IKEv1 Site to Site VPN establishment

Similar Questions

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• IPSec Site to Site VPN Solution needed?

  Hi all

  I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

  Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

  Could you please give me the solution how is that possible?

  Concerning

  Uzair Hussain

  Hi uzair.infotech,

  Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

  INFO - RITA - NIDA

  You can check this guide that explains step by step how to configure grouping:

  https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

  Hope this info helps!

  Note If you help!

  -JP-

• site to site VPN

  SH running-config crypto

  I have the following configuration, in order to create a site to site vpn which should not be changed in the configuration below.

  Do I need to add new card crypto?

  And what is the dynamic-map

  I need to create new ipsec transform-set or can I use the existing?

  Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 remoteaccess

  Crypto ipsec transform-set esp-3des esp-sha-hmac L2Lvpn ikev1

  Crypto ipsec kilobytes of life - safety 999608000 association

  Crypto ipsec pmtu aging infinite - the security association

  Crypto-map dynamic Test 1 set pfs Group1

  Crypto-map dynamic Test 1 set transform-set remoteaccess L2Lvpn ikev1

  Crypto-map dynamic 1jeu reverse-Road Test

  card crypto Test 1-isakmp ipsec dynamic test

  Test interface card crypto outside

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca trustpoint ASDM_TrustPoint0

  Terminal registration

  name of the object CN = TestFW

  Configure CRL

  trustpool crypto ca policy

  crypto isakmp identity address

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 10800

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 1800

  IKEv1 crypto policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 1800

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  IKEv1 pre-shared-key *.

  Thank you

  bluesea2010,

  Next step will be sending real traffic, or just run a package Tracker to ensure that traffic flows very well:

  entry Packet-trace within the icmp 192.168.15.x 8 0 172.10.10.x detail

  If all goes well, you should be good to go.

  Hope this info helps!

  Note If you help!

  -JP-

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• site to site vpn - internal network even on both sides of the tunnel

  Hi all

  I have the following questions about the Site Site VPN using ASA 5510 and 5505

  Scenerio is

  1. we have five branches & headquarters

  2. we want to establish a vpn between branches & Head Office (VPN from Site to Site)

  3. all branches & head office using the same internal network (192.168.150.0 255.255.255.0)

  My question is

  How can I configure VPN site-to-site between branches & head office with the same internal network (192.168.150.0/24)

  Please help me with the configuration steps & explanation

  I have experience on setting up vpn site to site between branches with differnet internal network (for example: 192.168.1.0/24 and 192.168.2.0/24)

  Waiting for your valuable response

  Hello

  Here are a few links on policy nat

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

  Concerning

• Site to site VPN works only on Cisco 881

  I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:

  destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
  192.168.2.0

  I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.

  My question is how I can get internet on vlan2 and who can I solve the connection to site to site.

  Here's the running configuration:

  Building configuration...

  Current configuration: 12698 bytes
  !
  version 15.3
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname Cisco_881
  !
  boot-start-marker
  boot-end-marker
  !
  AQM-registry-fnf
  !
  logging buffered 51200 warnings
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authorization exec default local
  AAA authorization network default local
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  !
  Crypto pki trustpoint TP-self-signed-1151531093
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1151531093
  revocation checking no
  rsakeypair TP-self-signed-1151531093
  !
  Crypto pki trustpoint TP-self-signed-2011286623
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 2011286623
  revocation checking no
  rsakeypair TP-self-signed-2011286623
  !
  !
  TP-self-signed-1151531093 crypto pki certificate chain
  certificate self-signed 01
  3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
  34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
  33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
  0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
  FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
  A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
  0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
  551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
  03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
  2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
  BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
  22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
  3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
  EB31DB3F A9BA6D70 65B70D19 D00158
  quit smoking
  TP-self-signed-2011286623 crypto pki certificate chain
  no ip source route
  !
  !
  !
  !

