I can't do FTP through IPsec Tunnel

users at the branch office (perth) cannot do FTP to a server on the internet. We simply want to change on NAT/rules to get there.

We have head office is in Sydney that this router's IPsec VPN to other areas including Melbourne, Perth,...

we want just difficulty centimeters FTP for users of Perth not on all the other branches.

All things are IPsec router to router. routers to perth and sydney, I ping address FTP (203.171.5.4) but from a client in perth, I can't ping or telnet to this IP address.

I downloaded routers routers from sydney and perth configs.

Please ask me for more picture of the environment.

Thanks in advance,

Reza

Reza,

Is because we are dealing with two different concepts of the ACL here.
160 ACL is applied to an interface (path to Ethernet0), so this ACL is permit/deny traffic).
The 150 ACL is applied to a NAT rule (you cannot delete it because you will lose Internet).

I asked remove ACL filtering which is only 160.

The test I was asking was to remove the 160 ACL or add a line like this:
access ip-list 160 allow a whole
And check if everything works.

Federico.

Tags: Cisco Security

Similar Questions

Unable to Ping hosts through IPSec Tunnel

I have a configuration of lab home with a PIX 515 running code 8.03. I've made several changes over the last week and now when I finish a VPN connection to the external interface, I'm unable to hit all internal resources. My VPN connection comes from a 10.22.254.0/24 trying to knock the internal nodes to 10.22.1.0/24, see below. When I finish a VPN connection with the inside interface works, so I guess that I'm dealing with a NAT problem? I have not idea why Phase 9 is a failure:-------. Any help would be great!

-------

IP 10.22.254.0 allow Access-list extended sheep 255.255.255.0 10.22.1.0 255.255.255.0

NAT (inside) 0 access-list sheep

-------

Global 1 interface (outside)

-------

access-list extended split allow ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

-------

Packet-trace entry inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1

Type: FLOW-SEARCH

Subtype:

Result: ALLOW

Config:

Additional information:

Not found no corresponding stream, creating a new stream

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 0.0.0.0 0.0.0.0 outdoors

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x2bb3450, priority = 0, sector = option-ip-enabled, deny = true

hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x304ae48, priority = 12, area = ipsec-tunnel-flow, deny = true

hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

Phase: 5

Type: NAT-FREE

Subtype:

Result: ALLOW

Config:

NAT (inside) 0 access-list sheep

NAT-control

is the intellectual property inside 10.22.1.0 outside 10.22.254.0 255.255.255.0 255.255.255.0

Exempt from NAT

translate_hits = 6, untranslate_hits = 5

Additional information:

Direct flow from returns search rule:

ID = 0x2be2a00, priority = 6, free = area of nat, deny = false

Hits = 5, user_data is 0x2be2960, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol

SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

DST ip = 10.22.254.0, mask is 255.255.255.0, port = 0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside, DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0

NAT-control

is the intellectual property inside 10.22.1.0 255.255.255.0 DMZ all

static translation at 10.22.1.0

translate_hits = 10, untranslate_hits = 0

Additional information:

Direct flow from returns search rule:

ID = 0x2d52800, priority = 5, area = host, deny = false

hits = 21654, user_data = 0x2d51dc8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT-control

is the intellectual property inside everything outside of any

dynamic translation of hen 1 (192.168.20.20 [Interface PAT])

translate_hits = 2909, untranslate_hits = 9

Additional information:

Direct flow from returns search rule:

ID = 0x2d4a7d0, priority = 1, sector = nat, deny = false

hits = 16973, user_data = 0x2d4a730, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0 x 3328000, priority = 70, domain = encrypt, deny = false

hits = 0, user_data is 0x1efa0cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0

DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

Phase: 9

Type: ACCESS-LIST

Subtype: ipsec-user

Result: DECLINE

Config:

Additional information:

Direct flow from returns search rule:

ID = 0x3329a48, priority = 69, domain = ipsec - user, deny = true

Hits = 37, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: drop

Drop-reason: flow (acl-drop) is denied by the configured rule

No, the sheep ACL requires that defining the internal network traffic to the

Pool VPN. You must remove the other entries.

