fall of site to site vpn icmp packets

Hello

I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)

Instant topology is attached, also configs

Thank you

84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
10.20.20.5 icmp_seq = timeout 60
84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
10.20.20.5 icmp_seq = timeout 62
84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
10.20.20.5 icmp_seq = 64 timeout
84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 66
84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
10.20.20.5 icmp_seq = timeout 68
84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 70
84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
10.20.20.5 icmp_seq = timeout 72
84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 74
84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
10.20.20.5 icmp_seq = timeout 76
84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
10.20.20.5 icmp_seq = timeout 78

R1 ipsec crypto #sh her

Interface: FastEthernet0/0
Tag crypto map: map, local addr 100.100.100.2

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
current_peer 100.100.100.1 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

ciscoasa # sh crypto isakmp stats

Global statistics IKEv1
The active Tunnels: 1
Previous Tunnels: 1
In bytes: 1384
In the packages: 12
In packs of fall: 0
In Notifys: 8
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 1576
Packet: 13
Fall packages: 0
NOTIFYs out: 16
Exchanges of P2: 1
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 1
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0

Hello

On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.

IP route 0.0.0.0 0.0.0.0 FastEthernet0/0

IP route 0.0.0.0 0.0.0.0 100.100.100.1

HTH

"Please note the useful messages and mark the correct answer if it solves the problem."

Tags: Cisco Security

Similar Questions

  • ICMP is required for the site to site VPN

    Hello

    I'm trying to set up a connection VPN site to site with a Cisco with the AIM-VPN-SSL-1 module 1841 and a NEC IX2015. We use a GRE with IPSec tunnel

    The problem we have is the will of router NEC not repsond to ICMP packets (and it is not a way to get a reaction). This will cause problems with the tunnel?

    Thank you!

    Paul

    Do not think that it will cause no problem. The more you can not do is not able to ping to test connectivity. Other than that, the IPSec LAN-to-LAN tunnel should work just fine.

  • Site-to-Site VPN IPSEC falls intermittently

    Site-to-Site VPN IPSEC falls intermittently

    I am currently having a problem with a VPN from Site to Site traffic not only not intermittently. When the problem occurs, I can't Ping the remote site to the AC Site. But I can solve the problem by Pinging from HQ at the Remote Site. My network is currently configured as follows

    -------HQ------

    7.0 (4) version of pix 515 with card Ethernet 4 ports.

    Outside of the interface connected to the Broadband DSL link.

    Outside2 Interface connected to the second link DSL broadband

    -Distance-

    I have 4 Remote Sites. 2 sites connect you to each connection to wide band at HQ to spread the load to HQ

    6.3 (5) pix 501 version

    # The problem #.

    All VPN establishes successfully to the HQ Pix

    Intermittently, a remote site will report that they cannot connect to servers/services in the HQ. When I do a show crypto ipsec's and see the crypto isakmp his headquarters there is no entry for the remote site. However when I do the same on the remote site there is an entry for the HQ. With debugging on the remote site pix I try to ping from a pc to the HQ server and I get the following (see below). If I do a "ipsec Isakmp security association claire crypto ' and ' clear crypto ipsec his ' on the pix of remote site, then I can successfully ping all servers in headquarters.

    This problem seems to have taken place only when I upgraded the pix of a 501 to 515 and added another 2 remote sites and a second broadband, as described above. I'm afraid that there is a problem with software version 7 Pix. Any advice would be greatly appreciated.

    Console record Carrick-PIX01 (config) # 7

    Carrick-PIX01 (config) # ter Lun

    Output Carrick-PIX01 (config) #.

    Carrick-PIX01 # debug crypto ipsec

    Carrick-PIX01 # debug crypto isakmp

    Carrick-PIX01 #.

    ISAKMP (0:0): sending of NAT - T vendor ID - rev 2 & 3

    ISAKMP (0): early changes of Main Mode

    ISAKMP (0): retransmission of the phase 1 (0)...

    ISAKMP (0): retransmission of the phase 1 (1)...

    ISAKMP (0): retransmission of the phase 1 (2)...

    Carrick-PIX01 #.

    Carrick-PIX01 #.

    ISAKMP (0): retransmission of the phase 1 (3)...

    Carrick-PIX01 #.

    Carrick-PIX01 #.

    ISAKMP (0): retransmission of the phase 1 (4)... IPSec (key_engine): request timer shot: count = 1,.

    (identity) local = OUTER-IP, distance = 86.43.74.16,.

    local_proxy = LAN-OFFICE/255.255.255.0/0/0 (type = 4),

    remote_proxy = 194.x.x.x.x.255.0/0/0 (type = 4)

    ISAKMP (0): delete SA: CBC EXTERNAL IP, dst 86.43.74.16

    ISADB: Reaper checking HIS 0x10c167c, id_conn = 0 DELETE IT!

