Impossible to achieve secondary with VPN tunnel

Similar Questions

• Problems with VPN tunnels after the upgrade to PIX 7.0

  It seems that Cisco has revamped the VPN process on the new Version of PIX 7.0.

  After I've upgraded, I noticed that AH (i.e. ah-sha-hmac, ah-md5-hmac) was no longer supported and all my container transformation games OH no were not converted.

  Another question, if you have enabled on Versieon 6.3, names when you upgrade, tunnel groups will be created (formerly "identity isakmp crypto, crypto key isakmp peer ') which will include a hostname (hostname of identity) instead of IP as it was to the point 6.3. Guess what... Nothing works! Having to delete and recreate it using the IP address.

  See an example...

  tunnel-group OTHER_END type ipsec-l2l

  IPSec-attributes tunnel-group OTHER_END

  pre-shared-key *.

  The above does not work... Having to recreate using the IP address mapped to OTHER_END...

  tunnel-group 2.2.2.2 type ipsec-l2l

  2.2.2.2 tunnel-group ipsec-attributes

  pre-shared-key *.

  Furthermore, I have problems with my racoon and freeswan extranet... Did someone recently updated with success and other gateways VPN provider (i.e. checkpoint, Freeswan and Racoon) work?

  We found the solution for this problem. It appeared that the perfect forward secrecy is enabled at the other side. If a 'card crypto outside_map 10 set pfs' is necessary. With the pix 6.3 version that appears not to make the difference, the vpn works even with pfs disabled on the side of pix.

• LRT224 impossible to deal simultaneously with more than one VPN tunnel?

  We have configured a client to gateway VPN tunnel group and six in the tunnels of single user gateway on a LRT224. Each unique connection works perfectly using Shrew soft client. But when we try to connect with a second tunnel, the first tunnel disconnects. It seems that the LRT224 cannot process more than one VPN tunnel at the same time? Is there any configuration, that we would have missed?

  TLR log seem to indicate that the Shrew Soft customers use all 192.168.30.0 that their IP address instead of a random IP address in this range.

  Try to set each Shrew Soft client with a specific IP address in the 192.168.30.1 - 50 rank instead of ' use virtual adapter and address randomly.

• RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

  Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

  In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

  Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

  System log
  Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
   
  Time
  Type of event Message
  2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
  2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
  2 sep 03:36:02 2009 VPN Log Main Mode initiator
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
  2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
  2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
  2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
  2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
  2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
  2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

  PFS - off on tada and linksys router does not support the samsung lol! connected!

• 2 separated on same ASA VPN tunnels can communicate with each other

  Here's the scenario that I have a VPN tunnel with one of my remote locations.   I also have a VPN Tunnel with a provider that supports the equipment for my organization.   I need to have my supplier able to communicate with equipment that live in my other VPN tunnel.   The two Tunnels are on the same ASA5540.

  1 is it Possible?

  2 How set it up?

  Thank you

  Follow this link for example. Enhanced spoke-to-spoke VPN, allows the two tunnels ending to your asa5540 to connect, using parameter permit intra-interface with configuration accless-list permits traffic of each endpoint of the tunnel.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

• VPN tunnel with U-turn

  Hello

  I am trying to understand the functioning of DNS with u-turn. I'm looking for in the configuration of VPN tunnel between ASA 5510 (main office) and PIX 506 (remote).

  Currently all the jobs in the remote offices are connected through VPN tunnel between PIX506 and VPN 3000 to a hub, so that they use the internal DNS server at the main office. I need to use u-Turn on ASA to allow remote surfing the net users. With u-Turn config, remote workstation still will use DNS server in the main office to resolve the IP addresses?

  Thank you

  LF

  Hey Forman.

  SplitDNS and Splittunneling are both used with remote access clients. In your case, that you try to configure a site to site VPN tunnel, so to 'divide' traffic you will use the crypto acl to set valuable traffic to the VPN. However, this ACL uses IP addresses in order to determine whether the traffic must be encrypted or not, this is why your DNS lookup would have to occur before the traffic is encrypted. Then, you can set the DNS server for the remote network to be the DNS through the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic or you must ensure that the local DNS server is able to resolve names.

  In the previous case where you use u-turn, all gets automatically tunnele so you don't have to worry about your DNS queries in the tunnel.

  I hope that this explains the behavior.

  Kind regards

  ATRI.

• Help with a VPN tunnel between ASA 5510 and Juniper SSG20

  Hello

  We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

  After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

  Main branch
  1.1.1.2                                 1.1.1.1
  -----                                               -----------
  192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
  -----                                               -----------
  192.168.8.254 192.168.1.254

  According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

  Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

  It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

  Help is very appreciated.

  Thank you

  1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

  SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

  You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

  management-private access

  To initiate the ping of the private interface ASA:

  ping 192.168.1.254 private

  2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

  Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

  Hope that helps.

• unexpected behavior with vpn, clientless ssl and smart tunnels on ASA 5510

  Hi there, hope someone can help

  I am able to set up a smart tunnel for an application and everything works fine, however...

