Filtering on a Site to Site VPN
I am using this doc to set up rules of filtering between two sites.
For the life of me, I can't have the rules to "stick". Once I built the ACL, then group policy, and then applied it to the tunnel-group attributes, it should work... no? See my attached ASA5505 configuration. It's the destination - I want to limit traffic from the source. What I am doing wrong? After all this, I tested it several times and traffic that is not be implicitly authorized, is still by train through.
I went through this exact just 2 weeks ago. Just bounce the tunnel and your rules will come into force. What I don't understand, is why in other cases, when you edit an ACL is immediate, and in this case the tunnel must be re-init would be. It's weird. Good luck to you!
Tags: Cisco Security
Similar Questions
-
First shot at the site to site VPN fails
This is my first attempt at establishing a VPN site-to site on ASA 5505 s. Fortunately, I'm able to do on the bench and not on the real sites. As soon as I can verify connectivity, I'll move them to the physical sites.
The two ASAs are running 8.3 (1). I tried with ASDM and I tried via CLI. I don't seem to be able to do anyway.
An ASA is configured with the address of WAN 10.1.52.1/24, address LAN 192.168.52.1. Another ASA is set up 10.1.200.1/24 WAN, LAN 192.168.200.1. Because they are on the bench (lab / whatever) there is a single cable connects the two WAN ports. I have a single workstation on each LAN to test connectivity. I CAN'T successfully ping the WAN ASA (10.1.52.1) from the workstation on 192.168.200.1 and vice versa. I'm NOT able to ping the workstation on 192.168.200.1 or of the ASA 10.1.200.1 (192.168.52.1) LAN and vice versa.
Here are the configs for the two and some recording of debug output:
ASA Version 8.3 (1)
!
MAIN host name
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
192.168.200.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 10.1.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
network of the object inside
192.168.200.0 subnet 255.255.255.0
the CISC subject network
192.168.52.0 subnet 255.255.255.0
ICMP-type of object-group ICMP_ALLOWED
Description allow pings
echo ICMP-object
response to echo ICMP-object
ICMP-object has exceeded the time
Object-ICMP traceroute
ICMP-unreachable object
all permitted extended INCOMING icmp access list any object-group ICMP_ALLOWED Journal d
ebugging
VPN-2-CISC scope ip 192.168.52.0 access list allow 255.255.255.0 192.168.200
.0 255.255.255.0 debug log
VPN-2-CISC extended access list allow icmp 192.168.52.0 255.255.255.0 192.168.2
00,0% 255.255.255.0
outside_cryptomap_1 list extended access allowed object CISC object INSIDE Journal ip
debugging
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source inside inside static destination CATC-CATC
!
network of the object inside
NAT dynamic interface (indoor, outdoor)
Access-group ENTERING into the interface outside
Route outside 0.0.0.0 0.0.0.0 10.1.52.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
VPN-2-CATC 1 crypto card matches the address outside_cryptomap_1
card crypto VPN-2-CATC 1 set pfs
card crypto VPN-2-CATC 1 set peer 10.1.52.1
card crypto VPN-2-CATC 1 set transform-set ESP-3DES-MD5
crypto VPN-2-CISC outdoors card interface
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 10
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.200.5 - 192.168.200.99 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
value of filter-VPN VPN-2-CISC
tunnel-group 10.1.52.1 type ipsec-l2l
IPSec-attributes tunnel-group 10.1.52.1
pre-shared-key VPN2VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:53060156da27a8404adc45a01ff7324a
: end==================
ASA Version 8.3 (1)
!
CISC hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
192.168.52.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 10.1.52.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
network of the object inside
192.168.52.0 subnet 255.255.255.0
network of the PRINCIPAL object
192.168.200.0 subnet 255.255.255.0
ICMP-type of object-group ICMP_ALLOWED
pings Allow Description of the tests
echo ICMP-object
ICMP-object has exceeded the time
Object-ICMP traceroute
ICMP-unreachable object
response to echo ICMP-object
extended permitted INBOUND icmp access list any any ICMP_ALLOWED object-group
VPN_TO_MAIN to access extended list ip 192.168.200.0 allow 255.255.255.0 192.168.52.0 255.255.255.0
VPN_TO_MAIN list extended access allow icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
outside_cryptomap_1 list of allowed ip extended access PRINCIPAL inside object
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source inside MAIN destination inside static
!
