Help with a VPN tunnel between ASA 5510 and Juniper SSG20
Hello
We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.
After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.
Main branch
1.1.1.2 1.1.1.1
----- -----------
192.168.8.0/24 | ASA|-----------------------------------| Juniper | 192.168.1.0/24
----- -----------
192.168.8.254 192.168.1.254
According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!
Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?
It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!
Help is very appreciated.
Thank you
1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.
SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.
You will also need to add the following configuration to be able to get the ping of the interface of the ASA:
management-private access
To initiate the ping of the private interface ASA:
ping 192.168.1.254 private
2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.
Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.
Hope that helps.
Tags: Cisco Security
Similar Questions
-
Between asa 5510 and router VPN
Hello
I configured ASA 5510 to vpn LAN to LAN with router 17 857. and between the routers.
between vpn routers works very well.
from the local network behind the ASA I can ping the computers behind routers.
but computers behind routers, I cannot ping PSC behind ASA.
I have configured the remote access with vpn cisco 4.X client, it works well with routers, but cannot work with asa.
the asa is connected to the wan via zoom router (adsl)
Are you telnet in the firewall?
Follow these steps to display the debug output:
monitor terminal
farm forestry monitor 7 (type this config mode)
Otherwise if its console, do "logging console 7'.
can do
Debug crypto ISAKMP
Debug crypto ipsec
and then generate a ping from one device to the back of the ASA having 192.168.200.0 address towards one of the VPN subnets... and then paste the result here
Concerning
Farrukh
-
LAN to Lan tunnel between ASA 5505 and 3030.
I am unable to build a tunnel vpn site-to-site between an ASA 5505 and our Cisco 3030. I tried all possible combinations except one that will work. I am able to ping each peer on the other site. Someone at - it a config between two tunnels of Lan to Lan to work between a 5505 and 3030 that works. Thank you
Hello
Please visit this link using config:
http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...
Kind regards
Aditya
Please evaluate the useful messages.
-
Split tunnel with ASA 5510 and PIX506.
Hello
I have the production between Asa 5510 (main office) and Pix 506 VPN tunnel. It is configured so that all traffic is encrypted and moves through the tunnel. This includes remote users behind Pix Internet traffic. I would like to use split tunnel and direct Internet traffic hitting the web directly from Pix instead of going through the tunnel. How can I do this safely? Please see current config Pix below:
:
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 10baset
ethernet0 nameif outside security0
nameif ethernet1 inside the security100clock timezone EDT - 5
clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00
No fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
No fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
no correction protocol tftp 69
names of
allow VPN 192.x.x.x 255.255.255.0 ip access list one
LocalNet ip access list allow a whole
pager lines 20
opening of session
monitor debug logging
logging warnings put in buffered memory
logging trap warnings
Outside 1500 MTU
Within 1500 MTU
IP address outside 24.x.x.x 255.255.255.0
IP address inside192.x.x.x 255.255.255.0
IP audit name Outside_Attack attack action alarm down reset
IP audit name Outside_Recon info action alarm down reset
interface IP outside the Outside_Recon check
interface IP outside the Outside_Attack check
alarm action IP verification of information
reset the IP audit attack alarm drop action
disable signing verification IP 2000
disable signing verification IP 2001
disable signing verification IP 2004
disable signing verification IP 2005
disable signing verification IP 2150
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list LocalNet
Route outside 0.0.0.0 0.0.0.0 24.x.x.x
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac AMC
map UrgentCare 10 ipsec-isakmp crypto
card crypto UrgentCare 10 corresponds to the VPN address
card crypto UrgentCare 10 set counterpart x.x.x.x
card crypto UrgentCare 10 value transform-set AMC
UrgentCare interface card crypto outside
ISAKMP allows outside
ISAKMP key * address x.x.x.x 255.255.255.255 netmask
ISAKMP identity address
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
SSH timeout 15
Console timeout 0
Terminal width 80
Cryptochecksum:9701c306b05151471c437f29695ffdbd
: endI would do something by changing the acl that applies to your crypto card. You want to know what you want to support above the tunnel and then deny other networks.