Delete:

allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 DM_INLINE_NETWORK_18 object-group
allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

AnyConnect SSL VPN through IPSEC Tunnel

Everyone was able to set up and connect using Cisco anyconnect vpn ssl on a Cisco IPSEC's tunnel. I used this in the past from a Windows XP system in the past but its not working now. None of my users are able to cooect using the Anyconnect on IPSEC. IPSEC on its own works very well.

The Anyconnect is also able to create the connection to its ASA firewall however its not able to route all traffic through. Do you have any suggestions?

Thanks for the update.

How to troubleshoot an IPSec tunnel GRE?

Hello

My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

I does not change the mode to transport mode in the transform-set configuration.

Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

Thank you.

I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show his

Here are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200

You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.

In addition, you can configure keepalive via the command:

Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepalive

and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

How can I bypass ipsec tunnel when do ftp?

Hello

I would like to make an IPsec VPN tunnel between my breanch and Headquarters Office (VPN router). I do FTP specific ip on the Internet without IPsec tunnel. This should be happenning on my website. then when users try to ftp://125.7.123.46 it should work around the tunnel and connect directly?

Can any one give me a heads up how do I do this on my router?

Thanks in advance,

Reza

Reza,

In order to achieve this the 192.168.10.0/24 network server, here's what you need:

##########################################

access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

overload of IP nat inside source list 150 interface Dialer0

interface Ethernet0

IP nat inside

interface Dialer0

NAT outside IP

#########################################

With the above configuration you have access to Internet in the 192.168.10.0/24 network without disturbing the IPsec traffic.

You have this double threat?

Federico.

Intercept-dhcp works to tunnel L2TP through IPsec ASA?

Hello

Is there anyone in the world operating a tunnel L2TP through IPsec on Cisco ASA for the native Windows clients and a Tunnel Split Configuration fully functional?

I created a tunnel L2TP through IPsec on the ASA 5520 9.1 (6) Version of the software running. My configuration is:

mask 172.23.32.1 - 172.23.33.255 255.255.252.0 IP local pool VPN_Users

ROUTING_SPLIT list standard access allowed 192.168.0.0 255.255.0.0
ROUTING_SPLIT list standard access allowed 172.16.0.0 255.248.0.0

Crypto ipsec transform-set esp-aes-256 WIN10, esp-sha-hmac ikev1
transport mode encryption ipsec transform-set WIN10 ikev1
Crypto ipsec transform-set esp-3des esp-sha-hmac WIN7 ikev1
Crypto ipsec transform-set transport WIN7 using ikev1
Dynamic crypto map DYNMAP 10 set transform-set WIN10 WIN7 ikev1
Crypto dynamic-map DYNMAP 10 the value reverse-road
card crypto CMAP 99-isakmp dynamic ipsec DYNMAP
CMAP interface ipsec crypto map

Crypto isakmp nat-traversal 29
crypto ISAKMP disconnect - notify
Ikev1 enable ipsec crypto
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
output
IKEv1 crypto policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
output

internal EIK_USERS_RA group policy
EIK_USERS_RA group policy attributes
value of 12.34.56.7 DNS Server 12.34.56.8
VPN - connections 2
L2TP ipsec VPN-tunnel-Protocol ikev1
disable the password-storage
enable IP-comp
enable PFS
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ROUTING_SPLIT
ad.NYME.Hu value by default-field
Intercept-dhcp enable
the authentication of the user activation
the address value VPN_Users pools
output

attributes global-tunnel-group DefaultRAGroup
authentication-server-group challenger
accounting-server-group challenger
Group Policy - by default-EIK_USERS_RA
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
output

Now, the native Windows clients can connect using this group of tunnel:

our - asa # show remote vpn-sessiondb

Session type: IKEv1 IPsec

User name: w10vpn Index: 1
Assigned IP: 172.23.32.2 public IP address: 12.34.56.9
Protocol: IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License: Another VPN
Encryption: IKEv1: (1) 3DES IPsecOverNatT: (1) L2TPOverIPsecOverNatT AES256: (1) no
Hash: IKEv1: (1) IPsecOverNatT SHA1: (1) L2TPOverIPsecOverNatT SHA1: (1) no
TX Bytes: 1233 bytes Rx: 10698
Group Policy: Group EIK_USERS_RA Tunnel: DefaultRAGroup
Connect time: 15:12:29 UTC Friday, April 8, 2016
Duration: 0: 00: 01:00
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no

