IKEv1 Site to Site VPN establishment
I am configuring a vpn site-to site IKEv1 in a lab environment. I followed the wizard in asdm at both ends, and I can see an AES256 connection when I go to monitoring-> VPN-> Sessions under the IPsec Site to Site menu. The problem is that I can't reach all the remote private network devices. What is confusing, it's that I don't see anythign in my logs when I try to ping the remote network or reach the remote network Web site however packet - trace says that everything has to go through. The only time where packet - trace fails is when tunnel IPsec site-to-site is down, but after that but fail it incites the asa to put online, I run again and it market. Here is the result of my order of packet tracer.
ASA1 (config) # entry packet - trace inside tcp 10.1.50.51 80 80 10.1.60.2 det
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoors
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac412500, priority = 0, sector = inspect-ip-options, deny = true
hits = 103, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 non-proxy-arp-search of route static destination
Additional information:
Definition of static 10.1.50.51/80 to 10.1.50.51/80
Direct flow from returns search rule:
ID = 0xac47ce18, priority = 6, area = nat, deny = false
hits = 11, user_data is 0xac47a828, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=10.1.50.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=10.1.60.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac43d998, priority = 0, domain = host-limit, deny = false
hits = 11, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: VPN
Subtype: encrypt
Result: DECLINE
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac362ba8, priority = 70, domain = encrypt, deny = false
hits = 3, user_data = 0x0, cs_id = 0xacc24588, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.1.50.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=10.1.60.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule
ASA1 (config) #.
Here it's still just once after running the command:
ASA1 (config) # entry packet - trace inside tcp 10.1.50.51 80 80 10.1.60.2 det
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoors
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac412500, priority = 0, sector = inspect-ip-options, deny = true
hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 non-proxy-arp-search of route static destination
Additional information:
Definition of static 10.1.50.51/80 to 10.1.50.51/80
Direct flow from returns search rule:
ID = 0xac47ce18, priority = 6, area = nat, deny = false
Hits = 12, user_data is 0xac47a828, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=10.1.50.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=10.1.60.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac43d998, priority = 0, domain = host-limit, deny = false
Hits = 12, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xac401b98, priority = 70, domain = encrypt, deny = false
visits = 1, user_data = 0 x 38334, cs_id = 0xacc24588, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.1.50.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=10.1.60.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xa87bb8f8, priority = 69 = ipsec-tunnel-flow area, deny = false
visits = 1, user_data = 0x43c54, cs_id = 0 x 0, reverse, flags = 0x0, protocol = 0
IP/ID=10.1.60.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=10.1.50.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xac439f80, priority = 0, sector = inspect-ip-options, deny = true
hits = 437, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 8
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New feed created with id 443 package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
ASA1 (config) #.
ASA1 (config) # show crypto ikev1 his
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 2
1 peer IKE: 68.231.6.110
Type: user role: answering machine
Generate a new key: no State: AM_ACTIVE
2 IKE peers: 65.23.153.227
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
Packages do not go through the ASA as hosts do not have a route to ASA inside IP address. (10.1.50.1 and 10.1.60.1)
Something like that
10.1.60.0 255.255.255.0 Gateway 10.1.50.1
and vica versa
Tags: Cisco Security
Similar Questions
-
SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel
Hi all.
I really need help on this one.
The office 1 installer running SBS2008 Office 2 running Server 2008.
Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.
Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.
Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.
Each firm has its own DNS server and acts as a domain controller
How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?
Is it so simple that the addition of another pool internal IP for each DNS server?
Thanks in advance for your help.
Hello
Your Question is beyond the scope of this community.
I suggest that repost you your question in the Forums of SBS.
https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver
"Windows Small Business Server 2011 Essentials online help"
https://msdn.Microsoft.com/en-us/library/home-client.aspx
TechNet Server forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
See you soon.
-
IPSec Site to Site VPN Solution needed?
Hi all
I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.
Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.
Could you please give me the solution how is that possible?
Concerning
Uzair Hussain
Hi uzair.infotech,
Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:
INFO - RITA - NIDA
You can check this guide that explains step by step how to configure grouping:
https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...
Hope this info helps!
Note If you help!
-JP-
-
SH running-config crypto
I have the following configuration, in order to create a site to site vpn which should not be changed in the configuration below.
