA to take a port and configure it to a vlan different (using the system of intellectual property for this project) and set up a second tunnel from site to site using this vlan?

(B) can even reconfigure a port for a third vlan on this SAA? (customer ASA 5505, 8.2.x, per seat 10 credits).

What is the best approach to accomplish this task?

Thank you...

It's a strange question - technically, you could - I think that the place where you will fall short is that it uses the same peer address at its end. I don't think that it will eventually operate favorably... never tried.

I don't really understand the need for "another site to site tunnel" however. Theoretically, I could be wrong here, there is only need a tunnel of the phase 1 of IKE. There may be several IKE tunnels phase 2, communicating through the tunnel at the same time, however.

Why not let the equal relationship as it is, expand your (and his) internal/external cryptos and go from there. 8.4 ASA supports twice nat - which could be a solution if he has questions on its end.

And to be honest, even the ASA 5505 that I helped set up were all on the remote site, and I'm sure that each of them exists only for the purposes of a single site to my organization.

Perhaps explain WHY he wants to do what he wants to do it too?

VoIP QoS for Tunnel from Site to Site

Hi all

I need help to configure QoS for VoIP between two Cisco ASA 5505 with VPN Site to Site.

There is no need for bandwidth reservation, only 46 (EF) DSCP should be higher and DSCP 26 second queue higher and rules apply only to a site to site VPN.

Usually, I try to configure the ASAs via ASDM and discovered in the documentation Cisco how configure QoS DSCP bits with a Service policy and how to configure QoS for a VPN from Site to Site (rule Service-> Match traffic strategy). But how to configure QoS for a bit DSCP applies to Tunnel from Site to Site? And how configure different priorities for both DSCP bits, this is defined by the order of political Service?

The quality of service must be activated on the two ASAs to inside interface?

Thanks in advance

Tobias

Like most-

class-map voice_traffic
match dscp ef
match dscp 26

Tunnel VPN site to Site - aggressive Mode

I searched the community for answers to this and that you have not found quite what I was looking for (or what seems logical). I have an ASA 5510 to A site with one website VPN tunnel to a SonicWall to site B. Which works very well. I need to create a tunnel for site C to site a using a tunnel of aggressive mode. I'm not quite sure how to do this. Any suggestion would be great!

NOTE: I have included the parts of the running configuration that seem relevant to me. If I missed something please let me know.

ASA Version 8.2 (1)

interface Ethernet0/0

nameif outside

security-level 0

IP 1.2.3.4 255.255.255.248

!

10.5.2.0 IP Access-list extended site_B 255.255.255.0 allow 10.205.2.0 255.255.255.128

access extensive list ip 10.5.2.0 site_C allow 255.255.255.0 10.205.2.128 255.255.255.128

dynamic-access-policy-registration DfltAccessPolicy

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha1

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto VPN 30 card matches the address site_B

card crypto VPN 30 peer set 4.3.2.1

crypto VPN 30 the transform-set 3des-sha1 value card

card crypto VPN 40 corresponds to the address site_C

card crypto VPN. 40 set peer 8.7.6.5

crypto VPN. 40 the transform-set 3des-sha1 value card

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 30

crypto ISAKMP ipsec-over-tcp port 10000

attributes of Group Policy DfltGrpPolicy

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

tunnel-group 4.3.2.1 type ipsec-l2l

4.3.2.1 tunnel-group ipsec-attributes

pre-shared-key *.

tunnel-group 8.7.6.5 type ipsec-l2l

IPSec-attributes tunnel-group 8.7.6.5

pre-shared-key *.

David,

Please try this:

clear crypto ipsec its peer site_c_IP

clear configure VPN 40 crypto card

card crypto VPN 10 corresponds to the address site_C

card crypto VPN 10 set peer 8.7.6.5

crypto VPN 10 the transform-set 3des-sha1 value card

debug logging in buffered memory

capture drop all circular asp type

capture capin interface inside the match ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

After generating the traffic and INTERNAL of the machine behind the ASA:

view Journal | 10.205.2 Inc.