However, real communication takes place above the tunnel if I 'Gateway on remote network use default'. If I disable this option among the preferences of the IPv4 of the virtual interface of VPN in Control Panel as described in the section 'Configuration of Tunnel of Split' of This DOCUMENT then Windows sends all packets through the channel, because it fails to extract from the ASA routing table. Split routing works perfectly when using legacy Cisco VPN Client with the same group policy, but does not work with L2TP over IPsec.

As far as I can see, the 'intercept-dhcp' option is inefficient somehow. I even managed to intercept packets of the PPP virtual machine Windows XP interface, and I saw that windows sends its DHCP INFORM requests, but the ASA does not. My question is why?

-J' made a mistake in the above configuration?

-Can there be one option somewhere else in my config running that defuses intercept-dhcp?

- Or is there a software bug in my version of firmware ASA? (BTW, I tried with several versions of different software without success?

Hi, I have the same problem you have, but I was lucky enough to be able to install version 9.2 (4) on which this feature works very well. I'm suspecting that it is a bug, but I need to dig a little deeper. If I find something interesting I'll share it here.

I can weight of the IPSec Tunnels between ASAs

Hello

Remote site: link internet NYC 150 MB/s

Local site: link internet Baltimore 400 MB/s

Backup site: link internet Washington 200 Mb/s

My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches. Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down. We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

Interesting traffic would be the same for the two tunnels

I know that ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel in Baltimore as long as it works? An IPSec tunnel can be weighted?

Thank you

It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

Reference.

Site VPN to IPsec with PAT through the tunnel configuration example

Hello

as I read a lot about vpn connections site-2-site
and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

now, I got suite facility with two locations A and B.

192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
172.16.16.0/24 Site has

---------------------------------------------------------------------------

Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

---------------------------------------------------------------------------

Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
witch need to access a server terminal server on the SITE b.

As I have no influence on where and when guests pop up in my Site.
I would like to hide them behind a single ip address to SITE B.

If in the event that a new hosts need access, or old hosts can be deleted,
its as simple as the ACL or conviniently inlet remove the object from the network.

so I guess that the acl looks like this:

---------------------------------------------------------------------------

access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

---------------------------------------------------------------------------

But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
address for the translation of PAT?

something like this he will say, it must be treated according to the policy:

NAT (1-access VPN INVOLVED-HOST internal list)

Now how do I do that?
The rest of the config, I guess that will be quite normal as follows:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of AA peers. ABM CC. DD
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

---------------------------------------------------------------------------

On SITE B

the config is pretty simple:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of peer SITE has IP
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

---------------------------------------------------------------------------

Thank you for you're extra eyes and precious time!

Colin

You want to PAT the traffic that goes through the tunnel?

list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

NAT (inside) 1 access list PAT

Global (outside) 1 192.168.0.3 255.255.255.255

Then, the VPN ACL applied to the card encryption:

list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

The interesting thing is that traffic can only be activated from your end.

The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

Is that what you are looking for?

Federico.

Any traffic sent through my IPsec tunnel

Hi support community,

I've been struggling for days which is - I guess - something very basic.

I have a router that I want to connect to my ASA via the VPN. This router has a dynamic IP, so I managed to make it appear the tunnel with a dynamic crypto map, and the router falls into the DefaultL2LGroup (I guess I have no choice anyway, at me if I'm wrong). So that part is OK now, the tunnel is UP.

However, SAA, I can see packets entering the tunnel but no package is removed from the ASA to the router.

ASA is a private network router and 192.168.250.0/24 has 192.168.242.0/24.

And here is the : configuration

Allow OPT_cryptomap_2 to access extended list ip 192.168.242.0 255.255.255.0

Dynamic crypto map CIPAC-ENERGY-VALE3 2 match address OPT_cryptomap_2

map OPT_map 2-isakmp dynamic ipsec CIPAC-ENERGY-VALE3 crypto

I do not understand what Miss me. I can not ping to the interface on the ASA (I have a permit icmp any one on the interface), but without success.