  !
  DHCP excluded-address IP 10.10.10.1
  DHCP excluded-address IP 192.168.5.1 192.168.5.49
  DHCP excluded-address IP 192.168.5.150 192.168.5.254
  !
  DHCP IP CCP-pool
  import all
  Network 10.10.10.0 255.255.255.248
  default router 10.10.10.1
  Rental 2 0
  !
  IP dhcp Internet pool
  network 192.168.5.0 255.255.255.0
  router by default - 192.168.5.254
  DNS-Server 64.59.135.133 64.59.128.120
  lease 6 0
  !
  !
  !
  no ip domain search
  "yourdomain.com" of the IP domain name
  name of the IP-Server 64.59.135.133
  name of the IP-Server 64.59.128.120
  IP cef
  No ipv6 cef
  !
  !
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  !
  !
  !
  !
  !
  udi pid C881-K9 sn FTX18438503 standard license
  !
  !
  Archives
  The config log
  hidekeys
  username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
  username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
  username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
  !
  !
  !
  !
  !
  no passive ftp ip
  !
  !
  crypto ISAKMP policy 1
  BA aes 256
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 208.98.212.xx
  !
  Configuration group crypto isakmp MPE client
  key *.
  pool VPN_IP_POOL
  ACL 100
  include-local-lan
  10 Max-users
  netmask 255.255.255.0
  banner ^ practive entered the field

  This area is reserved for administrators of control systems.

  If you are here by mistake, please disconnect immediately.

  You have full access to 192.168.125.0 / 0.0.0.255

  Support on continue to start your session.              ^ C
  !
  Configuration group customer crypto isakmp PALL
  key *.
  pool VPN_IP_POOL_PALL
  ACL 101
  include-local-lan
  Max - 1 users
  netmask 255.255.255.0
  banner ^ practive entered the field

  This area is limited to the PALL access only.

  If you are here by mistake, please disconnect immediately.

