Error sending VPN tunnel

Hello

I have a VPN with satellite office. The user reported that session drops with my server @ DC. User is able to reconnect to a session and pick up where they have left off. This is why it seems as if the server did not realize that they were not yet connected. Can anyone provide technical expertise on the enigmatic question?

This could be the cause of these errors?

Router # 891

crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key 6. #@ $# ^ $% @(@*#) IP (remote Peer)
!
!
Crypto ipsec transform-set MY esp-3des esp-sha-hmac
!
MY_VPN 10 ipsec-isakmp crypto map
defined by the peers (remote Peer IP)
transformation-MY game
match address ACL_MY_VPN

interface FastEthernet8
OUT of THEIR internet description
address IP (Ip address) 255.255.255.128
no ip redirection
no ip unreachable
no ip proxy-arp
automatic duplex
automatic speed
card crypto MY_VPN

ACL_MY_VPN extended IP access list
allow an ip 10.x.220.0 0.0.0.255
allow an ip 10.x.221.0 0.0.0.255
allow an ip 10.x.222.0 0.0.0.255

ROUTER891 #sh crypto ipsec his

Interface: FastEthernet8
Tag crypto map: MY_VPN, local Peer addr (address ip x.x.x.x)

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.x.220.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
current_peer (ip address z.z.z.z) port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 887637, #pkts encrypt: 887637, #pkts digest: 887637
#pkts decaps: 992370, #pkts decrypt: 992370, #pkts check: 992370
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
    Errors in #send 8, #recv errors 0

local crypto Peer endpt. : (the ip address x.x.x.x), remote Start Peer crypto. : (ip address z.z.z.z)
Path mtu 1500, mtu 1500 ip, ip mtu BID FastEthernet8
current outbound SPI: 0xED21C8D0 (3978414288)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:
SPI: 0x3FC8FC31 (1070136369)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 37, flow_id: VPN:37 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4580137/3089)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xED21C8D0 (3978414288)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 38, flow_id: VPN:38 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4580098/3089)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.x.221.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
current_peer (ip address z.z.z.z) port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 18753258, #pkts encrypt: 18753258, #pkts digest: 18753258
#pkts decaps: 16815594, #pkts decrypt: 16815594, #pkts check: 16815594
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
    #send 3438, errors #recv errors 0

local crypto Peer endpt. : (the ip address x.x.x.x), remote Start Peer crypto. : (ip address z.z.z.z)
Path mtu 1500, mtu 1500 ip, ip mtu BID FastEthernet8
current outbound SPI: 0x58A07B0 (92932016)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:
SPI: 0xAE72C947 (2926758215)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 41, flow_id: VPN:41 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4398843/3128)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0x58A07B0 (92932016)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 42, flow_id: VPN:42 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4398881/3128)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.x.222.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
current_peer (ip address z.z.z.z) port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 3500166, #pkts encrypt: 3500166, #pkts digest: 3500166
#pkts decaps: 3654295, #pkts decrypt: 3654295, #pkts check: 3654295
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
    Errors of #send 1565, #recv errors 0

local crypto Peer endpt. : (the ip address x.x.x.x), remote Start Peer crypto. : (ip address z.z.z.z)
Path mtu 1500, mtu 1500 ip, ip mtu BID FastEthernet8
current outbound SPI: 0xDE39F6D3 (3728340691)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:
SPI: 0xDFC9D904 (3754547460)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 39, flow_id: VPN:39 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4547977/3107)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xDE39F6D3 (3728340691)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 40, flow_id: VPN:40 on board, sibling_flags 80000046, crypto card: MY_VPN
calendar of his: service life remaining (k/s) key: (4547976/3107)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:
ROUTER # 891

Send errors increase when the traffic matches a policy but IPsec SA was not yet up. I'm not aware of any other circumstances.

It's a long shot, but it is possible that there is generate a new key stage 2 don't not taking place or not quick enough which causes part of the traffic to fall while the new IPsec security association is being negotiated. What could explain what users, see but... it's a long shot.

I would look first for other reasons.

Tags: Cisco Security

Similar Questions

  • VPN tunnel stopped sending traffic

    Hello

    One of our VPN tunnels ceased to send traffic... Is there a way where we can reset the tunnel again because I know that there is no change in config on the tunnel

    THX

    Shyam

    Hi Shyam,

    To clear the tunnel, you can make one:

    PIX:

    clear the isa cry his

    delete the ipsec cry his

    IOS:

    cry clear isa

    Claire crying its

    HTH,

    Rate if this helped!

    -Kanishka

  • VPN tunnel between the concentrator 3005 and router Cisco 827

    I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

    There is a router of perimeter with access set up in front of the 3005 list.

    I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

    I get the following message appears when I try to ping a local host in the Central site.

    Can Anyoune give me the correct steps to 827 and 3005.

    Thank you

    CCNP Ansar.

    ------------------------------------------------------------------------------------------------------

    Debug crypto ISAKMP

    encryption of debugging engine

    Debug crypto his

    debug output

    ------------------

    1d20h: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

    local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

    remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

    Protocol = ESP, transform = esp - esp-md5-hmac.

    lifedur = 3600 s and KB 4608000,

    SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

    1d20h: ISAKMP: ke received message (1/1)

    1d20h: ISAKMP: 500 local port, remote port 500

    1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

    Former State = new State IKE_READY = IKE_I_MM1

    1d20h: ISAKMP (0:1): early changes of Main Mode

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: IPSEC (key_engine): request timer shot: count = 1,.