Do I need to add new card crypto?
And what is the dynamic-map
I need to create new ipsec transform-set or can I use the existing?
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 remoteaccess
Crypto ipsec transform-set esp-3des esp-sha-hmac L2Lvpn ikev1
Crypto ipsec kilobytes of life - safety 999608000 association
Crypto ipsec pmtu aging infinite - the security association
Crypto-map dynamic Test 1 set pfs Group1
Crypto-map dynamic Test 1 set transform-set remoteaccess L2Lvpn ikev1
Crypto-map dynamic 1jeu reverse-Road Test
card crypto Test 1-isakmp ipsec dynamic test
Test interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = TestFW
Configure CRL
trustpool crypto ca policy
crypto isakmp identity address
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 10800
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 1800
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 1800
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
Thank you
Next step will be sending real traffic, or just run a package Tracker to ensure that traffic flows very well:
entry Packet-trace within the icmp 192.168.15.x 8 0 172.10.10.x detail
If all goes well, you should be good to go.
Hope this info helps!
Note If you help!
-JP-
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
site to site vpn - internal network even on both sides of the tunnel
Hi all
I have the following questions about the Site Site VPN using ASA 5510 and 5505
Scenerio is
1. we have five branches & headquarters
2. we want to establish a vpn between branches & Head Office (VPN from Site to Site)
3. all branches & head office using the same internal network (192.168.150.0 255.255.255.0)
My question is
How can I configure VPN site-to-site between branches & head office with the same internal network (192.168.150.0/24)
Please help me with the configuration steps & explanation
I have experience on setting up vpn site to site between branches with differnet internal network (for example: 192.168.1.0/24 and 192.168.2.0/24)
Waiting for your valuable response
Hello
Here are a few links on policy nat
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml
Concerning
-
Site to site VPN works only on Cisco 881
I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:
destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
192.168.2.0I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.
My question is how I can get internet on vlan2 and who can I solve the connection to site to site.
Here's the running configuration:
Building configuration...
Current configuration: 12698 bytes
!
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authorization exec default local
AAA authorization network default local
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1151531093
revocation checking no
rsakeypair TP-self-signed-1151531093
!
Crypto pki trustpoint TP-self-signed-2011286623
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2011286623
revocation checking no
rsakeypair TP-self-signed-2011286623
!
!
TP-self-signed-1151531093 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
quit smoking
TP-self-signed-2011286623 crypto pki certificate chain
no ip source route
!
!
!
!!
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 192.168.5.1 192.168.5.49
DHCP excluded-address IP 192.168.5.150 192.168.5.254
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp Internet pool
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
DNS-Server 64.59.135.133 64.59.128.120
lease 6 0
!
!
!
no ip domain search
"yourdomain.com" of the IP domain name
name of the IP-Server 64.59.135.133
name of the IP-Server 64.59.128.120
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
udi pid C881-K9 sn FTX18438503 standard license
!
!
Archives
The config log
hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 208.98.212.xx
!
Configuration group crypto isakmp MPE client
key *.
pool VPN_IP_POOL
ACL 100
include-local-lan
10 Max-users
netmask 255.255.255.0
banner ^ practive entered the fieldThis area is reserved for administrators of control systems.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
!
Configuration group customer crypto isakmp PALL
key *.
pool VPN_IP_POOL_PALL
ACL 101
include-local-lan
Max - 1 users
netmask 255.255.255.0
banner ^ practive entered the fieldThis area is limited to the PALL access only.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
ISAKMP crypto profile vpn_isakmp_profile
game of identity EMT group
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 1
ISAKMP crypto profile vpn_isakmp_profile_2
match of group identity PALL
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 2
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
tunnel mode
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec VPN_PROFILE_MPE
Set the security association idle time 3600
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile Set isakmp-profile
!
Profile of crypto ipsec VPN_PROFILE_PALL
Set the security association idle time 1800
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile_2 Set isakmp-profile
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to208.98.212.xx
the value of 208.98.212.xx peer
game of transformation-ESP-3DES-SHA
match address 102
!
!
!
!
!