  You have full access to 192.168.125.0 / 0.0.0.255

  Support on continue to start your session.            ^ C
  ISAKMP crypto profile vpn_isakmp_profile
  game of identity EMT group
  client authentication list default
  Default ISAKMP authorization list
  client configuration address respond
  virtual-model 1
  ISAKMP crypto profile vpn_isakmp_profile_2
  match of group identity PALL
  client authentication list default
  Default ISAKMP authorization list
  client configuration address respond
  virtual-model 2
  !
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
  tunnel mode
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  tunnel mode
  !
  Profile of crypto ipsec VPN_PROFILE_MPE
  Set the security association idle time 3600
  game of transformation-VPN_TRANSFORM
  vpn_isakmp_profile Set isakmp-profile
  !
  Profile of crypto ipsec VPN_PROFILE_PALL
  Set the security association idle time 1800
  game of transformation-VPN_TRANSFORM
  vpn_isakmp_profile_2 Set isakmp-profile
  !
  !
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to208.98.212.xx
  the value of 208.98.212.xx peer
  game of transformation-ESP-3DES-SHA
  match address 102
  !
  !
  !
  !
  !
  !
  interface Loopback0
  IP 192.168.40.254 255.255.255.0
  !
  interface FastEthernet0
  no ip address
  !
  interface FastEthernet1
  no ip address
  !
  interface FastEthernet2
  switchport access vlan 2
  no ip address
  !
  interface FastEthernet3
  switchport access vlan 2
  no ip address
  !
  interface FastEthernet4
  IP address 208.98.213.xx 255.255.255.224
  IP access-group 111 to
  NAT outside IP
  IP virtual-reassembly in
  automatic duplex
  automatic speed
  map SDM_CMAP_1 crypto
  !
  type of interface virtual-Template1 tunnel
  IP unnumbered Loopback0
  ipv4 ipsec tunnel mode
  Tunnel VPN_PROFILE_MPE ipsec protection profile
  !
  tunnel type of interface virtual-Template2
  IP unnumbered Loopback0
  ipv4 ipsec tunnel mode
  Tunnel VPN_PROFILE_PALL ipsec protection profile
  !
  interface Vlan1
  Description of control network
  IP 192.168.125.254 255.255.255.0
  IP access-group CONTROL_IN in
  IP access-group out CONTROL_OUT
  IP nat inside
  IP virtual-reassembly in
  IP tcp adjust-mss 1452
  !
  interface Vlan2
  Description Internet network
  IP 192.168.5.254 255.255.255.0
  IP access-group INTERNET_IN in
  IP access-group out INTERNET_OUT
  IP nat inside
  IP virtual-reassembly in
  !
  local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
  local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
  IP forward-Protocol ND
  IP http server
  23 class IP http access
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  !
  !
  IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
  !
  CONTROL_IN extended IP access list
  Note the access control
  Note the category CCP_ACL = 17
  allow any host 192.168.125.254 eq non500-isakmp udp
  allow any host 192.168.125.254 eq isakmp udp
  allow any host 192.168.125.254 esp
  allow any host 192.168.125.254 ahp
  IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
  Note the VPN access
  IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
  Note Access VNC
  permit tcp host 192.168.125.2 eq 25000 one
  Comment by e-mail to WIN911
  permit tcp host 192.168.125.2 any eq smtp
  Note DNS traffic
  permit udp host 192.168.125.2 host 64.59.135.133 eq field
  permit udp host 192.168.125.2 host 64.59.128.120 eq field
  Note Everything Else block
  refuse an entire ip
  CONTROL_OUT extended IP access list
  Note the access control
  IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
  Note the VPN access
  ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
  Note Access VNC
  allow any host 192.168.125.2 eq 25000 tcp
  Comment by e-mail to WIN911
  allow any host 192.168.125.2 eq smtp tcp
  Note DNS responses
  allowed from any host domain eq 192.168.125.2 udp
  Note deny all other traffic
  refuse an entire ip
  INTERNET_IN extended IP access list
  Note Access VNC on VLAN
  allow any host 192.168.125.2 eq 25000 tcp
  Note block all other controls and VPN
  deny ip any 192.168.125.0 0.0.0.255
  deny ip any 192.168.40.0 0.0.0.255
  Note leave all other traffic
  allow an ip
  INTERNET_OUT extended IP access list
  Note a complete outbound Internet access
  allow an ip
  WAN_IN extended IP access list
  allow an ip host 207.229.14.xx
  Note PERMIT ESTABLISHED TCP connections
  allow any tcp smtp created everything eq
  Note ALLOW of DOMAIN CONNECTIONS
  permit udp host 64.59.135.133 eq field all
  permit udp host 64.59.128.120 eq field all
  Note ALLOW ICMP WARNING RETURNS
  allow all all unreachable icmp
  permit any any icmp parameter problem
  allow icmp all a package-too-big
  allow a whole icmp administratively prohibited
  permit icmp any any source-quench
  allow icmp all once exceed
  refuse a whole icmp
  allow an ip
  !
  auto discovering IP sla
  not run cdp
  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 103
  !
  access-list 1 remark out to WAN routing
  Note CCP_ACL the access list 1 = 16 category
  access-list 1 permit 192.168.125.2
  access-list 1 permit 192.168.5.0 0.0.0.255
  Note access-list 23 SSH and HTTP access permissions
  access-list 23 permit 192.168.125.0 0.0.0.255
  access-list 23 permit 192.168.40.0 0.0.0.255
  access-list 23 allow one
  Note access-list 100 VPN traffic
  access-list 100 permit ip 192.168.125.0 0.0.0.255 any
  access-list 100 permit ip 192.168.40.0 0.0.0.255 any
  Note access-list 101 for PALL VPN traffic
  access-list 101 permit ip 192.168.125.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 4
  Note access-list 102 IPSec rule
  access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
  Note access-list 103 CCP_ACL category = 2
  Note access-list 103 IPSec rule
  access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
  access-list 103 allow ip 192.168.5.0 0.0.0.255 any
  access-list 103 allow the host ip 192.168.125.2 all
  Note access-list 111 CCP_ACL category = 17
  access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
  access-list 111 permit udp any host 208.98.213.xx eq isakmp
  access-list 111 allow esp any host 208.98.213.xx
  access-list 111 allow ahp any host 208.98.213.xx
  Note access-list 111 IPSec rule
  access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
  Note access-list 111 IPSec rule
  access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
  access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
  access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
  access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
  access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
  access-list 111 permit icmp any host 208.92.13.xx
  access-list 111 permit tcp any host 208.92.13.xx eq 25000
  access-list 111 permit tcp any host 208.92.13.xx eq 22
  access-list 111 permit tcp any host 208.92.13.xx eq telnet
  access-list 111 permit tcp any host 208.92.13.xx eq www
  !
  !
  !
  control plan
  !
  !
  !
  MGCP behavior considered range tgcp only
  MGCP comedia-role behavior no
  disable the behavior MGCP comedia-check-media-src
  disable the behavior of MGCP comedia-sdp-force
  !
  profile MGCP default
  !
  !
  !
  !
  exec banner ^ C
  % Warning of password expiration.
  -----------------------------------------------------------------------

  Unplug IMMEDIATELY if you are not an authorized user
  ^ C
  !
  Line con 0
  no activation of the modem
  line to 0
  line vty 0 4
  access-class 23 in
  password *.
  transport input telnet ssh
  transportation out all
  line vty 5 15
  access-class 160 in
  password *.
  transport of entry all
  transportation out all
  !
  max-task-time 5000 Planner
  Scheduler allocate 20000 1000
  !
  end

  Thank you.

