Group default AP
Hi all
Recently, I got a new controller 5508 with a bunch of 3502i APs and make me all inclusive. First of all, I used autonomous APs in the past, and using the controller with LWAPs is by far a much easier approach. It's amazing to see how it is easy to provision a new AP, new SSID etc. I have it unboxed and was running within an hour. Anyway, I digress...
I noticed that when I create the SSID, they are all, by default, associated with the default AP group, and when a new access point is brought online, the default group is AP.
Is it possible to keep the points of group by default AP? I don't see any place where I can put a group I want to that they placed in. Is there some kind of authentication / filtering I can configure which will put APs in a different group? Or at least remove some SSID from the default group?
Thank you!
Hello
I can feel your happiness! It is how you explained by default 16 first SSID will sit in the group by default. To change this option, set a new AP group, and then select the access point you need! This will do the job!
Let me know if this naswered your question and please remember to note the useful messages!
Concerning
Surendra
Tags: Cisco Wireless
Similar Questions
-
Group - Here / global attributes required in ASA 9 + code for a Tunnel L2L?
Hi all
I have a core ASA that runs 8.04 code, IKE v1 only and do not have group policies for each tunnel IPSec individual L2L defined or applied under the tunnel groups. However, many of my ASA branch are code ASA 9 +. When I create a tunnel on a branch of 9 + ASA code in ASDM kernel ASA, ASA automatically configures group policy and apply it to the Group of the tunnel as a general attribute.
Question: If my heart ASA is not defined or applied to groups-tunnel group strategies, then is the group policy that is automatically created & applied on the branch of 9 + ASA code for this tunnel required? Or is it questionable because the other end is not configured/applied? If it is questionable, so I want to clean the ASA configs by removing Group Policy, but I assure you it's safe first.
Example:
Box office: Code 9 + ASA:
internal GroupPolicy_50.xxx.xx.190 group strategy
attributes of Group Policy GroupPolicy_50.xxx.xx.190
Ikev1 VPN-tunnel-Protocol
tunnel-group 50.xxx.xx.190 type ipsec-l2l
tunnel-group 50.xxx.xx.190 General-attributes
Group - default policy - GroupPolicy_50.xxx.xx.190
50.xxx.XX.190 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.Kernel: 8.04 Code ASA:
tunnel-group 12.xxx.xxx.178 type ipsec-l2l
12.xxx.xxx.178 group of tunnel ipsec-attributes
pre-shared-key *.You are required to have a site to site and RA VPN also group policy. However, if you do not set a group policy, the tunnel will default to the default group policy.
--
Please do not forget to select a correct answer and rate useful posts
-
Hello
I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:
Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:
% ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
% ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
% ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroupSo, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?
Please help me!
Kind regards
Fernando Aguirre
You can use the group certificate mapping feature to map to a specific group.
This is the configuration for your reference guide:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978
And here is the command for "map of crypto ca certificate": reference
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685
Hope that helps.
-
Work center buyer - group choice list for the application
Hi guru,.
Application of the R12.1.3 - purchase of Super user
I'm looking for the customization of the page self service in the center of work IN. buyer for update of the application.
I wanted to list/LOV Group by choice in the requisition page self-service request header to default to "Commandeer" rather "Default".
I have not found this page self-service customization option. A body can help me in this how he requisitioned default.
Thanks in advance...
Published by: user8822881 on 24 Sep 2012 06:22Hello
You must do by profile option settings.
Configure the profile option "PO: requisition Grouping Default ' to 'Request' at the level of the site.
You have two options - "Default" and "commandeer".
Thank you
PS.
-
Requisition AutoCreate IN. - default pool
When you find some PORs and then go to the automatic creation screen, someone knows how to do grouping displayed "Requisition" instead of "Grouping" as its default setting
I see a system profile option "PO: requisition Grouping Default", but guess this refers only to imports, as I have changed this setting to 'Request', but it still shows "grouping".
Is not a big problem because it can obviously be changed manually, but with the volume of POs create our buyers, it would be much easier if they did not have to do it every time
A help much appreciated
JLCreate a customization a time new form instance.