See the fall of cap. 10.205.2 Inc.

view Cape capin

In case it does not work:

(a) show the crypto classic table ASP.

(b) details of vpn-framework for table ASP.

(c) show cry its site_c peer ipsec

(d) entry packet - trace within the icmp 10.5.2.15 8 0 10.205.2.130 detail

(e) see the crypto ipsec his

At the same time, please.

Let me know how it goes.

Thank you

Portu.

Please note all useful posts

Remote VPN users cannot access tunnel from site to site

Cisco ASA5505.

I have a tunnel of site-to-site set up from our office to our Amazon AWS VPC. I'm not a network engineer and have spent way too much time just to get to this point.

It works very well since within the office, but users remote VPN can not access the tunnel from site to site. All other remote access looks very good.

The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

Any help or advice would be greatly appreciated. It is probably super simple for someone who knows what they're doing to see the question.

Hi Paul.

Looking at your configuration:

Remote access:

internal RA_GROUP group policy
RA_GROUP group policy attributes
value of server DNS 8.8.8.8 8.8.4.4
Protocol-tunnel-VPN IPSec
value of Split-tunnel-network-list Split_Tunnel_List

permit same-security-traffic intra-interface

type tunnel-group RA_GROUP remote access
attributes global-tunnel-group RA_GROUP
address RA_VPN_POOL pool
Group Policy - by default-RA_GROUP
IPSec-attributes tunnel-group RA_GROUP
pre-shared key *.

local pool RA_VPN_POOL 10.0.0.10 - 255.255.255.0 IP 10.0.0.50 mask

Site to site:
```
  
```
card crypto outside_map 1 match address acl-amzn

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP

card crypto outside_map 1 set of transformation transformation-amzn

I recommend you to use a local IP address pool with a different IP address that deals with the inside interface uses, now you are missing NAT are removed from the IP local pool to the destination of the site to site:

NAT_EXEMPT list of ip 10.0.0.0 access allow 255.255.255.0 172.17.0.0 255.255.0.0

NAT (outside) 0-list of access NAT_EXEMPT

Now, there's a dynamically a NAT exempt allowing traffic to go out and are not translated.

I would like to know how it works!

Please don't forget to rate and score as correct the helpful post!

Kind regards

David Castro,

Tunnel from site to site VPN that overlap within the network

Hi all

I need to connect 2 networks via a tunnel VPN site to site. On the one hand, there is a 506th PIX by the termination of the VPN. The other side, I'm not too sure yet.

However, what I know, is that both sides of the tunnel using the exact same IP subnet 192.168.1.0/24.

This creates a problem when I need to define the Routing and the others when it comes to VPN and what traffic should be secure etc.

However, read a lot for the review of CERT. Adv. Cisco PIX and noticed that outside NAT can solve my 'small' problem.

That's all it is said, but I'd really like to see an example of configuration of this or hear from someone who has implemented it.

Anyone?

Steffen

How is it then?

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

Difficult to complete phase 1 of the tunnel from site to site.

I have a 1921 Cisco (config) and between an ASA 5505 (config) that I am trying to establish a tunnel from site to site.

I think I should be able to see the tunnel when I type isakmp crypto to show its, but it is not at all.

Cisco 1921 outside intellectual property:
ASA 5505 outside intellectual property:

I tried to ping from the inside network to the ASA, inside network on 1921. It is not bring up the tunnel.

How is the tunnel is not complete the phase 1?

Can you please send the information about the configuration? Crypto maps, ACL, etc.

VPN clients hairpining through a tunnel from site to site

I have a 8.2 (5) ASA 5510 in Site1 and a 8.2 (1) ASA 5505 Site2 they are configured with a tunnel from site to site.

Each site has VPN clients that connect and I would like to allow customers to access on both sides across the site-to-site tunnel servers.

I enabled same-security-traffic permit intra-interface I also added the remote networks to access list who made the split tunneling.

I think I'm doing something wrong with nat, but I don't know, any help would be greatly appreciated.