If you have:
192.168.3.0/24
192.168.4.0/24
10.10.10.0/24
172.16.0.0/16
Do something like:
VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.3.0 255.255.255.0
VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.4.0 255.255.255.0
VPN access list allow 192.x.x.x ip 255.255.255.0 10.10.10.0 255.255.255.0
VPN access list allow 192.x.x.x 255.255.255.0 ip 172.16.0.0 255.255.0.0
Then when the traffic is destined for something other than these networks, it will go not to the ISP instead of the tunnel.
HTH,
John
-
VPN site to Site ASA 5510 and 871 w / dynamic IP
What is the best method of creating a VPN site-to site between an ASA 5510 and a router 871 where the 5510 has a static IP address and has 871, a dynamic IP address?
My ASA is running ASA software version 7.0 (5) and I can't find how to create a tunnel for a dynamic IP address via the ASDM. I have currently a tunnel between these two arrangements in place, but it was done by specifying the remote IP address, even if it is dynamic.
Any suggestions or pointers would be * very * appreciated.
-Adam
This can help but it does not show ASDM.
-
VPN tunnel between the concentrator 3005 and router Cisco 827
I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.
There is a router of perimeter with access set up in front of the 3005 list.
I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)
I get the following message appears when I try to ping a local host in the Central site.
Can Anyoune give me the correct steps to 827 and 3005.
Thank you
CCNP Ansar.
------------------------------------------------------------------------------------------------------
Debug crypto ISAKMP
encryption of debugging engine
Debug crypto his
debug output
------------------
1d20h: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.
local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),
remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),
Protocol = ESP, transform = esp - esp-md5-hmac.
lifedur = 3600 s and KB 4608000,
SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D
1d20h: ISAKMP: ke received message (1/1)
1d20h: ISAKMP: 500 local port, remote port 500
1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Former State = new State IKE_READY = IKE_I_MM1
1d20h: ISAKMP (0:1): early changes of Main Mode
1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1
1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1
1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE
1d20h: IPSEC (key_engine): request timer shot: count = 1,.
You must also allow the esp Protocol in your ACL.
access-list 101 permit esp any host x.x.x.x (address of the hub)
Hope this helps,
-Nairi
-
2 VPN tunnels on ASA common; A PRI a BKP at the same address-end peer
Hi all
I have an ASA 5505 branch that has 2 circuits ISP. I have a data center ASA who has 1 ISP circuit. I have a VPN tunnel between the primary circuit ASA branch and the ASA circuit data center. I would like to implement the ASA branch for the redundancy of the SLA so I can use primary and backup circuits, but two configs tunnel going to the same address-end peer, since the data center has only 1 ASA. I read that an ASA cannot have several tunnels to the same peer address because the ASA may have 1 SA by peer address.
However, if I have my branch ASA configured for redundancy of the SLA, then only 1 tunnel would at once, which I think would affect the requirement of SA above.
Can someone tell me if this is possible?
Thank you.
Hi Dean,
You're right about things als because only link will be active at a time.
On the ASA branch, you can apply the same encryption card to two primary and secondary circuit. You use just ALS to determine how this ASA branch will reach the address of peer card crypto (IP addr of ASA Data Center).
I wrote an article about a similar scenario here: http://resources.intenseschool.com/using-vpn-tunnels-as-backup-links-primary-and-backup-vpn-tunnels-on-cisco-asa/
-
Expertise of expensive
Recently we hava configured vpn tunnel between two locations. Want to create a tunnel vpn on a third location. What configuration will be valid on the version of firewall cisco PIX 501 6.3.4.
Please see thr existing pix config at two location.
Please post the latest config?