Do not fill the condition
In action, set the VALUE of the ACTION property. GROUPING_METHOD to the REQUISITION.
Who's going to do.Hope that answers your question
Sandeep Gandhi
OMKAR Technologies Inc.
Techno-Functional consultant
513-325-9026. -
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
We have added a new server running 5.2 and from 3.3 RADIUS.
I lose router access when you remove the old server IP info and orders AAA? The router is out of State and do not want to lose the access while making these changes.
Example of config:
Ganymede old router config:
AAA new-model
AAA authentication login default group Ganymede + local
AAA authentication login console_line local
authorization AAA console
AAA authorization config-commands
AAA authorization exec default group Ganymede + authenticated if
AAA authorization commands 0 default group Ganymede + local
AAA authorization commands 1 default group Ganymede + local
AAA authorization commands 15 default group Ganymede + local
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
!
AAA - the id of the joint session
Ganymede IP source-interface Loopback0
radius-server host 10.1.1.31
radius-server host 10.2.1.9
RADIUS-server application made
RADIUS-server key 7 0835185A5C1053051D080717
New configuration of router Ganymede (currently)
AAA new-model
!
!
AAA server Ganymede group + TTI_ACS_GROUP
Server 10.1.1.253
Server 10.1.1.252
Ganymede IP source-interface GigabitEthernet0/0
!
Group AAA authentication login TTI_ACS_GROUP default
the AAA authentication enable default group TTI_ACS_GROUP
Group default AAA authorization exec if authenticated TTI_ACS_GROUP
!
Ganymede IP source-interface Loopback0
radius-server host 10.1.1.253
radius-server host 10.1.1.252
RADIUS-server application made
RADIUS-server t4t5i6rocks key
Thank you!
-Nick C.
We have improved some time ago to ACS 4.2 to 5.3, I kept the router config to pretty much the same, and had a key to the Ganymede even server for all, so just added new hosts of Ganymede in the existing configuration server and then off the old server, everything was good.
don't forget if you are worried about losing the connection and then the "reload in 005" is always good to do before making any changes so if you do a config that is not loved and you lose the connection that the router will reload and as not saved config arrived with working config. "."
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
I searched through some configurations of sample trying to get a better grip on the authorization. I need help to understand how the following lines.
Group default AAA authorization exec network no
Group by default 15 AAA authorization network command no
Secure group 15 AAA-authorization-controls network no
Thanks in advance for any help you can give.
Scott
default AAA authorization exec network group none tells the router to use the authorization for the exec process (essentially is the user allowed to run exec processes). The is the default authorization exec method. The main method is to go to a group identified as network. I expect that the router config identified one or more servers (radius or GANYMEDE) in the group called network. If there is no response from the servers in the network group there is no backup for the authorization method.
AAA authorization commands by default 15 network group none tells the router to use the authorization for level 15 orders (orders in privilege mode). This line sets the default permission for these commands. The router will use the network group to identify the servers that can authorize these orders. If there is no response from server there is no backup method of approval.
sure 15 AAA authorization commands group network none tells the router to use the authorization for level 15 orders (orders in privilege mode). This line defines an alternative to the default method. There must be something in the config of the router on some lines (probably the vty lines) that says secure authorization. Like other orders, this one tells the router to use the servers defined in the netgroup do authorization and if there is no response from server there is no backup method.
Comment I'd have is related to any parameter, which explains that each order authorization has no backup method. I think it's a little dangerous. If there was a situation where you have lost communication with the server you could basically be locked on the router because it would not be something that could allow access. When I configure permission on routers for guests, I usually use the authenticated case backup method that says that if the router cannot allow with the server to allow access if the user has been properly authenticated (which could be through line passwords, or definitions in a local user database).
So to sum up, the first line indicates the router to check the permission when any user tries to start an exec session.
The second line shows the router to check the permission when a user tries to use a command to level 15.
The third line is a more specific version of the second. For some specific lines on the router, where the second is for another with a session on the router any line, they are logically associated.
HTH
Rick
-
ASA 5505. VPN Site-to-Site does not connect!
Hello!