  It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.

  Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.

  - http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...

  Disable any ZBF just in case.

  David Castro,

  Kind regards

• fall of site to site vpn icmp packets

  Hello

  I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)

  Instant topology is attached, also configs

  Thank you

  84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
  10.20.20.5 icmp_seq = timeout 60
  84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
  10.20.20.5 icmp_seq = timeout 62
  84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
  10.20.20.5 icmp_seq = 64 timeout
  84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 66
  84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
  10.20.20.5 icmp_seq = timeout 68
  84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 70
  84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
  10.20.20.5 icmp_seq = timeout 72
  84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 74
  84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
  10.20.20.5 icmp_seq = timeout 76
  84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
  10.20.20.5 icmp_seq = timeout 78

  R1 ipsec crypto #sh her

  Interface: FastEthernet0/0
  Tag crypto map: map, local addr 100.100.100.2

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
  current_peer 100.100.100.1 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
  decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  ciscoasa # sh crypto isakmp stats

  Global statistics IKEv1
  The active Tunnels: 1
  Previous Tunnels: 1
  In bytes: 1384
  In the packages: 12
  In packs of fall: 0
  In Notifys: 8
  In the constituencies of P2: 0
  In P2 invalid Exchange: 0
  In P2 Exchange rejects: 0
  Requests for removal in his P2: 0
  Bytes: 1576
  Packet: 13
  Fall packages: 0
  NOTIFYs out: 16
  Exchanges of P2: 1
  The Invalides Exchange P2: 0
  Exchange of P2 rejects: 0
  Requests to remove on P2 Sa: 0
  Tunnels of the initiator: 1
  Initiator fails: 0
  Answering machine fails: 0
  Ability system breaks down: 0
  AUTH failed: 0
  Decrypt failed: 0
  Valid hash fails: 0
  No failure his: 0

  Hello

  On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.

  IP route 0.0.0.0 0.0.0.0 FastEthernet0/0

  IP route 0.0.0.0 0.0.0.0 100.100.100.1

  HTH

  "Please note the useful messages and mark the correct answer if it solves the problem."

• Site to Site VPN configuration does not

  Hello

  I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.

  My VPN on ASA1 and ASA2 configs are below:

  ASA1

  Note to outside_cryptomap_1 to access list VPN traffic to encrypt
  outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0

  Crypto ikev1 allow outside
  IKEv1 crypto policy 1
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400

  tunnel-group 11.11.11.2 type ipsec-l2l
  IPSec-attributes tunnel-Group 11.11.11.2
  Cisco pre-shared key IKEv1

  Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
  card crypto outside_map 1 match address outside_cryptomap_1
  peer set card crypto outside_map 1 11.11.11.2
  card crypto outside_map 1 set of transformation-AES-SHA
  outside_map interface card crypto outside

  ASA2

  Note to outside_cryptomap_1 to access list VPN traffic to encrypt
  permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0

  Crypto ikev1 allow outside
  IKEv1 crypto policy 1
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400

  tunnel-group 12.12.12.2 type ipsec-l2l
  IPSec-attributes tunnel-group 12.12.12.2
  Cisco pre-shared key IKEv1

  Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
  card crypto outside_map 1 match address outside_cryptomap_1
  peer set card crypto outside_map 1 12.12.12.2
  card crypto outside_map 1 set of transformation-AES-SHA
  outside_map interface card crypto outside

  I can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.

  I tried a few commands show and they came out absolutely empty... as I have not configured:

  SH in detail its crypto isakmp

  There are no SAs IKEv1

  There are no SAs IKEv2

  SH crypto ipsec his

  There is no ipsec security associations

  Anyone have any ideas?

  Hi martin,

  Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
  What I mentioned in the previous note follow this.

