interesting question of the vpn site to site NAT/PAT traffic config

Similar Questions

• Configure the Cisco VPN client to pass through the VPN site-to-site (GUI)

  Hello

  I say hat the chain and responses I've seen to achieve this goal have been great...

  https://supportforums.Cisco.com/discussion/12234631/Cisco-ASA-5505-VPN-p...

  and

  https://supportforums.Cisco.com/document/12191196/AnyConnect-client-site...

  My question is "we will get this configuration by using the graphical user interface for someone who is not notified about the command line?"

  Thank you

  Of course, all this can be configured via ASDM.

  Looking at the second example you posted above, they point you first change:

  ACL split of the tunnel for the AnyConnect customer

  This Configuration > remote access VPN > network (Client) access > AnyConnect connection profile > (chose the profile and select Edit) > (choose "Manage" next to group policy) > Edit > advanced > Split Tunneling > ensure that the policy does not "Inherit" but rather "Tunnel network list below" > Unselect "Inherit" next to the network list, then 'manage '. Enter your networks you want in the GUI in this dialog box. Click OK all the way back to the main window ASDM and click on apply.

  You then change:

  Crypto ACL for the tunnel from Site to Site

  To do this, go to Configuration > VPN Site-to_site > connection profiles > (choose your profile and select edit) > add the VPN client address pool to the list of local network between protect networks. Yet once, click OK all the way back to the main window ASDM and click on apply.

  Then, allow the

  ASA to redirect back on the same interface traffic it receives

  .. is defined under Configuration > Device Setup > Interfaces. (check the box at the bottom of this screen). Click on apply

  Finally, there is the NAT exemption. For which go to Configuration > firewall > rules NAT. Add a NAT device rule before rules network object with Interface Source out, Source address your address pool VPN, the Destination address to include remote subnets and Action is Static Source NAT type source address and destination address remaining as original (i.e. without NAT). Once on OK all the way back to the main window ASDM and click on apply. Save and test.

  Good luck. Don't forget to note the brand and posts useful when your question is answered.

• Next hop for the static route on the VPN site to site ASA?

  Hi all

  I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

  The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

  Concerning

  Ahh, ok, makes sense.

  The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

  Example of topology:

  Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

  The static route must tell:

  outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

  I hope this helps.

• Problem with the VPN site to site for the two cisco asa 5505

  Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

  Cisco Config asa1

  interface Ethernet0/0
  switchport access vlan 1
  !
  interface Ethernet0/1
  switchport access vlan 2
  !
  interface Vlan1
  nameif outside
  security-level 0
  IP address 172.xxx.xx.4 255.255.240.0
  !
  interface Vlan2
  nameif inside
  security-level 100
  IP 192.168.60.2 255.255.255.0
  !
  passive FTP mode
  network of the Lan_Outside object
  192.168.60.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  network of the NETWORK_OBJ_192.168.60.0_24 object
  192.168.60.0 subnet 255.255.255.0
  object-group Protocol DM_INLINE_PROTOCOL_1
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_2
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_3
  ip protocol object
  icmp protocol object
  Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
  Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
  Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
  network of the Lan_Outside object
  NAT (inside, outside) interface dynamic dns
  Access-group Outside_access_in in interface outside
  Inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  Enable http server
  http 192.168.60.0 255.255.255.0 inside
  http 96.xx.xx.222 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto Outside_map 1 corresponds to the address Outside_cryptomap
  card crypto Outside_map 1 set peer 96.88.75.222
  card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
  Outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev2 allow outside
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  inside access management

  dhcpd address 192.168.60.50 - 192.168.60.100 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  internal GroupPolicy_96.xx.xx.222 group strategy
  attributes of Group Policy GroupPolicy_96.xx.xx.222
  VPN-tunnel-Protocol ikev1, ikev2
  username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
  tunnel-group 96.xx.xx.222 type ipsec-l2l
  tunnel-group 96.xx.xx.222 General-attributes
  Group - default policy - GroupPolicy_96.xx.xx.222
  96.XX.XX.222 group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  inspect the icmp error

  ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  Cisco ASA 2 config

  interface Ethernet0/0
  switchport access vlan 1
  !
  interface Ethernet0/1
  switchport access vlan 2
  !
  interface Vlan1
  nameif outside
  security-level 0
  IP address 96.xx.xx.222 255.255.255.248
  !
  interface Vlan2
  nameif inside
  security-level 100
  IP 192.168.1.254 255.255.255.0
  !
  passive FTP mode
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network of the Lan_Outside object
  subnet 192.168.1.0 255.255.255.0
  network of the NETWORK_OBJ_192.168.60.0_24 object
  192.168.60.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  object-group Protocol DM_INLINE_PROTOCOL_1
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_2
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_3
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_4
  ip protocol object
  icmp protocol object
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
  Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
  Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
  !
  network of the Lan_Outside object
  dynamic NAT (all, outside) interface
  Access-group Outside_access_in in interface outside
  Inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  http 172.xxx.xx.4 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto Outside_map 1 corresponds to the address Outside_cryptomap
  card crypto Outside_map 1 set peer 172.110.74.4
  card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
  Outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev2 allow outside
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0

  dhcpd address 192.168.1.50 - 192.168.1.100 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  internal GroupPolicy_172.xxx.xx.4 group strategy
  attributes of Group Policy GroupPolicy_172.xxx.xx.4
  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
  username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
  tunnel-group 172.xxx.xx.4 type ipsec-l2l
  tunnel-group 172.xxx.xx.4 General-attributes
  Group - default policy - GroupPolicy_172.xxx.xx.4
  172.xxx.XX.4 group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  inspect the icmp error
  inspect the http

  For IKEv2 configuration: (example config, you can change to encryption, group,...)

  -You must add the declaration of exemption nat (see previous answer).

  -set your encryption domain ACLs:

  access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

  -Set the Phase 1:

  Crypto ikev2 allow outside
  IKEv2 crypto policy 10
  3des encryption
  the sha md5 integrity
  Group 5
  FRP sha
  second life 86400

  -Set the Phase 2:

  Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
  Esp aes encryption protocol
  Esp integrity sha-1 protocol

  -set the Group of tunnel

  tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
  REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
  IKEv2 authentication remote pre-shared-key cisco123

  
  IKEv2 authentication local pre-shared-key cisco123

  -Define the encryption card

  address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
  card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
  card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
  CRYPTOMAP interface card crypto outside
  crypto isakmp identity address

  On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

  Thank you

• Site of the error of phase 2 for the VPN site

  Dear all,

  We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.

  Below is show access ip list matching packages shown but connection to host failed

  With the crypto ipsec to see his I saw send error and I don't know what could be responsible.

  Any body who could be wrong please help me to am exhausted.

  access-list

  10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
  20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
  30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)

  Crypto ipsec to show his

  local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
  Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
  current_peer 4.2.6.24 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
   Errors #send 198, #recv errors 0

  local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
  clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
  current outbound SPI: 0x0 (0)
  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
  Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
  current_peer 4.2.6.24 port 500
  PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
      Errors #send 508, #recv errors 0

  local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
  clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
  current outbound SPI: 0x0 (0)
  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides

• local host to access the vpn site to site with nat static configured

  I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 100

  access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
  access-list 100 permit ip 192.168.150.0 0.0.0.255 any

  You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

  If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

• Order to check the ability or the bandwidth between the VPN Site-to-Site Tunnel

  Hello

  How can we verify capacity/bandwidth between the end of the B-end of the site-to-site VPN tunnel.

  You can't very easily. The capacity and bandwidth dependent not only on your devices, but on a lot of devices and paths between them that you have no control or visibility.

  You can "show traffic" or common report on the use of interface using any performance management tool (cactus, which is gold, SolarWinds NPM, Cisco first LMS, etc..). Those usually do not distinguish between overall traffic interface and that due to virtual private networks. If you export the ASA Netflow data, you can break it down by remote IP address and which derive the use VPN. NetFlow records must be exported in tool like ntop, SolarWinds NTA or first LMS or Infrastructure to be useful.