Site1 Clients1 (172.17.2.0/24) (10.0.254.0/24)

ASA Version 8.2 (5)

!

hostname site1

names of

DNS-guard

!

interface Ethernet0/0

nameif outside

security-level 0

IP address site1 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

IP 172.17.2.1 255.255.255.0

!

interface Ethernet0/2

Shutdown

nameif DMZ

security-level 0

IP 10.10.10.1 255.255.255.0

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 0

IP 192.168.1.1 255.255.255.0

management only

!

passive FTP mode

permit same-security-traffic intra-interface

VPN - UK wide ip 172.17.2.0 access list allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 192.168.123.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

Notice of inside_nat0_outbound access-list us Client Server UK

access extensive list ip 10.0.254.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 192.168.123.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0

Split_Tunnel_List list standard access allowed 192.168.123.0 255.255.255.0

Split_Tunnel_List of access note list UK VPN Client pool

Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0

outside-2 extended access list permit tcp any any eq smtp

outside-2 extended access list permit tcp any any eq 82

outside-2 extended access list permit tcp any any eq 81

outside-2 extended access list permit tcp everything any https eq

outside-2 extended access list permit tcp any any eq imap4

outside-2 extended access list permit tcp any any eq ldaps

outside-2 extended access list permit tcp any any eq pop3

outside-2 extended access list permit tcp any any eq www

outside-2 extended access list permit tcp any any eq 5963

outside-2 extended access list permit tcp any any eq ftp

outside-2 allowed extended access list tcp any any eq ftp - data

outside-2 extended access list permit tcp any any eq 3389

list of access outside-2 extended tcp refuse any any newspaper

2-outside access list extended deny ip any any newspaper

outside-2 extended access list deny udp any any newspaper

allow VPN CLIENTS to access extended list ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0

allow VPN CLIENTS to access extended list ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0

allow VPN CLIENTS to access extended list 192.168.123.0 ip 255.255.255.0 10.0.254.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0

VPNClient_splittunnel list standard access allowed 192.168.123.0 255.255.255.0

VPNClient_splittunnel of access note list UK VPN Client pool

Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0

VPN-Northwoods extended ip 172.17.2.0 access list allow 255.255.255.0 192.168.123.0 255.255.255.0

Note to outside_nat0_outbound to access list AD 01/05/13

access extensive list ip 10.0.254.0 outside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 DMZ

management of MTU 1500

mask 10.0.254.25 - 10.0.254.45 255.255.255.0 IP local pool VPNUserPool

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT-control

Global 1 interface (outside)

NAT (outside) 0-list of access outside_nat0_outbound

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 172.17.2.0 255.255.255.0

public static tcp (indoor, outdoor) interface smtp 172.17.2.200 smtp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 82 172.17.2.253 82 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 81 192.168.123.253 81 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface https 172.17.2.10 https netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 172.17.2.10 imap4 imap4 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 172.17.2.10 pop3 pop3 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface www 172.17.2.19 www netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 5963 172.17.2.108 5963 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ftp 172.17.2.7 ftp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ftp - data 172.17.2.7 ftp - data netmask 255.255.255.255

static (inside, outside) tcp 3389 172.17.2.29 interface 3389 netmask 255.255.255.255

Access-group 2-outside-inside in external interface

Route outside 0.0.0.0 0.0.0.0 74.213.51.129 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

RADIUS protocol AAA-server DCSI_Auth

AAA-server host 172.17.2.29 DCSI_Auth (inside)

key *.

