Help! My 2691xm router is deaf to ISAKMP
Hello.
I'm trying to implement a DMVPN.
The configuration is the following:
1751 v is a talking - c1700-advsecurityk9 - mz.124 - 15.T14.bin
2691xm is a hub - c2691-advsecurityk9 - mz.124 - 15.T14.bin
As I said in the title, the 2691xm of my clients router is deaf to ISAKMP. It is configured as a hub for DMVPN and does not show that it receives all the VPN-based. 1751-V is, however, very noisy sends many IKE requests to the 2691xm.
I did the maintenance of 1751-V my home 1751-V with a slightly modified version of config of the 2691xm without any problems. I do not have access through the VPN quite yet, but at least they got by ISAKMP.
I activated 'debug dmvpn all' and 'term MON", but I get NO output from the 2691xm.
I also get nothing of ""isakmp crypto to show his'. "
I thought that the traffic may be blocked by the ISP. I called and asked, and it's not.
I thought that the traffic could be stopped at the firewall, so I put the ports concerned to save the traffic as evidenced by the next batter.
Router-1 #show access-list INTERNET_IN
Expand the IP INTERNET_IN access list
...
70 permit udp any any newspaper of isakmp eq (2576 matches)
80 allow accord any any newspaper
90 permits esp all any newspaper
...
So I 'm getting the traffic through the router, but my router is not react?
Below are excerpts from relevant configs.
HUBS:
Internet: int fa0/1 - T1 w / static IP via ethernet
LAN: int fa0/0 - lan 192.168.20.1
IP multicast routing
!
crypto ISAKMP policy 100
BA aes 256
preshared authentication
Group 2
lifetime 28800
!
key ABCD address 0.0.0.0 crypto ISAKMP xauth No.
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRANSFORM_1
!
Profile of crypto ipsec PROFILE_1
define security-association life seconds 600
transformation-TRANSFORM_1 game
PFS group2 Set
!
interface Tunnel0
IP pim sparse-mod
bandwidth 1536
IP 10.0.20.20 255.255.255.0
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source fa0/1
multipoint gre tunnel mode
Tunnel PROFILE_1 ipsec protection profile
dynamic multicast of IP PNDH map
PNDH network IP-20 id
property intellectual PNDH holdtime 600
property intellectual PNDH authentication ABCD duration of maintaining ip eigrp 1 35
no ip next-hop-self eigrp 1
no ip split horizon eigrp 1
!
Router eigrp 1
Network 10.0.20.0 0.0.0.255
network 192.168.20.0 0.0.0.255
No Auto-resume
!
NAT_TRAFFIC extended IP access list
deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
ip licensing 192.168.20.0 0.0.0.255 any
SHEEP allowed 10 route map
corresponds to the IP NAT_TRAFFIC
IP nat inside source map route SHEEP interface fa0/1 overload
SPEAKS:
Internet: int dialer0 - DSL, PPPoE, DHCP
LAN: int vlan0 - 192.168.22.1
IP multicast routing
!
crypto ISAKMP policy 100
BA aes 256
preshared authentication
Group 2
lifetime 28800
key ABCD address 0.0.0.0 crypto ISAKMP xauth No.
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRANSFORM_1
!
Profile of crypto ipsec PROFILE_1
define security-association life seconds 600
transformation-TRANSFORM_1 game
PFS group2 Set
!
interface Tunnel0
IP pim sparse-mod
bandwidth 1536
IP 10.0.20.22 255.255.255.0
IP 1400 MTU
IP tcp adjust-mss 1360
tunnel source d0
multipoint gre tunnel mode
Tunnel PROFILE_1 ipsec protection profile
property intellectual PNDH card 10.0.20.20 2691_WAN_IP
map of PNDH IP multicast 2691_WAN_IP
PNDH network IP-20 id
property intellectual PNDH holdtime 600
property intellectual PNDH nhs 10.0.20.20
property intellectual PNDH authentication ABCD duration of maintaining ip eigrp 1 35
no ip next-hop-self eigrp 1
no ip split horizon eigrp 1
!