Already more than a week there, as we had a new channel of communication of MGTSa (Ontario terminal Sercomm RV6688BCM, who barely made in the 'bridge' - had to do the provider in order to receive our white Cisco Ip address), and now I train as well more that one week to raise between our IKEv1 IPsec Site-to-Site VPN tunnel closes offices.
Configurable and use the wizard in ASDM and handles in the CLI, the result of a year, the connection does not rise.
Cisco version 9.2 (2), the image of the Cisco asa922 - k8.bin, Security Plus license version, version 7.2 AMPS (2).
What I'll never know...
Debugging and complete configuration enclose below.
Help, which can follow any responses, please! I was completely exhausted!Config:
Output of the command: "sh run".
: Saved
:
: Serial: XXXXXXXXXXXX
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (2)
!
hostname door-71
activate the encrypted password of F6OJ0GOws7WHxeql
names of
IP local pool vpnpool 10.1.72.100 - 10.1.72.120 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.72.254 255.255.255.0
!
interface Vlan2
nameif outside_mgts
security-level 0
62.112.100.R1 255.255.255.252 IP address
!
passive FTP mode
clock timezone 3 MSK/MSD
clock to DST MSK/MDD recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group MGTS
Server name 195.34.31.50
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NET72 object
10.1.72.0 subnet 255.255.255.0
network object obj - 0.0.0.0
host 0.0.0.0
network of the Nafanya object
Home 10.1.72.5
network object obj - 10.1.72.0
10.1.72.0 subnet 255.255.255.0
network of the NET61 object
10.1.61.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.96_27 object
subnet 10.1.72.96 255.255.255.224
network of the NETT72 object
10.1.72.0 subnet 255.255.255.0
network of the NET30 object
10.1.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.0_24 object
10.1.72.0 subnet 255.255.255.0
object-group service OG INET
the purpose of the echo icmp message service
response to echo icmp service object
service-object icmp traceroute
service-object unreachable icmp
service-purpose tcp - udp destination eq echo
the DM_INLINE_NETWORK_1 object-group network
network-object NET30
network-object, object NET72
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in extended access list permit ip object NET72 object-group DM_INLINE_NETWORK_1
access extensive list ip 10.1.72.0 inside_access_in allow 255.255.255.0 any
inside_access_in extended access list permit ip object Nafanya any idle state
inside_access_in list extended access allowed object-group OG INET an entire
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access deny ip any alerts on any newspaper
outside_mgts_access_in list extended access allowed object-group OG INET an entire
outside_mgts_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_mgts_access_in list extended access deny ip any alerts on any newspaper
access extensive list ip 10.1.72.0 outside_mgts_cryptomap allow 255.255.255.0 object NET61
VPN-ST_splitTunnelAcl permit 10.1.72.0 access list standard 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
outside_mgts MTU 1500
IP check path reverse interface outside_mgts
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside outside_mgts) static source NET72 NET72 NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 non-proxy-arp-search of route static destination
NAT (inside outside_mgts) static source NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 NET61 NET61 non-proxy-arp-search of route static destination
!