    You must also allow the esp Protocol in your ACL.

    access-list 101 permit esp any host x.x.x.x (address of the hub)

    Hope this helps,

    -Nairi

  • ASA base S2S VPN, Tunnel establishes only when interesting traffic hits to end distance

    Dear all,

    I need your help to solve the problem mentioned below.

    VPN tunnel established between the unit two ASA.   A DEVICE and device B

    (1) if interesting traffic initiates a LAN device. traffic ACL hits. TUNEL is not coming

    (2) if interesting traffic initiates B LAN device. Tunnel will establish all the works of serivces

    (3) after the Tunnel device establishmnet B. We forced to tunnel down at both ends. Interesting again traffic initiates device a surpringly tunnel

    will go up.   After 2 or 3 days (after life expire 86400 seconds) initiated traffic of device A, tunnel will not esatblish.

    (it comes to rescue link: interesting won't be there all the time.)

    checked all parametrs, everthing seems fine. Here are the logs of attached but not more informative debugging on the balls. Please suggest.

    February 2, 2010 13:23:17: % ASA-7-713236: IP = 81.145.x.x, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 496

    February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

    February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

    February 2, 2010 13:23:23: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

    February 2, 2010 13:23:25: % ASA-7-715065: IP = 81.x.x.x, history of mistake IKE MM Initiator WSF (struct & 0x1abb1e10) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

    February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

    February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, sending clear/delete with the message of reason

    February 2, 2010 13:23:25: % ASA-3-713902: IP = 81.x.x.x, counterpart of drop table counterpart, didn't match!

    February 2, 2010 13:23:25: % ASA-4-713903: IP = 81.x.x.x, error: cannot delete PeerTblEntry

    Hi, I have a similar problem a long time ago. You can choose which set up the tunnel in your crypto card:

    card crypto bidirectional IPsec_map 1 set-type of connection

    I hope that it might help to solve your problem. Kind regards.

  • FAILURE OF VPN TUNNEL

    Hello guys,.

    I have an ASA 5505 firewall tries to create a VPN tunnel from site to site with a router of 2621 running Advanced IP services. The tunnel keeps do not and I don't know why. Below is the config.

    !
    hostname SeCuReWaLL
    domain default.domain.invalid
    activate 2KFQnbNIdI.2KYOU encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    name 192.168.2.0 outside
    name 192.168.3.0 inside
    !
    interface Vlan1
    Description of network links extended to outside of the
    nameif outside
    security-level 0
    192.168.2.101 IP address 255.255.255.0
    !
    interface Vlan2
    Description within a private network
    nameif inside
    security-level 100
    address 192.168.3.1 IP 255.255.255.0
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    Shutdown
    !
    interface Ethernet0/3
    Shutdown
    !
    interface Ethernet0/4
    Shutdown
    !
    interface Ethernet0/5
    Shutdown
    !
    interface Ethernet0/6
    Shutdown
    !
    interface Ethernet0/7
    Shutdown
    !
    boot system Disk0: / asa822 - k8.bin
    passive FTP mode
    DNS server-group DefaultDNS
    domain default.domain.invalid
    allow inside_access_in to access extended list ip inside outside 255.255.255.0 255.255.255.0
    outside_access_in list extended access permit icmp any any echo response
    site_router to access extended list ip inside 255.255.255.0 allow 192.168.5.0 255.255.255.0
    pager lines 24
    Outside 1500 MTU
    Within 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 625.bin
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 0-list of access site_router
    NAT (inside) 1 inside 255.255.255.0
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    Outdoor 192.168.5.0 255.255.255.0 192.168.2.107 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    HTTP inside 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    peer set card crypto ipsec_map 10 192.168.2.107
    card crypto ipsec_map 10 transform-set secure_set
    ipsec_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    md5 hash
    Group 5
    lifetime 28800
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    dhcpd dns 192.168.2.1
    !
    dhcpd address 192.168.3.10 - 192.168.3.40 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
    tunnel-group 192.168.2.107 type ipsec-l2l
    IPSec-attributes tunnel-group 192.168.2.107
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:a6ffc4e9572dbee8e526c3013a96a510
    : end

    !
    InternetRouter hostname
    !
    boot-start-marker
    boot-end-marker
    !
    !
    No aaa new-model
    no location network-clock-participate 1
    No network-clock-participate wic 0
    IP cef
    !
    !
    !
    !
    no ip domain search
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto ISAKMP policy 10
    BA 3des
    md5 hash
    preshared authentication
    Group 5
    lifetime 28800
    key cisco address 192.168.2.101 crypto ISAKMP xauth No.
    !
    !
    Crypto ipsec transform-set esp-3des secure_set
    !
    ipsec_map 10 ipsec-isakmp crypto map
    defined peer 192.168.2.101
    Set transform-set secure_set
    match the address router_site
    !
    !
    !
    !
    interface Loopback0
    192.168.5.1 IP address 255.255.255.0
    !
    interface FastEthernet0/0
    IP 192.168.2.107 255.255.255.0
    automatic duplex
    automatic speed
    ipsec_map card crypto
    !
    interface Serial0/0
    no ip address
    Shutdown
    !
    interface FastEthernet0/1
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    interface Serial0/1
    no ip address
    Shutdown
    !
    IP route 192.168.3.0 255.255.255.0 192.168.2.101
    !
    !
    IP http server
    no ip http secure server
    !
    router_site extended IP access list
    ip licensing 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
    !
    !
    !
    !
    control plan
    !
    !
    !
    Voice-port 1/0/0
    !
    Voice-port 1/0/1
    !
    Voice-port 1/1/0
    !
    Voice-port 1/1/1
    !
    !
    !
    !
    !
    !
    !
    !
    Line con 0
    exec-timeout 0 0
    Synchronous recording
    line to 0
    line vty 0 4
    opening of session
    !
    !
    end