    Peer VPN: ISAKMP: Peer Info for 86.43.74.16/500 not found - peer: 1

    ISADB: Reaper checking HIS 0x10ca914, id_conn = 0

    Can force you the ISAKMP Keepalive, value from IPSec Security Association idle time and on the other. The problem should be solved

    ISAKMP crypto keepalive 30

    Crypto ipsec security association temps_inactivite 60

    Let me know if it helps

  • site to site VPN

    SH running-config crypto

    I have the following configuration, in order to create a site to site vpn which should not be changed in the configuration below.

    Do I need to add new card crypto?

    And what is the dynamic-map

    I need to create new ipsec transform-set or can I use the existing?

    Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 remoteaccess

    Crypto ipsec transform-set esp-3des esp-sha-hmac L2Lvpn ikev1

    Crypto ipsec kilobytes of life - safety 999608000 association

    Crypto ipsec pmtu aging infinite - the security association

    Crypto-map dynamic Test 1 set pfs Group1

    Crypto-map dynamic Test 1 set transform-set remoteaccess L2Lvpn ikev1

    Crypto-map dynamic 1jeu reverse-Road Test

    card crypto Test 1-isakmp ipsec dynamic test

    Test interface card crypto outside

    Crypto ca trustpoint _SmartCallHome_ServerCA

    Configure CRL

    Crypto ca trustpoint ASDM_TrustPoint0

    Terminal registration

    name of the object CN = TestFW

    Configure CRL

    trustpool crypto ca policy

    crypto isakmp identity address

    Crypto ikev1 allow outside

    IKEv1 crypto policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 10800

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 1800

    IKEv1 crypto policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 1800

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    IKEv1 pre-shared-key *.

    Thank you

    bluesea2010,

    Next step will be sending real traffic, or just run a package Tracker to ensure that traffic flows very well:

    entry Packet-trace within the icmp 192.168.15.x 8 0 172.10.10.x detail

    If all goes well, you should be good to go.

    Hope this info helps!

    Note If you help!

    -JP-

  • Site to Site VPN issues

    Hello

    I have created a new site to site vpn connection and can't know why it does not work.

    All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?

    !

    vpn hostname

    domain name

    activate the encrypted password of Pp6RUfdBBUU

    ucU7iJnNlZ passwd / encrypted

    names of

    DNS-guard

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP address 87.117.xxx.xx 255.255.255.252

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP address 78.129.xxx.x 255.255.255.128

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    boot system Disk0: / asa822 - k8.bin

    passive FTP mode

    DNS server-group DefaultDNS

    domain msiuk.com

    permit same-security-traffic inter-interface

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    EQ object of port 8080

    port-object eq www

    EQ object of the https port

    Http81 tcp service object-group

    port-object eq 81

    DM_INLINE_TCP_3 tcp service object-group

    port-object eq 81

    port-object eq www

    the DM_INLINE_NETWORK_1 object-group network

    host of the object-Network 172.19.60.52

    host of the object-Network 172.19.60.53

    host of the object-Network 172.19.60.68

    host of the object-Network 172.19.60.69

    host of the object-Network 172.19.60.84

    host of the object-Network 172.19.60.85

    host of the object-Network 172.19.60.86

    access-list extended basic permit icmp any any echo response

    access-list extended basic permit icmp any one time exceed

    access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx

    permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group

    access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0

    Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128

    SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0

    access list allow extended permit ip any one

    MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203

    MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0

    SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    ARP timeout 14400

    Global (1 interface external)

    NAT (inside) 0 access-list SHEEP

    Access SMTP-NAT NAT (inside) 1 list

    NAT (inside) 1 10.1.1.0 255.255.255.0

    NAT (inside) 1 10.2.2.0 255.255.255.0

    Access-group basic in external interface

    Access-group allow external interface

    Access-group allow the interface inside

    Access-group allow the interface inside

    Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1

    Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1

    Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1

    Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1

    Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication enable LOCAL console

    the ssh LOCAL console AAA authentication

    Enable http server

    http 0.0.0.0 0.0.0.0 outdoors

    No snmp server location

    No snmp Server contact

    Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform

    Crypto ipsec transform-set esp-3des esp-md5-hmac kwset

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES

    card crypto VPNPEER 1 corresponds to the address MATCHJLS

    card crypto VPNPEER 1 set peer 94.128.xxx.xx

    card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto VPNPEER 10 corresponds to the address MATCHVPN3

    card crypto VPNPEER 10 set peer 94.128.xxx.xx

    crypto VPNPEER 10 the transform-set jlstransformset value card

    card crypto VPNPEER 10 set nat-t-disable

    card crypto VPNPEER 30 corresponds to the address MATCHVPN2

    card crypto VPNPEER 30 212.118.xxx.xx peer value

    card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto VPNPEER 30 the value reverse-road map

    card crypto VPNPEER 40 corresponds to the address MATCHVPN4

    VPNPEER 40 crypto map set peer 94.128.xxx.xx

    crypto VPNPEER 40 the transform-set kwset value card

    card crypto VPNPEER 50 corresponds to the address MATCHVPN3

    card crypto VPNPEER 50 set pfs

    card crypto VPNPEER 50 set peer 94.128.xxx.xx

    card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA

    card crypto VPNPEER 50 set nat-t-disable

    card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP

    VPNPEER interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 3600

    Crypto isakmp nat-traversal 3600

    crypto ISAKMP disconnect - notify

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 60

    SSH version 2

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal GroupPolicy1 group strategy