Router eigrp 1
Network 10.0.20.0 0.0.0.255
network 192.168.22.0 0.0.0.255
No Auto-resume
connected EIGRP stub
!
NAT_TRAFFIC extended IP access list
deny ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
IP 192.168.22.0 allow 0.0.0.255 any
SHEEP allowed 10 route map
corresponds to the IP NAT_TRAFFIC
!
IP nat inside source overload map route SHEEP interface Dialer0
!
As I said earlier, 2691xm DO NOT REACT. Only thing I've been able to determine is the router didn't IS NOT block traffic on port UDP 500.
Here's some output from 1751-v (router spoke).
ISAKMP: define the new node 0 to QM_IDLE
ISAKMP: (0): SA is still budding. Attached new request ipsec. (local 1751_WAN_IP, distance 2691_WAN_IP)
ISAKMP: Error processing SA asks: could not initialize SA
ISAKMP: Error while processing message KMI 0, error 2.
ISAKMP: (0): transmit phase 1 MM_NO_STATE...
ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
Router-1 isakmp crypto #show her
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
2691_WAN_IP 1751_WAN_IP MM_NO_STATE 0 0 ACTIVE
2691_WAN_IP1751_WAN_IP MM_NO_STATE 0 0 ACTIVE (deleted )
1751-v works with an another 1751-v (to some extent), but not the 2691xm I need to work with.
Please help because it drives me CRAZY!
I would appreciate ANY suggestions/comments/critisicms/assumptions/applications / ANYTHING!
-Vittorio
No crypto card means theres some sort of problem on the hub with config - try the following:
term Lun
Crypto debugging socket
protection of tunnel of debugging
conf t
opening of session
LUN debug logging
int tunnel0
close
No ipsec protection PROFILE_1 tunnel profile
Tunnel PROFILE_1 ipsec protection profile
No tap
See if that gives us all debugs.
Tags: Cisco Security
Similar Questions
-
Need help installing BEFSR41 router
Hello
I need some help configure a router BEFSR41, that I bought recently. A year ago, I got a WRT54GS router and was able to set it up to my Siemens modem DSL 4100 b without any problem. (Maybe I was just lucky before when I set up the wireless router) Now I have misery BEFSR41 to work. I tried to replace my BEFSR41 in the same position as my WRT54GS by using the same configuration. I'm reproducing the setting on my WRT54GS BEFSR41 router to the wired connection. I took the "Automatic Configuration - DHCP" on my WRT54GS, so on the BEFSR41, I choose "obtain an IP address automatically". I also activate local DHCP server from 192.168.1.100. This should configure the BEFSR41 as WRT54GS, right? But I couldn't get on the internet using BEFSR41 with this configuration.
I checked the routing table for the two router see if it makes a difference and noticed that the only thing different is that the routing table for BEFSR41, the fields of the gateway is 0.0.0.0, but they have correct values on my WRT54GS.
Another difference between the two routers is that on the screen of my WRT54GS State, he showed entry 192.168.0.1 DNS1 and DNS2 and DNS3 entries are empty. On the State of BEFSR41 screen, it showed DNS1 as 192.168.0.1, then he repeats DNS1 as 192.168.0.1, and finally another DNS1 entry is empty. How important is it that on the status of the BEFSR41 display, is to show field DNS1 3 times? (instead of DNS3 DNS1, DNS2)
Thanks in advance for any help.
I suspect that the reason the 4100 and the BEFSR41 do not play well together is that both of them use the proxy DNS servers. DNS proxy on the BEFSR41 servers run 192.168.1.1 and the DNS proxy on the 4100 servers run 192.168.0.1. My bet is that "double proxy servers" are simply not passing addresses correctly.
As to why the 4100 b works with your old router, but not with your most recent router, I'm not sure. Is your 4100 several years old? Often old modems work with older routers, but not with the newer routers.