!
interface Loopback0
IP 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
IP address 208.98.213.xx 255.255.255.224
IP access-group 111 to
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_MPE ipsec protection profile
!
tunnel type of interface virtual-Template2
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_PALL ipsec protection profile
!
interface Vlan1
Description of control network
IP 192.168.125.254 255.255.255.0
IP access-group CONTROL_IN in
IP access-group out CONTROL_OUT
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Vlan2
Description Internet network
IP 192.168.5.254 255.255.255.0
IP access-group INTERNET_IN in
IP access-group out INTERNET_OUT
IP nat inside
IP virtual-reassembly in
!
local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
!
CONTROL_IN extended IP access list
Note the access control
Note the category CCP_ACL = 17
allow any host 192.168.125.254 eq non500-isakmp udp
allow any host 192.168.125.254 eq isakmp udp
allow any host 192.168.125.254 esp
allow any host 192.168.125.254 ahp
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
Note Access VNC
permit tcp host 192.168.125.2 eq 25000 one
Comment by e-mail to WIN911
permit tcp host 192.168.125.2 any eq smtp
Note DNS traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq field
permit udp host 192.168.125.2 host 64.59.128.120 eq field
Note Everything Else block
refuse an entire ip
CONTROL_OUT extended IP access list
Note the access control
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
Note Access VNC
allow any host 192.168.125.2 eq 25000 tcp
Comment by e-mail to WIN911
allow any host 192.168.125.2 eq smtp tcp
Note DNS responses
allowed from any host domain eq 192.168.125.2 udp
Note deny all other traffic
refuse an entire ip
INTERNET_IN extended IP access list
Note Access VNC on VLAN
allow any host 192.168.125.2 eq 25000 tcp
Note block all other controls and VPN
deny ip any 192.168.125.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
Note leave all other traffic
allow an ip
INTERNET_OUT extended IP access list
Note a complete outbound Internet access
allow an ip
WAN_IN extended IP access list
allow an ip host 207.229.14.xx
Note PERMIT ESTABLISHED TCP connections
allow any tcp smtp created everything eq
Note ALLOW of DOMAIN CONNECTIONS
permit udp host 64.59.135.133 eq field all
permit udp host 64.59.128.120 eq field all
Note ALLOW ICMP WARNING RETURNS
allow all all unreachable icmp
permit any any icmp parameter problem
allow icmp all a package-too-big
allow a whole icmp administratively prohibited
permit icmp any any source-quench
allow icmp all once exceed
refuse a whole icmp
allow an ip
!
auto discovering IP sla
not run cdp
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 103
!
access-list 1 remark out to WAN routing
Note CCP_ACL the access list 1 = 16 category
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
Note access-list 23 SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 allow one
Note access-list 100 VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
Note access-list 101 for PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
Note access-list 103 CCP_ACL category = 2
Note access-list 103 IPSec rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 allow ip 192.168.5.0 0.0.0.255 any
access-list 103 allow the host ip 192.168.125.2 all
Note access-list 111 CCP_ACL category = 17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 allow esp any host 208.98.213.xx
access-list 111 allow ahp any host 208.98.213.xx
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
exec banner ^ C
% Warning of password expiration.
-----------------------------------------------------------------------Unplug IMMEDIATELY if you are not an authorized user
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
password *.
transport input telnet ssh
transportation out all
line vty 5 15
access-class 160 in
password *.
transport of entry all
transportation out all
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
endThank you.
It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.
Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.
- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...
Disable any ZBF just in case.
David Castro,
Kind regards
-
fall of site to site vpn icmp packets
Hello
I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)
Instant topology is attached, also configs
Thank you
84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
10.20.20.5 icmp_seq = timeout 60
84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
10.20.20.5 icmp_seq = timeout 62
84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
10.20.20.5 icmp_seq = 64 timeout
84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 66
84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
10.20.20.5 icmp_seq = timeout 68
84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 70
84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
10.20.20.5 icmp_seq = timeout 72
84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 74
84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
10.20.20.5 icmp_seq = timeout 76
84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
10.20.20.5 icmp_seq = timeout 78R1 ipsec crypto #sh her
Interface: FastEthernet0/0
Tag crypto map: map, local addr 100.100.100.2protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
current_peer 100.100.100.1 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorsciscoasa # sh crypto isakmp stats
Global statistics IKEv1
The active Tunnels: 1
Previous Tunnels: 1
In bytes: 1384
In the packages: 12
In packs of fall: 0
In Notifys: 8
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 1576
Packet: 13
Fall packages: 0
NOTIFYs out: 16
Exchanges of P2: 1
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 1
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0Hello
On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.