network obj_any object
NAT (inside outside_mgts) dynamic obj - 0.0.0.0
network of the NET72 object
NAT (inside outside_mgts) interface dynamic dns
inside_access_in access to the interface inside group
Access-group outside_mgts_access_in in the outside_mgts interface
Route 0.0.0.0 outside_mgts 0.0.0.0 62.112.100.R 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 10.1.72.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
card crypto outside_mgts_map 1 match address outside_mgts_cryptomap
card crypto outside_mgts_map 1 set pfs Group1
peer set card crypto outside_mgts_map 1 91.188.180.42
card crypto outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_mgts_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto outside_mgts_map interface outside_mgts
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
E-mail [email protected] / * /
name of the object CN = door-71
Serial number
IP address 62.112.100.42
Proxy-loc-transmitter
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
registration auto
ASDM_TrustPoint1 key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint0 certificates
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d 010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d 1964
60ae26ec 5f300d06 092 has 8648 01050500 03820101 00448753 7baa5c77 86f70d01
62857b 65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a 82781 44493217 and 38097952 d 003 5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c 024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df db835d76 98ffdb2b 8c8ab915 193b 8167
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit smoking
string encryption ca ASDM_TrustPoint1 certificates
certificate a39a2b54
3082025f 30820377 a0030201 020204 has 3 9a2b5430 0d06092a 864886f7 0d 010105
0500304 06035504 03130767 36313137 30120603 55040513 6174652d 3110300e b
c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
14bdb207 7dd790a4 0cd 70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f a 362973, 0 88de3272
9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
0001 has 363 3061300f 0603551d 130101ff 0101ff30 04053003 0e060355 1d0f0101
ff040403 1f060355 02018630 230418 30168014 0cea70bf 0d0e0c4b eb34a0b1 1 d
8242 has 549 0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182 301D 5183ccf9
42a 54951 010105 05000382 0101004e 7bfe054a 0d 864886f7 0d06092a 83ccf930
d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 2a97333b 96077966 05a8e9ef
bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
9aaeae21 a629ccc6 3c79200b b9a89b08 bf38afb6 ea56b957 4430f692 a 4745, 411
34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
ebd4dccd df93c17e deceb796 f268abf1 881409b 5 89183841 f484f0e7 bd5f7b69
ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
quit smoking
crypto isakmp identity address
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate outside_mgts port 443 customer service
Crypto ikev2 access remote trustpoint ASDM_TrustPoint0
Crypto ikev1 allow inside
Crypto ikev1 enable outside_mgts
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
without ssh stricthostkeycheck
SSH 10.1.72.0 255.255.255.0 inside
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
vpnclient Server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
VPN - L2L vpnclient vpngroup password *.
vpnclient username aradetskayaL password *.
dhcpd auto_config outside_mgts
!
dhcpd update dns replace all two interface inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust ASDM_TrustPoint0 inside point
SSL-trust ASDM_TrustPoint0 outside_mgts point
WebVPN
Select outside_mgts
internal GroupPolicy_91.188.180.X group strategy
attributes of Group Policy GroupPolicy_91.188.180.X
Ikev1 VPN-tunnel-Protocol
internal group VPN - ST strategy
attributes of group VPN - ST policy
value of 195.34.31.50 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN-ST_splitTunnelAcl
by default no
aradetskayaL encrypted HR3qeva85hzXT6KK privilege 15 password username
tunnel-group 91.188.180.X type ipsec-l2l
attributes global-tunnel-group 91.188.180.X
Group - default policy - GroupPolicy_91.188.180.42
IPSec-attributes tunnel-group 91.188.180.X
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
remote access to tunnel-group VPN - ST type
VPN-general ST-attributes tunnel-group
address vpnpool pool
Group Policy - by default-VPN-ST
tunnel-group ipsec VPN ST-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: enddoor-71 # sh crypto ikev1 hisThere are no SAs IKEv1
door-71 # sh crypto ikev2 hisThere are no SAs IKEv2
door-71 # sh crypto ipsec his
There is no ipsec security associationsdoor-71 # sh crypto isakmpThere are no SAs IKEv1
There are no SAs IKEv2
Global statistics IKEv1
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Notifys: 0
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 0
Package: 0
Fall packages: 0
NOTIFYs out: 0
Exchanges of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 0
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0IKEV1 statistics for Admission appeals
In negotiating SAs Max: 25
In negotiating SAs: 0
In negotiating SAs Highwater: 0
In negotiating SAs rejected: 0Global statistics IKEv2