This means that packets are decpasulated and do not yet reach the virtual interface on the ASA?

Tunnel is UP:

Show the details of its crypto isakmp

IKE Peer: 180.214.xx.102

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

Encryption: aes - 256 Hash: SHA

AUTH: preshared Lifetime: 86400

See the crypto

address of the peers: 180.214.xx.102

Tag crypto map: CIPAC-ENERGY-VALE3, seq num: 2, local addr: 202.xxx.xx.14

Access extensive list ip 192.168.250.0 OPT_cryptomap_2 allow 255.255.255.0 192.168.242.0 255.255.255.0

local ident (addr, mask, prot, port): (192.168.250.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.242.0/255.255.255.0/0/0)

current_peer: 180.214.xx.102

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 90, #pkts decrypt: 80, #pkts check: 10

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

success #frag before: 0, failures before #frag: 0, #fragments created: 0

Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

#pkts not his (send): 0, invalid #pkts his (RRs): 0

#pkts program failed (send): 0, #pkts decaps failed (RRs): 0

#pkts invalid prot (RRs): 0, #pkts check failed: 0

invalid identity #pkts (RRs): #pkts invalid len (RRs), 5: 0

#pkts incorrect key (RRs): 0,

#pkts invalid ip version (RRs): 0,

replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0

#pkts replay failed (RRs): 0

#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0

#pkts internal err (send): 0, #pkts internal err (RRs): 0

local crypto endpt. : 202.xxx.xx.14/0, remote Start crypto. : 180.214.xx.102/0

Path mtu 1500, fresh ipsec generals 74, media, mtu 1500

current outbound SPI: B30EBC2B

current inbound SPI: 52DD8189

Ping from the ASA interface to the router:

# Ping ASA001

TCP Ping [n]:

Interface: CLT-CIPAC-VALE (192.168.250.1)

Target IP address: 192.168.242.254

County of repeat: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Scan the range of sizes [n]:

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.242.254, wait time is 2 seconds:

?????

Success rate is 0% (0/5)

And still no traffic sent through the tunnel.

As I'm not familiar with IPSEC to help or guidelines of troubleshhot would be really appreciated, I've been through a lot of documentation (forums, guides for cisco and other items).

Best regards

Florian

If you try to ping the inside interface try 'management-access to inside' and see if it works.

Thank you

Tarik Admani
* Please note the useful messages *.

external access through ipsec site-to-site tunnel

Hi all

I configured n/b site VPN ipsec Cisco ASA5510 router (site1) and router sonicwall (site2). I can access two LAN subnets.

But what I need is, routing traffic from site2 to a public ip specific to ipsec tunnel and then to internet through router cisco.

I updated the IPSec in sonicwall, so that traffic to this ip address will be routed to ipsec and all other traffic will go through the default gateway (sonicwall).

Then, I watched the packets on ASA5510 router Cisco ASDM and found that the packets intended for that particular ip address reached router cisco.

But still I can't access that intellectual property of site2. I think there must be some rules to allow that IP. And also I do not know it is possible to

access to the internet through the ipsec tunnel. ? I searched a lot and could not find useful advice. And I don't want all internet traffic to ipsec.

Thank you

Hans

It is what some similar to the only difference in the example below, it is the clients vpn access must be provided for users, but in your EAC, internet access is for some ip of an asite at the tunnel site

you will be interested in cross section

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

to give a brief idea

NAT (outside) 1

Global 1 interface (outside)

permit same-security-traffic intra interface

Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

Your explanation is much appreciated.

Hi Deepak,

In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

GRE over IPSec tunnel cannot pass traffic through it

I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

Head office

crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.89
game of transformation-IPSec_PLC
match address 100
!
!
!
Tunnel1 interface
bandwidth 1984
IP 167.134.216.94 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial0/1/0:0
tunnel destination 167.134.216.89

interface Serial0/1/0:0
IP 167.134.216.90 255.255.255.252
card crypto PLC - CUM

access-list 100 permit gre 167.134.216.90 host 167.134.216.8

Router eigrp 100
network 167.134.216.92 0.0.0.3

Directorate-General of the

crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.90
game of transformation-IPSec_PLC
match address 100