  Cisco Security Manager will query the VPN statistics periodically and you Beach individual VPN or users to gather a bunch of queries, as it does on an ongoing basis.

• Convert the VPN Site-to-Site of PIX to ASA 8.2

  I worked on the conversion of a config above a PIX an ASA 8.2 but I am running into trouble with the site to site vpn. The PIX has a VPN client and site to site. Given that some of the configs for the cross from site to site on the VPN client I'm confuse. Any help would be apperciated.

  Below are excerpts from just the PIX VPN related orders.

  permit access ip 192.168.0.0 list Remote_splitTunnelAcl 255.255.0.0 any

  inside_outbound_nat0_acl ip access list allow any 192.168.0.160 255.255.255.240

  inside_outbound_nat0_acl Zenoss_OS CNP 255.255.255.0 ip host allowed access list

  inside_outbound_nat0_acl SilverBack NOC 255.255.255.0 ip host allowed access list

  inside_outbound_nat0_acl allowed host NOC 255.255.255.0 enoss_Hardware ip access-list

  outside_cryptomap_dyn_20 ip access list allow any 192.168.0.160 255.255.255.240

  outside_cryptomap_20 Zenoss_OS CNP 255.255.255.0 ip host allowed access list

  outside_cryptomap_20 SilverBack NOC 255.255.255.0 ip host allowed access list

  outside_cryptomap_20 Zenoss_Hardware CNP 255.255.255.0 ip host allowed access list

  IP pool local DHCP_Pool 192.168.0.161 - 192.168.0.174

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  Sysopt connection permit VPN

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value

  outside_map 20 ipsec-isakmp crypto map

  card crypto outside_map 20 match address outside_cryptomap_20

  card crypto outside_map 20 peers set 205.x.29.41

  outside_map crypto 20 card value transform-set ESP-DES-SHA

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  client authentication card crypto outside_map LOCAL

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key address 205.x.29.41 netmask 255.255.255.255 No.-xauth-config-mode no.

  ISAKMP nat-traversal 180

  part of pre authentication ISAKMP policy 20

  encryption of ISAKMP policy 20

  ISAKMP policy 20 md5 hash

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  part of pre authentication ISAKMP policy 40

  encryption of ISAKMP policy 40

  ISAKMP policy 40 sha hash

  40 2 ISAKMP policy group

  ISAKMP duration strategy of life 40 86400

  vpngroup address pool DHCP_Pool GHA_Remote

  vpngroup dns 192.168.0.11 server GHA_Remote

  vpngroup wins 192.168.0.11 GHA_Remote-Server

  vpngroup GHA_Remote by default-field x.org

  vpngroup split tunnel Remote_splitTunnelAcl GHA_Remote

  vpngroup idle 1800 GHA_Remote-time

  vpngroup password KEY GHA_Remote

  I guess what I really wonder is if someone can convert the version of site to site of this VPN ASA 8.2 config so I can compare it to what I have. I need to have this, so I can just fall into place and work.

  Also, it does appear that political isakmp 40 are used, correct?

  On your ASA in Setup mode, simply type vpnsetup steps for remote access ipsec or vpnsetup site - not and it lists what it takes or you can download the PIX of the ASA migration tool.

• Routing between two remote sites connected over the VPN site to site

  I have a problem ping between remote sites.  Now the Cryptography and no nat ACL's for different sites just to affect traffic between the remote site and main site. I tried to add roads, adding other subnets to the crypto and no. ACL Nat at the remote sites... nothing worked.  Any ideas?