I think that it is best to place your 4100 b in Bridge mode. It would like to convert it to a real modem. It therefore would not have an IP address, or make your PPPoE connection. This would be "Not used PPPoE" (on the modem).
Your BEFSR41 would have to be configured to your PPPoE connection.
-
need help with wifi router & ipos touch 5
Hi pretty new to this, bought an ipod touch 5, said I need wifi, buy a mofinetwork 3G Router wants to connect my ipod to itunes store continues by saying that I am not connected, but my computer shows me that I am, also keep getting a message to trouble shoot is as follows-Windows could not automatically detect this proxy networks , detected a settings (image of a triangle of yellow color with a slash in the Center)?, also when I go to my Control Panel Setup-devices & systems my computer is constantly with the symbol of the triangle warning sign on this also when I connest to the symbol of mofinetwork there is the same symbol?, please help crazy me
Hello
"you want to connect my ipod to itunes store".
iPod is Apple hardware and iTunes is a software from Apple.
Contact Apple support for help on this issue.
See you soon.
-
Need help Configureing Netgear router so I can connect to Playstation Network.
My playstation 3 says "Failure of Type NAT" and will not sign into the playstation network. I have a router Netgrear that connect PS3 to Internet, but times out when you try to connect to the PS network. How can I configure the router? I use a wired connection.
Hello
I suggest you to contact the manufacturer of the playstation for assistance on this issue.
Thanks and greetings
Umesh P - Microsoft technical support.Visit our Microsoft answers feedback Forum and let us know what you think.
[If this post can help solve your problem, please click the 'Mark as answer' or 'Useful' at the top of this message.] [Marking a post as answer, or relatively useful, you help others find the answer more quickly.] -
Help! Static route between two router WRT160NL
Hi all
I have my internet connection to connect to my main router from Linksys WRT160NL (192.168.1.1) with 192.168.1.x.
My 2nd Linksys router to connect to the first gateway as well.
The 2nd router has the ip 192.168.1.100 WAN and it's a local subnet as 192.168.2.x.My 192.168.2.x machines can access the internet and connect to all the machines in the network 192.168.1.x.
However, the 1.x network cannot access the machines on the network of the 2. And because of that, I can't share or print between two networks.
I try to add static routes on my main router (192.168.1.1) with the road: 192.168.2.0 mask 255.255.255.0 and default gateway 192.168.1.100
However, the road does not work yet.
in any case to ensure that the 1.x network able to access the network 2.x and 2.x access 1.x file and print sharing.
Thanks for your help!
Gateway of the router does NAT who made the side inaccessible side LAN WAN, unless you configure port forwarding automatic or similar. If she would not make your LAN 192.168.1 would be accessible from the internet. Static routing will not change that.
You will need to disable NAT (aka switch to router mode) on the second router. You must configure a static route on the main router then. However, most likely your network 192.168.2 * will not have Internet more because the main router will NAT for 192.168.1. * and no 192.168.2. *.
If possible set up the second router as access point only and run a LAN.
-
Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN
Hi all
I was looking around and I can't find the command 'crypto isakmp policy' on this router Cisco 1941. I wanted to just a regular Lan IPSEC to surprise and Lan installation tunnel, the command isn't here. Have I not IOS bad? I thought that a picture of K9 would do the trick.
Any suggestions are appreciated
That's what I get:
Router (config) #crypto?
CA Certification Authority
main activities key long-term
public key PKI componentsSEE THE WORM
Cisco IOS software, software C1900 (C1900-UNIVERSALK9-M), Version 15.0 (1) M2, VERSION of the SOFTWARE (fc2)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Updated Thursday, March 10, 10 22:27 by prod_rel_teamROM: System Bootstrap, Version 15.0 M6 (1r), RELEASE SOFTWARE (fc1)
The availability of router is 52 minutes
System returned to ROM by reload at 02:43:40 UTC Thursday, April 21, 2011
System image file is "flash0:c1900 - universalk9-mz.» Spa. 150 - 1.M2.bin.