    attributes of Group Policy GroupPolicy1

    value of VPN-filter MATCHKW

    Protocol-tunnel-VPN IPSec l2tp ipsec

    internal CLIENTGROUP group policy

    CLIENTGROUP group policy attributes

    value of server DNS 10.1.1.10 10.1.1.2

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SPLITTUN

    msiuk.local value by default-field

    Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q

    tunnel-group msi type remote access

    msi General attributes tunnel-group

    address LOCPOOL pool

    Group Policy - by default-CLIENTGROUP

    MSI group tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group msi ppp-attributes

    ms-chap-v2 authentication

    tunnel-group 212.118.xxx.xx type ipsec-l2l

    212.118.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    !

    class-map ftpdefault

    match default-inspection-traffic

    class-map default inspection

    !

    !

    Policy-map global_policy

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:b251877ef24a1dc161b594dc052c44

    : end

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    Hello

    OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.

    It seems that you get no traffic back from the remote end

    This could mean one of the following things

    • Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
    • Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
    • Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
    • etc.

    As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.

    If you go ask about this since the admins of the remote site, let us know how to do the thing.

    If you found this information useful, please note the answer/answers and naturally ask more if necessary

    -Jouni

  • Site to Site VPN ASA 5510

    OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA.  I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510.  I have the VPN configured on the SAA and he said that the tunnel is up.  I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine.  If I try to ping on a local computer, I get a "Request timed out".  If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer.  The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted.  I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:

    My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:

    Router (Cisco 2811)

    |

    Layer switch 2 (ProCurve)

    |                                      |

    ASA5510 LAN computers

    I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.

    In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.

    From the console of the ASA, I get this:

    ASA5510 # ping 192.52.128.1
    Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
    !!!!!
    Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 ms

    ASA5510 # show crypto ipsec his
    Interface: *.
    Tag crypto map: * _map, local addr: 10.52.120.23

    local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
    current_peer: x.x.x.204

    program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
    decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204

    Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
    current outbound SPI: C49EF75F

    SAS of the esp on arrival:
    SPI: 0x21FDBB9D (570276765)
    transform: esp-3des esp-md5-hmac
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 1, crypto-map: * _map
    calendar of his: service life remaining (KB/s) key: (3824999/3529)
    Size IV: 8 bytes
    support for replay detection: Y
    outgoing esp sas:
    SPI: 0xC49EF75F (3298752351)
    transform: esp-3des esp-md5-hmac
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 1, crypto-map: * _map
    calendar of his: service life remaining (KB/s) key: (3824999/3527)
    Size IV: 8 bytes
    support for replay detection: Y

    From my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:

    C:\Users\***>ping 192.52.128.1

    Ping 192.52.128.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.52.128.1:
    Packets: Sent = 4, received = 0, lost = 4 (100% loss)

    C:\Users\***>ping 10.52.120.23

    Ping 10.52.120.23 with 32 bytes of data:
    Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
    Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
    Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
    Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255

    Ping statistics for 10.52.120.23:
    Packets: Sent = 4, received = 4, lost = 0 (0% loss),
    Time approximate round trip in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, average = 2ms

    Count on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.

    Here is the running of the ASA configuration:

    ASA Version 7.0 (2)
    names of
    !
    interface Ethernet0/0
    nameif InsideNetwork
    security-level 100
    IP 10.52.120.23 255.255.255.0
    !
    interface Ethernet0/1
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    Shutdown
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    management only
    !
    activate the encrypted password of XXXXXXXXXXXXXXXX
    passwd encrypted XXXXXXXXXXXXXXXXXXX
    ciscoasa hostname
    domain default.domain.invalid
    passive FTP mode
    permit same-security-traffic intra-interface
    Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
    5.0 192.52.128.0 255.255.255.0
    Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
    .0 192.52.128.0 255.255.255.0
    pager lines 24
    asdm of logging of information
    management of MTU 1500
    MTU 1500 InsideNetwork
    management of the interface of the monitor
    the interface of the monitor InsideNetwork
    ASDM image disk0: / asdm - 502.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
    Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
    Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    Timeout, uauth 0:05:00 absolute
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 10.52.120.0 255.255.255.0 InsideNetwork
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
    card crypto InsideNetwork_map 20 set peer x.x.x.204
    InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
    InsideNetwork_map InsideNetwork crypto map interface
    ISAKMP enable InsideNetwork
    part of pre authentication ISAKMP policy 10
    ISAKMP policy 10 3des encryption
    ISAKMP policy 10 md5 hash
    10 2 ISAKMP policy group
    ISAKMP life duration strategy 10 86400
    Telnet 10.52.120.0 255.255.255.0 InsideNetwork
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    dhcpd lease 3600
    dhcpd ping_timeout 50
    enable dhcpd management
    tunnel-group x.x.x.204 type ipsec-l2l
    x.x.x.204 group of tunnel ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    Policy-map global_policy
    class inspection_default
    inspect the dns-length maximum 512
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    Cryptochecksum:7e478b60b3e406091de466675c52eaaa
    : end

    I haven't added anything to the config except what seemed necessary to get the job of VPN tunnel.  It should be fairly clean.

    Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot

    Strange, but good news. Thanks for the update. I'm glad everything is working.

    THX

    MS

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

    I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

    I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

    It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

    On the ASA:

    Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

    address of the peers: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

    access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
    local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
    current_peer: 217.xx.yy.zz

    #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 39135054
    current inbound SPI: B2E9E500

    SAS of the esp on arrival:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4374000/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, PFS 2 group}
    slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
    calendar of his: service life remaining (KB/s) key: (4373976/1598)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Output of the command: "sh crypto isakmp his."

    HIS active: 4
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 4

    IKE Peer: 217.xx.yy.zz
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    On the 1841

    1841 crypto isakmp #sh its
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

    1841 crypto ipsec #sh its

    Interface: Dialer1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Interface: virtual Network1
    Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
    current_peer 62.153.156.163 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
    current outbound SPI: 0xB2E9E500 (3001672960)
    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:
    SPI: 0 x 39135054 (957567060)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505068/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xB2E9E500 (3001672960)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4505118/1306)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

    Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

    I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

    It's the running of the 1841 configuration

    !
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    host name 1841
    !
    boot-start-marker
    start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    !
    AAA - the id of the joint session
    !
    iomem 20 memory size
    clock timezone PCTime 1
    PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
    dot11 syslog
    IP source-route
    !
    No dhcp use connected vrf ip
    !
    IP cef
    no ip bootp Server
    IP domain name test
    name of the IP-server 194.25.2.129
    name of the IP-server 194.25.2.130
    name of the IP-server 194.25.2.131
    name of the IP-server 194.25.2.132
    name of the IP-server 194.25.2.133
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    object-group network phone
    VoIP phone description
    Home 172.20.2.50
    Home 172.20.2.51
    !
    redundancy
    !
    !
    controller LAN 0/0/0
    atm mode
    Annex symmetrical shdsl DSL-mode B
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 62.aa.bb.cc
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to62.aa.bb.cc
    the value of 62.aa.bb.cc peer
    game of transformation-ESP-3DES-SHA
    PFS group2 Set
    match address 100
    !
    !
    !
    interface FastEthernet0/0
    DMZ description $ FW_OUTSIDE$
    10.10.10.254 IP address 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    Description $ETH - LAN$ $FW_INSIDE$
    IP 172.20.2.254 255.255.255.0
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    IP tcp adjust-mss 1412
    automatic duplex
    automatic speed
    !
    ATM0/0/0 interface
    no ip address
    No atm ilmi-keepalive
    !
    point-to-point interface ATM0/0/0.1
    PVC 1/32
    PPPoE-client dial-pool-number 1
    !
    !
    interface Dialer1
    Description $FW_OUTSIDE$
    the negotiated IP address
    IP mtu 1452
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 2
    PPP authentication chap callin pap
    PPP chap hostname xxxxxxx
    PPP chap password 7 xxxxxxx8
    PPP pap sent-name of user password xxxxxxx xxxxxxx 7
    map SDM_CMAP_1 crypto
    !
    IP forward-Protocol ND
    IP http server
    local IP http authentication
    IP http secure server
    !
    !
    The dns server IP
    IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
    IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
    IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
    IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    Note category of access list 1 = 2 CCP_ACL
    access-list 1 permit 172.20.2.0 0.0.0.255
    Note access-list category 2 CCP_ACL = 2
    access-list 2 allow 10.10.10.0 0.0.0.255
    Note access-list 100 category CCP_ACL = 4
    Note access-list 100 IPSec rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    Note CCP_ACL the access list 101 = 2 category
    Note access-list 101 IPSec rule
    access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 2
    Note access-list 102 IPSec rule
    access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 101
    !
    allowed SDM_RMAP_2 1 route map
    corresponds to the IP 102
    !
    !
    control plan
    !
    !
    Line con 0
    line to 0
    line vty 0 4
    length 0
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    NTP-Calendar Update
    NTP 172.20.2.250 Server prefer
    end

    As I mentioned previously: suspicion is much appreciated!

    Best regards

    Joerg

    Joerg,

    ASA receives not all VPN packages because IOS does not send anything.

    Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

    The problem seems so on the side of the router.

    I think that is a routing problem, but you only have one default gateway (no other channels on the router).

    The ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that the ACL 101 is also bypassing NAT for VPN traffic.

    Follow these steps:

    Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

    I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

    Federico.

  • Site to site VPN works only on Cisco 881

    I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:

    destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
    192.168.2.0

    I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.

    My question is how I can get internet on vlan2 and who can I solve the connection to site to site.

    Here's the running configuration:

    Building configuration...