  --------------------

  ASA1

  ASA1 (config) # sh run
  : Saved
  :
  ASA Version 8.0 (2)
  !
  hostname ASA1
  activate 8Ry2YjIyt7RRXU24 encrypted password
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  IP 12.12.12.2 255.255.255.0
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  10.10.10.2 IP address 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
  pager lines 24
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout, uauth 0:05:00 absolute
  dynamic-access-policy-registration DfltAccessPolicy
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac tset
  card crypto cmap 1 match for vpn
  card crypto cmap 1 set peer 11.11.11.2
  card crypto cmap 1 transform-set tset
  cmap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  md5 hash
  Group 5
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  !
  !
  tunnel-group 11.11.11.2 type ipsec-l2l
  IPSec-attributes tunnel-Group 11.11.11.2
  pre-shared-key *.
  context of prompt hostname
  Cryptochecksum:00000000000000000000000000000000
  : end
  ASA1 (config) #.
  ---------------------

  ASA2 (config) # sh run
  : Saved
  :
  ASA Version 8.0 (2)
  !
  hostname ASA2
  activate 8Ry2YjIyt7RRXU24 encrypted password
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  IP 11.11.11.2 255.255.255.0
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  IP 172.16.10.2 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout, uauth 0:05:00 absolute
  dynamic-access-policy-registration DfltAccessPolicy
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac tset
  card crypto cmap 1 match for vpn
  card crypto cmap 1 set peer 12.12.12.2
  card crypto cmap 1 transform-set tset
  cmap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  md5 hash
  Group 5
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  !
  !
  !
  tunnel-group 12.12.12.2 type ipsec-l2l
  IPSec-attributes tunnel-group 12.12.12.2
  pre-shared-key *.
  context of prompt hostname
  Cryptochecksum:00000000000000000000000000000000
  : end
  ASA2 (config) #.

  -------------------------
  OUTPUTS:

  *********************

  ASA1 (config) # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 11.11.11.2
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  ---------------------

  ASA1 (config) # sh crypto ipsec his
  Interface: outside
  Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2

  access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
  local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
  current_peer: 11.11.11.2

  #pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
  #pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2

  ------------------------
  ASA2 (config) # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 12.12.12.2
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  ------------------------

  ASA2 (config) # sh crypto ipsec his
  Interface: outside
  Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2

  access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
  current_peer: 12.12.12.2

  #pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
  #pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
  -------------------------

• Site to Site VPN Cisco IOS 1941 15.0 (1) M1

  Hello

  I am currently developing a Site VPN site between an ASA and a router in 1941. Configuring VPN on the SAA seems to be ok, because it works without problem with router 1841 with IOS 12.4 to the other site. The same VPN configuration on the new router in 1941 with M1 IOS 15.0 (1) does not work. It seems that the access to the crypto map list is the problem. The router never start the VPN connection. When the ASA attempts to establish the VPN, the debugging of the router log shows:

  ...

  * 14:37:52.263 may 5: ISAKMP: (1007): proposal of IPSec checking 1
  * 14:37:52.263 may 5: ISAKMP: turn 1, ESP_3DES
  * 14:37:52.263 may 5: ISAKMP: attributes of transformation:
  * 14:37:52.263 may 5: ISAKMP: type of life in seconds
  * 14:37:52.263 may 5: ISAKMP: life of HIS (basic) of 28800
  * 14:37:52.263 may 5: ISAKMP: type of life in kilobytes
  * 14:37:52.263 may 5: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
  * 14:37:52.263 may 5: ISAKMP: program is 1 (Tunnel)
  * 14:37:52.263 may 5: ISAKMP: authenticator is HMAC-SHA
  * 14:37:52.263 may 5: ISAKMP: group is 2
  * 14:37:52.263 may 5: ISAKMP: (1007): atts are acceptable.
  * 5 May 14:37:52.263: ISAKMP: (1007): IPSec policy invalidated proposal with error 32
  * 5 May 14:37:52.263: ISAKMP: (1007): politics of ITS phase 2 is not acceptable! (local... remote control...)

  ...

  Any clue?