network of the object inside
NAT dynamic interface (indoor, outdoor)
Access-group ENTERING into the interface outside
Route outside 0.0.0.0 0.0.0.0 10.1.200.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.52.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto VPN_TO_MAIN 1 corresponds to the address outside_cryptomap_1
card crypto VPN_TO_MAIN 1 set pfs
card crypto VPN_TO_MAIN 1 set peer 10.1.200.1
VPN_TO_MAIN 1 transform-set ESP-3DES-MD5 crypto card game
VPN_TO_MAIN interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 10
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.52.5 - 192.168.52.99 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
value of VPN-filter VPN_TO_MAIN
tunnel-group 10.1.200.1 type ipsec-l2l
IPSec-attributes tunnel-group 10.1.200.1
pre-shared-key VPN2VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:fb0bfb4b67a8bfb2360a0d4499ce7f3d
: end
don't allow no asdm history===================
When I try to ping from the internal network of CATC, 192.168.52.0/24 to the interface internal ASA HAND 192.168.200.1, I get...
Built of outbound ICMP connection for faddr gaddr laddr 192.168.52.7/1 192.168.52.7/1 192.168.200.1/0
Connection of disassembly for faddr gaddr laddr 192.168.52.7/1 192.168.52.7/1 192.168.200.1/0 ICMP
Built of incoming UDP connection, 6669 for inside:192.168.52.7/68 (192.168.52.7/68) at identity:255.255.255.255/67 (255.255.255.255/67)
---
I also try to hit a web server address: 192.168.200.5
Built of outgoing TCP connection 6674 for outside:192.168.200.5/80 (192.168.200.5/80) at inside:192.168.52.7/50956 (192.168.52.7/50956)
TCP connection of disassembly 6674 for outside:192.168.200.5/80 to inside:192.168.52.7/50956 duration 0:00:30 bytes 0 SYN Timeout
Deny tcp src outside:192.168.200.5/1632 dst inside:192.168.52.7/80 by access-group "IN" [0 x 0 0 x 0]
I don't get denied due to the INBOUND access-group. I thought with a VPN, the traffic bypasses standard access rules.
No show session upwards in the ASDM followed of > window VPN.
View ipsec his AND show isakmp its also well translate by "there are no ipsec/isakmp sas.
In addition,
In the constituencies of P2: 1997
In P2 invalid Exchange: 0
In P2 Exchange rejects: 1997
Requests for removal in his P2: 0
Exchanges of P2: 360
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 360
=========================
I would like to eventually run the occasional http via this VPN traffic, but it will primarily serve to connect our two IP phone systems
Thank you all,
Laner
Hi Laner,
I created a configuration depending on your configuration: Please see the newsletter:
SITE 1
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
tunnel-group 10.1.52.1 type ipsec-l2l
IPSec-attributes tunnel-group 10.1.52.1
pre-shared-key VPN2VPNnetwork of the object inside
192.168.200.0 subnet 255.255.255.0
the CISC subject network
192.168.52.0 subnet 255.255.255.0outside_cryptomap_1 extended access list permit ip object INSIDE object CISC
NAT (inside, outside) static source inside static destination CATC-CATC No.-PROXY-ARP ROUTE-LOOK insideVPN-2-CATC 1 crypto card matches the address outside_cryptomap_1
card crypto VPN-2-CATC 1 set pfs
card crypto VPN-2-CATC 1 set peer 10.1.52.1
card crypto VPN-2-CATC 1 set transform-set ESP-3DES-MD5This configuration is not necessary because you specify IP as the Protocol and it will allow all through the tunnel
VPN-2-CISC scope ip 192.168.52.0 access list allow 255.255.255.0 192.168.200.0 255.255.255.0
attributes of Group Policy DfltGrpPolicy
value of filter-VPN VPN-2-CISC//
SITE 2
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400tunnel-group 10.1.200.1 type ipsec-l2l
IPSec-attributes tunnel-group 10.1.200.1
pre-shared-key VPN2VPNnetwork of the object inside
192.168.52.0 subnet 255.255.255.0
network of the PRINCIPAL object
192.168.200.0 subnet 255.255.255.0outside_cryptomap_1 list extended access permitted ip object INSIDE PRINCIPAL object
NAT (inside, outside) static source inside MAIN destination inside static route no-proxy-arp-searchcard crypto VPN_TO_MAIN 1 corresponds to the address outside_cryptomap_1
card crypto VPN_TO_MAIN 1 set pfs
card crypto VPN_TO_MAIN 1 set peer 10.1.200.1
VPN_TO_MAIN 1 transform-set ESP-3DES-MD5 crypto card gameThis configuration is not necessary because you specify IP as the Protocol and it will allow all through the tunnel
VPN_TO_MAIN to access extended list ip 192.168.200.0 allow 255.255.255.0 192.168.52.0 255.255.255.0
VPN_TO_MAIN list extended access allow icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0attributes of Group Policy DfltGrpPolicy
value of VPN-filter VPN_TO_MAIN//
Match your configuration with my setup and make changes. Filters VPN are not allowed because you are not filtering anything. Remove the filter VPN at both ends, and then try to ping through the VPN. Also if you ping forms inside the interface inside the interface of the other device, and then make sure that access management is enabled on both interfaces, it will not respond to ping requests.