IP route 0.0.0.0 0.0.0.0 FastEthernet0/0
IP route 0.0.0.0 0.0.0.0 100.100.100.1
HTH
"Please note the useful messages and mark the correct answer if it solves the problem."
-
Site to Site VPN configuration does not
Hello
I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.
My VPN on ASA1 and ASA2 configs are below:
ASA1
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 11.11.11.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideASA2
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 12.12.12.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideI can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.
I tried a few commands show and they came out absolutely empty... as I have not configured:
SH in detail its crypto isakmp
There are no SAs IKEv1
There are no SAs IKEv2
SH crypto ipsec his
There is no ipsec security associations
Anyone have any ideas?
Hi martin,
Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
What I mentioned in the previous note follow this.--------------------
ASA1
ASA1 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.2 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 11.11.11.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA1 (config) #.
---------------------ASA2 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA2
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 12.12.12.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA2 (config) #.-------------------------
OUTPUTS:*********************
ASA1 (config) # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 11.11.11.2
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE---------------------
ASA1 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 11.11.11.2#pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2
------------------------
ASA2 (config) # sh crypto isakmp hisITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 12.12.12.2
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE------------------------
ASA2 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 12.12.12.2#pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
------------------------- -
Site to Site VPN Cisco IOS 1941 15.0 (1) M1
Hello
I am currently developing a Site VPN site between an ASA and a router in 1941. Configuring VPN on the SAA seems to be ok, because it works without problem with router 1841 with IOS 12.4 to the other site. The same VPN configuration on the new router in 1941 with M1 IOS 15.0 (1) does not work. It seems that the access to the crypto map list is the problem. The router never start the VPN connection. When the ASA attempts to establish the VPN, the debugging of the router log shows:
...
* 14:37:52.263 may 5: ISAKMP: (1007): proposal of IPSec checking 1
* 14:37:52.263 may 5: ISAKMP: turn 1, ESP_3DES
* 14:37:52.263 may 5: ISAKMP: attributes of transformation:
* 14:37:52.263 may 5: ISAKMP: type of life in seconds
* 14:37:52.263 may 5: ISAKMP: life of HIS (basic) of 28800
* 14:37:52.263 may 5: ISAKMP: type of life in kilobytes
* 14:37:52.263 may 5: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
* 14:37:52.263 may 5: ISAKMP: program is 1 (Tunnel)
* 14:37:52.263 may 5: ISAKMP: authenticator is HMAC-SHA
* 14:37:52.263 may 5: ISAKMP: group is 2
* 14:37:52.263 may 5: ISAKMP: (1007): atts are acceptable.
* 5 May 14:37:52.263: ISAKMP: (1007): IPSec policy invalidated proposal with error 32
* 5 May 14:37:52.263: ISAKMP: (1007): politics of ITS phase 2 is not acceptable! (local... remote control...)...
Any clue?
Concerning
Claudia
The configuration of the router:
version 15.0
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco1941
!
No aaa new-model
!
No ipv6 cef
no ip source route
IP cef
!
IP domain name xyz.de
!
Authenticated MultiLink bundle-name Panel
!
Crypto pki trustpoint TP-self-signature-...
!
TP-self-signature-... crypto pki certificate chain
quit smoking
license udi pid CISCO1941/K9 sn...
!
username privilege 15 secret 5 xyz $1$...
!
redundancy
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto key... address 1.2.3.4
invalid-spi-recovery crypto ISAKMP
!
Crypto ipsec transform-set esp-3des esp-sha-hmac tsAsa
!
ASA 10 ipsec-isakmp crypto map
defined peer 1.2.3.4
Set transform-set tsAsa
PFS group2 Set
match address 100
!
interface GigabitEthernet0/0
Description * inside *.
IP 10.100.100.1 255.255.255.0
automatic duplex
automatic speed
!
!
interface GigabitEthernet0/1
IP 5.6.7.8 255.255.255.240
IP access-group 111 to
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
card crypto asa
!
!
ATM0/0/0 interface
no ip address
Shutdown
No atm ilmi-keepalive
!
!