  Without smart tunnel, the user must navigate the portal interface (because of how he encapsulates urls and basically acts as a proxy), it is too beautiful and good and expected behavior. If a user does not enter a URL in the portal URL entry (only enters the normal address bar) she takes them outside the clientless ssl vpn portal.

  Now too the point to start a smart tunnel, URL, the user types in the normal address bar is not encapsulated in the device URL, although they are still placed through our network (and note, the intelligent application of tunnel is not the browser, which is be IE). How can I know it? sites that would be blocked by a web filter are blocked with smart on but not PVD tunnels with smart tunnel.

  I need to know if this is intended behavior or not and how and why this is happening?

  Thanks in advance

  In my view, this is how it works. If you are referring to this doc:

  https://supportforums.Cisco.com/docs/doc-6172

  Smart tunnel is functioning all or nothing. Which means once you turn it on for a specific process or a specific bookmark, all your traffic for this process (and the browser you are using to open the SSL Clientless session ) will pass through the ASA.

  Example: Enable option ST for a process or bookmark #1 (which connected IE used to login). Opening a separate instance of the IE browser will be all traffic through the ASA, tunnel, if the new browser window belongs to the same process. All tabs on the movement of this browser browser will be smart tunnel, even to Favorites (ie. #2 favorite) are not specifically the chip in the tunnel. You must use a different browser (ie. (FireFox) in this case, if you want some of your traffic (ie. #2 favorite) is not to be smart tunnelees.

  I hope this helps.

• VPN tunnel with only one authorized service

  Hello

  has got a pix 520 with V 6.22. Now, I created a VPN Tunnel from our server to a

  annother company server and I only want to have ssh connection. If it works

  pretty good - but the other host, it is possible to connect on our host by

  ICMP, ftp, telnet... How can I manage configured my pix to refuse all this

  services?

  Here is my configuration:

  name 10.x.x.x ffmz1_is

  name 212.x.x.x conliner_os

  conliner_ssh name 192.168.0.250

  object-group network conliner

  object-network 192.168.0.0 255.255.255.0

  access list on the inside to allow icmp host ffmz1_is a

  access-list inside permit TCP host ffmz1_is any ftp eq

  access-list inside allow host ffmz1_is udp any eq smtp

  access-list inside allow host ffmz1_is host conliner_ssh eq ssh tcp

  no_nat list of allowed access host ip conliner object-group ffmz1_is

  access-list allowed conliner host ip conliner object-group ffmz1_is

  ...

  crypto VPN 30 card matches the address conliner

  card crypto VPN 30 set peer conliner_os

  ...

  Thank you very much

  The sole purpose of "ipsec sysopt connection permit" is to allow traffic through a tunnel to bypass access-groups. It is not necessary to use it, but then you must explicitly allow traffic you want through your access list.

  The command is very useful when you need to establish a vpn using the cisco customer remotely. Because you must use dynamic crypto maps and you don't know the IP address of the peer, if you didn't have the sysopt command, you will need to allow traffic from an source.

  And you don't have to open all ports for the PIX to be able to establish the tunnel with its ipsec peer.

  You need to allow udp 500 and protocol 50-51 when ipsec traffic through your firewall. Let's say you have another PIX inside who wants to establish a vpn on your main PIX with a third PIX on the outside, you must open the ports in your main PIX.

• ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

  Hello

  I have an ASA5505 that currently connects a desktop remotely for voip and data.  I added a 2nd site VPN tunnel to a vendor site.  It's this 2nd VPN tunnel that I have problems with.  It seems that the PHASE 1 negotiates well.  However, I'm not a VPN expert!  So, any help would be greatly appreciated.  I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today.  They use an ASA5510.

  My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '.  It has the following as interesting traffic:

  192.168.1.0/24-> 192.168.3.0/24

  192.168.2.0/24-> 192.168.3.0/24

  10.1.1.0/24-> 192.168.3.0/24

  -> 192.168.3.0/24 10.1.2.0/24

  10.1.10.0/24-> 192.168.3.0/24

  10.2.10.0/24-> 192.168.3.0/24

  The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

  192.168.1.25/32-> 10.10.10.83/32

  192.168.1.25/32-> 10.10.10.47/32

  192.168.1.26/32-> 10.10.10.83/32

  192.168.1.26/32-> 10.10.10.47/32

  Here's the info to other VPN (copy & pasted from the config)

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  peer set card crypto outside_map 1 24.180.14.50

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 2 match address eInfomatics_1_cryptomap

  peer set card crypto outside_map 2 66.193.183.170

  card crypto outside_map 2 game of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 24.180.14.50 type ipsec-l2l

  IPSec-attributes tunnel-group 24.180.14.50

  pre-shared key *.

  tunnel-group 66.193.183.170 type ipsec-l2l

  IPSec-attributes tunnel-group 66.193.183.170

  pre-shared key *.