How to check if access to administration are enabled or not is by running the command:
See the human race
If you get anything enter command 'inside man' and then run ping.
Let me know if it helps.
Vishnu
-
IPsec site to Site VPN on Wi - Fi router
Hello!
Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?
I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?
See you soon!
Michael
I suspect that.
Thank you very much for the reply.
See you soon!
-
Site to site VPN, I need all internet traffic to exit the site.
I have 2 sites connected via a pair of SRX5308
A = 192.168.1.0/24
IP WAN = 1.1.1.1
B = 192.168.2.0/24
IP WAN = 2.2.2.2
Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.
On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.
I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.
Anyone have any ideas?
I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.
Thank you
Dave.
After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.
(1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0
(2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit
(a) disable Netbios
(b) select "None" from the drop-down list the remote IP address.
(c) to apply the change
3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit
(a) disable Netbios
(b) select "None" from the drop-down list the local IP address
(c) to apply the change
Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.
-
I have a VPN site-to-site existing on Azure and Azure a new subnet created on the local network that must be able to reach.
I added the new subnet within azure for the VPN and add a static route on the RRAS server win 2012 for routing.
On the initial installation of a RRAS-Site VPN site (I didn't configure it) I think the interesting traffic specified must be sent through the VPN Tunnel, but I knew how to specify the new subnet via RRAS, I don't want to delete and re-create the VPN Site to Site.
Y at - there anyone who can help please.
Thank you
Philippe
Hello
Your question is beyond the scope of this community.
I suggest that repost you on the Azure MSDN Forums:
https://social.msdn.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform
TechNet forums Azure:
https://social.technet.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform
TechNet Server forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
TechNet forums:
https://social.technet.Microsoft.com/forums/en-us/home
MSDN forums:
https://social.msdn.Microsoft.com/forums/en-us/home
See you soon.
-
SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel
Hi all.
I really need help on this one.
The office 1 installer running SBS2008 Office 2 running Server 2008.
Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.
Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.
Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.
Each firm has its own DNS server and acts as a domain controller
How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?
Is it so simple that the addition of another pool internal IP for each DNS server?
Thanks in advance for your help.
Hello
Your Question is beyond the scope of this community.
I suggest that repost you your question in the Forums of SBS.
https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver
"Windows Small Business Server 2011 Essentials online help"
https://msdn.Microsoft.com/en-us/library/home-client.aspx
TechNet Server forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
See you soon.
-
site to site vpn configuration
I have windows server with two sites in different locations and that you want to configure a site to site vpn, how to configure
Here is the Vista Forums.
http://TechNet.Microsoft.com/en-us/WindowsServer/default.aspx
Try server communities.
See you soon.
Mick Murphy - Microsoft partner
-
IPSec Site to Site VPN Solution needed?
Hi all
I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.
Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.
Could you please give me the solution how is that possible?
Concerning
Uzair Hussain
Hi uzair.infotech,
Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:
INFO - RITA - NIDA
You can check this guide that explains step by step how to configure grouping:
https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...
Hope this info helps!
Note If you help!
-JP-
-
SH running-config crypto
I have the following configuration, in order to create a site to site vpn which should not be changed in the configuration below.
Do I need to add new card crypto?
And what is the dynamic-map
I need to create new ipsec transform-set or can I use the existing?
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 remoteaccess
Crypto ipsec transform-set esp-3des esp-sha-hmac L2Lvpn ikev1
Crypto ipsec kilobytes of life - safety 999608000 association
Crypto ipsec pmtu aging infinite - the security association
Crypto-map dynamic Test 1 set pfs Group1
Crypto-map dynamic Test 1 set transform-set remoteaccess L2Lvpn ikev1
Crypto-map dynamic 1jeu reverse-Road Test
card crypto Test 1-isakmp ipsec dynamic test
Test interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = TestFW
Configure CRL
trustpool crypto ca policy
crypto isakmp identity address
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 10800
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 1800
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 1800
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
Thank you
Next step will be sending real traffic, or just run a package Tracker to ensure that traffic flows very well:
entry Packet-trace within the icmp 192.168.15.x 8 0 172.10.10.x detail
If all goes well, you should be good to go.