AAA-server protocol nt AD

AAA-server AD (inside) host 172.16.1.211

AAA-server AD (inside) host 172.17.2.29

the ssh LOCAL console AAA authentication

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp - esp-sha-hmac trans_set

Crypto ipsec transform-set VPN-Client-esp-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map DYN_MAP 20 the value reverse-road

Crypto-map dynamic outside_dyn_map 20 game of transformation-VPN-Client

address for correspondence outside_map 20 card crypto VPN - UK

card crypto outside_map 20 peers set site2

card crypto outside_map 20 transform-set trans_set

address for correspondence outside_map 30 card crypto VPN-Northwoods

card crypto outside_map 30 peers set othersite

trans_set outside_map 30 transform-set card crypto

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 20

preshared authentication

the Encryption

md5 hash

Group 2

lifetime 28800

Telnet timeout 5

SSH timeout 60

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal Clients_vpn group strategy

attributes of strategy of group Clients_vpn

value of server DNS 10.0.1.30

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPNClient_splittunnel

domain.local value by default-field

the authentication of the user activation

tunnel-group VPNclient type remote access

tunnel-group VPNclient-global attributes

address pool VPNUserPool

authentication-server-group DCSI_Auth

strategy - by default-group Clients_vpn

tunnel-group VPNclient ipsec-attributes

pre-shared key *.

tunnel-group othersite type ipsec-l2l

othersite group tunnel ipsec-attributes

pre-shared key *.

tunnel-group site2 type ipsec-l2l

tunnel-group ipsec-attributes site2

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

class-map imblock

match any

class-map p2p

game port tcp eq www

class-map P2P

game port tcp eq www

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

type of policy-map inspect im bine

parameters

msn - im yahoo im Protocol game

drop connection

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the pptp

type of policy-card inspect http P2P_HTTP

parameters

matches the query uri regex _default_gator

Journal of the drop connection

football match request uri regex _default_x-kazaa-network

Journal of the drop connection

Policy-map IM_P2P

class imblock

inspect the im bine

class P2P

inspect the http P2P_HTTP

!

global service-policy global_policy

IM_P2P service-policy inside interface

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893

: end

Site2 Clients1 (172.18.2.0/24) (172.255.2.0/24)

ASA Version 8.2 (1)

!

names of

name 172.18.2.2 UKserver

!

interface Vlan1

nameif inside

security-level 100

IP 172.18.2.1 255.255.255.0

!

interface Vlan2

nameif GuestWiFi

security-level 0

IP 192.168.2.1 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

IP address site2 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport trunk allowed vlan 1-2

switchport vlan trunk native 2

switchport mode trunk

Speed 100

full duplex

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

permit same-security-traffic intra-interface

Access extensive list ip 172.18.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0

Access extensive list ip 172.17.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0