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Fragments of fall: 0
In Notifys: 0
In Exchange for the P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
In IPSEC delete: 0
In delete IKE: 0
Bytes: 0
Package: 0
Fall packages: 0
Fragments of fall: 0
NOTIFYs out: 0
Exchange of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
On IPSEC delete: 0
The IKE Delete: 0
Locally launched sAs: 0
Locally launched sAs failed: 0
SAs remotely initiated: 0
SAs remotely initiated failed: 0
System capacity: 0
Authentication failures: 0
Decrypt failures: 0
Hash failures: 0
Invalid SPI: 0
In the Configs: 0
Configs: 0
In the Configs rejects: 0
Configs rejects: 0
Previous Tunnels: 0
Previous Tunnels wraps: 0
In the DPD Messages: 0
The DPD Messages: 0
The NAT KeepAlive: 0
IKE recomposition launched locally: 0
IKE returned to the remote initiated key: 0
Generate a new key CHILD initiated locally: 0
CHILD given to the remote initiated key: 0IKEV2 statistics for Admission appeals
Max active SAs: no limit
Max in negotiating SAs: 50
Challenge cookie line: never
Active sAs: 0
In negotiating SAs: 0
Incoming requests: 0
Accepted incoming requests: 0
A rejected incoming requests: 0
Out of requests: 0
Out of the applications accepted: 0
The outgoing rejected requests: 0
A rejected queries: 0
Rejected at the SA: 0 Max limit
Rejected low resources: 0
Rejected the current reboot: 0
Challenges of cookie: 0
Cookies transmitted challenges: 0
Challenges of cookie failed: 0IKEv1 global IPSec over TCP statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Incoming packets: 0
Inbound packets ignored: 0
Outgoing packets: 0
Outbound packets ignored: 0
The RST packets: 0
Heartbeat Recevied ACK packets: 0
Bad headers: 0
Bad trailers: 0
Chess timer: 0
Checksum errors: 0
Internal error: 0door-71 # sh statistical protocol all cryptographic
[Statistics IKEv1]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics IKEv2]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[IPsec statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[SSL statistics]
Encrypt packets of queries: 19331
Encapsulate packets of queries: 19331
Decrypt packets of queries: 437
Package requests decapsulating: 437
HMAC calculation queries: 19768
ITS creation queries: 178
SA asked to generate a new key: 0
Requests to remove SA: 176
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistical SSH are not taken in charge]
[Statistics SRTP]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 6238
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of queries random generation: 76
Failure of queries: 9door-71 # sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Configured for the production of a self-signed certificate.Trustpoint ASDM_TrustPoint1:
Configured for the production of a self-signed certificate.If you need something more, then spread!
Please explain why it is that I don't want to work?Hello
When the IPSEC tunnel does not come to the top, the first thing comes to my mind is to run a tracer of package from the CLI and the phases in it. Please run this command from your firewall side and share the output. I've just compiled this command with the random ip address and ports of your given range.
Packet-trace entry inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed
Best regards
Amandine
-
AAA GANYMEDE + accounting - CLI question by user not appear in the report of the ACS.
Can I know why CLI cancelled by the user does not show on GANYMEDE ACS accounting report. The length of time is displayed, but I also wanted to connect what is the commands issued by the user.
WHA is missing here?
enable AAA authentication login VTY P1_ACS local group
Group default AAA authorization exec local P1_ACS authenticated by FIS
AAA authorization exec CONSOLE none
AAA exec by default start-stop accounting P1_ACS group
AAA commands 5 default start-stop accounting P1_ACS group
AAA commands 15 arrhythmic default accounting P1_ACS group
Accounting logs command is stroed in the newspapers of the administration of Ganymede.
There is also a known issue on ver 4.1.1 and we must
apply the ACS 4.1.1.23.5 patch to fix the problem.
Patch for the unit is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
Acs hotfix for windows is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
Dear all,
I have two servers and ACS 4.2, main one installed on each of them is well configured and all AAA clients authenticated successfully from it, also of database replication works very well between two servers, the question is when the primary one goes down the AAA clients not authenticated that secondary.
Here is the configuration on all devices:
AAA new-model
!
!
AAA server Ganymede group + CISCO
192.168.2.100 Server
192.168.2.101 Server
!
Group AAA authentication login default local CISCO
Group default CISCO AAA authorization authenticated by FIS
!
!
5. host 192.168.2.100 GANYMEDE-server timeout key
5. host 192.168.2.101 GANYMEDE-server timeout key
!
line vty 0 15by default the authentication of connection
!
Hi Hassan,.
Since you're using the Ganymede group +, no need for the lines below.