Tunnel1 interface
bandwidth 1984
IP 167.134.216.93 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial1/0/0:1
tunnel destination 167.134.216.90

interface Serial1/0/0:1
bandwidth 1984
IP 167.134.216.89 255.255.255.252
IP access-group 101 in
load-interval 30
no fair queue
card crypto PLC - CUM

access-list 100 permit gre 167.134.216.89 host 167.134.216.90

ER-7600 #sh crypto isakmp his
conn-id State DST CBC slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0

ER-3845 #sh crypto isakmp his
status of DST CBC State conn-id slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

ER-3845 #sh active cryptographic engine connections

Algorithm of address State IP Interface ID encrypt decrypt
3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

ER-7600 #sh active cryptographic engine connections

Algorithm of address State IP Interface ID encrypt decrypt
3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

Please help, it's so frustrating...

Thanks in advance

Oscar

Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

It may be useful

Manish

Cannot reach the destination of an IPSec tunnel through another IPSec tunnel

Hi all

I have a PIX 515E version 8.0 (2).

I have two remote sites connected to this PIX via IPSec tunnels.

Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB remoteSiteA.

Thus,.

SiteA <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.30.8.254

SiteB <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.138.34.21

SiteA can ping SiteX

SiteB can ping SiteX

SiteA cannot ping SiteB

SiteB cannot ping SiteA

If I do not show crypto isakmp ipsec his I see appropriate subnets:

Tag crypto map: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1

permit access-list ACLVPN-TO_SITEA ip 10.138.34.16 255.255.255.240 host 10.30.8.254

local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

current_peer: 104.86.2.4

Tag crypto map: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1

access-list ACLVPN-TO_SITEB allowed host ip 10.30.8.254 10.138.34.16 255.255.255.240

local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

current_peer: 216.178.200.200

Journal messages that seem to point to the problem...

April 18, 2013 13:27:35: % PIX-4-402116: IPSEC: received a package of ESP (SPI = 0xD51BB13A, sequence number = 0x21A) 104.86.2.4 (user = 104.86.2.4) at 203.166.1.1. Inside the package décapsulés does not match policy negotiated in the SA. The package indicates its destination as 10.138.34.21, its source as 10.30.8.254 and its Protocol 6. SA specifies its local proxy like 10.0.8.0/255.255.255.0/0/0 and his remote_proxy as 10.30.8.254/255.255.255.255/0/0

My question is really what I have to do something funky to allow traffic to pass between the two tunnels?

Hello

This could be much easier if we have seen the real configurations.

But here are some things to be confirmed in the configurations (some of them you mentioned above, but I still quote once again)
- Make sure that each firewall, you set the appropriate VPN L2L ACL
- Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
- Make sure the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site traffic to enter the Central PIX 'outside' interface and head back on the same interface to Site B. And vice versa.
To view some actual configurations that may be required provided everything else is ok. (I assume that all devices are Cisco)

Central PIX

permit same-security-traffic intra-interface

A connection to the site

SITE-A-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 host 10.30.8.254

SITE-A-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

Site B connection

SITE-B-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 10.138.34.16 255.255.255.240

SITE-B-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

NAT0

access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 host 10.30.8.254

access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240

NAT (inside) 0-list of access to the INTERIOR-NAT0

OUTSIDE-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

OUTSIDE-NAT0 allowed ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

NAT (outside) 0-list of access OUTSIDE-NAT0

Site has

CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.0.8.0 255.255.255.0

CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240

the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.0.8.0 255.255.255.0

the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240

NAT (inside) 0-list of access to the INTERIOR-NAT0

Site B

CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 10.0.8.0 255.255.255.0

CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254

the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 10.0.8.0 255.255.255.0

the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254

NAT (inside) 0-list of access to the INTERIOR-NAT0

Hope this helps

-Jouni

Road by default from version 6.3 PIX IPsec tunnel

We have a PIX 501 running IOS version 6.3.1.

There are currently 3 tunnels IPsec active as described below.

What we would like is to have all traffic by default (0.0.0.0 0.0.0.0) range out through the tunnel of the middle line so that traffic can be protected by a firewall on the other side of the tunnel. Since ICF is a Sonicwall what would be needed to be changed in the configuration on the PIX to get there?