  Concerning

  Claudia

  The configuration of the router:

  version 15.0
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname Cisco1941
  !
  No aaa new-model
  !
  No ipv6 cef
  no ip source route
  IP cef
  !
  IP domain name xyz.de
  !
  Authenticated MultiLink bundle-name Panel
  !
  Crypto pki trustpoint TP-self-signature-...
  !
  TP-self-signature-... crypto pki certificate chain
  quit smoking
  license udi pid CISCO1941/K9 sn...
  !
  username privilege 15 secret 5 xyz $1$...
  !
  redundancy
  !
  session of crypto consignment
  !
  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  Group 2
  ISAKMP crypto key... address 1.2.3.4
  invalid-spi-recovery crypto ISAKMP
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac tsAsa
  !
  ASA 10 ipsec-isakmp crypto map
  defined peer 1.2.3.4
  Set transform-set tsAsa
  PFS group2 Set
  match address 100
  !
  interface GigabitEthernet0/0
  Description * inside *.
  IP 10.100.100.1 255.255.255.0
  automatic duplex
  automatic speed
  !
  !
  interface GigabitEthernet0/1
  IP 5.6.7.8 255.255.255.240
  IP access-group 111 to
  no ip-cache cef route
  no ip route cache
  automatic duplex
  automatic speed
  card crypto asa
  !
  !
  ATM0/0/0 interface
  no ip address
  Shutdown
  No atm ilmi-keepalive
  !
  !
  IP forward-Protocol ND
  !
  IP route 0.0.0.0 0.0.0.0 1.2.3.5
  !
  access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
  access-list 111 allow esp 1.2.3.4 host 5.6.7.8
  access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
  access-list 111 allow ahp host 1.2.3.4 5.6.7.8
  access-list 111 deny ip any any newspaper

  ....

  end

  Try to do this:

  IP route 10.10.10.0 255.255.255.0 interface Ge0/1

  Route IP 1.2.3.4 255.255.255.255 by default-gateway-to-Ge0/1

  The rest of your config looks very good.

• Unable to pass traffic between ASA Site to Site VPN Tunnel

  Hello

  I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

  I've also attached the ASA5505 config and the ASA5510.

  This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

  Thank you

  Adam

  Hello

  Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

   access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

  Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

  So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

  I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

  THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

  -Jouni

• Using the same set processing on several site to site VPN tunnels

  Hi all. I have a rather strange situation about site-to-site VPN tunnel.

  On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

  The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.

  I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.

  Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?

  Use it on PIX

  card crypto set pfs group2

  Or on ASA, use:

  card crypto set pfs Group1

• 887 site to Site VPN

  Hi all

  After you follow the guides on the site to site VPN and NAT I am very close with this, but suspect a minor error here. It was difficult to apply some of the examples of cisco worked the additional complexity here (VLANS, routing to an address static IP), as well as due to inexperience with some routing commands.

  Requirements:

  -Provide internet access for three local networks (10.10.10.0/29 for the management of the router, 192.168.1.0/24 for the most of the PC, 172.22.81.160/28 for a PC for VPN and wireless)

  -Set up a VPN site-to site between 172.22.81.160 and a remote VPN router to 194.73. ***. ***

  -Transfer all 172.22.81.160 traffic destined to the 195.218 IP only. ***. (cited to me as 195.218.***.***/32) over the site to site VPN

  MBM may be confusing that 195.218. ***. is a public IP address, where I would normally expect a private IP address. This has been checked and confirmed. It's certainly accessible only via the VPN tunnel. So far, everything works as expected, except for the VPN. Cisco diagnosis report that everything is going well except for the tunnel are declining and no traffic going back 195.218. ***. ***

  I have not spotted the error, help appreciated!

  My next step would be to simplify the config by removing unnecessary commands one by one and then check again against examples and manual. Attached config.

  Kind regards

  John

  References:

  http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

  http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

  Requirements of VPN:

  IKE Phase 1
  Diffie-Hellman group: 2
  Version of IKE: IKEv1
  IKE Lifetime: 86400
  Aggressive mode: No.
  Encryption: AES 256
  Integrity: SHA2-256
  Authetication method: pre-shared

  IKE Phase 2
  PFS: Yes
  PFS DH group: 2
  Life: 3600
  Encryption: AES 256
  Integrity: SHA2-256

  Good things! Happy that you guessed it sorted.

• Question creating a site to site vpn

  I am trying to configure a site to site vpn to test and through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml still unable to establish a connection.  I have attached the config for both the 5520's that I use.   What Miss me.

  Try this if you are pinging from the ASA

  management-access inside

• Site to site VPN question: passing a public IP with IPSEC

  Hi all

  I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.

  They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...

  Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.

  Any help is appreciated.

  The access list "natted-traffic" should say:

  extended traffic natted IP access list

  deny ip host 192.168.0.160 BB. ABM ABM BD

  deny ip host 192.168.0.160 BB. ABM BB.BE

  output

  I hope this helps.

  -Kanishka