5. host 192.168.2.100 GANYMEDE-server timeout key
5. host 192.168.2.101 GANYMEDE-server timeout keyAnother option to make sure that your secondary acs works fine, you can delete the primary acs from your definition of ACS group.
HTH
Kind regards
Chris
-
Hi, please I need a help.
I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.
But I could not send pkts on this VPN.
My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network
==========================
FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
address of the peers: 177.154.83.34
Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
current_peer: 177.154.83.34#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 1local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: C1A13463
current inbound SPI: 5B6B0EABSAS of the esp on arrival:
SPI: 0x5B6B0EAB (1533742763)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 9179136, crypto-card: outside_map0
calendar of his: service life remaining key (s): 858
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC1A13463 (3248567395)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 9179136, crypto-card: outside_map0
calendar of his: service life remaining key (s): 858
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001===========================
Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoorsPhase: 2
Type: ACCESS-LIST
Subtype:
Result: DECLINE
Config:
Implicit rule
Additional information:Result:
input interface: outdoors
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule===============================
FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
outside_map0 card crypto 4 peers set 177.154.83.34
internal GroupPolicy_177.154.83.34 group strategy
attributes of Group Policy GroupPolicy_177.154.83.34
tunnel-group 177.154.83.34 type ipsec-l2l
tunnel-group 177.154.83.34 general-attributes
Group - default policy - GroupPolicy_177.154.83.34
IPSec-attributes tunnel-group 177.154.83.34==============================
FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
network 172.31.2.2_32 object
Home 172.31.2.2
access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itineraryso you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.
the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.
-
ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)
Hi-
We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).Networks:
Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)See details below on our config:
SH run card cry
card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposaloutside_map interface card crypto outside
Note:
Getting to hit numbers below on rules/ACL...SH-access list. I have 54.0
permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671SH run | I have access-group
Access-group outside_access_out outside interfaceNOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...HS cry his ikev1
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 21 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVESH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.SH run | I have political ikev1
ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interfaceNOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 msDetermination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPSEC tunnel check - seems OK?
SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXXoutside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBBSAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...
SH cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)
SH cap A2
42 packets captured
1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request--> Package trace on 5512 does no problem... but we cannot ping from host to host?
entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc...
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statInformation for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statResult:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?
Destination - initiator:
entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).Please let us know what other details we can provide to help solve, thanks for any help in advance.
-SP
Well, I think it is a NAT ordering the issue.
Basically as static and this NAT rule-
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.
To check just run a 'sh nat"and this will show you what order everthing is in.
The ASA is working its way through the sections.
You also have this-
NAT source auto after (indoor, outdoor) dynamic one interface
which does the same thing as first statement but is in section 3, it is never used.
If you do one of two things-
(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line
or
(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.
It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.
The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).
Then you can simply try to rearrange so your static NAT is above it just to see if it works.
Just in case you want to see the document here is the link-
Jon
-
Problem of static-dynamic ASA5505 L2L
The two ASA5505 using version 9.2.3 tried ikev1 and ikev2, it worked before, but I don't know what the problem is now...
I can read dynamic end tunnel ASA (default behavior), I mean that I have to ping asa (DynASA (config) # ping inside the 172.22.82.5).
When I try to ping resources or access for all clients behind DynamicASA to StaticASA, it appears in the log:
6 June 25, 2015 21:40:50 302020 192.168.11.7 1 172.22.22.21 0 Built of outbound ICMP connection for faddr gaddr laddr 192.168.11.7/1 88.114.6.163/1 172.22.82.21/0 After the tunnel is mounted I can connect clients behind StaticASA to resources behind DynamicASA, but not the other way around (clients behind DynamicASA behind StaticASA, a little two-way remedies does not?)
I tried with DefaultL2L and DYNL2L-policies and both work in a sense...