Outside_2_Inside list extended access permit tcp any host otherhost eq smtp

Outside_2_Inside list extended access permit tcp any host otherhost eq pop3

Outside_2_Inside list extended access permit tcp any host otherhost eq imap4

Outside_2_Inside list extended access permit tcp any host otherhost eq www

Outside_2_Inside list extended access permit tcp any host otherhost eq https

Outside_2_Inside list extended access permit tcp any host otherhost eq ldap

Outside_2_Inside list extended access permit tcp any host otherhost eq ldaps

Outside_2_Inside list extended access permit tcp any host otherhost eq nntp

Outside_2_Inside list extended access permit tcp any host otherhost eq 135

Outside_2_Inside list extended access permit tcp any host otherhost eq 102

Outside_2_Inside list extended access permit tcp any host otherhost eq 390

Outside_2_Inside list extended access permit tcp any host otherhost eq 3268

Outside_2_Inside list extended access permit tcp any host otherhost eq 3269

Outside_2_Inside list extended access permit tcp any host otherhost eq 993

Outside_2_Inside list extended access permit tcp any host otherhost eq 995

Outside_2_Inside list extended access permit tcp any host otherhost eq 563

Outside_2_Inside list extended access permit tcp any host otherhost eq 465

Outside_2_Inside list extended access permit tcp any host otherhost eq 691

Outside_2_Inside list extended access permit tcp any host otherhost eq 6667

Outside_2_Inside list extended access permit tcp any host otherhost eq 994

Outside_2_Inside access list extended icmp permitted an echo

Outside_2_Inside list extended access permit icmp any any echo response

Outside_2_Inside list extended access permit tcp any host site2 eq smtp

Outside_2_Inside list extended access permit tcp any host site2 eq pop3

Outside_2_Inside list extended access permit tcp any host site2 eq imap4

Outside_2_Inside list extended access permit tcp any host site2 eq www

Outside_2_Inside list extended access permit tcp any host site2 eq https

Outside_2_Inside list extended access permit tcp any host site2 eq ldap

Outside_2_Inside list extended access permit tcp any host site2 eq ldaps

Outside_2_Inside list extended access permit tcp any host site2 eq nntp

Outside_2_Inside list extended access permit tcp any host site2 eq 135

Outside_2_Inside list extended access permit tcp any host site2 eq 102

Outside_2_Inside list extended access permit tcp any host site2 eq 390

Outside_2_Inside list extended access permit tcp any host site2 eq 3268

Outside_2_Inside list extended access permit tcp any host site2 eq 3269

Outside_2_Inside list extended access permit tcp any host site2 eq 993

Outside_2_Inside list extended access permit tcp any host site2 eq 995

Outside_2_Inside list extended access permit tcp any host site2 eq 563

Outside_2_Inside list extended access permit tcp any host site2 eq 465

Outside_2_Inside list extended access permit tcp any host site2 eq 691

Outside_2_Inside list extended access permit tcp any host site2 eq 6667

Outside_2_Inside list extended access permit tcp any host site2 eq 994

Outside_2_Inside list extended access permit tcp any SIP EQ host site2

Outside_2_Inside list extended access permit tcp any range of 8000-8005 host site2

Outside_2_Inside list extended access permit udp any range of 8000-8005 host site2

Outside_2_Inside list extended access udp allowed any SIP EQ host site2

Outside_2_Inside tcp extended access list deny any any newspaper

Outside_2_Inside list extended access deny udp any any newspaper

VPN - USA 172.255.2.0 ip extended access list allow 255.255.255.0 172.17.2.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.255.2.0 255.255.255.0

access extensive list ip 172.255.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0

Comment by Split_Tunnel_List-list of access networks to allow via VPN

Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 10.0.254.0 255.255.255.0

pager lines 20

Enable logging

monitor debug logging

debug logging in buffered memory

asdm of logging of information

Debugging trace record

Within 1500 MTU

MTU 1500 GuestWiFi

Outside 1500 MTU

IP pool local ClientVPN 172.255.2.100 - 172.255.2.124

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

NAT-control

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 172.18.2.0 255.255.255.0

NAT (GuestWiFi) 2 192.168.2.0 255.255.255.0

public static tcp (indoor, outdoor) interface smtp smtp UKserver netmask 255.255.255.255

public static tcp (indoor, outdoor) UKserver netmask 255.255.255.255 pop3 pop3 interface

public static tcp (indoor, outdoor) interface imap4 imap4 netmask 255.255.255.255 UKserver

public static tcp (indoor, outdoor) interface www UKserver www netmask 255.255.255.255

public static tcp (indoor, outdoor) https UKserver netmask 255.255.255.255 https interface

public static tcp (indoor, outdoor) interface ldap UKserver ldap netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ldaps ldaps netmask 255.255.255.255 UKserver

public static tcp (indoor, outdoor) interface nntp nntp netmask 255.255.255.255 UKserver

public static 135 135 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 102 102 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 390 390 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 3268 3268 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 3269 3269 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static UKserver netmask 255.255.255.255 993 993 interface tcp (indoor, outdoor)

public static UKserver 995 netmask 255.255.255.255 995 interface tcp (indoor, outdoor)

public static 563 563 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 465 465 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 691 691 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 6667 UKserver 6667 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 994 994 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

Access-group Outside_2_Inside in interface outside

Route outside 0.0.0.0 0.0.0.0 87.224.93.53 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Ray of AAA-server vpn Protocol