-
NEED HELP WITH SERVICE PACK 3. After downloading and the computer goes into rebooting mode I get the screen to restart with three options, network security safe mode and the other thing. , but it of although he gets, he keeps countdown to restart and reboots and restarts, over and over again, never reboots, same screen. my computer won't let me out this screen even after I turned off the computer and turn it back on, I get the same screen. the only way I can get out of this is to erase my computer everything and bring it back to factory, right out of the box, this big headaches. Thanks for anyone who can help me. PS. Keep the answers in simple terms please.
Hi BSRC$, in stock
- You have security software installed on the computer?
- You receive an error message when you restart the computer?
Reinstalling Windows XP to the factory setting would not be the first option.
It is possible that some third-party programs or the services installed on the computer interfere with the installation of service pack 3.
I suggest that you try to uninstall service pack 3 from the computer by using the recovery console and subsequently ask the article below for what to do before installing the service pack 3on the computer.
How to remove Windows XP Service Pack 3 from your computer
http://support.Microsoft.com/kb/950249
Steps to take before you install Windows XP Service Pack 3
-
unexpected behavior with vpn, clientless ssl and smart tunnels on ASA 5510
Hi there, hope someone can help
I am able to set up a smart tunnel for an application and everything works fine, however...
Without smart tunnel, the user must navigate the portal interface (because of how he encapsulates urls and basically acts as a proxy), it is too beautiful and good and expected behavior. If a user does not enter a URL in the portal URL entry (only enters the normal address bar) she takes them outside the clientless ssl vpn portal.
Now too the point to start a smart tunnel, URL, the user types in the normal address bar is not encapsulated in the device URL, although they are still placed through our network (and note, the intelligent application of tunnel is not the browser, which is be IE). How can I know it? sites that would be blocked by a web filter are blocked with smart on but not PVD tunnels with smart tunnel.
I need to know if this is intended behavior or not and how and why this is happening?
Thanks in advance
In my view, this is how it works. If you are referring to this doc:
https://supportforums.Cisco.com/docs/doc-6172
Smart tunnel is functioning all or nothing. Which means once you turn it on for a specific process or a specific bookmark, all your traffic for this process (and the browser you are using to open the SSL Clientless session ) will pass through the ASA.
Example: Enable option ST for a process or bookmark #1 (which connected IE used to login). Opening a separate instance of the IE browser will be all traffic through the ASA, tunnel, if the new browser window belongs to the same process. All tabs on the movement of this browser browser will be smart tunnel, even to Favorites (ie. #2 favorite) are not specifically the chip in the tunnel. You must use a different browser (ie. (FireFox) in this case, if you want some of your traffic (ie. #2 favorite) is not to be smart tunnelees.
I hope this helps.
-
VPN tunnel between 2 ASA 5505 with the same default gateway
Hello
Is it possible to create a vpn ipsec site to site (laboratory environment) between two 5505 (ASA IOS 8.2 (5) & asdm-645-206) with the same default gateway. That is a VPN tunnel or a back to back-to-one site that I have to deploy a router and hang each 5505 out a different interface? We have a lot of public IP but only one gateway our ISP (Internet). Any suggestions or recommendations are very appeciated!
d
Yes - you can even do it with a xover cable and a 30 ip on both external interfaces.
-
Site to Site VPN tunnel between two ASA
I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.
Thank you
Carlos
Hello
First, I would like to say that I don't personally use ASDM for the configuration.
But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.
I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface
If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.
-Jouni
-
Need help with Config VPN on ASA5505
Our client has a seller who needs to establish a VPN tunnel to their own router that sits behind our firewall.
Concentrator VPN (seller) ASA5505 customer (7.2) <------> <------->3750 Switch <------->VPN router (Vendor)
Here is the implementation of information:
ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA inside the Interface - 172.20.58.13/30
3750 switch Interface connected to ASA - DG - 172.20.58.13 and 172.20.58.14/30
3750 switch Interface connected to router VPN - 172.20.58.21
The Interface of the VPN router connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for that and the current configuration of execution of ASA and 3750. We have no access to the router VPN TNS.
Our responsibility is to everything just to make sure that the tunnel rises.
You kindly help me with this?