Last reload type: normal charging
Reload last reason: reload commandThis product contains cryptographic features...
Cisco CISCO1941/K9 (revision 1.0) with 487424K / 36864K bytes of memory.
Card processor ID FTX142281F4
2 gigabit Ethernet interfaces
2 interfaces Serial (sync/async)
Configuration of DRAM is 64 bits wide with disabled parity.
255K bytes of non-volatile configuration memory.
254464K bytes of system CompactFlash ATA 0 (read/write)License info:
License IDU:
-------------------------------------------------
Device SN # PID
-------------------------------------------------
* 0 FTX142281F4 CISCO1941/K9Technology for the Module package license information: "c1900".
----------------------------------------------------------------
Technology-technology-package technology
Course Type next reboot
-----------------------------------------------------------------
IPBase ipbasek9 ipbasek9 Permanent
security, none none none
given none none noneConfiguration register is 0 x 2102
You need get the license of security feature to configure the IPSec VPN.
Currently, you have 'none' for the security feature:
----------------------------------------------------------------
Technology-technology-package technology
Course Type next reboot
-----------------------------------------------------------------
IPBase ipbasek9 ipbasek9 Permanent
security, none none none
given none none noneHere is the information about the licenses on router 1900 series:
-
Hi need some help on this router cisco 1921 complete, auto &; half duplex
We have this old 1841 router series and we change in 1921, I still put the same settings, but this two-sided thing is having problem (I think).
We are supposedly to have 20mbps up & download speed using this 1841, and if we use 1921 20down / 10upload speed.
When I put gi0/1 on full-duplex it will descend to the bottom. But if I set auto duplex, it register under the/s and half-duplex and the internet works but only 10 Mbps upload. See below
igabitEthernet0/1 is up, line protocol is up
Material is CN Gigabit Ethernet, the address is 0000000
Description: "connected to this."
The Internet address is 000000
MTU 1500 bytes, BW 100000 Kbit/s, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 13/255
Encapsulation ARPA, loopback not set
KeepAlive set (10 sec)
Half-Duplex, 100 Mbps, media type is RJ45
control output stream is not supported, control of input stream is not supported
Type of the ARP: ARPA, ARP Timeout 04:00
Last entry of 00:00:00, 00:00:00 exit, exit hang never
Final cleaning of "show interface" counters never
Input queue: 0, 75, 14, 10242 (size/max/drops/dumps); Total output drops: 79729
Strategy of queues: fifo
Output queue: 0/40 (size/max)
5 minute input rate 5400000 bps, packets/s 546
5 minute output rate 719000 bps, 390 packets/s
170608043 package, 1963069286 bytes, 79501 no input buffer
Received 477 broadcasts (0 of IP multicasts)
0 Runts, 0 giants, 4 controllers
entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored
Watchdog 0, multicast 0, break 0 comments
160510262 packets output, 1965851816 bytes, 0 underruns
0 output errors, 4095435 collisions, 0 resets interface
unknown protocol 0 drops
0 babbles, collision end 0, 0 deferred
carrier, 0 no carrier, lost 0 0 interrupt output
output buffer, the output buffers 0 permuted 0 failuresI really appreciate your comments and thank you
It is very likely that the provider has configured its device for 100 Mbps, which was compatible with the interface of your FE 1841. If you configure the 1921 at a fixed speed of 100 Mbps and full-duplex, it should probably work.
-
need help with natted routing networks
Hello
1 VMWorkstation on the 192.168.1.0 network
2. virtual machines on natted 10.0.0.0 255.255.0.0 Gateway 10.0.0.1
I have 2003 domain on this network. I have DC, Exchange and work station.
I have no problem with access for network 10.0.0.0 192...
But I can't ping 10.0.0.0... from 192.0.0.0 machines, beside the host 192.168.1.130.