Thank you

6.3 (1) version PIX

interface ethernet0 10baset

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the 86AZXXmRLxfv/oUQ encrypted password

86AZXXmRLxfv/oUQ encrypted passwd

Site A hostname

domain default.int

clock timezone STD - 7

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

name 75.75.75.2 CovadHub

name 75.48.25.12 Sonicwall

access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0

access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0

access-list 101 permit icmp any any echo response

access-list 101 permit icmp any any echo

access-list 102 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0

access-list 103 allow ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list 104. allow ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0

pager lines 24

opening of session

monitor debug logging

logging warnings put in buffered memory

ICMP allow 10.10.5.0 255.255.255.0 inside

Outside 1500 MTU

Within 1500 MTU

external IP 75.25.14.2 255.255.255.0

IP address inside 10.10.5.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

location of PDM 10.10.5.0 255.255.255.0 inside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

(Inside) NAT 0-list of access 101

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

allow icmp a conduit

Route outside 0.0.0.0 0.0.0.0 75.25.14.1 1

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

NTP server 132.163.4.102 source outdoors

NTP server 129.7.1.66 source outdoors

Enable http server

http 10.10.1.0 255.255.255.0 inside

http 10.10.5.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp - esp-md5-hmac pix11

peer11 card crypto ipsec-isakmp 10

correspondence address 10 card crypto peer11 102

peer11 card crypto 10 peers set 75.95.21.41

peer11 card crypto 10 set transform-set pix11

11 peer11 of ipsec-isakmp crypto map

correspondence address 11 card crypto peer11 103

11 peer11 peer Sonicwall crypto card game

card crypto peer11 11 set transform-set pix11

12 peer11 of ipsec-isakmp crypto map

correspondence address 12 card crypto peer11 104

card crypto peer11 12 set peer 75.62.58.28

card crypto peer11 12 set transform-set pix11

peer11 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 75.62.58.28 netmask 255.255.255.240

ISAKMP key * address netmask 255.255.255.224 Sonicwall

ISAKMP key * address 75.95.21.41 netmask 255.255.255.252

ISAKMP identity address

ISAKMP keepalive 10

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

part of pre authentication ISAKMP policy 11

encryption of ISAKMP policy 11

ISAKMP policy 11 md5 hash

11 2 ISAKMP policy group

ISAKMP duration strategy of life 11 28800

part of pre authentication ISAKMP policy 12

encryption of ISAKMP policy 12

ISAKMP policy 12 md5 hash

12 2 ISAKMP policy group

ISAKMP duration strategy of life 12 36000

Telnet 10.10.5.0 255.255.255.0 inside

Telnet 0.0.0.0 0.0.0.0 inside

Telnet timeout 5

SSH 0.0.0.0 0.0.0.0 outdoors

SSH 0.0.0.0 0.0.0.0 inside

SSH timeout 60

Console timeout 0

dhcpd address 10.10.5.70 - 10.10.5.101 inside

dhcpd dns 10.10.1.214

dhcpd rental 43200

dhcpd ping_timeout 750

dhcpd field default.int

dhcpd outside auto_config

dhcpd allow inside

Terminal width 80

Cryptochecksum:36d2c26afa8

03957d 3659

868d9219f8

2

: end

Hello

You do not configure really any type of default route for the VPN L2L. You match rather traffic with 'everything' destination on configuring VPN L2L. Basically you would like to configure the VPN L2L ACL encryption with the 'whole' destination map

I guess in your case it would be the ACL named "103".

access-list 103 allow ip 10.10.5.0 255.255.255.0 any

IP 10.10.5.0 doesn't allow any access list 103 255.255.255.0 10.10.1.0 255.255.255.0

Naturally, your NAT0 ACL configuration should also reflect this change. I guess the end remote Sonicwall'd private NAT to public Internet access in this case whereas. I guess that in this case, the ACL NAT0 might even be just this one rule ACL

access-list 101 permit ip 10.10.5.0 255.255.255.0 any

BUT what I was asking however for now mainly is the fact it has a priority of '11' in the 'crypto map' which has between 2 other L2L VPN connections.