  Main site:

  192.168.100.0 - call manager / phone VLAN

  192.168.1.0/24 - data VLAN

  Site 1:

  192.168.70.0/24 - phone VLAN

  192.168.4.0/24 - data VLAN

  Site 2:

  192.168.80.0/24 - phone VLAN

  192.168.3.0/24 - data VLAN

  Main router

  Expand the IP ACL5 access list
  10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
  20 ip 192.168.1.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
  30 permits ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
  IP 192.168.100.0 allow 40 0.0.0.255 192.168.70.0 0.0.0.255)
  50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
  Expand the IP ACL6 access list
  10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
  20 ip 192.168.1.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
  30 permits ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
  IP 192.168.100.0 allow 40 0.0.0.255 192.168.80.0 0.0.0.255

  Expand the No. - NAT IP access list
  10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
  20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
  30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
  40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
  320 ip 192.168.1.0 allow 0.0.0.255 any
  IP 192.168.100.0 allow 330 0.0.0.255 any

  Site 1:

  ACL5 extended IP access list

  IP 192.168.70.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255

  IP 192.168.70.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

  IP 192.168.70.0 allow 0.0.0.255 10.255.255.0 0.0.0.255

  No. - NAT extended IP access list

  deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.100.0 0.0.0.255

  deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.1.0 0.0.0.255

  deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

  IP 192.168.70.0 allow 0.0.0.255 any

  ip licensing 192.168.4.0 0.0.0.255 any

  Site 2:

  ACL6 extended IP access list
  IP 192.168.80.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
  ip licensing 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
  IP 192.168.80.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
  ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  IP 192.168.80.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
  No. - NAT extended IP access list
  deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
  deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
  deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
  deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
  IP 192.168.80.0 allow 0.0.0.255 any
  ip licensing 192.168.3.0 0.0.0.255 any

  What should I do for these two sites can ping each other?  I looked through the forums but can't seem to find someone with a similar problem, which has received a definitive answer.

  Thanks in advance!

  Hi, I assume that you need site 1 and 2 to communicate with each other via the main site right? If this is the case, then you need to set add the following lines to your ACL crypto:

  Main router

  Expand the IP ACL5 access list

  IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

  IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

  ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

  ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

  Expand the IP ACL6 access list

  IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

  IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

  Make sure you add these lines before the last permit

  Expand the No. - NAT IP access list

  deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

  deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

  deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

  deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

  deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

  deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

  Site 1:

  ACL5 extended IP access list

  IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

  IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

  ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

  Make sure that these lines are added before the last permit

  No. - NAT extended IP access list

  deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

  deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

  refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

  Site 2:

  ACL6 extended IP access list

  IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

  ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

  IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

  ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

  So make sure that these lines are added before the last permit

  No. - NAT extended IP access list

  deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

  deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

  deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

  deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

  So you're saying good enough your routers with these definitions which will be reached via one main remote sites (sites 1 and 2).

  I would like to know if this is what you need.

• Just send a question to the support site that I can NOT connect on my email account after auto update of 38.3.0, cannot connect to my account to check the issue!

  I just posted a question on the last update automatic 38.3.0 it is possible to log into different e-mail accounts in a profile, only the first e-mail account. My support mozilla account is linked to one of the email accounts that I can NOT connect to. Can't connect to this email account to check the issue. Your last 38.3.0 Thunderbird is useless because it is no longer possible to log in different e-mail accounts in a profile, and your support solution is useless because you need to connect to the e-mail account to check the issue.
  How to proceed?

  You can change your email associated with your media profile.
  I have 38.3.0 and I can access all my email accounts I suggest you try the initial tests:

  Start T-bird with disabled modules.
  If it works on your module is to blame and you need to activate one by one.

  Start your operating system in safe mode with active network.
  If it works probably your antivirus is blocking or delaying. (Or driver).

• Two questions: Running XP and have some interesting questions at the start and with IE.

  Hi, I try to wear the IT hat and works to clear up some questions on my mother's computer.  #1 I guess that the computer was shipped with a version of Corel Photo software on it and we cannot get rid "Installer" messages at the beginning upward.  We tried to remove the program and the same message comes back to tell us that "Installer can do the requested action without the CD/program files" it gets about 6 of these reviews that it must close any until the computer will continue to boot the system.  Please, please tell me how to get rid of this.  I tried to install the 'Installer' update to see if that would make the difference and nope.  I also tried to remove the Corel file via CCleaner and got the same message.  I do not have the program disc, I don't want to program... I want to just get rid of it!

