How to establish a tunnel vpn ipsec using DNS with ASA 5505?

Hello

I get a dynamic public IP address, and what I'm trying to do is establish a remote VPN tunnel using IPSec, which I realize through my provider, but each time the session resets or the ASA 5505 resets, I get a new public IP and I need to put the new IP address on the remote client so I can establish the VPN...

How can I establish an IPSec VPN using DNS?  For this scenario, the remote VPN client is a VPN phone, but it could be any VPN client.

Private private Public IP IP IP

PBX - Telephone (LAN) - ASA 5505-(Internet)-(router) Remote Site-(LAN) VPN-

Kind regards!

Ah OK, I see. Yes, in this case there is nothing that you can do other than request a static IP address from your ISP.

Kind regards.

PS: Don't forget to mark this question as answered. Thank you!

Tags: Cisco Security

Similar Questions

  • Installation of site to site VPN IPSec using PIX and ASA

    I am configuring a site-to-site IPSec VPN using a PIX515E at Site A and an ASA5520 at Site B.

    I have attached the lab diagram. Consider the PIX and ASA to be in default configuration, which means that nothing is configured on either device.

    According to the diagram

    ASA5520

    Outside interface is 11.11.10.1/248 security level 0

    The inside interface is 172.16.9.2/24 security level 100

    Default route is 0.0.0.0 0.0.0.0 11.11.10.2 1

    PIX515E

    Outside interface is 123.123.10.2/248 security level 0

    The inside interface is 172.16.10.1/24 security level 100

    Default route is 0.0.0.0 0.0.0.0 123.123.10.1 1

    Could someone tell me how to set up this configuration? I tried but it didn't work out. Here is the IKE protocol I have used.

    IKE information:

    IKE encryption DES

    Authentication method MD5

    Diffie-Hellman Group 2

    Lifetime default

    IPSEC information:

    IPsec encryption DES

    Authentication method MD5

    Lifetime default

    Please enter the following command

    on asa

    sysopt connection permit-vpn

    on pix not sure of the syntax, I think it is

    sysopt connection permit-ipsec

    What we are trying to do here is basically allow the VPN ports to be opened

    Alternatively you can open udp 500 and esp (or port ip 50) from outside to inside on the two firewalls

  • Unable to establish site-to-site VPN between ASA 5505 and 5510

    Hi all experts

    We are now planning to form a site-to-site IPSec VPN tunnel between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed. Would you please show me how to establish it? A reference guide?

    Hugo

    Here are the links to the Cisco config guides:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/site2sit.html

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_site2site.html

    In addition to VPN, you need to consider NAT exemption:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/cfgnat.html#wp1043541

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_overview.html#wpxref25608

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_rules.html#wp1232160

    And many examples:

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • No Internet connectivity with ASA 5505 VPN remote access

    Hello

    I configured an ASA 5505 for remote access VPN to allow a remote user to connect to the remote office LAN. The VPN works well, users can access office LAN resources such as shares etc., but once they have connected to the VPN, they are unable to browse the internet?

    Internet browsing stops working as soon as their VPN client connects to the ASA 5505; once they are disconnected from the VPN, they can browse the internet again.

    Is the ASA 5505 blocking internet browsing for VPN users? Is there anything else that I need to configure to ensure that VPN users can browse the internet?

    Do I have to configure split tunneling, NATing or routing for VPN users? Or something else?

    Thank you very much for your help.

    Regards

    Salman

    Salman

    What you are running into is a default behavior of the ASA in which it will not route traffic back out the same interface on which it arrived. So if the VPN traffic arrived on the outside interface, the ASA does not want to send it back out the outside interface for Internet access.

    You have at least 2 options:

    - You can configure split tunneling, as you mention, and this would allow Internet browsing to continue while using the VPN.

    - You can set an option on the ASA to allow traffic back out the same interface (this is sometimes called crossed). Use the command

    same-security-traffic permit intra-interface

    HTH

    Rick

  • Implementation of remote access IPSec VPN using ISR 2801

    Hello

    I tried to set up a remote access VPN using an ISR 2801. I've been able to establish the VPN tunnel from my house using the DSL connection (behind a NAT), and the ISR gives it an IP address from the IP pool I configured. The problem I have right now is that it does not reach the company LAN network.

    DIAGRAM:

    PC (VPN CLIENT) - ADSL MODEM - SOHO ROUTER - INTERNET - ISR2801 - COMPANY LAN (10.10.0.27 & 192.168.0.9)

    PC: 172.16.10.122

    SOHO ROUTER LAN IP: 172.16.10.254

    SOHO ROUTER WAN IP: Dynamically assigned by ISP

    ISR2801 WAN IP: x.x.x.5/224

    ISR2801 LAN IP: 10.10.0.50/24

    CORPORATE LAN subnets: 10.10.0.0/24 and 192.168.0.9/24

    ISR 2801 CONFIGURATION:

    aaa new-model
    !
    !
    aaa authentication login NOCAUTHEN group radius local
    aaa authorization network NOCAUTHOR local
    !
    !
    ip domain name xxxxx.com
    !
    !
    username root password 7 120B551806095F01386A
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    !
    crypto isakmp client configuration group NOC-GROUP
     key [email protected]/ * /! ~ $ 9876 qwerty
     dns 192.168.0.9
     wins 192.168.0.9
     domain xxxxx.com
     pool NOC-POOL
     include-local-lan
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set NOC-SET esp-3des esp-sha-hmac
    !
    crypto dynamic-map NOC-DYNAMICMAP 10
     set transform-set NOC-SET
    !
    !
    crypto map NOC-MAP client authentication list NOCAUTHEN
    crypto map NOC-MAP isakmp authorization list NOCAUTHOR
    crypto map NOC-MAP client configuration address respond
    crypto map NOC-MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
    !
    !
    interface FastEthernet0/0
     ip address x.x.x.5 255.255.255.224
     speed 100
     full-duplex
     crypto map NOC-MAP
    !
    interface FastEthernet0/1
     ip address 10.10.0.50 255.255.255.0
     speed 100
     full-duplex
    !
    ip local pool NOC-POOL 192.168.250.101 192.168.250.110
    ip route 0.0.0.0 0.0.0.0 XXX1
    ip route 10.10.0.0 255.255.255.0 10.10.0.10
    ip route 172.16.10.0 255.255.255.0 FastEthernet0/0
    ip route 192.168.0.0 255.255.255.0 10.10.0.10
    ip route 192.168.250.0 255.255.255.0 FastEthernet0/0
    !

    I have attached a few screenshots. My goal here is to have access to my company LAN (10.10.0.0/24 and 192.168.0.9/24). I don't know what is missing here.

    No, we don't need NAT. I wanted to confirm if NAT could cause this problem.

    The config looks good. Can you ping the router's internal interface IP from the client once it connects?

    Are the routes correct w.r.t. reaching the VPN pool behind the router?

    If so, I would like to take a look at the following outputs when a client is connected.

    show crypto eli

    show crypto isakmp sa

    show crypto ipsec sa

    SPSP

  • Block VLAN access to an IPSec VPN tunnel on WRV200?

    I have two identical WRV200 wireless routers which are connected by an IPSec VPN tunnel.  This connects my LAN to my parents' LAN.  Everything works well.

    But I also have my WRV200 configured for two VLANs.  VLAN1 for my network and secure wireless access.  VLAN2 for an unsecured WiFi for customers.

    My problem is that my guests on VLAN2 slip through the VPN and access devices on my parents' LAN.  I'm looking for a way to block this.

    I use the version of the software on the two routers (v1.0.39).

    For what it's worth, I know that my guests receive a DHCP IP address in the range 192.168.x.101 - 199.  I could assign a different range if that helps.  I thought that I could block this range on the remote router firewall, but I see it blocks a single IP address at a time, maximum of 8.  Am I missing something?

    Or could I put something weird in the routing tables somewhere to send the guest IPs out to la-la land?

    Any suggestions are appreciated.  I can't be the only one in this boat.

    Steve

    Try checking the local and remote secure group settings under VPN to see if you can change them from subnet to IP address range. Don't include the IP address range of the guest wireless computers, so that they will not pass through the VPN tunnel. If there is no IP range option, you must subnet the network in order to control the IP addresses you want to allow on the VPN tunnel.

  • IPSEC GRE VPN tunnel from the branch office router through PIX to the HQ router

    Hi all

    I tried to get this scenario to work before I implement it, but am getting the error on router B.

    01:05:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 83.1.16.1

    Here are the details for the networks

    Router B

    Serial address 82.12.45.1/30

    Fast Ethernet address 192.168.20.1/24

    PIX

    outside interface eth0 83.1.16.1/30

    inside interface eth1 192.168.50.1/30

    Router

    Fast Ethernet (to PIX) address 192.168.50.2/30

    Loopback (Network A) address 192.168.100.1/24

    Loopback (Network B) address 192.168.200.1/24

    Loopback (Network C) address 192.168.300.1/24

    Could someone please tell me where I'm going wrong? I read the explanation of the error and it points to a policy mismatch. This has confused me, as the two peers seem to have the same settings.

    Config router B

    ======================

    hostname B
    !
    enable secret 5 goat
    !
    username badger privilege 15 password 7 badger
    memory-size iomem 15
    ip subnet-zero
    !
    !
    no ip domain-lookup
    ip domain-name test.local
    !
    ip ssh time-out 30
    ip ssh authentication-retries 2
    !
    crypto isakmp policy 5
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key VPN2VPN address 83.1.16.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set VPN esp-des esp-md5-hmac
    !
    crypto map VPN 5 ipsec-isakmp
     set peer 83.1.16.1
     set pfs group2
     match address VPN
    !
    call rsvp-sync
    !
    interface Loopback10
     ip address 20.0.2.2 255.255.255.255
    !
    interface Tunnel0
     bandwidth 1544000
     ip address 20.0.0.1 255.255.255.0
     tunnel source Loopback10
     tunnel destination 20.0.2.1
    !
    interface FastEthernet0/0
     description * INSIDE LAN CONNECTION *
     ip address 192.168.20.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0
     description * INTERNET ACCESS *
     ip address 88.12.45.1 255.255.255.252
     ip nat outside
     crypto map VPN
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    router eigrp 1
     network 20.0.0.0
     no auto-summary
    !
    ip nat inside source list NAT interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    no ip http server
    !
    !
    ip access-list extended NAT
     deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
     deny ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
     deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip host 20.0.2.2 host 20.0.2.1
    !

    Config PIX

    ====================

    PIX Version 7.2(4)
    !
    hostname pixfirewall
    names
    name 20.0.2.2 B_LOOP
    name 88.12.45.1 B_WANIP
    !
    interface Ethernet0
     description * LINK to ISP *
     nameif outside
     security-level 0
     ip address 83.1.16.1 255.255.255.252
    !
    interface Ethernet1
     description * LINK TO LAN *
     nameif inside
     security-level 100
     ip address 192.168.50.1 255.255.255.252
    !
    ftp mode passive
    object-group network ROUTER_LOOPS
     network-object 20.0.2.0 255.255.255.252
    access-list VPN extended permit ip host 20.0.2.1 host B_LOOP
    access-list SHEEP extended permit ip host 20.0.2.1 object-group ROUTER_LOOPS
    access-list ACL_OUT extended permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 192.168.50.0 255.255.255.252
    nat (inside) 1 192.168.50.0 255.255.255.0
    access-group ACL_OUT in interface inside
    route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map VPN 5 match address VPN
    crypto map VPN 5 set pfs
    crypto map VPN 5 set peer B_WANIP
    crypto map VPN 5 set transform-set VPN
    crypto map VPN 5 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    tunnel-group 88.12.45.1 type ipsec-l2l
    tunnel-group 88.12.45.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !

    When you create a GRE tunnel between two routers, there should be a routing decision to reach the remote LAN through the local tunnel interface (rather than exiting directly out the physical interface).

    This could be accomplished by EIGRP, but you can check if the adjacency is built.

    As a test, what happens if you add a static route saying: to reach the remote LAN, send traffic to the tunnel interface?

    Check if the GRE tunnel comes up with sh interface tunnel

    Federico.

  • Site to Site VPN IPSEC for multisite with dual ISP failover

    Hello everyone

    I have a total of 6 ASA 5505s, and I have already built failover with dual ISPs. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.

    I just built a config for site-to-site VPN; here is the config for a single site.

    Local IP address: 172.16.100.0

    Public IPs: 10.5.1.101, 10.6.1.101

    Remote local IP: 172.16.101.0

    Remote public IP: 10.3.1.101, 10.4.1.101

    Remote local IP: 192.168.0.0

    Remote public IP: 10.1.1.101, 10.2.1.101

    The tunnel configuration on the first 2 firewalls:

    access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    !
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    !
    crypto isakmp enable outside
    crypto isakmp enable backup
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
    !
    crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
    crypto map outside_map 1 match address vpn1
    crypto map outside_map 1 set peer 10.3.1.101
    crypto map outside_map 1 set transform-set my-set1
    crypto map outside_map interface outside
    !
    crypto map outside_map 2 match address backupvpn1
    crypto map outside_map 2 set peer 10.4.1.101
    crypto map outside_map 2 set transform-set my-set1
    crypto map outside_map interface backup
    !
    crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
    crypto map outside_map 3 match address vpn2
    crypto map outside_map 3 set peer 10.1.1.101
    crypto map outside_map 3 set transform-set my-set2
    crypto map outside_map interface outside
    !
    crypto map outside_map 4 match address backupvpn2
    crypto map outside_map 4 set peer 10.2.1.101
    crypto map outside_map 4 set transform-set my-set2
    crypto map outside_map interface backup
    !
    tunnel-group 10.3.1.101 type ipsec-l2l
    tunnel-group 10.3.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.4.1.101 type ipsec-l2l
    tunnel-group 10.4.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.1.1.101 type ipsec-l2l
    tunnel-group 10.1.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.2.1.101 type ipsec-l2l
    tunnel-group 10.2.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    mtu backup 1500

    If this is correct, what should I configure on the other side to terminate it? Does my crypto map ACL name vpn1 have to match on the other side or not?

    Any suggestion is good...

    Thank you...

    What I mean with the routing is a routing protocol or static routes, so the ASA can choose between interfaces to establish the tunnel.

    If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.

    How will the ASA choose which is better? Via the routing.

    If you use a routing protocol, the ASA will know which interface to send packets out every time, but if using static routes, you need to change the metric and configure IP SLA.

    Federico.

  • Remote IPSec VPN - client Windows 7 and ASA 5505

    Hello

    I'm having trouble configuring IPSec VPN with a Cisco ASA 5505 and the native Windows 7 VPN client. My client PC gets an address from the VPN IP pool and can access the remote network behind the ASA, but then I lose my internet connection. I read that this should be a problem with split tunneling, but I did as it says here and no luck.

    In the Windows VPN client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the client is using the local gateway), but then I can't ping the remote network.

    In the log, I see warnings of this type:

    Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)

    I have attached my configuration file (without the split tunneling configuration I tried). If you need additional logs, I'll send them right away.

    Thank you for your help.

    Petar Koraca

    That's what you would have needed on version 8.3 and earlier:

    same-security-traffic permit intra-interface

    global (outside) 1 interface

    nat (outside) 1 192.168.150.0 255.255.255.0

    However, I see that you are running 8.4, so I think that all you need is this (I never did it on 8.4, so it may not be accurate)

    same-security-traffic permit intra-interface

    object network NETWORK_OBJ_192.168.150.0_24

     nat (outside,outside) dynamic interface

    Give it a shot and let me know how it goes.

  • Tunnel VPN site to Site with 2 routers Cisco 1921

    Hi all

    So OK, I'm stumped. I've created many s2s VPN tunnels before, but this one I just can't get going. It's just a simple site-to-site VPN tunnel using pre-shared keys. I would appreciate it if someone could take a look at the running configs for both routers and provide a comment. These are the running configurations for both routers. Thank you!

    Router 1

    =======

    Current configuration : 4009 bytes
    !
    ! Last configuration change at 19:01:31 UTC Wed Feb 22 2012 by asiuser
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SJWHS-RTRSJ
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    ip dhcp excluded-address 192.168.200.1 192.168.200.110
    ip dhcp excluded-address 192.168.200.200 192.168.200.255
    !
    ip dhcp pool SJWHS POOL
     network 192.168.200.0 255.255.255.0
     default-router 192.168.200.1
     dns-server 10.10.2.1 10.10.2.2
    !
    !
    no ip domain lookup
    ip name-server 10.10.2.1
    ip name-server 10.10.2.2
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-236038042
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-236038042
     revocation-check none
     rsakeypair TP-self-signed-236038042
    !
    !
    crypto pki certificate chain TP-self-signed-236038042
     certificate self-signed 01
      30820241 308201AA A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
      8B1E638A EC
      quit
    license udi pid CISCO1921/K9 sn xxxxxxxxxx
    !
    !
    redundancy
    !
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key presharedkey address 112.221.44.18
    !
    !
    crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
    !
    crypto map CryptoMap1 10 ipsec-isakmp
     set peer 112.221.44.18
     set transform-set IPSecTransformSet1
     match address 100
    !
    !
    interface GigabitEthernet0/0
     ip address 192.168.200.1 255.255.255.0
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1
     description wireless bridge
     ip address 172.17.1.2 255.255.255.0
     duplex auto
     speed auto
    !
    !
    interface FastEthernet0/0/0
     description Verizon DSL for failover of VPN
     ip address 171.108.63.159 255.255.255.0
     duplex auto
     speed auto
     crypto map CryptoMap1
    !
    !
    router eigrp 88
     network 172.17.1.0 0.0.0.255
     network 192.168.200.0
     redistribute static
     passive-interface GigabitEthernet0/0
     passive-interface FastEthernet0/0/0
    !
    ip forward-protocol nd
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 172.17.1.1
    ip route 112.221.44.18 255.255.255.255 171.108.63.1
    !
    access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255
    !
    !
    control-plane
    !
    !
    line con 0
     logging synchronous
     login local
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     logging synchronous
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    =======

    Router 2

    =======

    Current configuration : 3719 bytes
    !
    ! Last configuration change at 18:52:54 UTC Wed Feb 22 2012 by asiuser
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SJWHS-RTRHQ
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 1000000
    !
    no aaa new-model
    !
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-3490164941
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3490164941
     revocation-check none
     rsakeypair TP-self-signed-3490164941
    !
    !
    crypto pki certificate chain TP-self-signed-3490164941
     certificate self-signed 01
      30820243 308201AC A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
      2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
      EA1455E2 F061AA
      quit
    license udi pid CISCO1921/K9 sn xxxxxxxxxx
    !
    !
    redundancy
    !
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key presharedkey address 171.108.63.159
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
    !
    crypto map CryptoMap1 10 ipsec-isakmp
     set peer 171.108.63.159
     set transform-set IPSecTransformSet1
     match address 100
    !
    !
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 10.10.1.6 255.255.0.0
    !
    interface GigabitEthernet0/1
     ip address 172.17.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    !
    interface FastEthernet0/0/0
     ip address 112.221.44.18 255.255.255.248
     duplex auto
     speed auto
     crypto map CryptoMap1
    !
    !
    router eigrp 88
     network 10.10.0.0 0.0.255.255
     network 172.17.1.0 0.0.0.255
     redistribute static
     passive-interface GigabitEthernet0/0
     passive-interface GigabitEthernet0/0.1
    !
    ip forward-protocol nd
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 112.221.44.17
    !
    access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    line con 0
     logging synchronous
     login local
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     logging synchronous
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    When the GRE tunnel carries your private IP range traffic, your ACL must contain the host addresses of the point-to-point IPSec tunnel.

    Since both routers are running EIGRP in the corporate network, let EIGRP exchange routes via the GRE tunnel, which is a good practice, rather than pushing the individual private IP ranges through the IPSec tunnel.

    Let me know, if that's what you want.

    Thank you

  • What permits are required to allow IPSec using 8.4 ASA?

    In my lab, I successfully built an IPsec tunnel between two ASAs.  There is a router in the middle to simulate the internet.

    The tunnel only works when I permit ICMP echo.

    Allowing ICMP 3.4 does not appear to matter.

    I did not allow ESP or udp 4500 and udp 500 in the access list, only ICMP echo.  Are they now allowed by default?

    Which contradicts what I've read in textbooks.

    Can someone tell me what the default permits are for v8.4 and above, and what I should leave in my ACL?

    Thank you.

    You are welcome.

    You have to have a match on the crypto ACL to trigger the tunnel, icmp or whatever, but not necessarily icmp traffic, for example:

    access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    or
    access-list VPN extended permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
    or
    access-list VPN extended permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Basically any matching traffic would establish the tunnel.

    If you are still not clear, please post your crypto ACL for review.

    Kind regards

    Aref
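
The point made in the reply above, that only traffic matching a permit entry in the crypto ACL brings the tunnel up, as an added Python example (not part of the original thread and not Cisco code). It evaluates the three ACL variants from the reply with first-match semantics; the function names are hypothetical, the parser covers only the `access-list NAME extended permit|deny ...` form with numeric `eq` ports, and the packets are constructed samples.

```python
import ipaddress


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse one ASA-style extended ACL entry into a dict (hypothetical helper)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    src, rest = _take_addr(tok[5:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1])  # numeric destination ports only
    elif rest:
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """True when the packet's protocol, addresses and port fall inside the entry."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def is_interesting(acl_lines, pkt):
    """First match wins: permit means the packet triggers/uses the tunnel.
    No match at all is the implicit deny, so the packet is not tunneled."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


NETS = "192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
# The three crypto ACL variants given in the reply.
ACLS = {
    "ip": [f"access-list VPN extended permit ip {NETS}"],
    "tcp80": [f"access-list VPN extended permit tcp {NETS} eq 80"],
    "icmp": [f"access-list VPN extended permit icmp {NETS}"],
}
# Constructed sample packets leaving the local LAN.
PACKETS = {
    "ping": {"proto": "icmp", "src": "192.168.0.10", "dst": "192.168.1.20"},
    "http": {"proto": "tcp", "src": "192.168.0.10", "dst": "192.168.1.20", "dport": 80},
    "ssh": {"proto": "tcp", "src": "192.168.0.10", "dst": "192.168.1.20", "dport": 22},
    "offnet": {"proto": "icmp", "src": "192.168.0.10", "dst": "10.0.0.5"},
}


def summarize():
    """Map each ACL variant to the sample packets that would bring the tunnel up."""
    return {
        name: [p for p, pkt in PACKETS.items() if is_interesting(acl, pkt)]
        for name, acl in ACLS.items()
    }


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name:6s} -> tunnel triggered by: {', '.join(hits) or 'nothing'}")
```

With the ICMP-only entry, a ping between the two LANs is the only sample packet that brings the tunnel up, which is consistent with what the original poster observed in the lab.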

  • Problem with ASA 5505 VPN remote access

    After about 1 year of having the Cisco VPN Client connect to an ASA 5505 with no problems, all of a sudden one day it stopped working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connecting. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

    Here is the running cfg of the ASA

    ----------------------------------------------------------------------------------------

    : Saved

    :

    ASA Version 8.4 (1)

    !

    hostname NCHCO

    enable encrypted password xxxxxxxxxxxxxxx

    xxxxxxxxxxx encrypted passwd

    names of

    description of NCHCO name 192.168.2.0 City offices

    name 192.168.2.80 VPN_End

    name 192.168.2.70 VPN_Start

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address **. ***. 255.255.255.248

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa841 - k8.bin

    passive FTP mode

    network of the NCHCO object

    Subnet 192.168.2.0 255.255.255.0

    network object obj - 192.168.1.0

    subnet 192.168.1.0 255.255.255.0

    network object obj - 192.168.2.64

    subnet 192.168.2.64 255.255.255.224

    network object obj - 0.0.0.0

    subnet 0.0.0.0 255.255.255.0

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    the Web server object network

    the FINX object network

    Home 192.168.2.11

    rdp service object

    source between 1-65535 destination eq 3389 tcp service

    Rdp description

    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0

    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224

    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224

    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0

    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0

    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0

    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0

    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0

    access-list AnyConnect_Client_Local_Print extended deny ip any any

    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

    access-list AnyConnect_Client_Local_Print remark Windows' printing port

    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

    access-list outside_access_in extended permit tcp any object FINX eq 3389

    access-list outside_access_in_1 extended permit object rdp any object FINX

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 649.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

    NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

    NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

    !

    network obj_any object

    NAT dynamic interface (indoor, outdoor)

    the FINX object network

    NAT (inside, outside) interface static service tcp 3389 3389

    Access-group outside_access_in_1 in interface outside

    Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    network-acl outside_nat0_outbound

    WebVPN

    SVC request to enable default svc

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    http *. **. ***. 255.255.255.255 outside

    http *. **. ***. 255.255.255.255 outside

    http NCHCO 255.255.255.0 inside

    http 96.11.251.186 255.255.255.255 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac

    crypto ipsec ikev1 transform-set l2tp-transform mode transport

    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac

    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport

    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport

    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto dynamic-map dyn-map 10 set pfs group1

    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform

    crypto dynamic-map dyn-map 10 set reverse-route

    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

    crypto dynamic-map outside_dyn_map 20 set reverse-route

    crypto map outside_map 1 match address outside_1_cryptomap

    crypto map outside_map 1 set pfs group1

    crypto map outside_map 1 set peer 74.219.208.50

    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map outside_map interface outside

    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map inside_map interface inside

    crypto map vpn-map 1 match address outside_1_cryptomap_1

    crypto map vpn-map 1 set pfs group1

    crypto map vpn-map 1 set peer 74.219.208.50

    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA

    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map

    crypto isakmp identity address

    crypto ikev1 enable inside

    crypto ikev1 enable outside

    crypto ikev1 ipsec-over-tcp port 10000

    crypto ikev1 policy 10

     authentication pre-share

     encryption 3des

     hash md5

     group 2

     lifetime 86400

    crypto ikev1 policy 15

     authentication pre-share

     encryption aes-256

     hash sha

     group 2

     lifetime 86400

    crypto ikev1 policy 35

     authentication pre-share

     encryption 3des

     hash sha

     group 2

     lifetime 86400

    enable client-implementation to date

    Telnet 192.168.1.0 255.255.255.0 inside

    Telnet NCHCO 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.0 inside

    SSH NCHCO 255.255.255.0 inside

    SSH timeout 5

    Console timeout 0

    dhcpd address 192.168.2.150 - 192.168.2.225 inside

    dhcpd dns 216.68.4.10 216.68.5.10 interface inside

    lease interface 64000 dhcpd inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1

    nchco.local value by default-field

    attributes of Group Policy DfltGrpPolicy

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

    allow password-storage

    enable IPSec-udp

    enable dhcp Intercept 255.255.255.0

    the address value VPN_Pool pools

    internal NCHCO group policy

    NCHCO group policy attributes

    value of 192.168.2.1 DNS Server 8.8.8.8

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

    value by default-field NCHCO.local

    admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

    username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

    username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

    attributes global-tunnel-group DefaultRAGroup

    address (inside) VPN_Pool pool

    address pool VPN_Pool

    authentication-server-group (inside) LOCAL

    authentication-server-group (outside LOCAL)

    LOCAL authority-server-group

    authorization-server-group (inside) LOCAL

    authorization-server-group (outside LOCAL)

    Group Policy - by default-DefaultRAGroup

    band-Kingdom

    band-band

    IPSec-attributes tunnel-group DefaultRAGroup

    IKEv1 pre-shared-key *.

    NOCHECK Peer-id-validate

    tunnel-group DefaultRAGroup ppp-attributes

    No chap authentication

    no authentication ms-chap-v1

    ms-chap-v2 authentication

    tunnel-group DefaultWEBVPNGroup ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    tunnel-group 74.219.208.50 type ipsec-l2l

    IPSec-attributes tunnel-group 74.219.208.50

    IKEv1 pre-shared-key *.

    type tunnel-group NCHCO remote access

    attributes global-tunnel-group NCHCO

    address pool VPN_Pool

    Group Policy - by default-NCHCO

    IPSec-attributes tunnel-group NCHCO

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

    : end

    ASDM image disk0: / asdm - 649.bin

    ASDM VPN_Start 255.255.255.255 inside location

    ASDM VPN_End 255.255.255.255 inside location

    don't allow no asdm history

    ---------------------------------------------------------------------------------------------------------------

    And here are the logs from the Cisco VPN Client while it is browsing and then becomes unable to browse the network behind the ASA:

    ---------------------------------------------------------------------------------------------------------------

    Cisco Systems VPN Client Version 5.0.07.0440

    Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 6.1.7601 Service Pack 1

    Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

    1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

    Try to find a certificate using hash Serial.

    2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

    Found a certificate using hash Serial.

    3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

    RELOADED successfully certificates in all certificate stores.

    4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "*." **. ***. *** »

    7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

    Try to establish a connection with *. **. ***. ***.

    8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

    From IKE Phase 1 negotiation

    9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

    10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***

    12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

    Peer is a compatible peer Cisco-Unity

    13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports XAUTH

    14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports the DPD

    15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports NAT - T

    16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports fragmentation IKE payloads

    17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

    IOS Vendor ID successful construction

    18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

    19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

    IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

    20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

    Automatic NAT detection status:

    Remote endpoint is NOT behind a NAT device

    This effect is NOT behind a NAT device

    21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

    22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

    24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

    Launch application xAuth

    25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

    Attributes of the authentication request is 6: 00.

    26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

    xAuth application returned

    27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

    IPSec driver started successfully

    29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

    32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

    34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***

    38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

    39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

    40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

    41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

    42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

    43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

    44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

    SPLIT_NET #1

    = 192.168.2.0 subnet

    mask = 255.255.255.0

    Protocol = 0

    SRC port = 0

    port dest = 0

    45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

    46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

    47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

    48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

    49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

    50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

    Data in mode Config received

    51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

    52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

    53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***

    55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify has value of 86400 seconds

    56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

    This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

    57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***

    59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify is set to 28800 seconds

    60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

    61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

    IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

    62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

    OUTGOING ESP SPI support: 0xAAAF4C1C

    63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

    Charges INBOUND ESP SPI: 0x3EBEBFC5

    64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

    Launch VAInst64 for controlling IPSec virtual card

    66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

    The virtual card has been activated:

    IP=192.168.2.70/255.255.255.0

    DNS = 192.168.2.1, 8.8.8.8

    WINS = 0.0.0.0 0.0.0.0

    Domain = NCHCO.local

    Split = DNS names

    67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

    68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

    Were saved successfully road to file changes.

    69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    **. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

    192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

    192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

    192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

    The routing table has been updated for the virtual card

    71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

    A secure connection established

    72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 96.11.251.149.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 192.168.2.70.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

    Did not find the smart card to watch for removal

    75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0x1c4cafaa in the list of keys

    78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0xc5bfbe3e in the list of keys

    80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

    Assigned WILL interface private addr 192.168.2.70

    81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

    Configure the public interface: 96.11.251.149. SG: **.**.***.***

    82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

    Define indicator tunnel set up in the registry to 1.

    83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205276

    85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

    87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

    88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

    Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

    89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205277

    91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

    93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

    94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205278

    96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***

    98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

    ---------------------------------------------------------------------------------------------------------------

    Any help would be appreciated, thanks!

    Try putting the deny ACL entry (access-list AnyConnect_Client_Local_Print extended deny ip any any) at the end of the ACL.
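Both the reply above and Aref's crypto ACL answer earlier on this page rest on how an ASA extended access list is evaluated: top-down, first match wins. The following is an added example, not code from any poster: a simplified Python model (function names and the test addresses are assumptions; only `any`, `host`, address/mask and an optional `eq` destination port are handled) that reports entries hidden behind an earlier one and checks which flows a crypto ACL would treat as interesting traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of ASA port keywords used in the sample entries below.
PORT_NAMES = {"lpd": 515, "www": 80, "netbios-ns": 137}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port
    text: str


def take_addr(tok: List[str]):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tok.pop(0))


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list NAME extended ...' lines; remarks are skipped."""
    aces = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        rest = tok[5:]
        src, dst = take_addr(rest), take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append(Ace(tok[3], tok[4], src, dst, dport, line.strip()))
    return aces


def first_match(aces, proto, src, dst, dport=None) -> Optional[Ace]:
    """Return the first entry that matches the packet, top-down."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace
    return None  # nothing matched: implicit deny


def shadowed(aces):
    """List (later, earlier) pairs where the earlier entry matches every
    packet the later one could, so the later entry can never be hit."""
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append((later.text, earlier.text))
                break
    return out


def is_interesting(acl_text, proto, src, dst, dport=None) -> bool:
    """True if the flow hits a permit entry of a crypto ACL."""
    hit = first_match(parse_acl(acl_text), proto, src, dst, dport)
    return hit is not None and hit.action == "permit"


# Subset of the AnyConnect_Client_Local_Print entries from the posted config.
PRINT_ACL = """
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
"""

# The three crypto ACL variants from the earlier answer.
NETS = "192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
CRYPTO_IP = "access-list VPN extended permit ip " + NETS
CRYPTO_WEB = "access-list VPN extended permit tcp " + NETS + " eq 80"
CRYPTO_ICMP = "access-list VPN extended permit icmp " + NETS

if __name__ == "__main__":
    acl = parse_acl(PRINT_ACL)
    for later, earlier in shadowed(acl):
        print("never hit:", later, "\n   behind:", earlier)
    fixed = acl[1:] + acl[:1]      # deny entry moved to the end
    print("shadowed after reorder:", shadowed(fixed))
    # Constructed DNS flow between the two subnets of the crypto ACL.
    for name, text in (("ip", CRYPTO_IP), ("tcp/80", CRYPTO_WEB), ("icmp", CRYPTO_ICMP)):
        print(name, is_interesting(text, "udp", "192.168.0.10", "192.168.1.10", 53))
```
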

  • Site-to-site VPN on ASA 5505 does not initialize

    I have two ASA 5505s running 8.4 and I tried using the VPN Wizard and the CLI, but I'm not able to get the peers to initialize.  I looked at other configs and do not see what is missing. I tried following the packet through the ASDM and it does not even see the VPN tunnel and continues to try to go to the internet.  I have attached the two configs for assistance.

    I'm glad you figured out the problem and got the tunnel to initialize. Thanks for posting to the forum and stating what you found the problem to be and how you fixed it. It is a good reminder of the importance of ensuring that the crypto map matches on both ends. Maybe now you can mark this issue as resolved, which would let other readers know that there is a solution to this problem here.

    HTH

    Rick

  • VPN site-to-site between ASA 5505 and 2911

    Hi all

    I'm trying to set up an S2S VPN between the office 2911 router with IP a.a.a.a and the remote office ASA 5505 8.4(3) with IP b.b.b.b, but no luck.

    2911 config:

    !

    version 15.2

    service timestamps debug datetime msec

    service timestamps log datetime msec

    service password-encryption

    !

    hostname 2911

    !

    boot-start-marker

    Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin

    boot-end-marker

    !

    !

    security passwords min-length 10

    logging buffered 51200 warnings

    !

    No aaa new-model

    !

    !

    ipv6 spd queue min-threshold 62

    ipv6 spd queue max-threshold 63

    no ipv6 cef

    ip auth-proxy max-login-attempts 5

    ip admission max-login-attempts 5

    !

    !

    !

    DHCP excluded-address IP 192.168.10.1 192.168.10.99

    DHCP excluded-address IP 192.168.22.1 192.168.22.99

    DHCP excluded-address IP 192.168.33.1 192.168.33.99

    DHCP excluded-address IP 192.168.44.1 192.168.44.99

    DHCP excluded-address IP 192.168.55.1 192.168.55.99

    192.168.10.240 IP dhcp excluded-address 192.168.10.254

    DHCP excluded-address IP 192.168.22.240 192.168.22.254

    DHCP excluded-address IP 192.168.33.240 192.168.33.254

    DHCP excluded-address IP 192.168.44.240 192.168.44.254

    DHCP excluded-address IP 192.168.55.240 192.168.55.254

    !

    desktop IP dhcp pool

    import all

    network 192.168.33.0 255.255.255.0

    router by default - 192.168.33.254

    192.168.10.10 DNS server 202.50.246.41 202.50.246.42

    local domain name

    -192.168.10.10 NetBIOS name server

    h-node NetBIOS node type

    !

    wi - fi IP dhcp pool

    import all

    network 192.168.44.0 255.255.255.0

    192.168.10.10 DNS server 202.50.246.41 202.50.246.42

    local domain name

    router by default - 192.168.44.254

    -192.168.10.10 NetBIOS name server

    h-node NetBIOS node type

    !

    DMZ IP dhcp pool

    import all

    network 192.168.55.0 255.255.255.0

    192.168.10.10 DNS server 202.50.246.41 202.50.246.42

    local domain name

    router by default - 192.168.55.254

    -192.168.10.10 NetBIOS name server

    h-node NetBIOS node type

    !

    IP dhcp pool voip

    import all

    network 192.168.22.0 255.255.255.0

    192.168.10.10 DNS server 202.50.246.41 202.50.246.42

    local domain name

    router by default - 192.168.22.254

    -192.168.10.10 NetBIOS name server

    h-node NetBIOS node type

    !

    IP dhcp pool servers

    import all

    network 192.168.10.0 255.255.255.0

    default router 192.168.10.254

    192.168.10.10 DNS server 202.50.246.41 202.50.246.42

    local domain name

    -192.168.10.10 NetBIOS name server

    h-node NetBIOS node type

    !

    !

    IP domain name of domain

    name-server IP 192.168.10.10

    IP cef

    connection-for block 180 tent 3-180

    Timeout 10

    VLAN ifdescr detail

    !

    Authenticated MultiLink bundle-name Panel

    !

    !

    Crypto pki token removal timeout default 0

    !

    Crypto pki trustpoint TP-self-signed-3956567439

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 3956567439

    revocation checking no

    rsakeypair TP-self-signed-3956567439

    !

    !

    TP-self-signed-3956567439 crypto pki certificate chain

    certificate self-signed 01 nvram:IOS - Self-Sig #1.cer

    license udi pid sn CISCO2911/K9

    !

    !

    the FULL_NET object-group network

    full range of the network Description

    192.168.10.0 255.255.255.0

    192.168.11.0 255.255.255.0

    192.168.22.0 255.255.255.0

    192.168.33.0 255.255.255.0

    192.168.44.0 255.255.255.0

    !

    object-group network limited

    description without servers and router network

    192.168.22.0 255.255.255.0

    192.168.33.0 255.255.255.0

    192.168.44.0 255.255.255.0

    !

    VTP version 2

    password username admin privilege 0 password 7

    !

    redundancy

    !

    !

    !

    !

    !

    no passive ftp ip

    !

    !

    crypto ISAKMP policy 10

    BA aes 256

    sha512 hash

    preshared authentication

    ISAKMP crypto key admin address b.b.b.b

    invalid-spi-recovery crypto ISAKMP

    !

    !

    Crypto ipsec transform-set esp - aes esp-sha-hmac SET

    !

    !

    !

    10 map ipsec-isakmp crypto map

    the value of b.b.b.b peer

    Set transform-set

    match address 160

    !

    !

    !

    !

    !

    Interface Port - Channel 1

    no ip address

    waiting-150 to

    !

    Interface Port - channel1.1

    encapsulation dot1Q 1 native

    IP 192.168.11.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    Interface Port - channel1.10

    encapsulation dot1Q 10

    IP address 192.168.10.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    Interface Port - channel1.22

    encapsulation dot1Q 22

    IP 192.168.22.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    Interface Port - channel1.33

    encapsulation dot1Q 33

    IP 192.168.33.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    Interface Port - channel1.44

    encapsulation dot1Q 44

    IP 192.168.44.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    Interface Port - channel1.55

    encapsulation dot1Q 55

    IP 192.168.55.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    the Embedded-Service-Engine0/0 interface

    no ip address

    Shutdown

    !

    interface GigabitEthernet0/0

    Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

    no ip address

    Shutdown

    automatic duplex

    automatic speed

    !

    interface GigabitEthernet0/1

    no ip address

    automatic duplex

    automatic speed

    channel-group 1

    !

    interface GigabitEthernet0/2

    Description $ES_LAN$

    no ip address

    automatic duplex

    automatic speed

    channel-group 1

    !

    interface GigabitEthernet0/0/0

    IP address a.a.a.a 255.255.255.224

    NAT outside IP

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    crypto map

    !

    IP forward-Protocol ND

    !

    no ip address of the http server

    23 class IP http access

    local IP http authentication

    IP http secure server

    IP http timeout policy slowed down 60 life 86400 request 10000

    !

    overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0

    IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static

    IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

    !

    NAT_INTERNET extended IP access list

    refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255

    refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255

    permit ip FULL_NET object-group everything

    !

    access-list 1 permit 192.168.44.100

    access-list 23 allow 192.168.10.7

    access-list 23 permit 192.168.44.0 0.0.0.255

    access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

    access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

    !

    !

    !

    control plan

    !

    !

    !

    Line con 0

    password password 7

    opening of session

    line to 0

    line 2

    no activation-character

    No exec

    preferred no transport

    transport of entry all

    transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

    StopBits 1

    line vty 0 4

    access-class 23 in

    privilege level 15

    local connection

    entry ssh transport

    line vty 5 15

    access-class 23 in

    privilege level 15

    local connection

    entry ssh transport

    !

    Scheduler allocate 20000 1000

    !

    end

    The ASA config:

    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname C
    domain-name domain
    enable password password encrypted
    passwd passwd encrypted
    names
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
     shutdown
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     switchport access vlan 100
    !
    interface Ethernet0/6
     switchport trunk allowed vlan 2,6
     switchport mode trunk
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     description INTERNET
     mac-address 1234.5678.0001
     nameif WAN
     security-level 0
     ip address b.b.b.b 255.255.255.248 standby c.c.c.c
     ospf cost 10
    !
    interface Vlan2
     description OLD-PRIVATE
     mac-address 1234.5678.0102
     nameif OLD-Private
     security-level 100
     ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
     ospf cost 10
    !
    interface Vlan6
     description MANAGEMENT
     mac-address 1234.5678.0106
     nameif Management
     security-level 100
     ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
     ospf cost 10
    !
    interface Vlan100
     description LAN Failover Interface
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone NZST 12
    clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
    dns domain-lookup WAN
    dns server-group DefaultDNS
     name-server 208.67.222.222
     domain-name domain
    same-security-traffic permit intra-interface
    object network obj-192.168.17.0
     subnet 192.168.17.0 255.255.255.0
    object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.9.0
     subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.33.0
     subnet 192.168.33.0 255.255.255.0
    object network obj-192.168.44.0
     subnet 192.168.44.0 255.255.255.0
    object network obj_any
    object network obj_any-01
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_192.168.17.0_24
     subnet 192.168.17.0 255.255.255.0
    object network subnet-00
     subnet 0.0.0.0 0.0.0.0
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service RDP tcp
     description RDP
     port-object eq 3389
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.17.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.33.0 255.255.255.0
     network-object 192.168.44.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.33.0 255.255.255.0
     network-object 192.168.44.0 255.255.255.0
    object-group network subnet-17
     network-object 192.168.17.0 255.255.255.0
    object-group network subnet-2
     network-object 192.168.2.0 255.255.255.0
    object-group network subnet-9
     network-object 192.168.9.0 255.255.255.0
    object-group network subnet-10
     network-object 192.168.10.0 255.255.255.0
    access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
    access-list WAN_access_in extended permit ip any any log debugging
    access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
    access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0
    access-list MANAGEMENT_access_in extended permit ip any any log debugging
    access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
    access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1
    access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
    access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
    access-list LAN_access_in extended permit ip any any log debugging
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 52000
    logging monitor informational
    logging trap informational
    logging asdm informational
    logging from-address syslog
    logging recipient-address admin level errors
    logging host OLD-Private 192.168.17.110 format emblem
    logging debug-trace
    logging permit-hostdown
    mtu WAN 1500
    mtu OLD-Private 1500
    mtu Management 1500
    ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
    ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface failover Vlan100
    failover polltime interface 15 holdtime 75
    failover key *****
    failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 192.168.10.0 255.255.255.0 WAN
    icmp permit host x.x.x.x WAN
    icmp permit 192.168.17.0 255.255.255.0 WAN
    icmp permit host c.c.c.c WAN
    icmp permit host a.a.a.a WAN
    icmp deny any WAN
    icmp permit 192.168.10.0 255.255.255.0 OLD-Private
    icmp permit 192.168.17.0 255.255.255.0 OLD-Private
    icmp permit host a.a.a.a OLD-Private
    icmp permit host 192.168.10.0 Management
    icmp permit host 192.168.17.138 Management
    icmp permit 192.168.1.0 255.255.255.0 Management
    icmp permit host 192.168.1.26 Management
    icmp permit host a.a.a.a Management
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
    nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
    nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    !
    object network subnet-00
     nat (OLD-Private,WAN) dynamic interface
    access-group WAN_access_in in interface WAN
    access-group OLD-PRIVATE_access_in in interface OLD-Private
    access-group MANAGEMENT_access_in in interface Management
    route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 10
    http server enable
    http b.b.b.b 255.255.255.255 WAN
    http 0.0.0.0 0.0.0.0 WAN
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
    crypto map WAN_map 1 match address WAN_1_cryptomap
    crypto map WAN_map 1 set pfs
    crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Office 2 match address WAN_1_cryptomap
    crypto map Office 2 set peer a.a.a.a
    crypto map Office interface WAN
    crypto map MAP 10 set peer a.a.a.a
    crypto map MAP 10 set ikev1 transform-set OFFICE
    crypto ikev2 enable WAN
    crypto ikev1 enable WAN
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption des
     hash sha
     group 1
     lifetime 86400
    telnet timeout 5
    ssh a.a.a.a 255.255.255.255 WAN
    ssh timeout 30
    ssh version 2
    console timeout 0
    dhcpd auto_config OLD-Private
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 129.6.15.28 source WAN prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
    group-policy admin internal
    group-policy admin attributes
     dns-server value 208.67.222.222 156.154.70.1
     vpn-tunnel-protocol ikev1
    group-policy GroupPolicy_a.a.a.a internal
    group-policy GroupPolicy_a.a.a.a attributes
     vpn-tunnel-protocol ikev1 ikev2
    group-policy CiscoVPNClient internal
    group-policy CiscoVPNClient attributes
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl
    username admin password password encrypted privilege 15
    tunnel-group admin type remote-access
    tunnel-group admin general-attributes
     address-pool vpnclient
     authorization-server-group LOCAL
     default-group-policy admin
    tunnel-group a.a.a.a type ipsec-l2l
    tunnel-group a.a.a.a general-attributes
     default-group-policy GroupPolicy_a.a.a.a
    tunnel-group a.a.a.a ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group CiscoVPNClient type remote-access
    tunnel-group CiscoVPNClient general-attributes
     address-pool vpnclient
     default-group-policy CiscoVPNClient
    tunnel-group CiscoVPNClient ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    smtp-server 192.168.17.10
    prompt hostname context
    no call-home reporting anonymous
    call-home
     contact-email-addr admin
     contact-name admin
     profile CiscoTAC-1
      no active
    : end
    asdm image disk0:/asdm-647.bin
    asdm location c.c.c.c 255.255.255.255 WAN
    asdm location 192.168.17.2 255.255.255.255 WAN
    asdm location a.a.a.a 255.255.255.255 OLD-Private
    no asdm history enable

    ASA:

    # show crypto ipsec sa
    There are no ipsec sas
    # show crypto isakmp sa
    There are no IKEv1 SAs
    There are no IKEv2 SAs

    2911:

    #show crypto ipsec sa
    interface: GigabitEthernet0/0/0
        Crypto map tag: map, local addr a.a.a.a
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
       current_peer b.b.b.b port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 4, #recv errors 0
         local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:

    Thanks for your time,

    Nick

    Please add

    crypto map Office 2 set ikev1 transform-set OFFICE

    If that does not help, please enable debug crypto ipsec 255 and paste the output here.

    HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
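    The missing transform-set that the reply above points to can be found mechanically. The following Python sketch is an added example, not code from the posters or from Cisco: it audits the `crypto map` lines copied from the ASA configuration posted in this thread and reports which entry on the interface-bound map is incomplete and which maps are never bound. The function names and the `REQUIRED` tuple are this example's own.

```python
import re
from collections import defaultdict

# "crypto map" lines copied from the ASA 8.4(3) configuration posted in this thread.
ASA_CRYPTO_LINES = """\
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a
crypto map MAP 10 set ikev1 transform-set OFFICE
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# Sub-commands a static IKEv1 LAN-to-LAN entry needs before it can negotiate.
REQUIRED = ("match address", "set peer", "set ikev1 transform-set")


def parse_crypto_maps(config_text):
    """Return ({(map, seq): [subcommands]}, {map: interface})."""
    entries = defaultdict(list)
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            bindings[bind.group(1)] = bind.group(2)
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries[(entry.group(1), int(entry.group(2)))].append(entry.group(3))
    return dict(entries), bindings


def audit_crypto_maps(config_text):
    """List (map, seq, problem) tuples for static crypto map entries."""
    entries, bindings = parse_crypto_maps(config_text)
    findings = []
    for (name, seq), subcmds in sorted(entries.items()):
        # Dynamic entries take their settings from the referenced dynamic map.
        if any(s.startswith("ipsec-isakmp dynamic") for s in subcmds):
            continue
        iface = bindings.get(name)
        if iface is None:
            # Only the map named in "crypto map <name> interface <if>" is used.
            findings.append((name, seq, "not bound to any interface"))
            continue
        for needed in REQUIRED:
            if not any(s.startswith(needed + " ") for s in subcmds):
                findings.append((name, seq, f"bound to {iface}, missing '{needed}'"))
    return findings


if __name__ == "__main__":
    for name, seq, problem in audit_crypto_maps(ASA_CRYPTO_LINES):
        print(f"crypto map {name} {seq}: {problem}")
```

    Run on the posted lines, it flags `Office 2` (the only map bound to WAN) as missing its transform set, and shows that the transform set was attached to `MAP 10`, a map that is never applied to an interface.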

  • VPN between 878 router and ASA 5505

    Hello everyone

    I have struggled for a few days now to get a VPN connection working.

    The situation

    Two offices need to be connected to each other with a VPN. Both sides have a WAN connection.

    The tunnel between the locations comes up fine, but communication fails in almost every way.

    The hosts cannot ping each other, and pings to the inside of the router and the ASA also fail.

    The only ping that works is from inside Site 2 to the inside interface of the router at Site 1 (192.168.1.100 to 192.168.0.250).

    NAT works very well on both sites behind the router / ASA.

    I think I'm doing something wrong with the routes or access lists, but after 7 days, many reloads, restores, driving from one end of the state to the other to undo stupid moves, breaking and resoldering my console cable, and starting completely from defaults about 10 times, I'm through. I honestly don't know where to look any more...

    Tech Specs:

    Site1: has a cable modem that hands out a WAN IP address via DHCP

    This modem connects to the Cisco 878 router (Fastethernet0)

    The router acts as a DHCP server and NAT gateway for the office and offers VPN connectivity to the other office

    Site2: has a cable modem/router (Cisco 3925) which does the NAT; this modem/router hands out a private class C IP (192.168.178.x)

    This modem/router connects to a Cisco ASA 5505 (Fastethernet0)

    The ASA also serves as a DHCP server and NAT gateway for the office and offers VPN connectivity to the other office.

    In a line, it looks like this:

    Office 1 --> Cisco878 --> WAN Cloud <--- cablemodemrouter <--- ASA5505 <--- Office 2

    IP address ranges:

    Office 1

    Network 192.168.0.0

    Subnet mask 255.255.255.0

    Gateway 192.168.0.250

    WAN IP XXXX

    Office 2

    Network 192.168.1.0

    Subnet mask 255.255.255.0

    Gateway 192.168.1.1

    WAN IP XXXX

    At the office 2 location, there is a NAT between the ASA and the WAN router, on 192.168.178.x 255.255.255.0

    The modemrouter is a Cisco 3925, on which IPSEC passthrough is enabled.

    Configs:

    Site 1:

    CISCO 878 router

    Site 2

    ASA 5505

    I hope someone has a chance to look through my config and tell me what I did wrong this week

    Even if you can not help me but still read here: Thank YOU!

    (As my problem has been resolved, I removed the configs from this post. If for any reason you want a working configuration for these devices, please send me a PM.)

    Post edited by: taaa lijf - reason: problem solved, removed configs and private stuff for obvious reasons ;)

    Hello

    Ping from a client at site 1 to a client at site 2, and do sh crypto isakmp sa and sh crypto ipsec sa on the router.

    If sh crypto isakmp sa gives QM_IDLE and the ping fails and you have no packets in sh crypto ipsec sa, then do a debug crypto ipsec.

    If sh crypto isakmp sa gives MM_NO_STATE, do a debug crypto isakmp.

    One note, however: you should have static IP addresses at least on the side initiating the tunnel, otherwise it will not work when the IP address changes.

    Kind regards.

    Alain.