    Current configuration: 12698 bytes
    !
    version 15.3
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    hostname Cisco_881
    !
    boot-start-marker
    boot-end-marker
    !
    AQM-registry-fnf
    !
    logging buffered 51200 warnings
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authorization exec default local
    AAA authorization network default local
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    !
    Crypto pki trustpoint TP-self-signed-1151531093
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 1151531093
    revocation checking no
    rsakeypair TP-self-signed-1151531093
    !
    Crypto pki trustpoint TP-self-signed-2011286623
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2011286623
    revocation checking no
    rsakeypair TP-self-signed-2011286623
    !
    !
    TP-self-signed-1151531093 crypto pki certificate chain
    certificate self-signed 01
    3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
    34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
    33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
    0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
    FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
    A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
    0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
    551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
    03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
    2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
    BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
    22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
    3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
    EB31DB3F A9BA6D70 65B70D19 D00158
    quit smoking
    TP-self-signed-2011286623 crypto pki certificate chain
    no ip source route
    !
    !
    !
    !

    !
    DHCP excluded-address IP 10.10.10.1
    DHCP excluded-address IP 192.168.5.1 192.168.5.49
    DHCP excluded-address IP 192.168.5.150 192.168.5.254
    !
    DHCP IP CCP-pool
    import all
    Network 10.10.10.0 255.255.255.248
    default router 10.10.10.1
    Rental 2 0
    !
    IP dhcp Internet pool
    network 192.168.5.0 255.255.255.0
    router by default - 192.168.5.254
    DNS-Server 64.59.135.133 64.59.128.120
    lease 6 0
    !
    !
    !
    no ip domain search
    "yourdomain.com" of the IP domain name
    name of the IP-Server 64.59.135.133
    name of the IP-Server 64.59.128.120
    IP cef
    No ipv6 cef
    !
    !
    !
    !
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    !
    !
    !
    !
    udi pid C881-K9 sn FTX18438503 standard license
    !
    !
    Archives
    The config log
    hidekeys
    username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
    username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
    username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
    !
    !
    !
    !
    !
    no passive ftp ip
    !
    !
    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 208.98.212.xx
    !
    Configuration group crypto isakmp MPE client
    key *.
    pool VPN_IP_POOL
    ACL 100
    include-local-lan
    10 Max-users
    netmask 255.255.255.0
    banner ^ practive entered the field

    This area is reserved for administrators of control systems.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Support on continue to start your session.              ^ C
    !
    Configuration group customer crypto isakmp PALL
    key *.
    pool VPN_IP_POOL_PALL
    ACL 101
    include-local-lan
    Max - 1 users
    netmask 255.255.255.0
    banner ^ practive entered the field