AAA-server vpn (inside) host UKserver

key DCSI_vpn_Key07

the ssh LOCAL console AAA authentication

Enable http server

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp - esp-sha-hmac trans_set

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 transform-set trans_set

Crypto dynamic-map DYN_MAP 20 the value reverse-road

address for correspondence outside_map 20 card crypto VPN - USA

card crypto outside_map 20 peers set othersite2 site1

card crypto outside_map 20 transform-set trans_set

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 20

preshared authentication

the Encryption

md5 hash

Group 2

lifetime 28800

Telnet timeout 5

SSH timeout 25

Console timeout 0

dhcpd dns 8.8.8.8 UKserver

!

dhcpd address 172.18.2.100 - 172.18.2.149 inside

dhcpd allow inside

!

dhcpd address 192.168.2.50 - 192.168.2.74 GuestWiFi

enable GuestWiFi dhcpd

!

no basic threat threat detection

no statistical access list - a threat detection

no statistical threat detection tcp-interception

WebVPN

internal USER_VPN group policy

USER_VPN group policy attributes

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list Split_Tunnel_List

the authentication of the user activation

tunnel-group othersite2 type ipsec-l2l

othersite2 group of tunnel ipsec-attributes

pre-shared-key *.

type tunnel-group USER_VPN remote access

attributes global-tunnel-group USER_VPN

address pool ClientVPN

Authentication-server group (external vpn)

Group Policy - by default-USER_VPN

IPSec-attributes tunnel-group USER_VPN

pre-shared-key *.

tunnel-group site1 type ipsec-l2l

tunnel-group ipsec-attributes site1

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect the rsh

inspect the rtsp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:d000c75c8864547dfabaf3652d81be71

: end

Hello

The output seems to say that traffic is indeed transmitted to connect VPN L2L

Can you PING from hosts on the network 172.18.2.0/24 to the hosts on the network 172.17.2.0/24?

Have you tried several different target hosts on the network you are trying to ping while might exclude us actual devices are not just meeting the specifications these PINGs?

-Jouni

How to restrict the tunnel VPN Site to site traffic thrue

Hello

I have a tunnel from site to site, where Site 1 is the local site and main site. and 2 the site is the remote site.

How to limit the traffic of site 2, so that they can only reach a few IPS on the lokal site.

But since the lokal site all IP addresses must be able to reach all of the IP addresses to site 2 (remotely).

an access list to the 'inside' interface does not work, since all the acl is bypassed for the interfaces for IPSEC traffic.

Then, I tried to make a political group where I only allow traffic to servers specifik, but site 2 can still reach everything on the lokal site.

Am I missing here?

Best regards

Erik

Hi Erik,

Unfortunately, the only options that we have are VPN filters that are two-way and disabling the sysopt feature.

If you have a core switch/router we can block traffic on this device by using the access list or null routes.

See you soon,.

Nash.

How to install the VPN Client and the tunnel from site to site on Cisco 831

How can I configure a Cisco 831 router (Branch Office) so that it will accept incoming VPN Client connections and initiate tunneling IPSec site to site on our hub site that uses a VPN 3005 concentrator? I could get the tunnel to work by configuring it in a dynamic encryption card, but interesting traffic side Cisco 831 would not bring the tunnel upward. I could only put on the side of the hub. If I use a static encryption card and apply it to the external interface of the 831 I can get this working but then I couldn't get the VPN Client to work.

Thank you.

The dynamic map is called clientmap
The static map is called mymap

You should have:

no card crypto not outmap 10-isakmp ipsec dynamic dynmap
map mymap 10-isakmp ipsec crypto dynamic clientmap

interface Ethernet1
crypto mymap map

Federico.

tunnel from site to site between 836 with IP dyn and pix

Hi netpros,.

can you point me to documentation to implement a tunnel vpn site-to-site between cisco 836 router (dyn IP, pppoe) firewall cisco pix 515 favorite simple configuration (psk etc.). Can't find anything useful on cisco.com.

any help appreciated.

Thanks in advance,

Jürgen Bauer

http://www.Cisco.com/warp/public/471/pix_router_dyn.html

Equivalent to define peer on ASA - tunnel alternative site L2L

Similar Questions

Maybe you are looking for