Yes, I can ping the host virtual.
I added the road to 10.0.0.0 on one of the 192... machines, it can't do on 10.0.0.0 machine
What does take to ping network 10...
THX.
Michael.
If 10.0.0.0 is your virtual network of NAT (VMnet8) you cannot ping it because it is hidden to the outside (because it's NAT). You can only join in this network of specific port forwarding, but packages must go to the IP address of the host (and then they are redirected to the virtual prompt appropriate depending on the configuration of port forwarding).
AWo
VCP / VMware vEXPERT 2009= Due to a lack of employees, human beings humans are working here. -Treat it with care, they are rare. =
-
DMVPN router behind ASA - need help please.
Hello
After reading many other discussions on this topic, it appears with the correct IOS and NAT - T active router, you bring up DMVPN behind a NAT device.
I tried to perform this task, but I can not even phase 1 going to the DMVPN. The routing was checked and I can ping the routers DMVPN public IP. I'm sure that the configurations for routers are good, but asked if any additional NAT is required on the ASA.
Here is the topology:
Plate rotating DMVPN > ASA > Internet > ASA > DMVPN Branch
The SAA on the side of the hub is in our data center and in production with several site-to-site and traffic to DMZ. Devices DMVPN is a Cisco 2921 and 1921. When I run a "debug crypto isakmp" on both routers, I see ISAKMP messages are sent on the branch DMVPN router. Nothing in the hub and no hits on the ASA ACL. I tried both the public IP address and the private IP address of the ACL on the ASA.
I have attached the relevant training and can post more if necessary.
Thank you
Brandon
Hello
I finally had time to laboratory it.
I used this topology:
I have
ASA (config) # sh run nat
NAT (INSIDE, OUTSIDE) static source HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
NAT (INSIDE, OUTSIDE) static source HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
!
object network HUB
dynamic NAT interface (INSIDE, OUTSIDE)ASA (config) # sh run access-list
extended OUTSIDE permitted udp access list any HUB-ROUTER-REAL-IP eq isakmp object
list access extended OUTSIDE permitted udp any eq HUB-ROUTER-REAL-IP 4500R2 #sh run inter t0
interface Tunnel0
172.16.0.1 IP address 255.255.255.0
no ip redirection
no ip next-hop-self eigrp 1
no ip split horizon eigrp 1
dynamic multicast of IP PNDH map
PNDH id network IP-99
source of tunnel FastEthernet0/0
multipoint gre tunnel mode
tunnel key 100000
Tunnel ipsec DMVPN-IPSEC-PROFILE protection profileSo it should be the same configuration that you use.
The only thing is that I had to ' stop/no shut' tunnel interface and removing some config that I also need to clear the connection on the ASA using "clear conn."
R2 #sh dmvpn
Legend: Attrb--> S - static, D - dynamic, I - incomplete
Local N - using a NAT, L-, X - no Socket
# Ent--> entries number of the PNDH with same counterpart NBMA
State of the NHS: E--> RSVPs, R--> answer, W--> waiting
UpDn time--> upward or down time for a Tunnel
==========================================================================Interface: Tunnel0, IPv4 PNDH details
Type: hub, PNDH peers: 2,.# Ent Peer NBMA Peer Tunnel Addr add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 200.20.0.10 172.16.0.2 UNTIL 00:11:28
1 200.30.0.10 172.16.0.3 AT 00:11:22R2 #.
-
How to disable the default ISAKMP on Cisco 2800 router policy
I'll have a check point asking me to disable or delete the policy by default ISAKMP on my router. I tried to do, but I got an error that the command is not supported as below:
If this is not possible on my router that has a version of IOS:
So, is it possible to upgrade my router IOS to the latest version to solve this problem, which is:
"c2800nm-advsecurityk9 - mz.151 - 4.M6.
If that does not solve my problem, I have an official document from CISCO, which on my router, which is not supported "Disabling the default ISAKMP policy.
