IPSEC Idle timeout
Hello
Can someone please tell me what the default timeout on IPSEC tunnels is? My problem is that I have a tunnel created on a 7206 and I need to check what the timeout is in the box settings.
Kind regards
Anuradha.
The timeout period is intended to provide security for a VPN connection. After that time the keys etc. are regenerated, to reduce the impact of their discovery during the active lifetime of any captured material. If PFS (Perfect Forward Secrecy) is used, these concerns are even lower. The SAs are renegotiated somewhat before the timeout period so that there is no downtime. From the Cisco ASA Configuration Guide:
"You can change the global lifetime values used by the security appliance when negotiating new IPsec security associations. You can override these global lifetime values for a particular crypto map.
IPsec security associations use a derived, shared secret key. The key is part of the SA; they time out together, requiring the key to be refreshed. Each SA has two lifetimes: "timed" and "traffic-volume". An SA expires after the respective lifetime is reached and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).
If you change a global lifetime, the security appliance drops the tunnel. It uses the new value when negotiating subsequently established SAs.
When a crypto map does not have configured lifetime values and the security appliance requests a new SA, it inserts the global lifetime values used in the SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as its new lifetime.
The peers negotiate a new SA before the lifetime threshold of the existing one is reached, to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains."
Regards
Farrukh
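To make the lifetime rules in the quoted guide text concrete, here is an added Python model (not Cisco's code and not from this thread): it takes the smaller of the local and proposed lifetimes, derives the early-rekey timer from the 5 to 15 percent window, and reports which of the two lifetimes (time or traffic volume) triggers a rekey first. The default values and the 15 percent fraction come from the text; the 3600-second peer proposal in the usage is a constructed sample.

```python
"""IPsec SA lifetime negotiation and soft rekey, modelled on the ASA guide
text quoted above. Added example, not Cisco's code; sample values are constructed."""
from dataclasses import dataclass

# ASA global defaults quoted in the thread: 28,800 s and 4,608,000 KB.
DEFAULT_LIFETIME = (28800, 4608000)
# The guide says peers start renegotiating when 5-15 % of the lifetime remains;
# 15 % is used here as the earliest point in that window.
EARLY_REKEY_FRACTION = 0.15


@dataclass(frozen=True)
class SaLifetime:
    seconds: int
    kilobytes: int


def negotiate_lifetime(local: SaLifetime, proposed: SaLifetime) -> SaLifetime:
    """Responder rule from the guide: the smaller of the locally configured
    value and the value the peer proposed wins, per lifetime type."""
    return SaLifetime(min(local.seconds, proposed.seconds),
                      min(local.kilobytes, proposed.kilobytes))


def rekey_timer_seconds(lifetime_seconds: int,
                        early_fraction: float = EARLY_REKEY_FRACTION) -> int:
    """Seconds after SA creation at which the phase-2 rekey is started."""
    return int(round(lifetime_seconds * (1.0 - early_fraction)))


def sa_state(lifetime: SaLifetime, elapsed_seconds: int, kilobytes_sent: int,
             early_fraction: float = EARLY_REKEY_FRACTION) -> tuple:
    """Classify an SA as ('active', None), ('rekey', trigger) or ('expired', trigger).

    Both lifetimes are tracked independently; whichever is closer to its limit
    decides, which is why a busy tunnel rekeys long before its 8-hour timer."""
    remaining = {
        "time": (lifetime.seconds - elapsed_seconds) / lifetime.seconds,
        "volume": (lifetime.kilobytes - kilobytes_sent) / lifetime.kilobytes,
    }
    trigger, fraction_left = min(remaining.items(), key=lambda kv: kv[1])
    if fraction_left <= 0:
        return ("expired", trigger)
    if fraction_left <= early_fraction:
        return ("rekey", trigger)
    return ("active", None)


if __name__ == "__main__":
    local = SaLifetime(*DEFAULT_LIFETIME)
    # Constructed sample: a peer proposing a 1-hour / 250,000 KB lifetime.
    negotiated = negotiate_lifetime(local, SaLifetime(3600, 250000))
    print("negotiated:", negotiated)
    print("P2 rekey timer:", rekey_timer_seconds(negotiated.seconds), "seconds")
    print(sa_state(local, elapsed_seconds=1000, kilobytes_sent=4000000))
```

With a 3600-second negotiated lifetime the rekey timer comes out at 3060 seconds, the same value the ASA reports in the "Starting P2 rekey timer" log line further down this page.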
Tags: Cisco Security
Similar Questions
-
Hi all
I am trying to diagnose a problem with IPSEC that I can't understand. I have a tunnel that is constantly dropping the connection; running a debug I see this message as the reason for the tunnel dropping:
Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout, Remote Proxy 10.20.0.0, Local Proxy 10.10.252.0
Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:00m:02s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout
Now, I think that it is basically because there is no interesting traffic (correct me if I'm wrong).
However, I am a bit confused because after reading this document:
It says...
"If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec security associations are applied. SAs remain active until the global timers expire, regardless of peer activity."
It seems that the idle timer would only apply if it is specifically configured; if not, it would just use the global timer, but the global timer should not tear down the connection, just renew the keys.
I am trying to find the reason why the tunnel goes down, but how can it be the SA idle timer if it is not configured?
Any help on that would be great.
Thank you
I guess that it is an ASA. Try something like:
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 1440
for a 24-hour timeout.
-
VPN client idle timeout (command needed)
Hello Experts,
I have the current configuration:
Cisco 3700 router and Cisco VPN client version 4.7
I would like to know which command to set up on the router so that my VPN clients can be inactive for 1 hour or more without being disconnected first.
Thank you very much
Randall
Hi Randall,.
You can use the following command to increase the idle timeout:
crypto dynamic-map 1
 set security-association idle-time <60-86400>
 exit
* Please rate if this helped.
-Kanishka
-
Does the 'IETF-RADIUS-Idle-Timeout' value override 'vpn-session-timeout' of the group policy?
Hello community,
I wish to have a dynamic override of 'vpn-session-timeout' of the group policy (using "ldap attribute-map").
Reading the section "Support for RADIUS authorization attributes" of the ASA guide, it is not clear, but apparently the attribute 'IETF-RADIUS-Session-Timeout' is the Cisco attribute name on the ASA for 'vpn-session-timeout'.
Can anyone confirm?
R, Alex
Yes!
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_ser...
-
I'm hoping to get help with a timeout code. I am creating a short photo book using Adobe Edge Animate, and if someone is on page 3 for more than, let's say, 1 minute without clicking on to the following page I want to return to the cover image. As a test I set the scene to work for 5 seconds and show an alert if nothing was clicked; great! Unfortunately, it was just a test and I wanted to replace the alert with symbols (the cover image) but it didn't work at all. Help would be appreciated!
Code in the stage:
var r;
var timer;
function doIt() {
    r = confirm('Hello');
    if (r == true) {
        setIt();
    } else {
        // screen saver
        alert("bye!");
    }
}
function setIt() {
    timer = setTimeout(doIt, 5000);
}
Code in Stage.Click:
clearTimeout(timer);
setIt();
Hey evanam,
I don't know how you have laid out your project, but this might work; you can try:
var r;
var timer;
function doIt() {
    r = confirm('Hello');
    if (r == true) {
        setIt();
    } else {
        sym.getComposition().getStage().$("cover").show();
    }
}
function setIt() {
    timer = setTimeout(doIt, 60000);
}
Code in Stage.Click:
clearTimeout(timer);
setIt();
What I did is extend the timer to 60 seconds and edit the other part so that if you're in a symbol you can go to the main stage and display the cover element.
Hope this helps (if not, an example of the project would help)
Owen
-
IPSec Tunnel permanent between two ASA
Hello
I configured an IPSec VPN tunnel between two ASA 5505 firewalls. I want to make sure that the IPSec tunnel (that is, the security association) is permanent and does not drop due to an idle state.
What should I do?
Thanks for any help
Yves
Disable IKE keepalive processing, which is enabled by default:
(config)# tunnel-group 10.165.205.222 ipsec-attributes
(config-tunnel-ipsec)# isakmp keepalive disable
Set a maximum time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or username configuration mode:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-idle-timeout none
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-session-timeout none
Thank you
Ajay
-
I get the error message on debugging ipsec-l2l tunnel
Hello
Can someone help me understand the debug message?
I tried to configure an ASA5520 with an ipsec-l2l to an IOS 1721 router.
= Router 1721 =
Cisco 1721 (flash:c1700-k9o3sy7-mz.123-2.XC2.bin)
outside 80.89.47.102
inside 10.100.110.1 255.255.255.0
debug crypto ipsec
debug crypto isakmp
-config-
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 1234567890 address 128.39.189.10
!
!
crypto ipsec transform-set pix-set esp-3des
!
crypto map asa 10 ipsec-isakmp
 set peer 128.39.189.10
 set transform-set pix-set
 match address 101
!
!
interface FastEthernet0
 description Outside-interface
 ip address 80.89.47.102 255.255.255.252
 ip nat outside
 crypto map asa
!
interface Vlan10
 description Inside
 ip address 10.100.110.1 255.255.255.0
 ip nat inside
!
!
ip nat inside source route-map sheep interface FastEthernet0 overload
!
access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
!
access-list 110 deny ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
access-list 110 permit ip 10.100.110.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 110
= ASA config =
Cisco ASA 5520 Version 8.2(1)
outside 128.39.189.10
inside 10.100.4.255 255.255.252.0
debug crypto ipsec
debug crypto isakmp
-config-
!
access-list sheep extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
access-list outside110 extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 11 match address outside110
crypto map outside_map 11 set peer 80.89.47.102
crypto map outside_map 11 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
!
tunnel-group 80.89.47.102 type ipsec-l2l
tunnel-group 80.89.47.102 ipsec-attributes
 pre-shared-key 1234567890
Regards
Tor
You have a transform set defined on the ASA named ESP-3DES-MD5? Your crypto map refers to that but I don't see it listed in the config you have posted. I don't have much experience with routers, but is MD5 the hashing algorithm (and if not, why)?
James
-
Hello
I configured Windows L2TP/IPsec connections on an ASA. Phase 1 and 2 are successful and the tunnel is created, but immediately after that it is deleted. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (cannot use any group which is not the default, a limitation of Windows). Here is my config:
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.1.1
 dns-server value 10.1.1.1
 vpn-idle-timeout 300
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 user-authentication enable
 nem enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
 address-pool asa-admins
 authentication-server-group CSACS
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
And here are some logs:
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xAEA59455) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a KEY_ADD msg for SA: SPI = 0xaea59455
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x9D3B8BDE) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, Pitcher: received KEY_UPDATE, spi 0x9d3b8bde
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-6-302016: Teardown UDP connection 56281479 for outside:193.193.193.193/4204 to identity:outside-interface/1701 duration 0:01:07 bytes 431
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated
What's wrong?
Thanx
Please go ahead and enable the following command:
crypto isakmp nat-traversal
Try again.
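The "Session disconnected" messages quoted in this thread and in the IPSEC idle-timeout thread further up are both ASA syslog ID 113019, which carries the reason, the session duration and the byte counts in each direction. The following added Python (not Cisco's code and not from either thread) parses such lines so the reasons can be counted and idle timeouts on sessions that never received a byte can be singled out; the sample lines are constructed in the 113019 format, with byte counts and reasons mirroring the ones posted.

```python
"""Parse ASA %ASA-4-113019 'Session disconnected' syslog lines.
Added example, not Cisco's code; the sample log is constructed."""
import re
from collections import Counter

# Constructed sample in the 113019 format; the byte counts and reasons mirror
# the two threads on this page (a LAN-to-LAN idle timeout and an L2TP teardown).
SAMPLE_LOG = """\
Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated
Feb 17 2010 14:31:44 vpnasa1 : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:00m:02s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout
Feb 17 2010 15:02:01 vpnasa1 : %ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 8h:00m:00s, Bytes xmt: 91233, Bytes rcv: 88102, Reason: Idle Timeout
"""

DISCONNECT_RE = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]*), Username = (?P<username>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. Session Type: (?P<session_type>[^,]*), "
    r"Duration: (?P<duration>[^,]*), Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), "
    r"Reason: (?P<reason>.+?)\s*$")
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def parse_duration(text: str) -> int:
    """'1h:00m:02s' -> 3602 seconds; raises ValueError on any other shape."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_disconnect(line: str):
    """Return a dict for a 113019 line, or None for any other message."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["xmt"] = int(rec["xmt"])
    rec["rcv"] = int(rec["rcv"])
    rec["duration_seconds"] = parse_duration(rec["duration"])
    return rec


def summarize(log_text: str) -> dict:
    """Count disconnect reasons and flag idle timeouts with no bytes received.

    An 'Idle Timeout' on a session that only ever transmitted (rcv == 0) is the
    pattern from the idle-timeout thread: nothing came back through the SA, so
    the peer side's interesting traffic and crypto ACL are the first things to check."""
    records = [r for r in map(parse_disconnect, log_text.splitlines()) if r]
    reasons = Counter(r["reason"] for r in records)
    one_way_idle = [r["ip"] for r in records
                    if r["reason"] == "Idle Timeout" and r["rcv"] == 0 and r["xmt"] > 0]
    return {"records": records, "reasons": reasons, "one_way_idle": one_way_idle}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for reason, count in result["reasons"].items():
        print(f"{count:3d}  {reason}")
    print("idle timeouts with nothing received:", result["one_way_idle"])
```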
-
Unlimited timeout, but the idle timeout is 30 minutes per session
Hi all
I connect with the AnyConnect client to an ASA5510 (8.2.1(11)).
In the group policy I set idle timeout = unlimited, but if I check the session in ASDM and on the command line
I find idle timeout = 30 minutes.
If I set idle timeout = 60 in the policy, in the session I see Idle timeout = 60 min.
Is it only a problem in the display of the session?
Setting 'vpn-idle-timeout none' in the group policy is a misunderstood command. When it is set in the group policy, it does not disable the idle timeout. In the past I filed a bug in order to clarify what this setting does (see CSCsm15079) to clear up the misunderstanding. In more recent versions of the code with the bug fix, the context-sensitive help for the command now correctly explains:
ASA(config-group-policy)# vpn-idle-timeout ?
group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: disable timeout and allow an unlimited idle period;
                SSL VPN: use the default-idle-timeout value
When set to none, and you are using SSL VPN, this means that it will inherit the default-idle-timeout defined under the webvpn config. The default value for this command is 30 minutes, so that's probably why ASDM displays 30 minutes. If you want to adjust this value, it can be changed with:
conf t
 webvpn
  default-idle-timeout
If you want an 'unlimited' idle time, you must set the vpn-idle-timeout in the group policy to a specific number instead of "none"; the maximum that you can set with the vpn-idle-timeout command is 35791394 minutes (something like ~24000 days, or essentially unlimited).
Please rate this post and mark it as resolved if it addressed the issue.
-
IPSEC RA - enable hairpinning but restrict access to the web
ASA5520 8.2 (5) 30
Greetings,
I have an IPSEC RA policy that is set up to tunnel all traffic (no split tunnel) through the ASA (which terminates on the external interface). I need to be able to allow VPN users to access a web page (hairpinned) on that same external interface.
++++++++++++++++++++++++++++++
Here are the current settings:
group-policy L_Admins internal
group-policy L_Admins attributes
 wins-server value 172.16.0.33 172.16.0.9
 dns-server value 172.16.0.33 172.16.0.9
 vpn-idle-timeout 60
 vpn-session-timeout 480
 vpn-filter value l-admin-test-filter
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.4
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.2
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 10.24.0.0 255.252.0.0
access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.0.233
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value IHI.local
tunnel-group L_Admins type remote-access
tunnel-group L_Admins general-attributes
 address-pool ili_global
 authentication-server-group PhoneFactor
 default-group-policy L_Admins
tunnel-group L_Admins ipsec-attributes
 pre-shared-key *
++++++++++++++++++++++
Hairpinning is not currently enabled, so I guess I have to add:
same-security-traffic permit inter-interface
and (I guess)
ip local pool l_admins 172.30.4.1-172.30.4.2 mask 255.255.255.252
global (outside) 1 interface
nat (outside) 1 172.30.4.1-172.30.4.2 mask 255.255.255.252
But from there I don't know how to restrict access to a single external IP on the web on port 80.
Hello
The correct command to permit traffic to enter and leave on the same interface is
same-security-traffic permit intra-interface
The command you posted allows traffic between 2 different interfaces that have the same 'security-level' value
same-security-traffic permit inter-interface
What about dynamic PAT for Internet traffic?
If you already have
global (outside) 1 interface
then you will need the "nat" command for the VPN pool
nat (outside) 1 172.30.4.0 255.255.255.252
As for controlling Internet traffic, shouldn't you be able to simply add this destination IP address to the VPN filter ACL you have already used? I mean the ACL named "l-admin-test-filter".
For example
access-list l-admin-test-filter remark Allow connection to the external server
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 80
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 443
access-list l-admin-test-filter permit tcp 172.30.4.0 255.255.255.252 host eq 8080
-Jouni
-
Client IPSec VPN in ASA9.02
Hi all
I have a problem with client VPN configuration on my ASA 5512 running ASA 9.02. I tried several configurations but it still does not work, not even using the VPN Wizard in ASDM.
Please let us know if I missed something.
There is no response when I try to connect using VPN Client 5.0.07.0410.
ASA VERSION
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)102
###############################################################################################################
Config 1
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
!
crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
!
###############################################################################################################
Config 2
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
access-list sheep remark ACL for Nat avoidance
access-list sheep extended permit ip 10.10.100.0 255.255.255.192 192.168.200.0 255.255.255.0
!
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.100.0 255.255.255.192
!
!
nat (inside) 0 access-list sheep
!
!
group-policy IPSec_map internal
group-policy IPSec_map attributes
 vpn-idle-timeout 120
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set high esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set high
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group GETUVPN type ipsec-ra
tunnel-group GETUVPN general-attributes
 address-pool vpnpool
 default-group-policy IPSec_map
!
!
tunnel-group GETUVPN ipsec-attributes
 pre-shared-key Cisco123
!
###############################################################################################################
Config 3
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
!
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN-pool
!
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto dynamic-map dyn1 1 set reverse-route
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map interface outside
!
Hello
Try the first config with a minor change (marked in red)
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
!
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
Also add a NAT0 configuration in the new NAT format:
object network LAN
 subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Hope this helps
-Jouni
-
ASA IPSEC site-to-site with NAT problem
Hello
I have what I thought was a simple configuration, but I am seeing issues and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I was asked to NAT all communications between these sites to 10.57.4.0/24 and to statically NAT a single host, 192.168.0.112, to 10.57.4.50.
The tunnel is up, and I can ping through the link to the host 192.168.4.20 at the far end; no problems. But I'm having a problem with an application where communications won't be established. I suspect it's the reverse NAT, but I have gone through the configuration several times. All connections to the NAT address 10.57.4.50 should be given to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NATed to 10.57.4.50 to traverse the tunnel.
The system at site B can also ping 10.57.4.50.
Here's the running configuration:
ASA Version 8.3(2)
!
hostname fw1
domain-name
enable password ***** encrypted
passwd ***** encrypted
names
!
interface Vlan1
 description Town internal network
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 description Public Internet
 nameif outside
 security-level 0
 ip address 173.166.117.186 255.255.255.248
!
interface Vlan3
 description DMZ (CaTV)
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan5
 description PD Network
 nameif PDNet
 security-level 95
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan10
 description Infrastructure Network
 nameif InfraNet
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
 description Wireless Guest
 nameif Wireless-Guest
 security-level 25
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
 nameif StateNet
 security-level 75
 ip address 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,5,10,13
 switchport trunk native vlan 1
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport trunk allowed vlan 1,10,13
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/5
 switchport access vlan 23
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport trunk allowed vlan 1
 switchport trunk native vlan 1
 switchport mode trunk
 shutdown
!
banner exec Restricted Access
banner login Restricted Access
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
 service tcp destination eq 993
 description IMAP over SSL
object service POPoverSSL
 service tcp destination eq 995
 description POP3 over SSL
object service SMTPwTLS
 service tcp destination eq 465
 description SMTP with TLS
object network obj-192.168.9.20
 host 192.168.9.20
object network obj-claggett-https
 host 192.168.9.20
object network obj-claggett-imap4
 host 192.168.9.20
object network obj-claggett-pop3
 host 192.168.9.20
object network obj-claggett-smtp
 host 192.168.9.20
object network obj-claggett-imapoverssl
 host 192.168.9.20
object network obj-claggett-popoverssl
 host 192.168.9.20
object network obj-claggett-smtpwTLS
 host 192.168.9.20
object network obj-192.168.9.120
 host 192.168.9.120
object network obj-192.168.9.119
 host 192.168.9.119
object network obj-192.168.9.121
 host 192.168.9.121
object network obj-wirelessnet
 subnet 192.168.1.0 255.255.255.0
object network Clients_sans_fil
 subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
 subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
 host 74.94.142.229
object network FD_Net
 subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
 subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NHDOS_Firewall
 host 72.95.124.69
object network NHDOS_SpotsHub
 host 192.168.4.20
object network IMCMOBILE
 host 192.168.0.112
object network NHDOS_Net
 subnet 192.168.4.0 255.255.255.0
object network NHSPOTS_Net
 subnet 10.57.4.0 255.255.255.0
object network IMCMobile_NAT_IP
 host 10.57.4.50
object-group service EmailServices
 description Exchange / Normal e-mail services
 service-object object IMAPoverSSL
 service-object object POPoverSSL
 service-object object SMTPwTLS
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
 service-object object IMAPoverSSL
 service-object object POPoverSSL
 service-object object SMTPwTLS
 service-object tcp destination eq pop3
 service-object tcp destination eq https
 service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
 service-object object IMAPoverSSL
 service-object object POPoverSSL
 service-object object SMTPwTLS
 service-object tcp destination eq https
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group network obj_clerkpc
 description Clerk PCs
 network-object object obj-192.168.9.119
 network-object object obj-192.168.9.120
 network-object object obj-192.168.9.121
object-group network TownHall_Nets
 network-object 192.168.10.0 255.255.255.0
 network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.9.0 255.255.255.0
object-group network DOS_Networks
 network-object 10.56.0.0 255.255.0.0
 network-object object NHDOS_Net
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
logging enable
logging list Test1 level debugging class vpn
logging asdm debugging
logging mail errors
logging from-address
logging recipient-address level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
!
object network obj_any
 nat (inside,outside) static interface
object network obj-claggett-https
 nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
 nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
 nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
 nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
 nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
 nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
 nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
 nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
 nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
 nat (any,outside) static interface
object network obj_InfraNet
 nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
access-group PDNet_access_in in interface PDNet
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd outside auto_config
!
dhcpd address dmz 192.168.2.100 - 192.168.2.254
dhcpd dns 8.8.8.8 8.8.4.4 dmz interface
dhcpd enable dmz
!
dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments
dhcpd enable Wireless-comments
!
a basic threat threat detection
a statistical threat detection host number rate 2
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 63.240.161.99 prefer external source
NTP server 207.171.30.106 prefer external source
NTP server 70.86.250.6 prefer external source
WebVPN
attributes of Group Policy DfltGrpPolicy
internal FDIPSECTunnel group strategy
attributes of Group Policy FDIPSECTunnel
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
support for username
password encrypted privilege 15 tunnel-group 72.x.x.x type ipsec-l2l
72.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x General-attributes
Group Policy - by default-FDIPSECTunnel
173.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
192.168.9.20 SMTP server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
If you do not have access to the remote site, get in touch with them and compare the configurations on both sides. You will need to make sure that they see 192.168.0.112 as 10.57.4.50 and that their server responds to that, and NOT to 192.168.0.112.
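The points raised in this thread (SA lifetimes, PFS, the cipher and hash choices in the transform sets and ISAKMP policies, and which addresses may reach the management plane) can be checked mechanically on a pasted configuration instead of by eye. The script below is an added example, not code from this thread or from Cisco. It runs over a constructed excerpt modelled on the configuration above (peer addresses replaced with documentation ranges), recognises ISAKMP sub-commands by keyword so it still works when the pasted text has lost its indentation, and the thresholds for "weak" (DES/3DES, MD5, DH groups 1, 2 and 5) are an assumption of the example, not anything the ASA enforces.

```python
"""Audit IKEv1/IPsec and management settings in a pasted ASA configuration.

Added example for this thread; the weak-algorithm thresholds below are an
assumption of the example, not something the ASA enforces.
"""
from dataclasses import dataclass

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
ISAKMP_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}
MGMT_COMMANDS = {"ssh", "http", "telnet"}


@dataclass(frozen=True)
class Finding:
    kind: str     # machine-readable tag, e.g. "weak-cipher"
    subject: str  # transform-set, crypto map entry, policy, or the raw line
    detail: str


def parse_isakmp_policies(lines):
    """Collect 'crypto isakmp policy N' blocks into {N: {attr: value}}.
    Sub-commands are recognised by keyword, not indentation, so pasted text
    that lost its leading spaces still parses."""
    policies, current = {}, None
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"] and len(tok) == 4:
            current = policies.setdefault(tok[3], {})
        elif current is not None and tok[0] in ISAKMP_ATTRS and len(tok) == 2:
            current[tok[0]] = tok[1]
        else:
            current = None  # any other top-level command ends the block
    return policies


def audit(config_text):
    """Return a list of Finding objects for the given running-config text."""
    lines = config_text.splitlines()
    findings = []
    transform_sets = {}  # name -> list of transforms
    map_entries = {}     # (map name, seq) -> {"transform_sets": [...], "pfs": bool}

    for line in lines:
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 4:
            transform_sets[tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4 and tok[3].isdigit():
            entry = map_entries.setdefault((tok[2], tok[3]),
                                           {"transform_sets": [], "pfs": False})
            if tok[4:6] == ["set", "transform-set"]:
                entry["transform_sets"].extend(tok[6:])
            elif tok[4:6] == ["set", "pfs"]:
                entry["pfs"] = True
        elif (len(tok) == 4 and tok[0] in MGMT_COMMANDS
              and tok[1] == "0.0.0.0" and tok[2] == "0.0.0.0"):
            findings.append(Finding("mgmt-any-source", line.strip(),
                                    f"{tok[0]} management open to any source on {tok[3]}"))

    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in WEAK_CIPHERS:
                findings.append(Finding("weak-cipher", name, t))
            elif t in WEAK_HASHES:
                findings.append(Finding("weak-integrity", name, t))

    for (cmap, seq), entry in map_entries.items():
        subject = f"crypto map {cmap} {seq}"
        if not entry["pfs"]:
            findings.append(Finding("no-pfs", subject,
                                    "phase 2 keys are derived from the IKE SA only"))
        for name in entry["transform_sets"]:
            if any(t in WEAK_CIPHERS | WEAK_HASHES for t in transform_sets.get(name, [])):
                findings.append(Finding("weak-transform-in-use", subject, name))

    for prio, attrs in parse_isakmp_policies(lines).items():
        subject = f"isakmp policy {prio}"
        if attrs.get("encryption") in WEAK_CIPHERS:
            findings.append(Finding("weak-cipher", subject, attrs["encryption"]))
        if attrs.get("hash") in WEAK_HASHES:
            findings.append(Finding("weak-integrity", subject, attrs["hash"]))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(Finding("weak-dh-group", subject, "group " + attrs["group"]))
    return findings


# Constructed excerpt modelled on the configuration in this thread (not the
# original post; peer addresses are documentation values).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set pfs
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.9.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.kind:24} {f.subject:32} {f.detail}")
```

Paste a real `show running-config` into `audit()` to get the same report for your own box; the lifetime lines are parsed but not flagged, since the values in this thread (28800 seconds, 4608000 KB) are the platform defaults.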
-
Cisco VPN IPSec client LAN connectivity
I've looked through other discussions and was not able to find a clear answer on this, so I apologize if this is a duplicate question.
I have the Cisco VPN client set up on an ASA 5505 with split tunneling. I can connect to the VPN fine. I can access the Internet fine. I can't reach the LAN, however. I try to ping, telnet, RDP, etc. to devices on the LAN side of the firewall without any luck. I have torn down and reconfigured the VPN several times via the CLI and I have even used various configurations from the wizard, all without any luck. Any help would be appreciated.
ASA Version 8.2(2)
!
hostname spp-provo-001-fwl-001
domain-name servpro.local
enable password F7n9M1BQr1HPy/zu encrypted
passwd F7n9M1BQr1HPy/zu encrypted
no names
name 10.0.0.11 Exch-Srv
name 10.0.0.12 DRAC
name 10.0.0.10 DVR
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ServPro
 ip address pppoe setroute
!
interface Vlan12
 nameif Guest_Wireless
 security-level 90
 ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
banner exec * Authorized access only *
banner exec * This system is the property of ServPro. Disconnect IMMEDIATELY if you are not an authorized user. *
banner login * Authorized access only *
banner login * This system is the property of ServPro. Disconnect IMMEDIATELY if you are not an authorized user. *
banner asdm * Authorized access only *
banner asdm * This system is the property of ServPro. Disconnect IMMEDIATELY if you are not an authorized user. *
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone STD -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.11
 name-server 8.8.8.8
 domain-name servpro.local
object-group service DRACServices tcp
 port-object eq 5900
 port-object eq https
 port-object eq 5901
object-group service Exch-SrvServices tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
object-group service SBS1Services tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host *.*.*.* object-group Exch-SrvServices
access-list outside_access_in extended permit icmp any *.*.*.* 255.255.255.248
access-list capture extended permit icmp any any
access-list Servpro_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list guest_wireless_in extended permit tcp any any
access-list guest_wireless_in extended permit ip any any
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest_Wireless 1500
ip local pool ServProDHCPVPN 172.16.10.1-172.16.10.14 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest_Wireless) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 10.0.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group guest_wireless_in in interface Guest_Wireless
route outside 0.0.0.0 0.0.0.0 *.*.*.* 2 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Exch-Srv protocol nt
aaa-server Exch-Srv (inside) host 10.0.0.11
 timeout 5
 nt-auth-domain-controller EXCH-SRV
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http server idle-timeout 10
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect outside 80
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 124
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 124 life forever start-time now
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=cisco.spprovo.com
 keypair ServPro
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate f642be4b
  <self-signed certificate hex dump; not preserved intact in the post>
 quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 2 rtr 124 reachability
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
console timeout 10
vpdn group ServPro request dialout pppoe
vpdn group ServPro localname *
vpdn group ServPro ppp authentication pap
vpdn username * password * store-local
dhcpd auto_config outside
!
dhcpd address 10.10.0.100-10.10.0.227 Guest_Wireless
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest_Wireless
dhcpd enable Guest_Wireless
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 38.117.195.101 source outside
ntp server 72.18.205.157 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Servpro internal
group-policy Servpro attributes
 dns-server value 10.0.0.11
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Servpro_splitTunnelAcl
 default-domain value SERVPRO.local
username servpro password NtdaWcySmet6H6T0 encrypted privilege 15
username servpro attributes
 service-type admin
username Integratechs password bHGJDrPmHaAZY/78 encrypted
tunnel-group Servpro type remote-access
tunnel-group Servpro general-attributes
 address-pool ServProDHCPVPN
 authentication-server-group Exch-Srv LOCAL
 default-group-policy Servpro
tunnel-group Servpro webvpn-attributes
 group-alias ServPro enable
tunnel-group Servpro ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:52bca254012b1b05cca7dfaa30d1c42a
: end
Most likely you are behind a PAT router when you connect to the VPN, so please enable the following:
crypto isakmp nat-traversal 30
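Why a PAT router in the path matters, and what `crypto isakmp nat-traversal` changes: ESP (IP protocol 50) carries no port numbers, so a PAT device has nothing to build a translation on, and the IKE peers first have to discover that a NAT sits between them at all. The script below walks through that discovery, the NAT-D exchange of RFC 3947 section 4 that nat-traversal enables. It is an added example, not code from this thread or from Cisco; the client and ASA addresses, the PAT router's rewrite and the ISAKMP cookies are constructed, the client/ASA roles are assumed from the question, and SHA-1 is used because the policy above negotiates `hash sha`.

```python
"""IKEv1 NAT-Discovery (RFC 3947, section 4), the mechanism that
'crypto isakmp nat-traversal' turns on. Added example; every address,
port and cookie below is constructed for the demonstration."""
import hashlib
import ipaddress


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in phase 1 ('hash sha' above, i.e. SHA-1);
    the IP is the raw 4- or 16-byte address and the port is 2 bytes big-endian.
    """
    data = (cky_i + cky_r + ipaddress.ip_address(ip).packed
            + port.to_bytes(2, "big"))
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """Sender side. The first NAT-D payload hashes the address the packet is
    sent TO; the following one(s) hash the sender's own view of its address."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, observed_src, my_addr):
    """Receiver side. Recompute both hashes from what was actually seen on the
    wire. If the observed source matches none of the sender's own hashes, the
    sender sits behind a NAT; if the first hash is not my own address, I do."""
    peer_hashes = payloads[1:]
    return {
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, *observed_src) not in peer_hashes,
        "me_behind_nat": nat_d_hash(cky_i, cky_r, *my_addr) != payloads[0],
    }


# Constructed scenario: a VPN client at 10.0.0.50:500 talks to an ASA at
# 203.0.113.10:500, optionally through a PAT router that rewrites the source
# to 198.51.100.7:61000. Cookies are fixed so the run is reproducible.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
CLIENT = ("10.0.0.50", 500)
ASA = ("203.0.113.10", 500)
PAT_VIEW = ("198.51.100.7", 61000)


def simulate(client_behind_pat):
    """Run the client -> ASA NAT-D exchange and return the ASA's verdict."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=CLIENT, remote=ASA)
    observed = PAT_VIEW if client_behind_pat else CLIENT
    return detect_nat(CKY_I, CKY_R, payloads, observed_src=observed, my_addr=ASA)


if __name__ == "__main__":
    print("direct :", simulate(False))
    print("via PAT:", simulate(True))
```

Once either side reports a NAT, both peers move IKE and ESP to UDP port 4500 (ESP wrapped in UDP, so the PAT router can map it); the `30` in the suggested command is the NAT keepalive interval in seconds that keeps that PAT entry alive while the tunnel is idle (the ASA default is 20).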
-
Keeping IPsec Security Associations up
Hello community,
Customer has about 50 remote 871s (home offices) with IP phones.
Main site has an ASA 5510 hosting the CUCM.
Problem is...
When user1 calls user2 there is no audio (since there is no IPsec security association built between the remote users).
The call from user1 to user2 built an IPsec SA between ROUTER1 and the ASA, but since there is no IPsec security association for the users' traffic between ROUTER2 and the ASA, audio fails.
If User2 calls user1 now, then the call is successful, because the SAs are built:
IPsec security association between ROUTER1 and ASA for the traffic of user1 and user2
IPsec security association between ROUTER2 and ASA for the user1 user2 traffic
So the problem is that both sides must initiate traffic to make this work.
What I did to solve the problem is configure IP SLA on the routers to send a PING packet every 10 minutes to their home peers (thus keeping the SAs between remote sites up all the time).
IP SLA works, but I'm looking for a better way to solve the problem of having to manually initiate the traffic (DMVPN or running a routing protocol does not work with the ASA through the tunnel).
I guess increasing the IPsec Security Association lifetime is another option.
Looking to get recommendations, thanks!
Federico.
Hi Federico,
Have you considered EzVPN/Easy VPN, with the ASA configured as the EzVPN server and the routers/ASA 5505s as EzVPN clients? This would bring the tunnel up as soon as it is configured.
In addition, apart from increasing the SA lifetime (which basically sets when phase 2 rekeys), you can configure vpn-idle-timeout to 'none' in the group-policy on the ASA.
Any thoughts?
Kind regards
Praveen
-
LAN-to-LAN IPsec VPN with overlapping networks problem
I am trying to connect two overlapping networks via IPsec. I have already googled and read
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Details:
Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the inside networks 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.
Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (mainly 10.100.x.0/24). I did not implement this ASA; we took over this infrastructure without any documentation whatsoever.
According to the above link I should use double NAT. Site_B will see the Site_A networks as 10.26.0.0/22, and Site_A will see the Site_B networks as 10.25.0.0/24. Site_A is allowed access only to 10.100.1.0/24 in Site_B, and Site_B is allowed access to all of the Site_A networks 10.100.x.0/24, hence the /22 mask in 10.26.0.0/22. I would like, for example, to ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host on Cisco routers: I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link above everything is OK until the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
 TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255
Those are port redirects on Site_A used for mail, webmail, etc. What should I do to keep the redirects from the Internet to the companyname VLAN and at the same time have a working L2L IPsec tunnel linking the overlapping networks?
Thank you in advance for any help or advice.
The ASA config snippet is below:
!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description fake NAT network to avoid an overlap of intellectual property
name 10.26.0.0 description of siteA-fake-network NAT fake network to avoid an overlap of intellectual property
!
interface Ethernet0/0
Shutdown
nameif inside
security-level 100
IP 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
IP address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
No nameif
no level of security
no ip address
!
interface Ethernet0/2.10
VLAN 10
nameif companyname
security-level 100
IP 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
VLAN 20
nameif wifi
security-level 100
the IP 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
VLAN 30
nameif dmz
security-level 50
IP 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 10.100.100.1 255.255.255.0
management only
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
Group of objects in the inside network
object-network 10.100.0.0 255.255.255.0
object-network 10.100.1.0 255.255.255.0
object-network 10.100.2.0 255.255.255.0
DM_INLINE_TCP_1 tcp service object-group
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
DM_INLINE_TCP_5 tcp service object-group
port-object eq ftp
port-object eq ftp - data
port-object eq www
EQ object of the https port
object-group service DM_INLINE_SERVICE_1
the eq field tcp service object
the eq field udp service object
DM_INLINE_TCP_6 tcp service object-group
port-object eq 2221
port-object eq 2222
port-object eq 2223
port-object eq 2224
port-object eq 2846
the DM_INLINE_NETWORK_1 object-group network
object-network 10.100.0.0 255.255.255.0
object-network 10.100.2.0 255.255.255.0
standard access list securevpn_splitTunnelAcl allow 10.100.0.0 255.255.255.0
outside_access_in list extended access permit tcp any host x.x.x.178 eq 50000
outside_access_in list extended access permit tcp any host x.x.x.178 eq smtp
outside_access_in list extended access permit tcp any host x.x.x.178 eq https
outside_access_in list extended access permit tcp any host x.x.x.179 DM_INLINE_TCP_1 object-group
outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp
outside_access_in list extended access permit tcp any host x.x.x.181 eq ftp - data
outside_access_in list extended access permit tcp host 205.158.110.63 eq x.x.x.180 idle ssh
access extensive list ip 10.100.0.0 inside_access_in allow 255.255.255.0 10.100.1.0 255.255.255.0
inside_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0
inside_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248
inside_access_in list extended access permit tcp host 10.100.0.6 any eq smtp
inside_access_in list extended access permitted tcp object-group network inside any eq www
inside_access_in list extended access permitted tcp object-group network inside any https eq
inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data
inside_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq
inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999
inside_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389
inside_access_in list extended access allowed object-group network inside udp any eq field
companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.1.0 255.255.255.0
companyname_access_in list extended access allowed ip-group of objects to the inside network 10.100.99.0 255.255.255.0
companyname_access_in list extended access allowed ip-group of objects to the inside network 10.0.30.0 255.255.255.248
companyname_access_in list extended access permit tcp host 10.100.0.6 any eq smtp
companyname_access_in list extended access permitted tcp object-group network inside any eq www
companyname_access_in list extended access permitted tcp object-group network inside any https eq
companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any eq ftp - data
companyname_access_in list extended access permitted tcp-group of objects to the inside-network WG 1023 any ftp eq
companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 9999
companyname_access_in list extended access allowed object-group objects TCPUDP-group to the network inside any eq 3389
companyname_access_in list extended access allowed object-group network inside udp any eq field
wifi_access_in list extended access permitted tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001
access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0
access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.0.0 255.255.255.240
access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248
access extensive list ip 10.100.0.0 companyname_nat0_outbound allow 255.255.255.0 10.100.2.0 255.255.255.0
access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.0.30.0 255.255.255.248
access extensive list ip 10.100.1.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0
access extensive list ip 10.100.2.0 companyname_nat0_outbound allow 255.255.255.0 10.100.99.0 255.255.255.0
wifi_nat0_outbound to access ip 10.0.0.0 scope list allow 255.255.255.240 10.100.0.0 255.255.255.0
dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 any DM_INLINE_TCP_5 object-group
dmz_access_in list extended access permitted tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6
dmz_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1
dmz_access_in list extended access deny ip 10.0.30.0 255.255.255.248 all
access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.0.0 255.255.255.0
access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.99.0 255.255.255.0
access extensive list ip 10.0.30.0 dmz_nat0_outbound allow 255.255.255.248 10.100.2.0 255.255.255.0
outside_1_cryptomap to access extended list ip 10.26.0.0 allow 255.255.252.0 10.25.0.0 255.255.255.0
access extensive list ip 10.100.0.0 fake_nat_outbound allow 255.255.252.0 10.25.0.0 255.255.255.0
IP local pool clientVPNpool 10.100.99.101 - 10.100.99.199 mask 255.255.255.0
IP verify reverse path inside interface
IP verify reverse path to the outside interface
IP audit name IPS attack action alarm down reset
IP audit name IPS - inf info action alarm
interface verification IP outside of the IPS - inf
verification of IP outside the SPI interface
NAT-control
Global (inside) 91 10.100.0.2
Global (inside) 92 10.100.0.4
Global (inside) 90 10.100.0.3 netmask 255.255.255.0
Global interface 10 (external)
Global x.x.x.179 91 (outside)
Global x.x.x.181 92 (outside)
Global (outside) 90 x.x.x.180 netmask 255.0.0.0
interface of global (companyname) 10
Global interface (dmz) 20
NAT (outside) 10 10.100.99.0 255.255.255.0
NAT (companyname) 0-list of access companyname_nat0_outbound
NAT (companyname) 10 10.100.0.0 255.255.255.0
NAT (companyname) 10 10.100.1.0 255.255.255.0
NAT (companyname) 10 10.100.2.0 255.255.255.0
wifi_nat0_outbound (wifi) NAT 0 access list
NAT (dmz) 0-list of access dmz_nat0_outbound
NAT (dmz) 10 10.0.30.0 255.255.255.248
static (companyname, outside) tcp https 10.100.0.6 https interface subnet 255.255.255.255 mask
static (companyname, outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255
static (companyname, outside) interface 50000 10.100.0.128 TCP 3389 netmask 255.255.255.255
static (companyname, external) x.x.x.181 2001 10.100.0.26 TCP 3389 netmask 255.255.255.255
static (companyname, external) x.x.x.181 2002 10.100.0.27 TCP 3389 netmask 255.255.255.255
static (companyname, outside) interface 2003 10.100.0.28 TCP 3389 netmask 255.255.255.255
static (dmz, outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255
static (companyname, companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
static (companyname, companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group companyname_access_in in interface companyname
Access-group wifi_access_in in wifi interface
Access-group dmz_access_in in dmz interface
Route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
Companyname route 10.0.1.0 255.255.255.0 10.100.0.1 1
Companyname route 10.100.1.0 255.255.255.0 10.100.0.1 1
Companyname route 10.100.2.0 255.255.255.0 10.100.0.1 1
dynamic-access-policy-registration DfltAccessPolicy
!
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the transform-set ESP - 3DES - SHA TRANS_ESP_3DES_MD5 value
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
PFS set 40 crypto dynamic-map outside_dyn_map
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.100.0.3
 dns-server value 10.100.0.3
 default-domain value nom_societe.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 10.100.0.3
 vpn-tunnel-protocol l2tp-ipsec
group-policy securevpn internal
group-policy securevpn attributes
 wins-server value 10.100.0.3 10.100.0.2
 dns-server value 10.100.0.3 10.100.0.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 default-domain value nom_societe.com
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group securevpn type remote-access
tunnel-group securevpn general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy securevpn
tunnel-group securevpn ipsec-attributes
 pre-shared-key *
tunnel-group securevpn ppp-attributes
 authentication ms-chap-v2
tunnel-group a.b.c.1 type ipsec-l2l
tunnel-group a.b.c.1 ipsec-attributes
 pre-shared-key *
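Since the question in this thread is how to check which lifetime the box is really running, here is an added example (my own Python, not Cisco tooling and not code from this thread) that reads an ASA running-config excerpt like the one posted above and reports, for every crypto map entry, the SA lifetime it will propose: a per-entry `set security-association lifetime` wins over a global `crypto ipsec security-association lifetime` override, which wins over the factory defaults of 28800 seconds and 4608000 kilobytes seen in the posted config. It also lists each group-policy's `vpn-idle-timeout`. The embedded config is a constructed excerpt modelled on the posted one; the peer placeholder `a.b.c.1` and the map names are taken from the post.

```python
"""Audit IPsec SA lifetimes and VPN idle timeouts in a Cisco ASA config excerpt.

Added example for this thread, not Cisco's own tooling.  It reads `show run`
style text and reports, per crypto map entry, the SA lifetime the ASA will
propose (entry value > global override > factory default) and the
vpn-idle-timeout of every group-policy that sets one.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Factory defaults used when neither a global override nor a per-entry lifetime
# is configured (the same values visible in the posted configuration).
DEFAULT_LIFETIME_SECONDS = 28800
DEFAULT_LIFETIME_KILOBYTES = 4608000

RE_GLOBAL = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
RE_ENTRY = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) (.+)$")
RE_LIFETIME = re.compile(r"^set security-association lifetime (seconds|kilobytes) (\d+)$")
RE_PEER = re.compile(r"^set peer (\S+)$")
RE_DYNREF = re.compile(r"^ipsec-isakmp dynamic (\S+)$")
RE_GP = re.compile(r"^group-policy (\S+) attributes$")
RE_IDLE = re.compile(r"^vpn-idle-timeout (\d+|none)$")


@dataclass
class Entry:
    kind: str                          # "map" (static) or "dynamic-map"
    name: str
    seq: int
    seconds: Optional[int] = None      # explicit per-entry lifetime, if any
    kilobytes: Optional[int] = None
    peer: Optional[str] = None
    dynamic_ref: Optional[str] = None  # static entry that hands off to a dynamic map


def parse(config: str) -> Tuple[Dict[str, Entry], Dict[str, Optional[int]], Dict[str, Optional[int]]]:
    """One pass over the config: crypto map entries, global lifetime overrides and
    per-group-policy idle timeouts (None means 'vpn-idle-timeout none')."""
    entries: Dict[str, Entry] = {}
    global_lt: Dict[str, Optional[int]] = {"seconds": None, "kilobytes": None}
    idle: Dict[str, Optional[int]] = {}
    current_gp: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):        # a top-level command ends any sub-mode
            current_gp = None
        if m := RE_GLOBAL.match(line):
            global_lt[m.group(1)] = int(m.group(2))
        elif m := RE_GP.match(line):
            current_gp = m.group(1)
        elif (m := RE_IDLE.match(line)) and current_gp:
            idle[current_gp] = None if m.group(1) == "none" else int(m.group(1))
        elif m := RE_ENTRY.match(line):
            kind, name, seq, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4)
            e = entries.setdefault(f"{kind} {name} {seq}", Entry(kind, name, seq))
            if lt := RE_LIFETIME.match(rest):
                setattr(e, lt.group(1), int(lt.group(2)))
            elif p := RE_PEER.match(rest):
                e.peer = p.group(1)
            elif d := RE_DYNREF.match(rest):
                e.dynamic_ref = d.group(1)
    return entries, global_lt, idle


def _resolve(explicit: Optional[int], global_val: Optional[int], default: int) -> Tuple[int, str]:
    """Precedence: per-entry value, then global override, then factory default."""
    if explicit is not None:
        return explicit, "entry"
    if global_val is not None:
        return global_val, "global"
    return default, "default"


def effective_lifetimes(config: str) -> Dict[str, Dict[str, object]]:
    """Resolve what each crypto map entry will actually propose to its peer."""
    entries, global_lt, _ = parse(config)
    report: Dict[str, Dict[str, object]] = {}
    for key, e in entries.items():
        if e.dynamic_ref:   # lifetimes come from the referenced dynamic map's entries
            report[key] = {"delegates_to": f"dynamic-map {e.dynamic_ref}"}
            continue
        secs, secs_src = _resolve(e.seconds, global_lt["seconds"], DEFAULT_LIFETIME_SECONDS)
        kbs, kbs_src = _resolve(e.kilobytes, global_lt["kilobytes"], DEFAULT_LIFETIME_KILOBYTES)
        report[key] = {"peer": e.peer, "seconds": secs, "seconds_source": secs_src,
                       "kilobytes": kbs, "kilobytes_source": kbs_src}
    return report


# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy securevpn internal
group-policy securevpn attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
"""

if __name__ == "__main__":
    for key, info in effective_lifetimes(SAMPLE_CONFIG).items():
        print(key, info)
    print("idle timeouts:", parse(SAMPLE_CONFIG)[2])
```

Run it against a saved `show running-config` and look at the `seconds_source` / `kilobytes_source` columns: an entry reported as `default` is running the 8-hour / 4608000 KB lifetime because nothing in the config changes it, while a static entry marked `delegates_to` gets its lifetime from the dynamic map it points at, which is easy to miss when reading the config by hand.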
Are you sure that the static config does not make it into the running configuration?
By applying this broad 'static' you are essentially trying to redirect ports that have already been forwarded by rules in your existing configuration. This explains the warning: what you are trying to do overlaps with an existing static.
(Sorry for using the word "forwarding", but this behaviour makes more sense if you look at it like this, although "port forwarding" is not Cisco terminology.)
But... whenever I stumbled upon this question, the warning was exactly that: a WARNING, not an ERROR. And everything works as I want it to work: the specific statics in my current config simply have priority over the broad static.
If you try to do the opposite (first the broad static, then try to apply a more specific one) you get an error and the config is not applied.
So could you tell me whether the config is really not accepted?