  Thanks in advance

  -Matt

  Hello

  The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

  So you can probalby try adding the following

  card crypto outside_map 2 pfs group2 set

  I think he'll simply enter as

  card crypto outside_map 2 set pfs

  Given that the 'group 2' is the default

  -Jouni

• Easy VPN with the Tunnel Interface virtual IPSec dynamic

  Hi all

  I configured easy vpn remote on a cisco 1841 and dynamic server easy vpn with virtual tunnel interface on the server (cisco 7200, 12.4.15T14)

  http://www.Cisco.com/en/us/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

  It works with easy vpn remote to the client mode and mode network-extesión, but it doesn't seem to work when I configure mode plus network on the client of the cpe, or when I try to have TWO inside the ez crypto interfaces. On the customer's site, I see two associations of security, but on the server PE site only security SA!

  Without virtual dynamic tunnel interface, dynamic map configuration is ok... This is a limitation of the virtual tunnnel dynamic interface?

  Federica

  If one side is DVTI and the other uses a dynamic map, it does support only 1 SA. If the two end uses DVTI or the two end uses dynamic card then it supports several SAs.

  Here is the note of documentation for your reference:

  Note: Multiple inside interfaces are supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.
  
  

  Here's the URL:

  http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1046365

  Hope that answers your question.

• VPN tunnel between 2 ASA 5505 with the same default gateway

  Hello

  Is it possible to create a vpn ipsec site to site (laboratory environment) between two 5505 (ASA IOS 8.2 (5) & asdm-645-206) with the same default gateway. That is a VPN tunnel or a back to back-to-one site that I have to deploy a router and hang each 5505 out a different interface? We have a lot of public IP but only one gateway our ISP (Internet). Any suggestions or recommendations are very appeciated!

  d

  Yes - you can even do it with a xover cable and a 30 ip on both external interfaces.

• With NAT VPN tunnels

  I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

  Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

  I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

  The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

  Is this possible? I am attaching a schema, which could help.

  Hello

  Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

  On your ASA device

  public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

  You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

  HTH

  Jon

• Impossible to pass traffic through the VPN tunnel

  I have an ASA 5505 9.1 running.   I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

  Here is my config

  LN-BLF-ASA5505 > en
  Password: *.
  ASA5505-BLF-LN # sho run
  : Saved
  :
  : Serial number: JMX1216Z0SM
  : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
  :
  ASA 5,0000 Version 21
  !
  LN-BLF-ASA5505 hostname
  domain lopeznegrete.com
  activate the password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.116.254 255.255.255.0
  OSPF cost 10
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 50.201.218.69 255.255.255.224
  OSPF cost 10
  !
  boot system Disk0: / asa915-21 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain lopeznegrete.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  the LNC_Local_TX_Nets object-group network
  Description of internal networks Negrete Lopez (Texas)
  object-network 192.168.1.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  object-network 192.168.3.0 255.255.255.0
  object-network 192.168.4.0 255.255.255.0
  object-network 192.168.5.0 255.255.255.0
  object-network 192.168.51.0 255.255.255.0
  object-network 192.168.55.0 255.255.255.0
  object-network 192.168.52.0 255.255.255.0
  object-network 192.168.20.0 255.255.255.0
  object-network 192.168.56.0 255.255.255.0
  object-network 192.168.59.0 255.255.255.0
  object-network 10.111.14.0 255.255.255.0
  object-network 10.111.19.0 255.255.255.0
  the LNC_Blueleaf_Nets object-group network
  object-network 192.168.116.0 255.255.255.0
  access outside the permitted scope icmp any4 any4 list
  extended outdoor access allowed icmp a whole list
  outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 741.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  outside access-group in external interface
  !
  router ospf 1
  255.255.255.255 network 192.168.116.254 area 0
  Journal-adj-changes
  default-information originate always
  !
  Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication enable LOCAL console
  Enable http server
  http 192.168.2.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.201.218.93
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  no use of validation
  Configure CRL
  trustpool crypto ca policy
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit smoking
  crypto isakmp identity address
  Crypto isakmp nat-traversal 1500
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  username
  username
  tunnel-group 50.201.218.93 type ipsec-l2l
  IPSec-attributes tunnel-group 50.201.218.93
  IKEv1 pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home service
  anonymous reporting remote call
  call-home
  contact-email-addr [email protected] / * /
  Profile of CiscoTAC-1
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e519f212867755f697101394f40d9ed7
  : end
  LN-BLF-ASA5505 #.

  Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:

   packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

  (simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

• Question regarding full mesh with ASA5505 vpn tunnels.

  I have 5 remote sites, all of which are connected to the internet through different Internet service providers. My plan was to do a VPN tunnels on each ASA L2L going to other sites (4 tunnels on each SAA). I was wondering if it's the best way to go about this or if I do something else? A full mesh is necessary in this case.

  Thank you!

  Jason

  We don't know enough about your environment to give really good advice on what is best. But according to the description you provided I'd say a VPN L2L of each ASA to all other ASAs would be a very reasonable thing to do.

  HTH

  Rick