    This area is limited to the PALL access only.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Support on continue to start your session.            ^ C
    ISAKMP crypto profile vpn_isakmp_profile
    game of identity EMT group
    client authentication list default
    Default ISAKMP authorization list
    client configuration address respond
    virtual-model 1
    ISAKMP crypto profile vpn_isakmp_profile_2
    match of group identity PALL
    client authentication list default
    Default ISAKMP authorization list
    client configuration address respond
    virtual-model 2
    !
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
    tunnel mode
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    tunnel mode
    !
    Profile of crypto ipsec VPN_PROFILE_MPE
    Set the security association idle time 3600
    game of transformation-VPN_TRANSFORM
    vpn_isakmp_profile Set isakmp-profile
    !
    Profile of crypto ipsec VPN_PROFILE_PALL
    Set the security association idle time 1800
    game of transformation-VPN_TRANSFORM
    vpn_isakmp_profile_2 Set isakmp-profile
    !
    !
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to208.98.212.xx
    the value of 208.98.212.xx peer
    game of transformation-ESP-3DES-SHA
    match address 102
    !
    !
    !
    !
    !
    !
    interface Loopback0
    IP 192.168.40.254 255.255.255.0
    !
    interface FastEthernet0
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    switchport access vlan 2
    no ip address
    !
    interface FastEthernet3
    switchport access vlan 2
    no ip address
    !
    interface FastEthernet4
    IP address 208.98.213.xx 255.255.255.224
    IP access-group 111 to
    NAT outside IP
    IP virtual-reassembly in
    automatic duplex
    automatic speed
    map SDM_CMAP_1 crypto
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel VPN_PROFILE_MPE ipsec protection profile
    !
    tunnel type of interface virtual-Template2
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel VPN_PROFILE_PALL ipsec protection profile
    !
    interface Vlan1
    Description of control network
    IP 192.168.125.254 255.255.255.0
    IP access-group CONTROL_IN in
    IP access-group out CONTROL_OUT
    IP nat inside
    IP virtual-reassembly in
    IP tcp adjust-mss 1452
    !
    interface Vlan2
    Description Internet network
    IP 192.168.5.254 255.255.255.0
    IP access-group INTERNET_IN in
    IP access-group out INTERNET_OUT
    IP nat inside
    IP virtual-reassembly in
    !
    local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
    local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
    IP forward-Protocol ND
    IP http server
    23 class IP http access
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    !
    IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
    IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
    IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
    !
    CONTROL_IN extended IP access list
    Note the access control
    Note the category CCP_ACL = 17
    allow any host 192.168.125.254 eq non500-isakmp udp
    allow any host 192.168.125.254 eq isakmp udp
    allow any host 192.168.125.254 esp
    allow any host 192.168.125.254 ahp
    IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
    Note the VPN access
    IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
    Note Access VNC
    permit tcp host 192.168.125.2 eq 25000 one
    Comment by e-mail to WIN911
    permit tcp host 192.168.125.2 any eq smtp
    Note DNS traffic
    permit udp host 192.168.125.2 host 64.59.135.133 eq field
    permit udp host 192.168.125.2 host 64.59.128.120 eq field
    Note Everything Else block
    refuse an entire ip
    CONTROL_OUT extended IP access list
    Note the access control
    IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
    Note the VPN access
    ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
    Note Access VNC
    allow any host 192.168.125.2 eq 25000 tcp
    Comment by e-mail to WIN911
    allow any host 192.168.125.2 eq smtp tcp
    Note DNS responses
    allowed from any host domain eq 192.168.125.2 udp
    Note deny all other traffic
    refuse an entire ip
    INTERNET_IN extended IP access list
    Note Access VNC on VLAN
    allow any host 192.168.125.2 eq 25000 tcp
    Note block all other controls and VPN
    deny ip any 192.168.125.0 0.0.0.255
    deny ip any 192.168.40.0 0.0.0.255
    Note leave all other traffic
    allow an ip
    INTERNET_OUT extended IP access list
    Note a complete outbound Internet access
    allow an ip
    WAN_IN extended IP access list
    allow an ip host 207.229.14.xx
    Note PERMIT ESTABLISHED TCP connections
    allow any tcp smtp created everything eq
    Note ALLOW of DOMAIN CONNECTIONS
    permit udp host 64.59.135.133 eq field all
    permit udp host 64.59.128.120 eq field all
    Note ALLOW ICMP WARNING RETURNS
    allow all all unreachable icmp
    permit any any icmp parameter problem
    allow icmp all a package-too-big
    allow a whole icmp administratively prohibited
    permit icmp any any source-quench
    allow icmp all once exceed
    refuse a whole icmp
    allow an ip
    !
    auto discovering IP sla
    not run cdp
    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 103
    !
    access-list 1 remark out to WAN routing
    Note CCP_ACL the access list 1 = 16 category
    access-list 1 permit 192.168.125.2
    access-list 1 permit 192.168.5.0 0.0.0.255
    Note access-list 23 SSH and HTTP access permissions
    access-list 23 permit 192.168.125.0 0.0.0.255
    access-list 23 permit 192.168.40.0 0.0.0.255
    access-list 23 allow one
    Note access-list 100 VPN traffic
    access-list 100 permit ip 192.168.125.0 0.0.0.255 any
    access-list 100 permit ip 192.168.40.0 0.0.0.255 any
    Note access-list 101 for PALL VPN traffic
    access-list 101 permit ip 192.168.125.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 4
    Note access-list 102 IPSec rule
    access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    Note access-list 103 CCP_ACL category = 2
    Note access-list 103 IPSec rule
    access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    access-list 103 allow ip 192.168.5.0 0.0.0.255 any
    access-list 103 allow the host ip 192.168.125.2 all
    Note access-list 111 CCP_ACL category = 17
    access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp any host 208.98.213.xx eq isakmp
    access-list 111 allow esp any host 208.98.213.xx
    access-list 111 allow ahp any host 208.98.213.xx
    Note access-list 111 IPSec rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
    Note access-list 111 IPSec rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
    access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
    access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
    access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
    access-list 111 permit icmp any host 208.92.13.xx
    access-list 111 permit tcp any host 208.92.13.xx eq 25000
    access-list 111 permit tcp any host 208.92.13.xx eq 22
    access-list 111 permit tcp any host 208.92.13.xx eq telnet
    access-list 111 permit tcp any host 208.92.13.xx eq www
    !
    !
    !
    control plan
    !
    !
    !
    MGCP behavior considered range tgcp only
    MGCP comedia-role behavior no
    disable the behavior MGCP comedia-check-media-src
    disable the behavior of MGCP comedia-sdp-force
    !
    profile MGCP default
    !
    !
    !
    !
    exec banner ^ C
    % Warning of password expiration.
    -----------------------------------------------------------------------

    Unplug IMMEDIATELY if you are not an authorized user
    ^ C
    !
    Line con 0
    no activation of the modem
    line to 0
    line vty 0 4
    access-class 23 in
    password *.
    transport input telnet ssh
    transportation out all
    line vty 5 15
    access-class 160 in
    password *.
    transport of entry all
    transportation out all
    !
    max-task-time 5000 Planner
    Scheduler allocate 20000 1000
    !
    end

    Thank you.

    It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.

    Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.

    - http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...

    Disable any ZBF just in case.

    David Castro,

    Kind regards

  • problem of site 2 site vpn

    Greetings. We have a site 2 site vpn 2 asa5510-based work. The two sites are accessible internel network hosts, but we are unable to access all the services (such as the TFTP or CA)? or even ping hosts in the remote site of our local asa5510 network. It seems that ASA attempts to send packets directly through the default gw, bypasing the vpn tunnel. Any help would be very appreciate.