IP forward-Protocol ND
!
IP route 0.0.0.0 0.0.0.0 1.2.3.5
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 allow esp 1.2.3.4 host 5.6.7.8
access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
access-list 111 allow ahp host 1.2.3.4 5.6.7.8
access-list 111 deny ip any any newspaper....
end
Try to do this:
IP route 10.10.10.0 255.255.255.0 interface Ge0/1
Route IP 1.2.3.4 255.255.255.255 by default-gateway-to-Ge0/1
The rest of your config looks very good.
-
Unable to pass traffic between ASA Site to Site VPN Tunnel
Hello
I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.
I've also attached the ASA5505 config and the ASA5510.
This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.
Thank you
Adam
Hello
Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.
So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.
I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.
THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.
-Jouni
-
Using the same set processing on several site to site VPN tunnels
Hi all. I have a rather strange situation about site-to-site VPN tunnel.
On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.
The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.
I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.
Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?
Use it on PIX
card crypto set pfs group2
Or on ASA, use:
card crypto set pfs Group1
-
Hi all
After you follow the guides on the site to site VPN and NAT I am very close with this, but suspect a minor error here. It was difficult to apply some of the examples of cisco worked the additional complexity here (VLANS, routing to an address static IP), as well as due to inexperience with some routing commands.
Requirements:
-Provide internet access for three local networks (10.10.10.0/29 for the management of the router, 192.168.1.0/24 for the most of the PC, 172.22.81.160/28 for a PC for VPN and wireless)
-Set up a VPN site-to site between 172.22.81.160 and a remote VPN router to 194.73. ***. ***
-Transfer all 172.22.81.160 traffic destined to the 195.218 IP only. ***. (cited to me as 195.218.***.***/32) over the site to site VPN
MBM may be confusing that 195.218. ***. is a public IP address, where I would normally expect a private IP address. This has been checked and confirmed. It's certainly accessible only via the VPN tunnel. So far, everything works as expected, except for the VPN. Cisco diagnosis report that everything is going well except for the tunnel are declining and no traffic going back 195.218. ***. ***
I have not spotted the error, help appreciated!
My next step would be to simplify the config by removing unnecessary commands one by one and then check again against examples and manual. Attached config.
Kind regards
John
References:
http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
Requirements of VPN:
IKE Phase 1
Diffie-Hellman group: 2
Version of IKE: IKEv1
IKE Lifetime: 86400
Aggressive mode: No.
Encryption: AES 256
Integrity: SHA2-256
Authetication method: pre-sharedIKE Phase 2
PFS: Yes
PFS DH group: 2
Life: 3600
Encryption: AES 256
Integrity: SHA2-256Good things! Happy that you guessed it sorted.
-
Question creating a site to site vpn
I am trying to configure a site to site vpn to test and through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml still unable to establish a connection. I have attached the config for both the 5520's that I use. What Miss me.
Try this if you are pinging from the ASA
management-access inside
-
Site to site VPN question: passing a public IP with IPSEC
Hi all
I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.
They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...
Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.
Any help is appreciated.
The access list "natted-traffic" should say:
extended traffic natted IP access list
deny ip host 192.168.0.160 BB. ABM ABM BD
deny ip host 192.168.0.160 BB. ABM BB.BE
output
I hope this helps.
-Kanishka
Maybe you are looking for
-
How can I stop Firefox telling me to update?
I keep getting pop up windows to update Firefox 3.6.18 for mac os x. The problem is that the new version does not open when I try to get a glimpse of a web page in Dreamweaver. Firefox has not always have this problem. The latest version of Firefox w
-
15 - p030nr: Boot Device not found
Need help on how to fix a problem where it says "boot device not found." He worked to find one day and the next time I turned on the computer, she appeared with this error message. After reading some things, it seems that it is a right of common mist
-
How to recover my contacts and emails from Vista?
Windows 7
-
How to ping computer workgroupe of the computer from the domain
Server can ping computer workgroupe and field computers can ping server server ip 10.0.0.1 computer in domain ip 10.0.0.5 computer in workgroupe 10.0.0.6 no firewall for
-
I tried to re - install twice, as suggested on a large number of the threads I have read, but get the same message. Tried to erase errors registry and other things, but no luck. I use Windows 10 as well as a Chrome browser to update. I took a scr