StaticASA config
interface Vlan1
nameif outside
security-level 0
IP 1.2.3.4 address 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
IP 172.22.22.1 255.255.255.0
!network of the ASA2_LAN object
subnet 192.168.11.0 255.255.255.0
network of the ASA1_LAN object
172.22.22.0 subnet 255.255.255.0access-list tunneli-ASA2 allowed extended ip ASA1_LAN object ASA2_LAN
NAT (inside, outside) static source ASA1_LAN ASA1_LAN ASA2_LAN ASA2_LAN non-proxy-arp-search of route static destinationDynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA trans1 ikev1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 ipsec-proposal
Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road
DYNL2L-ASA2 4 crypto dynamic-map correspondence address tunneli-ASA2
Crypto dynamic-map DYNL2L-ASA2 4 set transform-set ESP-AES-256-SHA ikev1
Crypto dynamic-map DYNL2L-ASA2 4 set DYNL2L VPN-ipsec-ikev2 proposal
Crypto dynamic-map DYNL2L-ASA2 4 the value reverse-road
card crypto OUTSIDE_MAP 65534-isakmp dynamic ipsec DYNL2L-ASA2
card crypto OUTSIDE_MAP 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
OUTSIDE_MAP interface card crypto outside
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAPinternal GroupPolicy_ASA2 group strategy
attributes of Group Policy GroupPolicy_ASA2
VPN-tunnel-Protocol ikev1, ikev2IPSec-attributes tunnel-group DefaultL2LGroup
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.IPSec-l2l type tunnel-group DYNL2L-ASA2
attributes global-tunnel-group DYNL2L-ASA2
Group Policy - by default-GroupPolicy_ASA2
IPSec-attributes tunnel-group DYNL2L-ASA2
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.DynamicASA config
interface Vlan1
nameif inside
security-level 100
192.168.11.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroutenetwork of the ASA1_LAN object
172.22.22.0 subnet 255.255.255.0
network of the ASA2_LAN object
subnet 192.168.11.0 255.255.255.0access-list tunneli-ASA1 allowed extended ip ASA2_LAN object ASA1_LAN
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source ASA2_LAN ASA2_LAN ASA1_LAN ASA1_LAN non-proxy-arp-search of route static destinationcard crypto mymap 10 correspondence address tunneli-ASA1
card crypto mymap 10 peer set 1.2.3.4
card crypto mymap 10 set transform-set ESP-AES-256-SHA ikev1
card crypto mymap 10 set ikev2 AES256 AES192 AES OF DYNL2L-VPN-3DES ipsec-proposal
crypto mymap 10 card value reverse-roadinternal GroupPolicy_1.2.3.4 group strategy
attributes of Group Policy GroupPolicy_1.2.3.4
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 General attributes
Group - default policy - GroupPolicy_1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!WBR,
Mr.O
Hello
Looks like you have dynamic nat above static nat exempt on-side dynamic IP ASA
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source ASA2_LAN ASA2_LAN ASA1_LAN ASA1_LAN non-proxy-arp-search of route static destinationchange the order to move the static nat over the dynamic nat
no nat source (indoor, outdoor) public static ASA2_LAN ASA2_LAN ASA1_LAN ASA1_LAN non-proxy-arp-search of route static destination
NAT (inside, outside) 1 static source ASA2_LAN ASA2_LAN ASA1_LAN ASA1_LAN non-proxy-arp-search of route static destination
HTH
Averroès.
Maybe you are looking for
-
How to delete a playlist from the iphone 6
How to delete a playlist from the iphone 6
-
Renaming of mouse and wireless keyboard
I bought a used A1314 and Magic Mouse apple wireless keyboard to use with a Power Mac G5. Both are discoverable and paired and working very well but when I go into the preferences system and then select keyboard and mouse in the status area that open
-
Cannot remove iCloud backup of my old iphone
I upgraded from an iPhone 4 to a 6 s iPhone yesterday. Activation and downloading my settings and applications from the iCloud went perfectly. I am now trying to delete the backup of the iPhone 4 on the iCloud, so I can have enough space to save my i
-
Bug when I press the < TAB > key
How to reproduce this bug: In new VI, create a Boolean value and control on a tab on the front panel control. On the block diagram-> insert this control in while loop. Right click-> properties-> navigation key boolean Control-> click on "ignore this
-
I recently bought a new PC which has Vista 64-bit home premium on it. I'm having a problem changing the default program for DVD playback. Although the program is installed and I want to watch DVDs, I have to do it manually every time. When I try t