    InternetRouter #debug isakmp crypto
    Crypto ISAKMP debug is on
    InternetRouter #ping
    Protocol [ip]:
    Target IP address: 192.168.3.10
    Number of repetitions [5]:
    Size of datagram [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Address source or interface: 192.168.5.1
    Type of service [0]:
    Set the DF bit in the IP header? [None]:
    Validate the response data? [None]:
    Data model [0xABCD]:
    In bulk, Strict, Record, Timestamp, Verbose [no]:
    Scan the range of sizes [n]:
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.3.10, time-out is 2 seconds:
    Packet sent with the address source 192.168.5.1

    * 01:49:47.699 Mar 1: ISAKMP: ke received message (1/1)
    * 01:49:47.699 Mar 1: ISAKMP: (0:0:N / A:0): THE application profile is (NULL)
    * 01:49:47.699 Mar 1: ISAKMP: created a struct peer 192.168.2.101, peer port 500
    * 01:49:47.699 Mar 1: ISAKMP: new created position = 0x8553C778 peer_handle = 0 x 80000013
    * 01:49:47.699 Mar 1: ISAKMP: lock struct 0x8553C778, refcount IKE peer 1 for isakmp_initiator
    * 01:49:47.699 Mar 1: ISAKMP: 500 local port, remote port 500
    * 01:49:47.699 Mar 1: ISAKMP: set new node 0 to QM_IDLE
    * 01:49:47.703 Mar 1: insert his with his 84074CC8 = success
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): cannot start aggressive mode, try the main mode.
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-07 ID NAT - t
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built of NAT - T of the seller-03 ID
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-02 ID NAT - t
    * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_READY = IKE_I_MM1

    * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): early changes of Main Mode
    * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): send package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_NO_STATE
    * 01:49:47.711 Mar 1: ISAKMP (0:0): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_NO_STATE
    * 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_I_MM1 = IKE_I_MM2

    * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): treatment ITS payload. Message ID = 0
    * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
    * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibilite.123
    * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): provider ID is NAT - T v2
    * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
    * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 194
    * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
    * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): pre-shared key local found
    * 01:49:47.719 Mar 1: ISAKMP: analysis of the profiles for xauth...
    * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): audit ISAKMP transform 1 against the policy of priority 10
    * 01:49:47.719 Mar 1: ISAKMP: 3DES-CBC encryption
    * 01:49:47.719 Mar 1: ISAKMP: MD5 hash
    * 01:49:47.719 Mar 1: ISAKMP: group by default 5
    * 01:49:47.719 Mar 1: ISAKMP: pre-shared key auth
    * 01:49:47.723 Mar 1: ISAKMP: type of life in seconds
    * 01:49:47.723 Mar 1: ISAKMP: life (basic) of 28800
    * 01:49:47.723 Mar 1: ISAKMP: (0:0:N / A:0): atts are acceptable. Next payload is 0
    * 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 123
    * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID is NAT - T v2
    * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 194
    * 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM2

    * 1 Mar 01:49:48.127: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_SA_SETUP
    * 01:49:48.127 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 01:49:.48.131 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM3

    * 01:49:48.383 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_SA_SETUP
    * 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM3 = IKE_I_MM4

    * 1 Mar 01:49:48.387: ISAKMP:(0:1:SW:1): processing KE payload. Message ID = 0
    * 1 Mar 01:49:48.887: ISAKMP:(0:1:SW:1): processing NONCE payload. Message ID = 0
    * 01:49:48.887 Mar 1: ISAKMP: (0:1:SW:1): found peer pre-shared key matching 192.168.2.101
    * 01:49:48.891 Mar 1: ISAKMP: (0:1:SW:1): SKEYID generated State
    * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is the unit
    * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 145
    * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
    * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): speaking to another box of IOS!
    * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): supplier code seems the unit/DPD but hash mismatch
    * 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
    * 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
    * 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM4

    * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): send initial contact
    * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): ITS been pr.e using id ID_IPV4_ADDR type shared-key authentication
    * 01:49:48.899 Mar 1: ISAKMP (0:134217729): payload ID
    next payload: 8
    type: 1
    address: 192.168.2.107
    Protocol: 17
    Port: 500
    Length: 12
    * 01:49:48.903 Mar 1: ISAKMP: (0:1:SW:1): the total payload length: 12
    * 1 Mar 01:49:48.903: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    * 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM5

    * 01:49:48.907 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_KEY_EXCH
    * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): payload ID for treatment. Message ID = 0
    * 01:49:48.911 Mar 1: ISAKMP (0:134217729): payload ID
    next payload: 8
    type: 1
    address: 192.168.2.101
    Protocol: 17
    Port: 0
    Length: 12
    * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): peer games * no * profiles
    * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 0
    * 01:49:48.915 Mar 1: ISAKMP: received payload type 17
    * 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
    * 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): vendor ID is DPD
    * 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA authentication status:
    authenticated
    * 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA has been authenticated with 192.168.2.101
    * 01:49:48.915 Mar 1: ISAKMP: attempts to insert a 192.168.2.107/192.168.2.101/500/ peer and inserted 8553 778 successfully.
    * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1.): O State of LD = new State IKE_I_MM5 = IKE_I_MM6

    * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_I_MM6

    * 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

    * 01:49:48.927 Mar 1: ISAKMP: (0:1:SW:1): start Quick Mode Exchange, M - ID of 590019425
    * 1 Mar 01:49:48.931: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
    * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entrance, node-590019425 = IKE_MESG_INTERNAL, IKE_INIT_QM
    * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    * 01:49:48.935 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    * 01:49:48.939 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
    * 01:49:48.939 Mar 1: ISAKMP: node set 330122531 to QM_IDLE
    * 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 330122531
    * 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): treatment protocol NOTIFIER INVALID_ID_INFO 1
    0, message ID SPI = 330122531, a = 84074CC8
    * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): the peer is not paranoid KeepAlive.

    * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (ext. 192.168.2.101)
    * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove error node 330122531 FALSE reason 'informational (en) st.
    Success rate is 0% (0/5)
    InternetRouter #ate 1 "
    * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    * 01:49:48.947 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    * 01:49:48.947 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
    * 01:49:48.951 Mar 1: ISAKMP: node set-412204705 to QM_IDLE
    * 1 Mar 01:49:48.951: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
    * 01:49:48.951 Mar 1: ISAKMP: (0:1:SW:1): purge the node-412204705
    * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

    * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): removal of HIS State "No reason" why (I) QM_IDLE (ext. 192.168.2.101)
    * 01:49:48.955 Mar 1: ISAKMP: Unlocking IKE struct 0x8553C778 for isadb_mark_sa_deleted(), count 0
    * 01:49:48.959 Mar 1: ISAKMP: delete peer node by peer_reap for 192.168.2.101: 8553 778
    * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): error in node-590019425 FALSE reason for deletion "deleted IKE."
    * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): node error 330122531 FALSE reason for deletion "removed IKE."
    * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_DEST_SA = IKE_DEST_SA

    Hello

    I gave a quick scan here for the configuration on both devices, found two or three commands are missing from the configuration of the ASA

    ASA
    ---

    card crypto ipsec_map 10 correspondence address site_router

    outside_access_in list extended access udp allowed any any eq 500
    outside_access_in list extended access udp allowed any any eq 4500
    outside_access_in list extended access allow esp a whole

    I'm assuming pre shared key defined on ASA cisco is the same on router

    On router
    ---------

    Try running the following commands: -.

    No crypto ipsec transform-set esp-3des secure_set
    Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set

    At the time of the opening of the tunnel, please gather at the debug crypto isa 127 output and debug crypto ipsec 127 of ASA

    You can also check the configuration below document link

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

    Ignore the map route on router configuration contained in the above document *.

    HTH...

    Kind regards
    Mohit

  • Creation of VPN Tunnel / no connection is established

    Hello

    It's my first post on the Forums of Cisco, I hope you can help me with my problem. I'm trying to connecto to the network using a VPN from Site to Site connection using a router Cisco 1841 and Cisco PIX 515E. But for some reason, I couldn't connect the devices using a VPN configuration. Below I will list the device information of each:

    PIX

    Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor
    Flash E28F128J3 @ 0xfff00000, 16 MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    0: Ext: Ethernet0: the address is 0017.9514.5a3c, irq 10
    1: Ext: Ethernet1: the address is 0017.9514.5a3d, irq 11
    2: Ext: Ethernet2: the address is 000e.0caa.eaa0, irq 11

    The devices allowed for this platform:
    The maximum physical Interfaces: 3
    VLAN maximum: 10
    Internal hosts: unlimited
    Failover: disabled
    VPN - A: enabled
    VPN-3DES-AES: disabled
    Cut - through Proxy: enabled
    Guardians: enabled
    URL filtering: enabled
    Security contexts: 0
    GTP/GPRS: disabled
    VPN peers: unlimited

    This platform includes a restricted license (R).

    Router

    Cisco 1841 (revision 7.0) with 116736 14336 K/K bytes of memory.
    Card processor ID FTX1137W00L
    2 FastEthernet interfaces
    1 Serial interface (sync/async)
    1 module of virtual private network (VPN)
    Configuration of DRAM is 64 bits wide with disabled parity.
    191K bytes of NVRAM memory.
    31360K bytes of ATA CompactFlash (read/write)

    Here is the configuration of the router

    'VPN_TO_PIX' 10-isakmp ipsec crypto map
    By the peers = A.A.A.A
    Expand the IP 110 access list
    access-list 110 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255
    Current counterpart: A.A.A.A
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    PIX_CRYPTSET,
    }
    Interfaces using crypto card VPN_TO_PIX:
    FastEthernet0/0

    World IKE policy
    Priority protection Suite 10
    encryption algorithm: - Data Encryption STANDARD (56-bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: pre-shared Key
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: - Data Encryption STANDARD (56-bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit

    crypto ISAKMP policy 10
    preshared authentication
    ISAKMP crypto key PIX_VPN_2010 address A.A.A.A

    Crypto ipsec transform-set esp - esp-sha-hmac PIX_CRYPTSET
    !
    VPN_TO_PIX 10 ipsec-isakmp crypto map
    defined by peer A.A.A.A
    game of transformation-PIX_CRYPTSET
    match address 110

    Configuration of the PIX

    NAT (inside) 8 access-list VPN_TUNNEL

    VPN_TUNNEL to access extended list ip 10.10.0.0 allow 255.255.255.0 192.168.2.0 255.255.255.0

    Crypto ipsec transform-set esp - esp-sha-hmac PIX_CRYPTSET
    Crypto dynamic-map PIX_CRYPTSET_PIX 1 game of transformation-PIX_CRYPTSET
    card crypto VPN_TUNNEL_MAP 20 set peer B.B.B.B
    crypto VPN_TUNNEL_MAP 20 the transform-set PIX_CRYPTSET value card
    card crypto VPN_TUNNEL_MAP 30-isakmp dynamic ipsec PIX_CRYPTSET_PIX
    VPN_TUNNEL_MAP interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    the Encryption
    sha hash
    Group 2

    life 86400

    After you run the status of devices and this is the results:

    PIX

    SH crypto ipsec stat

    IPsec statistics
    -----------------------
    The active tunnels: 0
    Previous tunnels: 0
    Incoming traffic
    Bytes: 0
    Decompressed bytes: 0
    Package: 0
    Packet ignored: 0
    Review of failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
    Fragments of decapsules who need reassembly: 0
    Outgoing
    Bytes: 0
    Uncompressed bytes: 0
    Package: 0
    Packet ignored: 0
    Authentications: 0
    Authentication failures: 0
    Encryption: 0
    Encryption failures: 0
    Success of fragmentation: 0
    Fragmentation before successses: 0
    After fragmentation success stories: 0
    Fragmentation failures: 0
    Prior fragmentation failures: 0
    Fragmentation failures after: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
    Protocol of failures: 0
    Missing chess SA: 0
    System capacity: 0

    SH crypto ipsec stat

    IPsec statistics
    -----------------------
    The active tunnels: 0
    Previous tunnels: 0
    Incoming traffic
    Bytes: 0
    Decompressed bytes: 0
    Package: 0
    Packet ignored: 0
    Review of failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
    Fragments of decapsules who need reassembly: 0
    Outgoing
    Bytes: 0
    Uncompressed bytes: 0
    Package: 0
    Packet ignored: 0
    Authentications: 0
    Authentication failures: 0
    Encryption: 0
    Encryption failures: 0
    Success of fragmentation: 0
    Fragmentation before successses: 0
    After fragmentation success stories: 0
    Fragmentation failures: 0
    Prior fragmentation failures: 0
    Fragmentation failures after: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
    Protocol of failures: 0
    Missing chess SA: 0
    System capacity: 0

    Router

    Current state of the session crypto

    Interface: FastEthernet0/0
    The session state: down
    Peer: Port A.A.A.A 500
    FLOW IPSEC: allowed ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
    Active sAs: 0, origin: card crypto

    SH crypto ipsec his

    Interface: FastEthernet0/0
    Tag crypto map: VPN_TO_PIX, local addr A.A.A.A

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.10.0.0/255.255.255.0/0/0)
    current_peer 190.111.31.129 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 190.120.2.82, remote Start crypto. : 190.111.31.129
    Path mtu 1500, ip mtu 1500
    current outbound SPI: 0x0 (0)

    SAS of the esp on arrival:

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    outgoing ah sas:

    outgoing CFP sas:

    Any ideas, why is not made connection?, maybe a license restriction?

    Help, please.

    Best regards

    ASA pre-shared key is not configured through the command "isakmp crypto key.

    It would be by virtue of the following:

    IPSec-attributes tunnel-Group B.B.B.B

    pre-shared key

    On the router, NAT exemption access list is incorrect. The following ACL:

    access-list 111 deny ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 111 allow ip 10.10.0.0 0.0.0.255 any

    Need to replace:

    access-list 111 deny ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255
    access-list 111 permit ip 192.168.2.0 0.0.0.255 any

    Then the 'ip nat inside' and 'ip nat outside' is the reverse. You have configured the following:

    interface FastEthernet0/0
    IP nat inside

    interface FastEthernet0/1
    NAT outside IP

    It must be as follows:

    interface FastEthernet0/0
    NAT outside IP

    interface FastEthernet0/1
    IP nat inside

  • Help with a VPN tunnel between ASA 5510 and Juniper SSG20

    Hello

    We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

    After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

    Main branch
    1.1.1.2                                 1.1.1.1
    -----                                               -----------
    192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
    -----                                               -----------
    192.168.8.254 192.168.1.254

    According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

    It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

    Help is very appreciated.

    Thank you

    1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

    SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

    management-private access

    To initiate the ping of the private interface ASA:

    ping 192.168.1.254 private

    2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

    Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

    Hope that helps.

  • No traffic through the VPN tunnel but at the same time

    Hey everybody,

    Good enough at the end of my VPN configuration but I have a question. The VPN connection is established and the remote computer can set up a VPN with my router (phases 1 and 2 are ok) but I can't ping all devices on both sides. I think it might be something about the acl. I created an acl that I linked with my group of vpn, what should I do something with the card?

    Here is the configuration of the router

    AAA new-model

    !

    !

    local AuthentVPN AAA authentication login

    local AuthorizVPN AAA authorization network

    !

    AAA - the id of the joint session

    clock timezone GMT 1 0

    clock summer-time recurring GMT

    !

    IP cef

    !

    DHCP excluded-address IP 192.168.0.1 192.168.0.99

    !

    Authenticated MultiLink bundle-name Panel

    !

    VPDN enable

    !

    VPDN-group MyGroup

    !

    !

    model virtual Network1

    !

    username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    !

    redundancy

    !

    crypto ISAKMP policy 1

    BA aes 256

    preshared authentication

    Group 2

    life 3600

    !

    ISAKMP crypto client configuration group myVPN

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx key

    DNS 192.168.0.254

    pool IPPoolVPN

    ACL 100

    !

    !

    Crypto ipsec transform-set esp - aes esp-sha-hmac T1

    tunnel mode

    !

    !

    !

    crypto dynamic-map 10 DynMap

    game of transformation-T1

    market arriere-route

    !