Hope this info helps!
Note If you help!
-JP-
-
Improve SA540 site to site VPN perforamce
Site has SA540: 50 M / 50 M DSL (country A) (15 users)
Site B SA540: 2 M / 520KB ADSL (country B) (10 users)
MTU: 1464 (Test on frame of ping)
We custom applications and server work on port 80 of services, it comes to legacy applications and need to call the java prompt back.
We do server on Site A and alos configuration port front of WAN custome application server.
I find the Site B use direct http services over the Wan just need 5-10 seconds to launch the applaciton
On the same machine, we use the site to site VPN to connect to the application, that it will take about 15 ~ 20 seconds or more, alos sometimes cannot load success via VPN enforcement, how can I improve it? Or participate in any suggestion that I have to pay?
Thank you
Hi yururuhgftdy, your vpn is only as good as the slowest connections. If you want to improve performance, update the connection from the other end.
-Tom
Please mark replied messages useful -
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
Remote monitoring Pix on IPSEC site to site VPN
I have a few 501 s PIX that connect through the VPN site-to site. We use Orion NPM and I can't add monitoring. I was able to add remote routers that connect through site-to-site VPNs. I guess that the rules of the Pix security/NAT prevent that. The configuration of the remote Pix is attached.
You need on the 2800...
access-list 131 permit ip host 172.16.30.19 24.172.234.126
-
Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.
I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.
.
The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).
.
A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?
.
I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?
.
Thank you.
UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.
The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.
-
SA520w routing through site-to-site VPN tunnels
I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.
A - the site 10.10.0.0/24
Site B - 10.0.0.0/24
Site of the C - 10.25.0.0/24
Any help is greatly appreciated.
So, that's what you have configured correctly?
RTR_A
||
_____________ || ___________
|| ||
RTR_B RTR_C
Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.
Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.
I hope this helps.
-
I've set up a site to site VPN and I can't seem to get the VPN filter works. I've followed this document:
http://www.Cisco.com/image/gif/paws/99103/PIX-ASA-VPN-filter.PDF
I created an ACL and created an ACE with only traffic I want to allow. Then, I went to the site to site group policy and apply this filter. However, I can still ping remote network from a customer who should not be allowed. Remote network is 192.168.2.0/24.Here is my partial config:
permit Test access extended list ip 192.168.2.0 255.255.255.0 192.168.1.2 host
Trying to deny a range ip extended access listGroup Policy internal Test
Test group policy attributes
value of VPN-Filter Testtunnel-group Test_tunnel type ipsec-l2l
attributes global-tunnel-group Test_tunnel
Group Policy - by default-TestHello
First of all I would like to clarify that the group name used for one site to the other tunnel tunnel must be the ip address of the host "at least for the tunnels l2l static" it's tunnel-g were you must apply this "Test" group policy, configuring the filter seems perfect, but you must make sure that you apply the strategy of Group accordingly. Now, once you apply group policy to the correct you have to bounce the tunnel tunnel-g otherwise the new filter will not take effect, you can use the command "erase the crypto ipsec his counterpart x.x.x.x" generate some traffic and bring up the tunnel is again he should have the filter.
If you apply correctly and bounce the tunnel it will work.
You can check if the filter is applied with the command "show vpn-sessiondb detail l2l" and find the name of the ACL
Best regards, please rate.
Maybe you are looking for
-
Can record data on a partition of time machine?
I am able to put things on a partition that is used for time machine without screwing something up? As the partition that has the "Backups.backupdb" folder which I assume has the stuff of time machine in it. Can I copy other files in the partition (b
-
So, today, I found this thing RPCNET software on my computer... Since its completely installed, fresh and without internet until the Symanctec was running... It must come from toshiba themselves. I read many things on this subject on the internet, se
-
Doesn't let me change the Cpu fan!
Hey guys,. My cpu hp craped out fan and I tried to buy another fan I removed the old an and replace now the new fan will only work 830 RPM compared to the former which took place in 1800 as soon as the computer I tired about three different fans, it
-
Cannot print on officejet 6500 E709a of computer network
Today I tried to reinstall my software to print several times and I still can't to the printer. "Print Test page fails." The printer itself works fine on the computer, it is connected to a USB key. It works very well in my second network computer whe
-
opener restoring default zip file
I downloaded the "zipfix_vista" registry repair and tried to merge following the instructions and just opened in Notepad. What I'm doing wrong or should do next? He recorded on my download folder and I right click their get the merge command.