I would really appreciate your reply guys.
Thanks in advance,
Hi Ebrahim,
Version 15.1 (4) M6 supported by the command "no default crypto isakmp policy."
Before you run 'no default crypto isakmp policy. "
:
Router #sh cry default isakmp policy
IKE default policy
Default priority protection suite 65507
encryption algorithm: AES - Advanced Encryption Standard (128-bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default priority protection suite 65508
encryption algorithm: AES - Advanced Encryption Standard (128-bit keys).
hash algorithm: Secure Hash Standard
authentication method: pre-shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
.
.
.skipped output
After:
Router (config) #no cry isakmp policy default
default router #sh policy cry isakmp
Router #sh crying political isa
World IKE policy
*****
If you are upgrading, you should be ale to delete default isakmp policy.
Thank you
Shakur
-
Hi guys,.
I would like to create a VPN site-to site between my ASA and a remote router in China.
On the router, when I typed ""crypto isakmp enable ' command I know that isakmp is not present. "
What can I do, where is the problem? License, ios image,...? !
error type:
Router (config) #crypto enable isakmp
^
Invalid entry % detected at ' ^' marker.
Router (config) #crypto?
CA Certification Authority
main activities key long-term
public key PKI components
commissioning Secure Device Provisioning
Wui Crypto HTTP configuration interfaces
News of the router:
Cisco CISCO2811C/K9
Version 12.4 (13r) T13, RELEASE SOFTWARE (fc1)
c2800nmc-spservicesk9 - mz.150 - 1.M7.bin
Thank you very much.
Luca
To configure the site to site VPN, or any other VPN, you need advanced business picture, advanced security or Advanced IP Services.
-
For statement: isakmp nat - t
What is it, or in what circumstances, should it be used?
Thank you for helping.
Scott
the command "isakmp nat-traversal" should be applied to the vpn server when the vpn client is behind a nat/pat device.
the reason being nat/pat on the client side will result in the ip original source to the IP (public) own peripheral nat/pat. When the vpn server receives, decrypts, and analysis package, it's going to come back with a mistake as the original source ip does not correspond to the
for example
Remote vpn client implements a remote vpn router and the client remote vpn is behind a nat/pat device, such as a router or pix.
-
IPSec VPN with private WAN address... Help!
I am trying to establish an IPSec Site to Site VPN to my company network. I use a Cisco 2811. If I plug a Public IP WAN connection my tunnel past traffic without problem, but if I tell a router in the middle where the 2811 pulls a private IP address of the home router I no longer get a tunnel a success. Any suggestion?
I have the following instructions.
FA 0/0
DHCP IP ADDRESS
CRYPTO MAP AESMAPVLAN 1
IP ADDRESS XX. XX. XX. XX 255.255.255.240 (public IP)IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0
If this can help clerify the "router" is a CradlePoint (CRT500) that takes the Mobile 3 G and send it to an ethernet port on the WAN port on my router. The installation remains mobile and I rarely get the chance to have a public IP address for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN to my network of companies. We hope to move all of our mobile kits to the cisco product, but need to find a solution before change can occur.
If I do 'Show IP Crypto ISAKMP SA' it shows: XX. XX. XX. XX (PUBLIC) <> Active 192.168.0.1.
My thoughts are that my TCP 500 traffic to the VPN router and when the VPN router sends traffic to the address there SA with it's no the case because it is an ip address private. Limited my knowledge of the works of the VPN, I think only in Phase 1, two addresses must "bind" and NAT cannot be used with VPN? But I keep out hope that this might be a somewhat common question and there is a procedure in place to get around, or maybe I'm just a bad configuration or IP road...
When I disable card crypto on the FA 0/0 and add NAT to the FA 0/0 and 1 VLAN more change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get non - vpn connectivity. Also, I put the address that gets my FA 0/0 in the DMZ of the Cradlepoint.
Thanks for any help anyone can provide!