    !

    list of authentication of crypto client myMap AuthentVPN map

    card crypto myMap AuthorizVPN isakmp authorization list

    client configuration address map myMap crypto answer

    card crypto myMap 100-isakmp dynamic ipsec DynMap

    !

    the Embedded-Service-Engine0/0 interface

    no ip address

    Shutdown

    !

    interface GigabitEthernet0/0

    no ip address

    automatic duplex

    automatic speed

    PPPoE enable global group

    PPPoE-client dial-pool-number 1

    No mop enabled

    !

    interface GigabitEthernet0/1

    LAN description

    no ip address

    automatic duplex

    automatic speed

    No mop enabled

    !

    interface GigabitEthernet0/1.1

    LAN description

    encapsulation dot1Q 1 native

    IP 192.168.0.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    IP tcp adjust-mss 1452

    !

    interface Dialer1

    MTU 1492

    the negotiated IP address

    IP access-group RESTRICT_ENTRY_INTERNET in

    NAT outside IP

    IP virtual-reassembly in

    encapsulation ppp

    Dialer pool 1

    Dialer-Group 1

    PPP authentication pap callin

    PPP chap hostname xxxx

    PPP chap password 0 xxxx

    PPP pap sent-name of user password xxxxx xxxx 0

    crypto myMap map

    !

    IP pool local IPPoolVPN 192.168.10.0 192.168.10.100

    IP forward-Protocol ND

    !

    IP http server

    23 class IP http access

    local IP http authentication

    IP http secure server

    IP http timeout policy slowed down 60 life 86400 request 10000

    !

    The dns server IP

    IP dns primary GVA. SOA INTRA NS. GUAM INTRA [email protected] / * / 21600 900 7776000 86400

    IP nat inside source list 10 interface Dialer1 overload

    overload of IP nat inside source list 11 interface Dialer1

    overload of IP nat inside source list 20 interface Dialer1

    overload of IP nat inside source list 30 interface Dialer1

    overload of IP nat inside source list 110 interface Dialer1

    IP route 0.0.0.0 0.0.0.0 Dialer1

    Route IP 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1

    IP route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2

    !

    RESTRICT_ENTRY_INTERNET extended IP access list

    TCP refuse any any eq telnet

    TCP refuse any any eq 22

    TCP refuse any any eq www

    TCP refuse any any eq 443

    TCP refuse any any eq field

    allow udp any any eq 50

    allow an ip

    !

    Dialer-list 1 ip protocol allow

    !

    !

    SNMP - server RO G community

    public RO SNMP-server community

    entity-sensor threshold traps SNMP-server enable

    access-list 10 permit 192.168.0.0 0.0.0.255

    access-list 11 permit 192.168.1.0 0.0.0.255

    access-list 20 allow 192.168.2.0 0.0.0.255

    access-list 30 allow 192.168.3.0 0.0.0.255

    access-list 100 permit ip 0.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

    access ip-list 110 permit a whole

    I don't know if it useful, but here is the view the crypto ipsec command his:

    Interface: Dialer1

    Tag crypto map: myMap, local addr 213.3.1.13

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.10.12/255.255.255.255/0/0)

    current_peer 109.164.161.35 port 49170

    LICENCE, flags is {}

    #pkts program: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 0 errors

    local crypto endpt. : 213.3.1.13, remote Start crypto. : 109.164.161.35

    Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

    current outbound SPI: 0x54631F8B (1415782283)

    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:

    SPI: 0x8C432353 (2353210195)

    transform: aes - esp esp-sha-hmac.

    running parameters = {Tunnel UDP-program}

    Conn ID: 2033, flow_id: VPN:33 on board, sibling_flags 80000040, crypto card: myMap

    calendar of his: service life remaining (k/s) key: (4212355/1423)

    Size IV: 16 bytes

    support for replay detection: Y

    Status: ACTIVE (ACTIVE)

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    SPI: 0x54631F8B (1415782283)

    transform: aes - esp esp-sha-hmac.

    running parameters = {Tunnel UDP-program}

    Conn ID: 2034, flow_id: VPN:34 on board, sibling_flags 80000040, crypto card: myMap

    calendar of his: service life remaining (k/s) key: (4212354/1423)

    Size IV: 16 bytes

    support for replay detection: Y

    Status: ACTIVE (ACTIVE)

    outgoing ah sas:

    outgoing CFP sas:

    And on the side of the customer, when I go to the status of--> statistics, all packages have been circumvented, nobody is encrypted

    Thanks for your help!

    Sylvain,

    Let me explain again:

    IP nat inside source list 10 interface Dialer1 overload

    overload of IP nat inside source list 110 interface Dialer1

    Here you are from two ACL, but they are the same with the difference, that NAT 10 110 also but WITHOUT user VPN and everything inside. Problem is that 10 matches first, if the connection will not work. You can disable entry NAT with 10 110 because that will also:

    no nat ip inside the source list 10 interface Dialer1 overload

    That should be enough.

    Michael

    Please note all useful posts

  • RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

    Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

    In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

    Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

    System log
    Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
     
    Time
    Type of event Message
    2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
    2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
    2 sep 03:36:02 2009 VPN Log Main Mode initiator
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
    2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
    2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
    2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
    2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
    2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
    2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
    2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
    2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
    2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
    2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
    2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
    2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

    PFS - off on tada and linksys router does not support the samsung lol! connected!

  • ASA Syslog via a VPN Tunnel

    Hi all

    I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.

    The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.

    I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.

    Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.

    Any help is appreciated.

    Best regards

    Stefan

    You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.

    Make sure you also do "access management".

    Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.

    I hope it helps.