peer11 card crypto ipsec-isakmp 10

correspondence address 10 card crypto peer11 102

peer11 card crypto 10 peers set 75.95.21.41

peer11 card crypto 10 set transform-set pix11

11 peer11 of ipsec-isakmp crypto map

correspondence address 11 card crypto peer11 103

11 peer11 peer Sonicwall crypto card game

card crypto peer11 11 set transform-set pix11

12 peer11 of ipsec-isakmp crypto map

correspondence address 12 card crypto peer11 104

card crypto peer11 12 set peer 75.62.58.28

card crypto peer11 12 set transform-set pix11

If you have changed the destination address of '103' crypto VPN L2L ACL at "" I guess that would probably cause so that the last connection VPN L2L with "12" priority may stop working since the previous connection already corresponds to 'all' your network 'inside' destination address.

The solution might be to delete the current configuration of the '11' priority and add it with '13' for example, so that the other 2 connections VPN L2L could continue to work and all the rest of the traffic would be passed to the connection VPN L2L with Sonicwall as the remote peer.

No crypto map ipsec-isakmp 11 peer11

no correspondence address 11 card crypto peer11 103

no set of 11 peer11 card crypto don't peer Sonicwall

No peer11 11 set transform-set pix11 crypto card

13 peer11 of ipsec-isakmp crypto map

correspondence address 13 card crypto peer11 103

13 card crypto peer Sonicwall peer11 game

card crypto peer11 13 pix11 transform-set game

I have to say that this is how I expect it should work. I worked with VPN L2L that have been configured in this way but its quite rare.

If you want to try something like that, of course, be ready to return to the old configuration with your admins of the remote peer, if things do not work. I guess more difficult configurations changes must be made on the remote end while your configuration of the ends should be fairly simple.

Hope this helps

-Jouni

Cisco's ASA IPsec tunnel disconnects after a while

Hi all

I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.

I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.

But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.

This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.

SonicWALL publicip 1.1.1.2 192.168.10.0 subnet

Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0

ciscoasa # sh run
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain default.domain.invalid
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
Speed 100
full duplex
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.5.1 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
Server name 66.28.0.45
Server name 66.28.0.61
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group service rdp tcp
EQ port 3389 object
object-group service tcp OpenVPN
port-object eq 1194
access list outside extended permit icmp any any echo response
access list outside extended permit tcp any host # eq pptp
outside allowed extended access will list any host #.
list of extended outside access permit udp any any eq 1701
extended outdoor access allowed icmp a whole list
access list outside extended permit tcp any host # eq ftp
access list outside extended permit tcp any host # eq ssh
list of extended outside access permit tcp any host # object - group rdp
turn off journal
access list outside extended permit tcp any host 1.1.1.1 object - group Open
VPN
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
. 255.255.0
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
. 255.255.0
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
55.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.10.0 255.255.255.0
NAT (outside) 1 192.168.5.0 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.5.0 255.255.255.0
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 5 the value reverse-road
Crypto easyvpn dynamic-map 10 transform-set RIGHT
Crypto-map dynamic easyvpn 10 reverse-drive value
card crypto mymap 10 correspondence address l2l
card crypto mymap 10 set peer 1.1.1.2
card crypto mymap 10 transform-set RIGHT
map mymap 30000-isakmp ipsec crypto dynamic easyvpn
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
Telnet 192.168.5.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
Hello to tunnel L2TP 10
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value cisco.com
attributes of Group Policy DfltGrpPolicy
internal band easyvpn strategy
attributes of the strategy of band easyvpn
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelall
the address value ippool pools
VPN-group-policy DefaultRAGroup
attributes global-tunnel-group DefaultRAGroup
address l2tppool pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.
tunnel-group easyvpn type remote access
tunnel-group easyvpn General attributes
Group Policy - by default-easyvpn
easyvpn group tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: end

I guess you have typo in the configuration of the ASA?

L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

Can you confirm that you have configured instead the following:

access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0

Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2

In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):

NAT (outside) 1 192.168.10.0 255.255.255.0

Finally, pls turn off keepalive to SonicWall.

If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.

I can't do FTP through IPsec Tunnel

Similar Questions

Maybe you are looking for