Brandon,
NAT - T is designed to overcome the problems of NAT/PAT, known in the world of IPv4.
The big problem is that if you have a public IPv4 address, you will need to run PAT. Packages ESP / AH do not have a port number so that they cannot be PATed. To do this, we enacapsulate IPsec payload inside udp/4500 packages.
That being said, some providers overcome this problem differently, but it's not THE standard way.
Your head should see you as PublicIP facig of internet device.
I agree, that both sonicwall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.
I would say that if possible, connect you to a case of TAC, the guys will be able to view your configs and able to solve the problem when it's there. These types of discussions on the forums can go for very long ;-)
Marcin
-
Site to site VPN router-ASA5505
Hello
I have a problem with the VPN between ASA5505 and 3825 router.
behind the ASA, we have a server that serves the specific port. If for any reason any link is disconnected assets if the VPN will become not we do not generate traffic to this server. After generating even a ping VPN immediately become active and communication starts. another case is when you reboot ASA the VPn is not created without ping server behind this ASA.
How we could solve this problem without sending a traffing who serve?
How remote access to this ASA, I can access internal interface? If I open access on port 443 on the external interface of asa could I access it? or I must also exclude this traffic VPN
I used the VPN Wizard to configure on asa and CLI on router
some troubleshootingand configuration commands, if this is not enough please let me know what you otherwise.
Thanks in advance for your help
ciscoasa # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 10.10.10.1
Type: L2L role: initiator
Generate a new key: no State: AM_ACTIVEConfiguration of the SAA.
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
card crypto outside_map 1 set counterpart 10.10.10.1
map outside_map 1 set of transformation-ESP-DES-MD5 crypto
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400the main router configuration
crypto ISAKMP policy 1
preshared authentication
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 10
preshared authentication
Group 2
crypto ISAKMP key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10Crypto ipsec transform-set esp - esp-md5-hmac xxxxx
ETH0 2696 ipsec-isakmp crypto map
defined peer 10.10.10.10
Set transform-set xxxxx
match address 2001access-list 2001 permit ip any 192.168.26.96 0.0.0.7
Post edited by: adriatikb
I just read somewhere that might change the type VPN "bi-direcitonal' two 'initiator' or 'answering machine' could help me but I test and no results.I had the same problem last week, and told the TAC engineer on our service ticket downgrade from IOS 8.2 (3) 8.2 (1). Since then, it works fine.
-
Site to site VPN routing via ASA
Need help setting up routing through the tunnel. We have a bunch of remote sites in the 192.168.0.0 16 passing through a central site 192.168.137.0
How can I get all the traffic goes 192.168.0.0 to cross the tunnel. I have the tunnel upward, but no traffic passes through. Here is the config.
XXXX # show run
: Saved
:
ASA Version 8.2 (1)
!
xxxxx host name
xxxx.xxx domain name
activate the xxxxxxxx password
passwd xxxxxxxxxxxxx
names of
!
interface Vlan1
Description =-= - on the INSIDE of the INTERFACE =-=-
nameif inside
security-level 100
192.168.33.1 IP address 255.255.255.0
!
interface Vlan2
Description =-= - CABLE EXTERNAL INTERFACE =-=-
nameif outside
security-level 0
IP address aaa.bbb.ccc.202 255.255.255.252
!
interface Ethernet0/0
Description =-= - CABLE EXTERNAL INTERFACE =-=-
switchport access vlan 2
!
interface Ethernet0/1
Description =-= - on the INSIDE of the INTERFACE =-=-
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa821 - k8.bin
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 24.92.226.12
Server name 24.92.226.11
Domain xxxxxx.xxx
object-group NETWORK-OUR network
object-network 10.254.1.0 255.255.255.0
network-object 172.22.0.0 255.255.0.0
object-network 192.168.0.0 255.255.0.0
access-list SHEEP note-=-=-= = =-=-=-= -
access-list SHEEP note is-ACCESS LIST for EXEMPTION NAT =-=-
access-list SHEEP note-=-=-= = =-=-=-= -
IP 192.168.33.0 allow Access - list extended SHEEP 255.255.255.0 object-group NETWORK-OUR
access INTERESTING list Remarque-=-=-=-=-=-= = =-=-=-=-=-=-=-=-= -.
access list INTERESTING note is-ACCESS LIST for INTERESTING TRAFFIC =-=-
access INTERESTING list Remarque-=-=-=-=-=-= = =-=-=-=-=-=-=-=-= -.