    PS We checked the ACLs on both devices, so more than likely, this is not the problem.

    Hello

    Since you did not include public ip address of the external interface in the Crypto ACL, it's why he's not going in the tunnel.

    Add Crypto ACL a statement where qualify you this statement outside the public ip address of the interface source and mirror image in the remote device.

    HTH

    Sangaré

    Pls rate helpful messages

  • Site to site VPN with router IOS

    I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

    I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

    Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

    My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

    Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

    And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

    Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

    I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

    We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

    I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

    Thank you in advance.

    Pete.

    Pete

    I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

    -you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

    -I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

    -If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

    -I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

    -regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

    -You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

    -There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

    -I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

    I hope that your application is fine and that my suggestions could be useful.

    [edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

    HTH

    Rick

  • Site to Site VPN configuration does not

    Hello

    I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.

    My VPN on ASA1 and ASA2 configs are below:

    ASA1

    Note to outside_cryptomap_1 to access list VPN traffic to encrypt
    outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0

    Crypto ikev1 allow outside
    IKEv1 crypto policy 1
    preshared authentication
    aes-256 encryption
    sha hash
    Group 5
    life 86400

    tunnel-group 11.11.11.2 type ipsec-l2l
    IPSec-attributes tunnel-Group 11.11.11.2
    Cisco pre-shared key IKEv1

    Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
    card crypto outside_map 1 match address outside_cryptomap_1
    peer set card crypto outside_map 1 11.11.11.2
    card crypto outside_map 1 set of transformation-AES-SHA
    outside_map interface card crypto outside

    ASA2

    Note to outside_cryptomap_1 to access list VPN traffic to encrypt
    permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0

    Crypto ikev1 allow outside
    IKEv1 crypto policy 1
    preshared authentication
    aes-256 encryption
    sha hash
    Group 5
    life 86400

    tunnel-group 12.12.12.2 type ipsec-l2l
    IPSec-attributes tunnel-group 12.12.12.2
    Cisco pre-shared key IKEv1

    Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
    card crypto outside_map 1 match address outside_cryptomap_1
    peer set card crypto outside_map 1 12.12.12.2
    card crypto outside_map 1 set of transformation-AES-SHA
    outside_map interface card crypto outside

    I can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.

    I tried a few commands show and they came out absolutely empty... as I have not configured:

    SH in detail its crypto isakmp

    There are no SAs IKEv1

    There are no SAs IKEv2

    SH crypto ipsec his

    There is no ipsec security associations

    Anyone have any ideas?

    Hi martin,

    Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
    What I mentioned in the previous note follow this.

    --------------------

    ASA1

    ASA1 (config) # sh run
    : Saved
    :
    ASA Version 8.0 (2)
    !
    hostname ASA1
    activate 8Ry2YjIyt7RRXU24 encrypted password
    names of
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 12.12.12.2 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    10.10.10.2 IP address 255.255.255.0
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/5
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    2KFQnbNIdI.2KYOU encrypted passwd
    passive FTP mode
    extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
    pager lines 24
    Within 1500 MTU
    Outside 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout, uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-sha-hmac tset
    card crypto cmap 1 match for vpn
    card crypto cmap 1 set peer 11.11.11.2
    card crypto cmap 1 transform-set tset
    cmap outside crypto map interface
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    md5 hash
    Group 5
    life 86400
    crypto ISAKMP policy 65535
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    a basic threat threat detection
    Statistics-list of access threat detection
    !
    !
    tunnel-group 11.11.11.2 type ipsec-l2l
    IPSec-attributes tunnel-Group 11.11.11.2
    pre-shared-key *.
    context of prompt hostname
    Cryptochecksum:00000000000000000000000000000000
    : end
    ASA1 (config) #.
    ---------------------

    ASA2 (config) # sh run
    : Saved
    :
    ASA Version 8.0 (2)
    !
    hostname ASA2
    activate 8Ry2YjIyt7RRXU24 encrypted password
    names of
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 11.11.11.2 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    IP 172.16.10.2 255.255.255.0
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/5
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    2KFQnbNIdI.2KYOU encrypted passwd
    passive FTP mode
    extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    Outside 1500 MTU
    Within 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout, uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-sha-hmac tset
    card crypto cmap 1 match for vpn
    card crypto cmap 1 set peer 12.12.12.2
    card crypto cmap 1 transform-set tset
    cmap outside crypto map interface
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    md5 hash
    Group 5
    life 86400
    crypto ISAKMP policy 65535
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    a basic threat threat detection
    Statistics-list of access threat detection
    !
    !
    !
    tunnel-group 12.12.12.2 type ipsec-l2l
    IPSec-attributes tunnel-group 12.12.12.2
    pre-shared-key *.
    context of prompt hostname
    Cryptochecksum:00000000000000000000000000000000
    : end
    ASA2 (config) #.