  #2 when entering address in the Internet Explorer address bar, the browser opens a second browser instead of going to the requested site.  For example, when I open my Internet Explorer and say go to the top of the address bar and typewww.google.com, instead of going to Google, it opens a completely separate browser.  When she did this, it's EXTREMELY SLOW!  until you think that IE went unresponsive and then finally opens the second browser.

  I'd appreciate any help!  I'm trying to solve these problems, while I'll be staying here so that I can leave him a computer running.

  Thank you!

  Hello

  ·        What version of Internet explorer that you are using (Internet Explorer 6, 7 or 8)?

  ·        Was long before Internet Explorer work?

  ·        Since when are you facing this problem?

  Step 1:

  It may be some third-party software that runs in the background that is shown with the process, I suggest you do a clean boot and check. To perform a clean boot follow the steps mentioned in the link given below.

  How to configure Windows XP to start in a "clean boot" State

  http://support.Microsoft.com/kb/310353

  Note: Once you have finished installing, follow step 7 to start the computer in normal startup.

  If the steps above don't help you not to remove the Corel Photo software, I suggest you to post your query on the forums of XP. Click on the link below.

  http://social.answers.Microsoft.com/forums/en-us/xpprograms/threads?filter=answered

  For Internet Explorer related issues, follow steps 2 and 3 of the step.

  Step 2:

  I suggest you run the fix it this tin article given to repair Internet explore

  How to reinstall or repair Internet Explorer in Windows Vista and Windows XP

  http://support.Microsoft.com/kb/318378

  Step 3:

  If you use Internet Explorer 7 or 8 I suggest you run the fix it is present in the article below. If you use Internet Explorer 6, you can follow the steps mentioned in the article given below where they apply to Internet Explorer 6 also.

  How to reset Internet Explorer settings

  http://support.Microsoft.com/kb/923737

  Thanks and regards.

  Thahaseena M
  Microsoft Answers Support Engineer.
  Visit our Microsoft answers feedback Forum and let us know what you think.

• How can I vote for an interesting question on the dedicated forum?

  Hello

  I know that Muse is a brand new application, but there are several relevant question - in my opinion - that should be considered first.

  After much navigation (!), I found a forum where you can vote for these interesting questions users have faced.

  Unfortunately, I'm unable to vote for one of theses messages if I am connected.

  Is there something to do to get this "right to vote"?

  I really want to participate in this improvement, just gimme the tools to do!

  Thanks for your response

  We know a few emails as of late in the ideas of the forums section and thus our Admin had turned off their.

  I have re-enabled them so you can vote and add ideas and apologize for the inconvenience.

  -j

• Problem of peripheral access NAS via the VPN Site to Site

  Hi all

  I am facing a strange problem with a client. I use a VPN from Site to Site between two ASA 5505 to connect its network to ours to replikate between a NAS on his side and a NAS on our side. I use the same configuration with other guests and it works fine.

  With this client, while I am able to ping the remote NAS and I have problems using SMB to connect via ssh (it works _sometimes_ but most of the time to access files via eplorer results in a timeout) and join the NAS Web portal (http and https, with https I can see the remote certificate of the SIN but the page does not load). These problems occur on both sides (our network-> NAS, customer network-> our NAS client)

  I can access the NAS even without any problems other customers. ASA newspaper I see no connection blocked or whatever it is when this happens and the tunnel seems to work fine otherwise.

  Any ideas how to refine the problem here?

  Thanks in advance

  Tobias

  It looks like you can run into problems with packets that are too big for your tunnel. Try to limit the size of TCP segment by putting the following on your ASA units:

   sysopt connection tcpmss 1360

  Most VPN tunnels are not going to have an MTU (Maximum Transmission Unit) less than 1400 bytes, so the above should clean things up.

• the WAN connection becomes too slow after you have configured the VPN (Site Site)

  Hello

  I have two branches connected via WAN (MPLS) connection using two 2921 routers.the connection is 2 M.

  I set up a VPN between these two sites, but after the connection has become very slow.

  y at - it something I can do to speed up the speed of connection.