INTERESTING list extended ip access 192.168.33.0 allow 255.255.255.0 object-group NETWORK-OUR
access-list ICMP note =--= =-= = =-=-=-= -
access-list ICMP note is - to ALLOW ICMP to the OUTSIDE INTERFACE =-=-
access-list ICMP note =--= =-= = =-=-=-= -
ICMP access list extended icmp permitted no echo of aaa.bbb.ccc.201 host
no pager
Enable logging
timestamp of the record
exploitation forest-size of the buffer 38400
logging buffered stored alerts
logging of debug asdm
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ICMP in interface outside
Route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
LOCAL AAA authentication serial console
AAA authentication http LOCAL console
Enable http server
http xx.xx.xx.xx 255.255.255.0 outside
xxx.xxx.xxx.xxx http 255.255.192.0 outside
http xxx.xxx.0.0 255.255.0.0 inside
xxx.xxx.xxx.xxx http 255.255.255.255 outside
Server SNMP location xxxxxx
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-HMAC-SHA-ESP-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto L2LMAP 10 INTERESTING address correspondence
card crypto L2LMAP 10 set pfs
card crypto L2LMAP 10 set peer ddd.eee.fff.32
10 L2LMAP transform-set ESP-3DES-MD5 crypto card game
card crypto L2LMAP set 10 security-association life seconds 86400
card crypto L2LMAP 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
L2LMAP interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH enable ibou
SSH xxx.xxx.0.0 255.255.0.0 inside
SSH xxx.xxx.0.0 255.255.0.0 outside
SSH xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
SSH timeout 60
Console timeout 0
management-access inside
dhcpd dns 192.168.137.225 24.92.226.12
dhcpd field arc.com
dhcpd outside auto_config
dhcpd option 150 ip 172.22.137.5
!
dhcpd address 192.168.33.2 - 192.168.33.33 inside
dhcpd allow inside
!a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 206.246.122.250 source outdoors
NTP server 96.47.67.105 prefer external source
WebVPN
xxxx xxxx password username
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key *.
tunnel-group ddd.eee.fff.32 type ipsec-l2l
ddd.EEE.fff.32 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostnameThank you
Mike
As I suspected unmatched.
Remote side is set to 3des/sha. You are set to 3des/md5.
change the following:
10 L2LMAP transform-set ESP-3DES-MD5 crypto card game
TO
10 L2LMAP transform-set ESP-3DES-SHA crypto card game
Assuming that the things ACL match should be fine.
Let me know.
Maybe you are looking for
-
Cannot find the release date of a film that I pre-ordered.
I can't find the release date of a film that I pre-ordered.
-
ATI drivers for Satellite A200 - 1 M 8 on XP
-ATI driver I downloaded from the support site works well, be aware though if I can update on the ATI web site or this card a special driver developed by ATI and Toshiba?(can't seam to find anywhere tecniques for this computer...) -dose anyone know h
-
I need a new installation disc
I need a new installation of Windows Vista Home Premium disk for my computer. Since his arrival, I lost it and need a new. I have a legitimate serial number for Vista, I just need the disk to install it that I don't have. (Do not know if I put this i
-
Good day to you all I am Mohammed Ali, and I am doing my final project. I would like to have your help and your support to complete my project. in fact I build a mobile application on Blackberry JDE with UI contained Student ID and password it suppos
-
How can I get through it or otherwise. What is a program that I can use to share files I'll power b.