    -------------------------
    OUTPUTS:

    *********************

    ASA1 (config) # sh crypto isakmp his

    ITS enabled: 1
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 1

    1 peer IKE: 11.11.11.2
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    ---------------------

    ASA1 (config) # sh crypto ipsec his
    Interface: outside
    Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2

    access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
    local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
    current_peer: 11.11.11.2

    #pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2

    ------------------------
    ASA2 (config) # sh crypto isakmp his

    ITS enabled: 1
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 1

    1 peer IKE: 12.12.12.2
    Type: L2L role: answering machine
    Generate a new key: no State: MM_ACTIVE

    ------------------------

    ASA2 (config) # sh crypto ipsec his
    Interface: outside
    Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2

    access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
    local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
    current_peer: 12.12.12.2

    #pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
    #pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
    -------------------------

  • You try to run a Site to site VPN and remote VPN from the same IP remotely

    We currently have a site to site VPN configuration between our offices call center and a 3rd party that allows them to access our training to their employees to use environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; However, when we have managers come out to the call center, they are unable to use remote VPN to access our office.

    Apparently the same IP peer remote that we use for our site to the other tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get treatment Information Exchange has failed. So from what I can understand when our managers are trying to connect to our firewall from the same IP address as the counterpart of site to site it automatically tries to create a tunnel, according to the information of the site to the other tunnel. If our managers are anywhere else, they can connect through remote VPN with no problems.

    My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.

    Hi John,.

    Basically, in older versions, when you hit a static encryption card and you does not match this static encryption completely map the connection continues until the dynamic encryption card. For this reason, you can connect your IPSec clients before. A bug has been opened on this vulnerability.

    CSCuc75090  Details of bug

    The crypto IPSec Security Association are created by dynamic crypto map to static peers

    Symptom:

    When a static VPN peer adds all traffic to the ACL crypto, a surveillance society is based even if the pair IP is not allowed in the acl to the main façade encryption. Are these SA finally put in correspondence and commissioning the dynamic crypto map instance.

    Conditions:

    It was a planned design since the first day that allowed customers to fall through in the case of static crypto map did not provide a necessary cryptographic services.

    The SA must be made from a peer configured statically and a dynamic crypto map instance must be configured on the receiving end.

    Workaround solution:

    N/A

    Some possible workarounds are:

    Configure a static nat device when you try to use the remote VPN if the firewall remotely will be hit with a different public IP address. It would be a good solution, but it will depend on how many ip addresses public you have available, if you really want one of these ip addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 licenses SSL available that you could use. Because Anyconnect uses the SSL protocol, it won't have a problem on your environment.

    Below some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.

  • Site to Site VPN - cannot ping remote subnet

    Hi all.

    I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

    Any suggestions?

    I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

    Thanks in advance.

    5505 lack the command:

    management-access inside

    Federico.

  • Detection of site to Site VPN DPD

    Hello everyone

    We need your help with our VPN Site to Site

    We have a connection from site to site VPN that customer remote has implemented the DPD on their side and requesting that do us the same thing on our Cisco ASA 5505 firewall.

    My Question; is recommended by Cisco otherwise please give a full reason why, we can the top of the senior management for review

    Can you help me with the command/syntax to add to our firewall Cisco ASA 5505 running IOS version 8.45; This will bring the tunnel down while we configure this DPD?

    Thank you

    Hello

    It has advantages but also disadvantages.

    Advantage is that it detects that the tunnel goes down well before the scenario by default.

    Downside is if the other end behind the protected fw or device that blocks packets DPD customers creates a problem. But in your scenario, you should not have this kind of problems.

    tunnel-group 10.90.244.26 type ipsec-l2l
    IPSec-attributes tunnel-group 10.90.244.26
    ISAKMP keepalive retry threshold 10 5

    = This measure of the DPD... every 10 seconds it tries to detect the keepalive messages and try again initiates after 5 seconds...

    Make sure that patterns must match at both ends.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Concerning

    Knockaert

  • Site to Site VPN number

    Hello

    I am facing a problem in my site to site VPN configuration, router management site gets the address public IP of the DHCP server as I have built a dynamic crypto map on the router HQ

    First phase ISAKMP is operational running, I am trying to ping the LAN 192.168.85.0 for the HQ 172.16.12.0 LAN but it won't go through and when I check the ipsec security associations I can see that packets are encrypted on the side of the branch and decrypted on the side of HQ but the HQ router no PING response at all and he saw not encrypted packets

    I have attached my configurations, I had to hide some information just for safety

    Help, please!

    Mostafa

    Hello Mustafa,

    Havinf a glance at your config, it seems you have not correctly configured on your HQ NAT exemption.

     ip access-list extended NAT deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255 permit ip 172.16.12.0 0.0.0.255 any deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255

    In this interesting ACL traffic is refused in the last. So it is not exempted from NAT, as ACL are processed in top-down, your valuable traffic is already matching permit statement in NAT ACL therefore subject to NAT on HQ. Refuse the declaration of exemption, interesting traffic NAT should precede the statement of license.

    HTH

    "Please note useful posts.

Maybe you are looking for