Site-to-site VPN interesting traffic with NAT/PAT: config question
I have an ASA running 8.4.2 code and am checking the site-to-site configs before migrating the tunnel, more precisely whether the NAT/PAT and ACL are correct. Phase 1 is already defined and works, as are the crypto maps and tunnel groups.
When you define the interesting traffic in the ACL, do you use the NAT or the real IP? Is the order of the ACL correct?
First of all:
The vendor network is 192.168.1.10 and must be NATed to 10.1.0.2.
name 5.6.7.8 VendorName
object-group network VendorName-R
 network-object host 192.168.1.10
object-group network VendorName-NAT-R
 network-object host 10.1.0.2
object-group network VendorName-L
 network-object host 10.1.1.3
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R
Second:
The vendor's networks are 192.168.1.0 and 192.168.2.0; these must be PATed to 10.1.0.2 and 10.1.0.3.
192.168.1.20 and 192.168.1.21 must be statically NATed to 10.1.0.4 and 10.1.0.5.
name 5.6.7.8 VendorName
object-group network VendorName-R-1
 network-object 192.168.1.0 255.255.255.0
object-group network VendorName-R-2
 network-object 192.168.2.0 255.255.255.0
object-group network VendorName-R-3
 network-object host 192.168.1.20
object-group network VendorName-R-4
 network-object host 192.168.1.21
object-group network VendorName-NAT-R-1
 network-object host 10.1.0.2
object-group network VendorName-NAT-R-2
 network-object host 10.1.0.3
object-group network VendorName-NAT-R-3
 network-object host 10.1.0.4
object-group network VendorName-NAT-R-4
 network-object host 10.1.0.5
object-group network VendorName-R
 group-object VendorName-NAT-R-1
 group-object VendorName-NAT-R-2
 group-object VendorName-NAT-R-3
 group-object VendorName-NAT-R-4
object-group network VendorName-L
 network-object host 10.1.1.3
 network-object host 10.1.1.6
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-R
nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-1 destination static VendorName-R-1 VendorName-R-1
nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-2 destination static VendorName-R-2 VendorName-R-2
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-3 destination static VendorName-R-3 VendorName-R-3
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-4 destination static VendorName-R-4 VendorName-R-4
Your interesting traffic ACL MUST use the NAT IP addresses.
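A small lint that applies the answer's rule to an ASA 8.3+ config: the crypto ACL must describe packets as they look after NAT (mapped local source, real remote destination), so the mapped destination object that inside hosts dial must not appear in it. This is an added example, not code from the thread; the config text is constructed to mirror the question's object names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample config that mirrors the question's object names; it is
# not a copy of any device's running-config.
SAMPLE_CONFIG = """
object-group network VendorName-L
 network-object host 10.1.1.3
object-group network VendorName-NAT-L
 network-object host 10.1.0.2
object-group network VendorName-R
 network-object host 192.168.1.10
object-group network VendorName-R-3
 network-object host 192.168.1.20
object-group network VendorName-NAT-R-3
 network-object host 10.1.0.4
access-list VendorName-crypto extended permit ip object-group VendorName-NAT-L object-group VendorName-R
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-3
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-L destination static VendorName-R VendorName-R
nat (inside,outside) 2 source static VendorName-L VendorName-L destination static VendorName-NAT-R-3 VendorName-R-3
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit \S+ object-group (\S+) object-group (\S+)")
# "source static|dynamic <real> <mapped> [destination static <mapped> <real>]":
# the ASA lists the destination pair in mapped-then-real order.
NAT_RE = re.compile(r"nat \(\S+,\S+\)(?: \d+)? source (?:static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")


def parse_config(text):
    """Collect object-groups (name -> set of networks), ACEs and NAT rules."""
    groups, aces, nats = defaultdict(set), [], []
    current = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"network-object host ([\d.]+)$", line)
        if m and current:
            groups[current].add(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"network-object ([\d.]+) ([\d.]+)$", line)
        if m and current:  # subnet written with a dotted netmask
            groups[current].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        current = None
        m = ACE_RE.match(line)
        if m:
            aces.append({"acl": m.group(1), "src": m.group(2), "dst": m.group(3)})
            continue
        m = NAT_RE.match(line)
        if m:
            real_src, mapped_src, mapped_dst, real_dst = m.groups()
            nats.append({"real_src": real_src, "mapped_src": mapped_src,
                         "mapped_dst": mapped_dst, "real_dst": real_dst, "line": line})
    return {"groups": groups, "aces": aces, "nats": nats}


def _overlaps(a, b):
    return any(x.overlaps(y) for x in a for y in b)


def check_crypto_acl(cfg, acl_name):
    """Return one finding per ACE of acl_name that names a pre-NAT address."""
    def addrs(name):
        return cfg["groups"].get(name, set()) if name else set()

    findings = []
    entries = [a for a in cfg["aces"] if a["acl"] == acl_name]
    for n, ace in enumerate(entries, 1):
        src, dst = addrs(ace["src"]), addrs(ace["dst"])
        for nat in cfg["nats"]:
            # Consider only NAT rules whose source and destination objects touch this ACE.
            if not _overlaps(src, addrs(nat["real_src"]) | addrs(nat["mapped_src"])):
                continue
            if nat["real_dst"] and not _overlaps(
                    dst, addrs(nat["real_dst"]) | addrs(nat["mapped_dst"])):
                continue
            if (nat["real_src"] != nat["mapped_src"]
                    and _overlaps(src, addrs(nat["real_src"]))
                    and not _overlaps(src, addrs(nat["mapped_src"]))):
                findings.append(f"ACE {n}: source {ace['src']} is the real local object; "
                                f"after NAT the source is {nat['mapped_src']} ({nat['line']})")
            if (nat["real_dst"] and nat["real_dst"] != nat["mapped_dst"]
                    and _overlaps(dst, addrs(nat["mapped_dst"]))
                    and not _overlaps(dst, addrs(nat["real_dst"]))):
                findings.append(f"ACE {n}: destination {ace['dst']} is the mapped (pre-NAT) "
                                f"remote object; after NAT the destination is "
                                f"{nat['real_dst']} ({nat['line']})")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_acl(parse_config(SAMPLE_CONFIG), "VendorName-crypto"):
        print(finding)
```

On the constructed config the first ACE passes (mapped local source, untranslated remote) and the second is flagged because it names VendorName-NAT-R-3, the address that exists only before the destination NAT.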
Tags: Cisco Security
Similar Questions
-
Configure the Cisco VPN client to pass through the site-to-site VPN (GUI)
Hello
I must say that the thread and responses I've seen on achieving this goal have been great...
https://supportforums.Cisco.com/discussion/12234631/Cisco-ASA-5505-VPN-p...
and
https://supportforums.Cisco.com/document/12191196/AnyConnect-client-site...
My question is: can this configuration be done using the graphical user interface, for someone who is not familiar with the command line?
Thank you
Of course, all of this can be configured via ASDM.
Looking at the second example you posted above, the first change they point you to is:
Split-tunnel ACL for the AnyConnect client
This is under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > (choose the profile and select Edit) > (choose "Manage" next to Group Policy) > Edit > Advanced > Split Tunneling > make sure the policy does not "Inherit" but rather uses "Tunnel Network List Below" > unselect "Inherit" next to Network List, then "Manage". Enter the networks you want in this dialog box. Click OK all the way back to the main ASDM window and click Apply.
You then change:
Crypto ACL for the site-to-site tunnel
To do this, go to Configuration > Site-to-Site VPN > Connection Profiles > (choose your profile and select Edit) > add the VPN client address pool to the list of local networks under Protected Networks. Once again, click OK all the way back to the main ASDM window and click Apply.
Then, allow the ASA to redirect traffic back out the same interface it receives it on. This is defined under Configuration > Device Setup > Interfaces (check the box at the bottom of this screen). Click Apply.
Finally, there is the NAT exemption. For this, go to Configuration > Firewall > NAT Rules. Add a NAT rule before the network object rules with Source Interface outside, Source Address your VPN address pool, Destination Address including the remote subnets, Action Static, Source NAT Type Static, and the source address and destination address remaining as Original (i.e. no NAT). Click OK all the way back to the main ASDM window and click Apply. Save and test.
Good luck. Don't forget to rate and mark posts as helpful when your question is answered.
-
Next hop for a static route to the site-to-site VPN on an ASA?
Hi all
I would be grateful if someone could help me with my ASA problem/misunderstanding. I have a site-to-site VPN on an ASA. I want to add a floating static route on the ASA pointing to the VPN. Note that the traffic for this route is not within the subnets of the crypto ACL that is used to bring up the VPN. This VPN is used only as a backup.
Should the static route's next hop be the local public address or the remote public address of the VPN? Or maybe the next hop of the local ASA's ISP-facing internet interface? I intend to do this in ASDM. I'm sorry if it's a simple question, but I found no material that explains this.
Regards
Ahh, ok, makes sense.
The next hop should be the next hop of the interface that terminates the VPN connection, essentially the same as your Internet connection / outside interface next hop.
Example topology:
Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet
The static route would then be:
route outside 10.2.2.2 255.255.255.255 1.1.1.2 200
I hope this helps.
-
Problem with a site-to-site VPN between two Cisco ASA 5505
Starting out with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help. I can't ping from site A to site B and vice versa.
Cisco ASA 1 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.60.2 255.255.255.0
!
ftp mode passive
object network Lan_Outside
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object network Lan_Outside
 nat (inside,outside) dynamic interface dns
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 96.88.75.222
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.60.50-192.168.60.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_96.xx.xx.222 internal
group-policy GroupPolicy_96.xx.xx.222 attributes
 vpn-tunnel-protocol ikev1 ikev2
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 general-attributes
 default-group-policy GroupPolicy_96.xx.xx.222
tunnel-group 96.xx.xx.222 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
Cisco ASA 2 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Lan_Outside
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
!
object network Lan_Outside
 nat (any,outside) dynamic interface
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 172.110.74.4
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_172.xxx.xx.4 internal
group-policy GroupPolicy_172.xxx.xx.4 attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 general-attributes
 default-group-policy GroupPolicy_172.xxx.xx.4
tunnel-group 172.xxx.xx.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect http
For an IKEv2 configuration (example config, you can change the encryption, group, ...):
- You must add the NAT exemption statement (see previous answer).
- Set your encryption domain ACL:
access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN
- Set Phase 1:
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
- Set Phase 2:
crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
- Set the tunnel group:
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
- Define the crypto map:
crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
In your config you have all these commands, but in your VPN config you mix ikev1 and ikev2, and you have also defined several different ikev2 policies. Just do a bit of cleaning and agree on a single policy for the two sites (encryption, hash, ...).
Thank you
-
Phase 2 error on a site-to-site VPN
Dear all,
We have a site-to-site VPN with a partner; we need to access three different hosts on the partner's network. Phase 1 comes up, but there is a problem with phase 2 for the three hosts: we can only connect to one host, the others are not connected, and they all share the same settings.
Below, show access-list shows matching packets, but the connection to the host fails.
In show crypto ipsec sa I see send errors and I don't know what could be responsible.
Anybody who can see what is wrong, please help me, I am exhausted.
show access-list
    10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
    20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
    30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)
show crypto ipsec sa
   local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 198, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Edit: can you post the configuration of both sides of the tunnel? Otherwise, re-check the configs on both sides once more.
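A triage helper for the kind of show crypto ipsec sa output posted above: it splits the output into one record per proxy ident and classifies each one from its outbound SPI, flags and send-error counter, so the identities that never got a Phase 2 SA are listed at once. Added example, not the poster's or responder's code; the sample output is constructed in the IOS format, with one working identity and one that looks like the failing hosts above (SPI values are made up).

```python
import re

# Constructed output in the format of IOS 'show crypto ipsec sa': the first
# identity has a working SA, the second looks like the failing hosts above.
SAMPLE_OUTPUT = """\
interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 4.2.3.16

   local  ident (addr/mask/prot/port): (4.2.3.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.22/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 647594, #pkts encrypt: 647594, #pkts digest: 647594
    #pkts decaps: 601200, #pkts decrypt: 601200, #pkts verify: 601200
    #send errors 0, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     current outbound spi: 0xC1A2B3D4(3248665556)

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0xC1A2B3D4(3248665556)

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
FLAGS_RE = re.compile(r"flags=\{([^}]*)\}")
COUNTER_RES = {"encaps": re.compile(r"#pkts encaps: (\d+)"),
               "decaps": re.compile(r"#pkts decaps: (\d+)"),
               "send_errors": re.compile(r"#send errors (\d+)")}
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def classify(rec):
    """Map the counters of one proxy identity to a triage status."""
    if rec["spi"] == 0:  # no outbound Phase 2 SA exists for this identity
        if "ipsec_sa_request_sent" in rec["flags"]:
            return "no_sa_after_request"  # we proposed Phase 2, the peer never completed it
        return "no_sa_no_request"  # nothing has triggered Phase 2 for this identity yet
    if rec["encaps"] and not rec["decaps"]:
        return "sa_up_one_way"  # we encrypt, nothing comes back from the peer
    return "established"


def parse_sa_blocks(text):
    """Return one record per 'local ident' block in the command output."""
    records = []
    for block in re.split(r"(?m)^(?=[ \t]*local[ \t]+ident)", text)[1:]:
        rec = {"flags": set(), "encaps": 0, "decaps": 0, "send_errors": 0, "spi": 0}
        for side, addr, mask in IDENT_RE.findall(block):
            rec[side] = f"{addr}/{mask}"
        m = PEER_RE.search(block)
        rec["peer"] = m.group(1) if m else None
        m = FLAGS_RE.search(block)
        if m:
            rec["flags"] = {f for f in m.group(1).split(",") if f}
        for key, rx in COUNTER_RES.items():
            m = rx.search(block)
            if m:
                rec[key] = int(m.group(1))
        m = SPI_RE.search(block)
        if m:
            rec["spi"] = int(m.group(1), 16)
        rec["status"] = classify(rec)
        records.append(rec)
    return records


def failing_identities(records):
    """Identities whose traffic is being dropped (send errors without an SA)."""
    return [(r["local"], r["remote"], r["send_errors"], r["status"])
            for r in records if r["spi"] == 0 and r["send_errors"]]


if __name__ == "__main__":
    recs = parse_sa_blocks(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['local']} -> {r['remote']} via {r['peer']}: {r['status']}")
    print("failing:", failing_identities(recs))
```

The send-error counter alone only says packets matched the crypto ACL and were dropped; the SPI of 0x0 plus the flag set tells you whether a Phase 2 request went out for that identity at all.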
-
Local host access over the site-to-site VPN with static NAT configured
I have two 881 routers with a site-to-site VPN between them. I have a static NAT on the router for a web server that is accessible from the internet. I can't access the web server through the VPN. All other traffic is fine over the VPN. I think there is a problem with the NAT. Here are the relevant configuration lines.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.150.2 bonnefin route-map SDM_RMAP_1
route-map SDM_RMAP_1 permit 1
 match ip address 100
access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
You should be able to access the web server with its private IP (192.168.150.2) through the VPN connection.
If you just added the VPN and the route map, try clearing the existing translations and see if you can access it via its private IP address from the remote VPN LAN.
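A simplified model of the NAT decision on the 881 as quoted above, showing why the deny line in access-list 100 keeps VPN-bound traffic untranslated and why a translation entry left over from before that line existed still hijacks the flow until it is cleared. Added example, not the poster's or responder's code; the public addresses are placeholders and the "existing translations are consulted before the route-map" ordering is the assumption the answer's advice rests on.

```python
import ipaddress

WEB_SERVER = "192.168.150.2"
PUBLIC_IP = "203.0.113.10"      # placeholder for the server's static public address
FA4_IP = "203.0.113.1"          # placeholder for the FastEthernet4 (overload) address

# access-list 100 as quoted in the question, in IOS order: VPN-bound traffic is
# denied by the route-map (so not translated), everything else is permitted.
ACL_100 = [
    ("deny", "192.168.150.0/0.0.0.255", "192.168.123.0/0.0.0.255"),
    ("permit", "192.168.150.0/0.0.0.255", "0.0.0.0/0"),
]


def _in(net, addr):
    # ipaddress accepts IOS wildcard masks such as 0.0.0.255 as host masks
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def route_map_permits(src, dst, acl=ACL_100):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if _in(s, src) and _in(d, dst):
            return action == "permit"
    return False


def nat_outbound(src, dst, xlates):
    """Simplified model of the inside->outside NAT decision: an existing
    translation entry for the source is reused before the route-map is
    consulted (assumption), which is why the answer suggests clearing them."""
    if src in xlates:
        return xlates[src]
    if not route_map_permits(src, dst):
        return src                              # enters the tunnel untranslated
    xlates[src] = PUBLIC_IP if src == WEB_SERVER else FA4_IP
    return xlates[src]


def demo():
    stale = {WEB_SERVER: PUBLIC_IP}   # entry created before the deny line existed
    return {
        "vpn_with_stale_xlate": nat_outbound(WEB_SERVER, "192.168.123.50", stale),
        "vpn_after_clear": nat_outbound(WEB_SERVER, "192.168.123.50", {}),
        "internet": nat_outbound(WEB_SERVER, "198.51.100.7", {}),
        "other_host_internet": nat_outbound("192.168.150.77", "198.51.100.7", {}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: source seen by the far end = {result}")
```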
-
Command to check the capacity or bandwidth between the ends of a site-to-site VPN tunnel
Hello
How can we verify the capacity/bandwidth between the A-end and the B-end of a site-to-site VPN tunnel?
You can't, very easily. The capacity and bandwidth depend not only on your devices but on a lot of devices and paths between them over which you have no control or visibility.
You can use "show traffic" or report on interface utilisation using any performance management tool (Cacti, which is gold, SolarWinds NPM, Cisco Prime LMS, etc.). Those usually do not distinguish between overall interface traffic and the part due to VPNs. If you export NetFlow data from the ASA, you can break it down by remote IP address and derive the VPN usage from that. NetFlow records must be exported to a tool like ntop, SolarWinds NTA, Prime LMS or Prime Infrastructure to be useful.
Cisco Security Manager will poll the VPN statistics periodically and lets you select individual VPNs or users to gather a set of queries, as it does on an ongoing basis.
-
Convert a site-to-site VPN from PIX to ASA 8.2
I have been working on converting a config from a PIX to an ASA 8.2, but I am running into trouble with the site-to-site VPN. The PIX has a VPN client setup and a site-to-site VPN. Given that some of the configs for the site-to-site cross over with the VPN client, I'm confused. Any help would be appreciated.
Below are excerpts of just the PIX VPN-related commands.
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host Zenoss_OS CNP 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Zenoss_Hardware NOC 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.160 255.255.255.240
access-list outside_cryptomap_20 permit ip host Zenoss_OS CNP 255.255.255.0
access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_Hardware CNP 255.255.255.0
ip local pool DHCP_Pool 192.168.0.161-192.168.0.174
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 205.x.29.41 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 180
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup GHA_Remote address-pool DHCP_Pool
vpngroup GHA_Remote dns-server 192.168.0.11
vpngroup GHA_Remote wins-server 192.168.0.11
vpngroup GHA_Remote default-domain x.org
vpngroup GHA_Remote split-tunnel Remote_splitTunnelAcl
vpngroup GHA_Remote idle-time 1800
vpngroup GHA_Remote password KEY
I guess what I really wonder is whether someone can convert the site-to-site part of this VPN config to ASA 8.2 syntax so I can compare it with what I have. I need it to just drop into place and work.
Also, it does appear that isakmp policy 40 is the one being used, correct?
On your ASA in config mode, simply type "vpnsetup ipsec-remote-access steps" or "vpnsetup site-to-site steps" and it lists what is needed, or you can download the PIX to ASA migration tool.
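The ASA 8.2 site-to-site half of that PIX config, written out here as an added example; it is not from the thread and not the output of Cisco's migration tool. It assumes the name entries for Zenoss_OS, SilverBack, Zenoss_Hardware, CNP and NOC already exist on the ASA (the PIX ACLs reference them), keeps the PIX ACL and map names, leaves the pre-shared key as a placeholder, and deliberately leaves out the vpngroup part, which maps to a tunnel-group of type ipsec-ra and a group-policy rather than to this crypto map entry.

```cisco
! ASA 8.2 equivalent of the PIX site-to-site entries above (added example; key is a placeholder)
names
access-list outside_cryptomap_20 extended permit ip host Zenoss_OS CNP 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host Zenoss_Hardware CNP 255.255.255.0
! NAT exemption keeps the real addresses inside the tunnel (8.2 still uses nat 0 access-list)
access-list inside_outbound_nat0_acl extended permit ip host Zenoss_OS CNP 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host Zenoss_Hardware NOC 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
! Phase 2: same transform as the PIX so the far end does not have to change
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
! Phase 1: both PIX policies carried over; the peer picks whichever one matches
crypto isakmp enable outside
crypto isakmp nat-traversal 180
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
! "isakmp key ... no-xauth no-config-mode" becomes a tunnel-group; type ipsec-l2l
! already means no XAUTH and no mode-config for this peer
tunnel-group 205.x.29.41 type ipsec-l2l
tunnel-group 205.x.29.41 ipsec-attributes
 pre-shared-key <same-key-as-on-the-PIX>
! Decrypted VPN traffic bypasses the interface ACL, as permit-ipsec did on the PIX
sysopt connection permit-vpn
```

Bring the tunnel up with traffic that matches outside_cryptomap_20 and check "show crypto isakmp sa" and "show crypto ipsec sa peer 205.x.29.41"; the proxy identities shown there must be the same host/network pairs the PIX negotiated. DES and MD5 are kept only so the existing peer keeps working; once both ends are on the ASA side of the migration, move the policy and transform set to AES and SHA together, because a one-sided change simply makes Phase 1 or Phase 2 fail.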
-
Routing between two remote sites connected over site-to-site VPN
I have a problem pinging between the remote sites. Right now the crypto and no-NAT ACLs for the different sites only cover traffic between each remote site and the main site. I tried adding routes and adding the other subnets to the crypto and no-NAT ACLs at the remote sites... nothing worked. Any ideas?
Main site:
192.168.100.0 - call manager / phone VLAN
192.168.1.0/24 - data VLAN
Site 1:
192.168.70.0/24 - phone VLAN
192.168.4.0/24 - data VLAN
Site 2:
192.168.80.0/24 - phone VLAN
192.168.3.0/24 - data VLAN
Main router
Extended IP access list ACL5
 10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 30 permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
 40 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
 50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Extended IP access list ACL6
 10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 30 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
 40 permit ip 192.168.100.0 0.0.0.255 192.168.80.0 0.0.0.255
Extended IP access list No-NAT
 10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
 20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
 30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
 40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
 320 permit ip 192.168.1.0 0.0.0.255 any
 330 permit ip 192.168.100.0 0.0.0.255 any
Site 1:
Extended IP access list ACL5
 permit ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
Extended IP access list No-NAT
 deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
Site 2:
Extended IP access list ACL6
 permit ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
Extended IP access list No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
What should I do so that these two sites can ping each other? I looked through the forums but can't seem to find anyone with a similar problem who received a definitive answer.
Thanks in advance!
Hi, I assume that you need site 1 and site 2 to communicate with each other via the main site, right? If that is the case, then you need to add the following lines to your crypto ACLs:
Main router
Extended IP access list ACL5
 permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Extended IP access list ACL6
 permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
Make sure you add these lines before the last permit
Extended IP access list No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 1:
Extended IP access list ACL5
 permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Make sure that these lines are added before the last permit
Extended IP access list No-NAT
 deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Site 2:
Extended IP access list ACL6
 permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Again, make sure that these lines are added before the last permit
Extended IP access list No-NAT
 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
So with these definitions your routers should be good enough for the remote sites (sites 1 and 2) to reach each other via the main site.
Let me know if this is what you need.
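The hub side of that answer put together as one IOS config, added here as an example that is not from the thread. The crypto map name, WAN interface, spoke peer addresses and sequence numbers are assumptions; ACL5, ACL6 and No-NAT are the names from the post. One thing worth checking against the original rather than the reconstruction: as posted, the main router's No-NAT list denies 192.168.2.0/24 and 192.168.200.0/24, while ACL5 and ACL6 match 192.168.1.0/24 and 192.168.100.0/24, so the example uses the subnets the crypto ACLs actually carry.

```cisco
! Hub (main router). Added example; map/interface names, peer IPs and sequence numbers are assumptions.
!
! One crypto map entry per spoke. Spoke-to-spoke traffic is decrypted by one entry and
! re-encrypted by the other, which is why BOTH ACLs need the new mirror-image lines.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1            ! site 1 peer (placeholder)
 match address ACL5
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.2            ! site 2 peer (placeholder)
 match address ACL6
interface GigabitEthernet0/0       ! WAN interface that carries both tunnels (assumed name)
 crypto map VPNMAP
!
! Site 2 subnets through site 1's tunnel (ACL5 already ends at sequence 50) ...
ip access-list extended ACL5
 60 permit ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 70 permit ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 80 permit ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 90 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
! ... and site 1 subnets through site 2's tunnel (ACL6 ends at 40)
ip access-list extended ACL6
 50 permit ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 60 permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 70 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 80 permit ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
!
! NAT exemption: explicit sequence numbers keep the denies ahead of the final permits (320/330),
! which is what "before the last permit" means on a numbered IOS ACL.
ip access-list extended No-NAT
 50 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 60 deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
 70 deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
 80 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 90 deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
 100 deny ip 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
 110 deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
 120 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Checks. A decrypted packet that is routed anywhere but the crypto-map interface never
! reaches the second crypto map entry, so confirm the spoke routes first:
!   show ip route 192.168.3.0      -> must point out GigabitEthernet0/0 (or via RRI)
!   show ip route 192.168.80.0
! After a ping from 192.168.4.x to 192.168.3.x, one new SA pair per spoke should exist:
!   show crypto ipsec sa peer 198.51.100.1 | include ident|#pkts
!   show crypto ipsec sa peer 198.51.100.2 | include ident|#pkts
```

On the spokes the added ACL5/ACL6 lines are the exact mirror of the hub's, and each spoke needs a route for the other spoke's two subnets toward the same WAN next hop it already uses for the main site. If only one of the two new SA pairs appears on the hub after the ping, the ACL or route for the missing one is what to fix; if both appear but the ping still fails, look at the spoke's No-NAT list, since a spoke that translates 192.168.4.x before encryption will never match the 192.168.4.0/24 proxy identity.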
-
I just posted a question about the last automatic update, 38.3.0: it is no longer possible to log into different e-mail accounts in a profile, only the first e-mail account. My Mozilla support account is linked to one of the e-mail accounts that I can NOT connect to. I can't connect to this e-mail account to check the issue. Your latest Thunderbird 38.3.0 is useless because it is no longer possible to log into different e-mail accounts in a profile, and your support solution is useless because you need to connect to the e-mail account to check the issue.
How to proceed?
You can change the e-mail associated with your media profile.
I have 38.3.0 and I can access all my e-mail accounts. I suggest you try the initial tests: start T-bird with add-ons disabled.
If it works, one of your add-ons is to blame and you need to enable them one by one. Start your operating system in safe mode with networking.
If it works, probably your antivirus is blocking or delaying (or a driver). -
Two questions: running XP and have some interesting questions at startup and with IE.
Hi, I'm trying to wear the IT hat and working to clear up some questions on my mother's computer. #1 I guess the computer shipped with a version of Corel Photo software on it and we cannot get rid of the "Installer" messages at startup. We tried to remove the program and the same message comes back, telling us that "Installer cannot perform the requested action without the CD/program files"; we get about 6 of these messages that must each be closed before the computer will continue to boot. Please, please tell me how to get rid of this. I tried installing the 'Installer' update to see if that would make a difference, and nope. I also tried to remove the Corel files via CCleaner and got the same message. I do not have the program disc, I don't want the program... I just want to get rid of it!
#2 When entering an address in the Internet Explorer address bar, the browser opens a second browser instead of going to the requested site. For example, when I open Internet Explorer, go to the address bar at the top and type www.google.com, instead of going to Google it opens a completely separate browser. When it does this, it's EXTREMELY SLOW! until you think IE has gone unresponsive, and then finally the second browser opens.
I'd appreciate any help! I'm trying to solve these problems while I'm staying here so that I can leave her a working computer.
Thank you!
Hello
· What version of Internet Explorer are you using (Internet Explorer 6, 7 or 8)?
· Did Internet Explorer work before?
· Since when have you been facing this problem?
Step 1:
It may be some third-party software running in the background that is conflicting with the process. I suggest you do a clean boot and check. To perform a clean boot, follow the steps mentioned in the link given below.
How to configure Windows XP to start in a "clean boot" State
http://support.Microsoft.com/kb/310353
Note: Once you have finished troubleshooting, follow step 7 to start the computer in normal startup.
If the steps above don't help you remove the Corel Photo software, I suggest you post your query on the XP forums. Click on the link below.
http://social.answers.Microsoft.com/forums/en-us/xpprograms/threads?filter=answered
For the Internet Explorer related issue, follow steps 2 and 3.
Step 2:
I suggest you run the Fix it in the article given below to repair Internet Explorer
How to reinstall or repair Internet Explorer in Windows Vista and Windows XP
http://support.Microsoft.com/kb/318378
Step 3:
If you use Internet Explorer 7 or 8, I suggest you run the Fix it present in the article below. If you use Internet Explorer 6, you can follow the steps mentioned in the article given below, as they apply to Internet Explorer 6 also.
How to reset Internet Explorer settings
http://support.Microsoft.com/kb/923737
Thanks and regards.
Thahaseena M
Microsoft Answers Support Engineer.
Visit our Microsoft answers feedback Forum and let us know what you think. -
How can I vote for an interesting question on the dedicated forum?
Hello
I know that Muse is a brand new application, but there are several relevant questions, in my opinion, that should be considered first.
After much navigating (!), I found a forum where you can vote for these interesting questions users have faced.
Unfortunately, I'm unable to vote for any of these messages even when I am logged in.
Is there something to do to get this "right to vote"?
I really want to participate in this improvement, just give me the tools to do it!
Thanks for your response
We had a few e-mails of late in the Ideas section of the forums and so our admin had turned them off.
I have re-enabled them so you can vote and add ideas; apologies for the inconvenience.
-j
-
Problem accessing a NAS device via site-to-site VPN
Hi all
I am facing a strange problem with a client. I use a site-to-site VPN between two ASA 5505s to connect their network to ours, to replicate between a NAS on their side and a NAS on our side. I use the same configuration with other customers and it works fine.
With this client, while I am able to ping the remote NAS, I have problems using SMB, connecting via SSH (it works _sometimes_, but most of the time accessing files via Explorer results in a timeout) and reaching the NAS web portal (HTTP and HTTPS; with HTTPS I can see the remote certificate of the NAS but the page does not load). These problems occur on both sides (our network -> client NAS, client network -> our NAS).
I can access the NAS of other customers without any problems. In the ASA logs I see no blocked connection or anything else when this happens, and the tunnel seems to work fine otherwise.
Any ideas how to refine the problem here?
Thanks in advance
Tobias
It looks like you may be running into problems with packets that are too big for your tunnel. Try limiting the TCP segment size by putting the following on your ASA units:
sysopt connection tcpmss 1360
Most VPN tunnels are not going to have an MTU (Maximum Transmission Unit) of less than 1400 bytes, so the above should clear things up.
-
The WAN connection becomes too slow after configuring a site-to-site VPN
Hello
I have two branches connected via a WAN (MPLS) connection using two 2921 routers. The connection is 2 Mbit/s.
I set up a VPN between these two sites, but since then the connection has become very slow.
Is there something I can do to speed up the connection?
The VPN proposals are:
Phase 1 proposals: 3DES, pre-shared.
Phase 2 proposals: esp-3des esp-sha-hmac
I don't think that lower-security proposals will add a lot to the speed...
Hi Marc,
One thing you should definitely do is use hardware encryption if you are not already; it also reduces the load on your CPU.
Another thing you can try is to play with the MTU, depending on your line MTU and what applications are mainly used. Try setting the MTU at least 60-odd bytes lower than the line MTU; also, some servers have recommended MTU settings (many require an MTU of 1300 or 1400), and if that is not respected it can cause a lot of retransmissions. You can also try fragmentation before encryption.
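Both answers above (the NAS replication thread and this one) come down to the same thing: a 1500-byte segment plus ESP tunnel-mode overhead no longer fits the path, ping is small enough to work, and bulk SMB or HTTPS stalls on retransmissions. The following is an added example, not from either thread, showing the knobs on each platform; interface names are assumptions.

```cisco
! Added example; not from the threads. Interface names are assumptions.
!
! ---- ASA 5505, both ends of the NAS tunnel ----
! The ASA default is already "sysopt connection tcpmss 1380". 1360 leaves room for NAT-T
! (UDP/4500 adds 8 bytes) and AES's larger IV and padding:
! 1500 - 20 (IP) - 20 (TCP) - ~100 (new IP header + ESP + NAT-T) = 1360.
sysopt connection tcpmss 1360
! TCP flows that still arrive with DF set, and non-TCP traffic, are fragmented before
! encryption instead of being dropped (the "ping works, SMB and HTTPS stall" pattern).
crypto ipsec df-bit clear-df outside
crypto ipsec fragmentation before-encryption outside
! Check:  show running-config sysopt
!         show running-config crypto ipsec
!
! ---- IOS 2921, each branch ----
! Clamp the MSS on the LAN side so hosts never build a segment the tunnel has to fragment.
interface GigabitEthernet0/1          ! LAN interface (assumed name)
 ip tcp adjust-mss 1360
! The same two knobs as on the ASA, global on IOS.
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
! Check that hardware crypto is doing the work, and whether the tunnel is dropping:
!   show crypto engine configuration        -> "crypto engine type: hardware"
!   show crypto ipsec sa | include pkts|errors
```

Apply the MSS clamp on both ends, since each side clamps only the SYNs it forwards; a mismatch just means one direction keeps fragmenting. If throughput is still poor after this, the "show crypto ipsec sa" counters tell you whether the box is fragmenting or dropping (send/recv errors) rather than guessing at the proposals, and 3DES itself is slower in software than AES, so checking that the onboard crypto engine is in use is the first thing to do on a 2921.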
-
Local PIX interface IP access to hosts on the VPN site
I have a site-to-site VPN between an ASA 5510 and a PIX 515 which works very well. Hosts on either side of the tunnel have no problem reaching each other across it. However the local IP (192.168.20.1) on the client interface of my PIX is not allowed to access hosts across the tunnel.
packet-tracer input client tcp 192.168.20.1 12345 192.168.13.13 80 detailed
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 id=0x3ec5bc8, priority=500, domain=permit, deny=true
 hits=8, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=192.168.20.1, mask=255.255.255.255, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
There must be a setting that I missed. All other IPs on 192.168.20.0 don't get the same error with packet-tracer. Can someone help me please?
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet1
 nameif client
 security-level 90
 ip address 192.168.20.1 255.255.255.0
interface Ethernet1.21
 vlan 21
 nameif server
 security-level 100
 ip address 192.168.21.1 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0
access-list 100 extended permit ip client 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 1 interface
nat (client) 0 access-list 100
nat (client) 1 0.0.0.0 0.0.0.0
nat (server) 0 access-list 100
nat (server) 1 0.0.0.0 0.0.0.0
static (client,server) server server netmask 255.255.255.0
static (client,server) client client netmask 255.255.255.0
access-group client_access_in in interface client
route outside 0.0.0.0 0.0.0.0 95.129.13.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set sveden-aes256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 12.218.14.129
crypto map myvpnmap 10 set transform-set sveden-aes256
crypto map myvpnmap 10 set security-association lifetime seconds 28800
crypto map myvpnmap 10 set security-association lifetime kilobytes 4608000
crypto map myvpnmap 10 set reverse-route
crypto map myvpnmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 12.218.14.129 type ipsec-l2l
tunnel-group 12.218.14.129 general-attributes
tunnel-group 12.218.14.129 ipsec-attributes
 pre-shared-key *
Regards, Mikael
Hello
Do you plan to connect to the firewall at address 192.168.20.1 for management purposes, or why else should that IP be able to generate connections through the L2L VPN?
By default, packet-tracer will fail if you use a firewall interface IP address as the source address of the command. This result is always the same. (Although I have not tried packet-tracer with the command mentioned below enabled.)
If you want to access the interface IP 192.168.20.1 via the L2L VPN from the other side, then you will have to configure
management-access client
Here is more information on the above command
http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/m.html#wp2027985
-Jouni
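What that answer looks like in full on the PIX, as an added example that is not from the thread: the management-access line, why the existing ACL does not need to change, and the access restriction a practitioner would add alongside it. The remote admin host 192.168.13.13 is an assumption taken from the packet-tracer in the question.

```cisco
! Added example, not from the thread. 192.168.13.13 as the remote admin host is an assumption.
!
! Only one interface on a PIX/ASA can be the management-access interface.
management-access client
!
! No change to access-list 100 is needed: host 192.168.20.1 falls inside the
! 192.168.20.0/24 -> DM_INLINE_NETWORK_1 line that already drives both the crypto map
! and the nat 0 exemption, so the tunnel's proxy identities stay the same.
!
! management-access also makes ssh/ASDM/ping on 192.168.20.1 reachable from across the
! tunnel. If those services are enabled on the client interface, scope them to the
! remote management host rather than to the whole remote /24.
ssh 192.168.13.13 255.255.255.255 client
http 192.168.13.13 255.255.255.255 client
!
! Checks:
!   show management-access
!   packet-tracer input client tcp 192.168.20.1 12345 192.168.13.13 80 detailed
!   (re-run of the trace from the question; compare the ACCESS-LIST phase result)
```

The security point is that management-access does not widen the crypto ACL, it only exposes the firewall's own interface address to the VPN peer's networks; the ssh and http lines are what keep that exposure limited to a known host. Whether the re-run packet-tracer changes its verdict is something to test rather than assume, since the original answer notes that an interface IP as the trace source is rejected by default.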