    PK

  • Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

    I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

    I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

    I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
    =========================================================

    Here is a skeleton of the FWa configuration:

    name 172.16.1.0 network-inside
    name 192.168.20.0 HprCnc Thesys
    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name S.S.S.S outside-interface

    interface Vlan1
    nameif inside
    security-level 100
    IP 172.16.1.1 255.255.255.0
    !
    interface Vlan2
    Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
    nameif outside
    security-level 0
    outside interface IP address 255.255.255.240

    the DM_INLINE_NETWORK_5 object-group network
    network-object HprCnc Thesys 255.255.255.0
    ring52-network 255.255.255.0 network-object
    ring53-network 255.255.255.0 network-object

    the DM_INLINE_NETWORK_3 object-group network
    ring52-network 255.255.255.0 network-object
    network-object HprCnc Thesys 255.255.255.0
    ring53-network 255.255.255.0 network-object

    outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
    inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
    permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

    NAT (inside) 0 access-list sheep
    NAT (inside) 101-list of access inside_nat_outbound
    NAT (inside) 101 0.0.0.0 0.0.0.0
    NAT (outside) 0-list of access Outside_nat0_outbound

    card crypto VPN 5 corresponds to the address Outside_5_cryptomap
    card crypto VPN 5 set pfs Group1
    VPN 5 set peer D.D.D.D crypto card
    VPN 5 value transform-set VPN crypto card
    tunnel-group D.D.D.D type ipsec-l2l
    IPSec-attributes tunnel-Group D.D.D.D
    pre-shared key *.

    =========================================================

    FWb:

    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name 10.51.100.0 ring51-network
    name 10.54.100.0 ring54-network

    interface Vlan1
    nameif inside
    security-level 100
    address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address IP D.D.D.D 255.255.255.240
    !
    interface Vlan52
    prior to interface Vlan1
    nameif inside2
    security-level 100
    IP 10.52.100.10 255.255.255.0

    the DM_INLINE_NETWORK_3 object-group network
    ring52-network 255.255.255.0 network-object
    ring53-network 255.255.255.0 network-object

    the DM_INLINE_NETWORK_2 object-group network
    ring52-network 255.255.255.0 network-object
    object-network 192.168.20.0 255.255.255.0
    ring53-network 255.255.255.0 network-object

    inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
    inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

    outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside2_nat0_outbound (inside2) NAT 0 access list
    NAT (inside2) 1 0.0.0.0 0.0.0.0

    Route inside2 network ring51 255.255.255.0 10.52.100.1 1
    Route inside2 network ring53 255.255.255.0 10.52.100.1 1
    Route inside2 network ring54 255.255.255.0 10.52.100.1 1

    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs Group1
    outside_map game 1 card crypto peer S.S.S.S
    card crypto outside_map 1 set of transformation-ESP-3DES-SHA
    outside_map interface card crypto outside

    tunnel-group S.S.S.S type ipsec-l2l
    IPSec-attributes tunnel-group S.S.S.S
    pre-shared key *.

    =========================================================================
    I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

    Ping Successul FWa inside the interface on FWb

    FWa # ping 192.168.20.1
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
    Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
    ! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
    ....

    FWb #.
    Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
    ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
    ==============================================================================
    Successful ping of Fwa on a host connected to the inside interface on FWb

    FWa # ping 192.168.20.15
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
    ! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
    ...

    FWb #.
    Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
    ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

    ===========================
    Unsuccessful ping of FWa to inside2 on FWb interface

    FWa # ping 10.52.100.10
    Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
    ? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
    ...

    FWb #.
    10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
    10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
    ....

    ==================================================================================

    Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

    FWa # ping 10.52.100.1
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
    Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

    FWb #.
    Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
    Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

    =======================

    Thank you

    Hi odelaporte2,

    Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

    This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

    It may be useful

    -Randy-

  • How to limit the bandwidth in the VPN Tunnels in RV082?

    Hello

    It is possible to limit the bandwidth of the IPSEC VPN Tunnels or the traffic that goes through the tunnels?

    Use IP addresses or port numbers the same way and clients when limiting bandwidth to clients in the local network?

    Thank you very much

    Oliver

    There is a way to solve internal IP addresses, protocols or ports and specify the bandwidth

    I send you the links to access information on how to set it up.

    http://www6.nohold.NET/Cisco2/GetArticle.aspx?docid=3c09b393e3744ffd98330fd0031a4aa2_4228.XML&PID=80&converted=0

  • RV016 split support VPN tunnel?

    I read a rumor that the RV016 does not support split VPN tunnels.

    See here:

    http://www.SmallNetBuilder.com/lanwan/lanwan-reviews/31525-Cisco-RV082-and-RV016-v3-VPN-routers-reviewed

    My understanding is that on my router RV042 VPN tunnels will send internet traffic to the local gateway and send the traffic through the VPN tunnel only if they are intended for the remote subnet.  It is my understanding of the "split tunnel".

    Is it not true with the RV016?

    Your understanding on split tunnel is correct. RV016 behaves like RV042 in this regard.

  • Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

    HelloW everyone.

    I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

    but the vpn does not come to the top. can someone tell me what can be the root cause?

    Here is the configuration of twa asa: (I changed the ip address all the)

    Singapore:

    See the race
    ASA 2.0000 Version 4
    !
    ASA5515-SSG520M hostname
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.15.4 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.5.3 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 160.83.172.8 255.255.255.224
    <--- more="" ---="">
                  
    !
    <--- more="" ---="">
                  
    interface GigabitEthernet0/3
    <--- more="" ---="">
                  
    Shutdown
    <--- more="" ---="">
                  
    No nameif
    <--- more="" ---="">
                  
    no level of security
    <--- more="" ---="">
                  
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.219 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    connection of the banner ^ C please disconnect if you are unauthorized access ^ C
    connection of the banner please disconnect if you are unauthorized access
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    network of the SG object
    <--- more="" ---="">
                  
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.15.202
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    <--- more="" ---="">
                  
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.15.0_24 object
    192.168.15.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    debugging in the history record
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    no failover
    <--- more="" ---="">
                  