  VPN proposals are:

  Proposals of the phase 1: 3DES, pre-shared,.

  Phase 2 proposals: esp-3des esp-sha-hmac

  I don't think that lower levels of security proposals will add a lot to the speed...

  Hi Marc,

  one thing you should definitely is a hardware encryption go if you do not already tht, it also reduces the load on your cpu

  You can try other things is play with mtu, according to your line mtu and what applications are mainly used. try setting the mtu of at least 60 odd bytes lower than the mtu and also sometimes server line recommended mtu settings like server many have obligation to mtu to 1300 or 1400, if that's not it can cause a lot of re transmissions, you can also try fragmentation before encryption

  http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/VSPA/configuration/guide/ivmvpnb.PDF

• The local PIX ip access to hosts on the VPN site

  I have a vpn connection from site to site with ASA 5510 PIX 515 which works very well. There is no problem for hosts on any side of the tunnel access to a cross. However the IP local (192.168.20.1) on the interface client of my PIX is not allowed access to guests across the tunnel.

  Packet-trace entry client tcp 192.168.20.1 12345 192.168.13.13 80 detailed

  Phase: 3

  Type: ACCESS-LIST

  Subtype:

  Result: DECLINE

  Config:

  Implicit rule

  Additional information:

  Direct flow from returns search rule:

  ID = 0x3ec5bc8, priority = 500, area = allowed, deny = true

  hits = 8, user_data = 0 x 6, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.20.1, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  There must be a setting that I missed. All otherip on 192.168.20.0 don't get the same error with packet - trace. Can someone help me please?

  interface Ethernet0

  nameif outside

  security-level 0

  IP address dhcp setroute

  interface Ethernet1

  customer nameif

  security-level 90

  address 192.168.20.1 255.255.255.0

  interface Ethernet1.21

  VLAN 21

  nameif Server

  security-level 100

  IP 192.168.21.1 255.255.255.0

  the DM_INLINE_NETWORK_1 object-group network

  object-network 192.168.10.0 255.255.255.0

  object-network 192.168.11.0 255.255.255.0

  object-network 192.168.13.0 255.255.255.0

  access-list extended 100 permit customer ip 255.255.255.0 DM_INLINE_NETWORK_1 object-group

  Global 1 interface (outside)

  (Client) NAT 0-list of access 100

  NAT (client) 1 0.0.0.0 0.0.0.0

  NAT (server) 0-access list 100

  NAT (server) 1 0.0.0.0 0.0.0.0

  static (client, server) Server server netmask 255.255.255.0

  static (client, server) client client netmask 255.255.255.0

  client_access_in access to the customer of the interface group

  Route outside 0.0.0.0 0.0.0.0 95.129.13.1 1

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set sveden-aes256 esp-aes-256 esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  correspondence address card crypto myvpnmap 10 100

  card crypto myvpnmap pfs set 10 group5

  peer set card crypto myvpnmap 10 12.218.14.129

  card crypto myvpnmap 10 transform-set sveden-aes256

  life safety association set card crypto myvpnmap 10 28800 seconds

  card crypto myvpnmap 10 set security-association life kilobytes 4608000

  myvpnmap crypto 10 card value reverse-road

  myvpnmap interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  IPSec-attributes tunnel-group DefaultRAGroup

  ISAKMP retry threshold 10 keepalive 2

  tunnel-group 12.218.14.129 type ipsec-l2l

  tunnel-group 12.218.14.129 General-attributes

  IPSec-attributes tunnel-group 12.218.14.129

  pre-shared-key *.

  Cordially Mikael

  Hello

  You plan to connect to the firewall with address 192.168.20.1 for management purposes or why the IP should be able to generate connections to connect VPN L2L?

  By default, the 'packet - trace' will fail if you are using a firewall interface IP address as the source address of the command. This result is always the same. (Although I have not tried the packet - trace with the below mentioned command enabled)

  If you want to access the IP 192.168.20.1 interface via the L2L VPN on the other side, then you will have to configure

  customer management-access

  Here is more information on the above command

  http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/m.html#wp2027985

  -Jouni