Here is what I intend to do:
(1) create a static NAT on the ASA Public Private IP Address of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will be the ASA automatically ARP for this address or do we I have to configure another interface on the ASA with this public IP address?
(2) what would the access on the ASA list?
(3) the customer gave us some config to copy the stuff on the SAA so that they can create the tunnel but I couldn't put these commands in the SAA. How this would apply and which interface?
Access to firewall: the information below is about access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN services must be
permit:
allow a host 208.224.x.x esp
allow a host 208.224.x.x gre
permit any isakmp udp host 208.224.x.x eq
permit any eq non500-isakmp udp host 208.224.x.x
allow a host 204.8.x.x esp
allow a host 204.8.x.x gre
permit any isakmp udp host 204.8.x.x eq
permit any eq non500-isakmp udp host 204.8.x.x
permit tcp 206.x.x.0 0.0.0.255 any eq 22
permit tcp 206.x.x.0 0.0.0.255 any eq telnet
allow a udp host 208.224.x.x
allow a udp host 208.224.x.x
Can someone help me with the commands I need to run it on the ASA? The 5505 running 7.2 code (4).
Thanks in advance.
HS
Your steps are correct, you need to configure static NAT and the list of access to allow access.
Static NAT would be as follows:
static (inside, outside) 208.64.1x.x5 172.20.58.21 netmask 255.255.255.255
You also need a road inside interface-oriented join 172.20.58.21:
Route inside 172.20.58.21 255.255.255.255 172.20.58.14
You have already access list on the external interface? If you have, then just add in the existing access list, if you don't have it, and then add the following:
access list outside-acl permit udp any host 208.64.1x.x5 eq 500
access list outside-acl permit udp any host 208.64.1x.x5 eq 4500
access list outside-acl allow esp any host 208.64.1x.x5
Access-group acl outside in external interface
If you also have an inside interface access list, you must also allow passing traffic by as follows:
access-list allow host 172.20.58.21 udp any eq 500
access-list allow host 172.20.58.21 udp any eq 4500
access-list allow host esp 172.20.58.21 all
If you have not had any access inside the interface list, then you don't need to configure it.
Hope that helps.
-
IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static
Hello
My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT with static NAT based policy.
That is to say the static NAT should not be applicable for VPN traffic
permissible static route map 1
corresponds to the IP 104
access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0
access-list 104 allow the host ip 10.1.110.10 all
IP nat inside source static 10.1.110.10 81.222.33.90 map of static route
HTH
Kind regards
GE.
-
Remote RDP client VPN access on ASA 5510
Hello.
We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?
Thank you
Hi Salsrinivas,
so to summarize:
the VPN client connects to the ASA offshore
the VPN client can successfully RDP on a server at the offshore location
the VPN client cannot NOT RDP on a server at the location of the customer
offshore and the location of the customer are connected by a tunnel L2L
(and between the 2 sites RDP works very well)
is that correct?
Things to check:
-the vpn in the ACL crypto pool?
-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?
-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?
If you need help more could you put a config (sterilized) Please?
HTH
Herbert
Maybe you are looking for
-
Is the phone number and alarm warning screen I saw a scam?
Just got a very a screen red background on my computer and a strong voice message, saying that the malware was attempting to invade my computer. He pretended to be Mozilla Firefox and told me to call 844-338-4651 for an easy solution to this problem.
-
As I moved the cursor (arrow) from left to right and up and down the font size has become smaller and I could not restore it to its proper size
-
9.3 iOS installs on iPad generation 3
My iPad gen 3 shows ios9.3 is downloaded, but when I try to install it tells me that I am no longer connected to the internet, which I am. at this point, I've removed for applications with value NULL name and I deleted ios9.3.
-
my computer has slowed down to a stall; m how to fix
-
Hello Im trying to make a public Server Terminal Server from outside. I have a SonicWall firewall, but I can't connect to the DMZ server. I used the Connection Wizard to give public access to the terminal server, I changed the Port TS on the server a