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
    !
    network of the SG object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
    Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
    Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
    Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    <--- more="" ---="">
                  
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server

    Community trap SNMP-server host test 192.168.168.231 *.
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps syslog
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 103.246.3.54
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group 143.216.30.7 type ipsec-l2l
    tunnel-group 143.216.30.7 General-attributes
    Group Policy - by default-GroupPolicy1
    <--- more="" ---="">
                  
    IPSec-attributes tunnel-group 143.216.30.7
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    Overall description
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    <--- more="" ---="">
                  
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:ccce9a600b491c8db30143590825c01d
    : end

    Malaysia:

    :
    ASA 2.0000 Version 4
    !
    hostname ASA5515-SSG5-MK
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.6.70 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.12.2 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 143.216.30.7 255.255.255.248
    <--- more="" ---="">
                  
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.218 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    <--- more="" ---="">
                  
    Interface Port - Channel 1
    No nameif
    no level of security
    IP 1.1.1.1 255.255.255.0
    !
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    clock timezone GMT + 8 8
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    <--- more="" ---="">
                  
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.6.23
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.2.0_24 object
    192.168.6.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    asdm of logging of information
    <--- more="" ---="">
                  
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    reverse IP check management interface path
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
    NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
    !
    network of the MK object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
    <--- more="" ---="">
                  
    Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
    Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
    Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    Enable http server

    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 160.83.172.8
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    SSH timeout 60
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    <--- more="" ---="">
                  
    tunnel-group MK SG type ipsec-l2l
    IPSec-attributes tunnel-group MK-to-SG
    IKEv1 pre-shared-key *.
    tunnel-group 160.83.172.8 type ipsec-l2l
    tunnel-group 160.83.172.8 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 160.83.172.8
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    <--- more="" ---="">
                  
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Good news, that VPN has been implemented!

    According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

    Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

    In addition, you can try to enable ICMP inspection:

    Policy-map global_policy
    class inspection_default

    inspect the icmp

    inspect the icmp error

  • VPN Tunnel access to several subnets ASA 5505

    Greetings,

    We spent a little time trying to configure our ASA 5505 in order to TUNNEL into several different subnets.  Subnets include 192.168.1.0 / 192.168.2.0 / 192.168.10.0

    Someone is about to review this setup running and indicate where we have gone wrong.   When I connect via the VPN Client, I can access the 192.168.1.0 network, no problem.  But fail to reach the other two.   Thank you very much.

    Output from the command: 'show running-config '.

    : Saved

    :

    ASA Version 8.2 (5)

    !

    hostname BakerLofts

    activate kn7RHw13Elw2W2eU encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    switchport access vlan 12

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.254 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 74.204.54.4 255.255.255.248

    !

    interface Vlan12

    nameif Inside2

    security-level 100

    IP address 192.168.10.254 255.255.255.0

    !

    passive FTP mode

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

    outside_access_in of access allowed any ip an extended list

    inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.3.0 255.255.255.0

    Inside2_access_in of access allowed any ip an extended list

    permit Inside2_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 Inside2

    IP local pool vpn 192.168.3.1 - 192.168.3.254 mask 255.255.255.0

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    NAT (outside) 0 192.168.3.0 255.255.255.0 outside

    NAT (Inside2) 0-list of access Inside2_nat0_outbound

    NAT (Inside2) 1 0.0.0.0 0.0.0.0

    Access-group outside_access_in in interface outside

    Access-group Inside2_access_in in the interface Inside2

    Route outside 0.0.0.0 0.0.0.0 74.204.54.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication enable LOCAL console

    AAA authentication LOCAL telnet console

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    Crypto ca trustpoint _SmartCallHome_ServerCA

    Configure CRL

    Crypto ca certificate chain _SmartCallHome_ServerCA

    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

    308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130

    010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a

    30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

    13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504

    0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

    20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269

    65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d

    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

    30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b

    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

    496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65

    74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332

    68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329

    302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f

    63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d

    010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597

    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc

    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

    1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd

    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201

    082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868

    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101

    ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff

    45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777

    2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a

    1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

    03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973

    69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403

    02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1

    6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b

    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

    1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603

    445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04

    1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d

    2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101

    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

    b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

    99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018

    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

    6c2527b9 deb78458 c61f381e a4c4cb66

    quit smoking

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet 192.168.1.0 255.255.255.0 inside

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal vpn group policy

    attributes of vpn group policy

    value of server DNS 8.8.8.8

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpn_splitTunnelAcl

    username, password samn aXJbUl92B77AGcc. encrypted privilege 0

    samn attributes username

    Strategy-Group-VPN vpn

    username password encrypted QUe2MihLFbj2.Iw0 privilege 0 jmulwa

    username jmulwa attributes

    Strategy-Group-VPN vpn

    jangus Uixpk4uuyEDOu9eu username encrypted password

    username jangus attributes

    Strategy-Group-VPN vpn

    vpn tunnel-group type remote access

    VPN tunnel-group general attributes

    vpn address pool

    Group Policy - by default-vpn

    Tunnel vpn ipsec-attributes group

    pre-shared key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    anonymous reporting remote call

    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

    : end

    I see two problems:

    1. your ASA has not an interior road to the Incas inside networks. You must add:

    Route inside 192.168.2.0 255.255.255.0

    Route inside 192.168.10.0 255.255.255.0

    .. .specifying your gateway address of these networks.

    2. the statement "access-list standard vpn_splitTunnelAcl permit 192.168.1.0 255.255.255.0" sends only a route for 192.168.1.0/24 to your customer. You need to add entries for the other two networks.

Maybe you are looking for