IPSec on cat6500, not ipsecSPA
Hi all!
can someone help me with this:
I have
MLS: C6509-E
SUP: VS-S720 - 10G
PFC: VS-F6K-PFC3CXL
Im trying to find what is its limitation of traffic encrypted through ASIT it.
* I don't have a SPA for ipsec.
anyone tried or may lead me to a doc on this subject?
Hello
Installation without an accelerator is not supported.
Long ago allowed some configuration versions but as far as I know, nobody got anything working stably.
Marcin
Tags: Cisco Security
Similar Questions
-
IPSEC tunnels does not connect
Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.
IKE Phase 1 even not connect.
I'm debugging, but I don't know what could be the error.
-----------------------------------------------------------------------------
= ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
qHello
It seems that the tunnel is blocked to MSG_2.
You can check if the UDP 500 traffic is not blocked between peers?
Please check with your provider.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hello
I practice a bit with 2 CISCO 2811 routers and 2621. I did the basic configuration for an IPSec connection, but the tunnel seems not to lead. Also, I can ping the external interface of the other router, but I cannot ping inside network behind each of them. Any ideas? The external interface are connected via a cable UTP croosover. Here's the sh run of each:
2621 router:
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
IP subnet zero
!
!
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
ISAKMP crypto keys Inelectra address 20.20.20.21
!
!
Crypto ipsec transform-set base esp - esp-md5-hmac
!
Armadillo 1 ipsec-isakmp crypto map
defined by peer 20.20.20.21
security-association value seconds of life 4000
Set transform-set basic
PFS Group1 Set
match address 101
!
call the rsvp-sync
!
!
!
!
!
!
controller E1 1/0
!
!
!
interface FastEthernet0/0
IP 192.168.250.1 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0
no ip address
Shutdown
!
interface FastEthernet0/1
IP 20.20.20.1 255.255.255.0
automatic duplex
automatic speed
Armadillo card crypto
!
interface Serial0/1
no ip address
Shutdown
!
interface Serial0/2
no ip address
Shutdown
!
!
IP classless
IP route 0.0.0.0 0.0.0.0 20.20.20.21
IP http server
!
!
!
!
!
!
!
!
!
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
Dial-peer cor custom
!
!
!
!
!
Line con 0
password 7 020F0A5E07030C355E4F
opening of session
line to 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
opening of session
transport input telnet ssh
!
end
2811 router:
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70
!
No aaa new-model
!
resources policy
!
iomem 15 memory size
No network-clock-participate wic 1
IP subnet zero
!
!
IP cef
!
!
!
!
voice-card 0
No dspfarm
!
username supervisor privilege 15 password 7 07062F49420C1A110513
!
!
controller E1 1/0/0
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
ISAKMP crypto keys Inelectra address 20.20.20.1
!
!
Crypto ipsec transform-set Ineset ah-md5-hmac esp - a
Crypto ipsec transform-set base esp - esp-md5-hmac
!
Armadillo 1 ipsec-isakmp crypto map
defined by peer 20.20.20.1
security-association value seconds of life 4000
Set transform-set basic
PFS Group1 Set
match address 102
!
!
!
!
interface FastEthernet0/0
IP 192.168.240.1 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP 20.20.20.21 255.255.255.0
automatic duplex
automatic speed
Armadillo card crypto
!
interface Serial0/0/0
no ip address
Shutdown
no fair queue
2000000 clock frequency
!
interface Serial0/0/1
no ip address
Shutdown
2000000 clock frequency
!
IP classless
IP route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
IP http server
no ip http secure server
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control plan
!
Line con 0
password 7 020F0A5E07030C355E4F
opening of session
line to 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
opening of session
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end
I also tried the isakmp crypto see the its and there is nothing on the table. Thanks for any help.
Gustavo
Under card crypto router armadilloin 2621 =
Use the ACL 102 crypto instead of 101.
match address 102
And then disable the isakmp its ipsec and its
then try to ping.
-
I have configure ipsec-isakmp but do not
R2 #sh crypto isakmp his
conn-id State DST CBC slotR2 #sh crypto isakmp saaccounting databasefce
table alias State conn-id slotes IP src DST
RA #conR2 #sh crypto ipsec his IP ARP
#pkts program: encrypt 0, #pkts: 0, #pkts 0 digest
#pkts decaps: 0, #pkts decrypt: 0, #pkts check 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorsendpt local crypto. : 172.16.1.2, remote Start crypto. : 172.16.1.1
Path mtu 1500, mtu 1500 ip, ip mtu interface FastEthernet0/0
current outbound SPI: 0SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Please post your configuration with a bit of explanation on how the network is set up.
-
I have 2 Cat6, with IPsec SPA card, while the other did not.
I tried setting IPsec tunnel between them, but somehow can't bring up the tunnel, can someone help me to watch set it up?
A (with SPA):
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
ISAKMP crypto keepalive 10
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac testT1
!
Crypto ipsec profile P1
Set transform-set testT1
!
Crypto call admission limit ike his 3000
!
Crypto call admission limit ike in-negotiation-sa 115
!
interface Tunnel962
Loopback962 IP unnumbered
tunnel GigabitEthernet2/37.962 source
tunnel destination 172.16.16.6
ipv4 ipsec tunnel mode
Profile of tunnel P1 ipsec protection
interface GigabitEthernet2/37.962
encapsulation dot1Q 962
IP 172.16.16.5 255.255.255.252
interface Loopback962
1.1.4.200 the IP 255.255.255.255
IP route 2.2.4.200 255.255.255.255 Tunnel962
B (wuthout SPA):
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac T1
!
Crypto ipsec profile P1
game of transformation-T1
interface Tunnel200
Loopback200 IP unnumbered
tunnel GigabitEthernet2/1.1 source
tunnel destination 172.16.16.5
ipv4 ipsec tunnel mode
Profile of tunnel T1 ipsec protection
interface Loopback200
2.2.4.200 the IP 255.255.255.255
interface GigabitEthernet2/1.1
encapsulation dot1Q 962
IP 172.16.16.6 255.255.255.252
IP route 1.1.4.200 255.255.255.255 Tunnel200
I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just can not upwards. When I turned on "debugging ipsec cry ' and ' debug cry isa", nothing comes out, when I trun on 'cry of debugging sciences', I got:
"00:25:17: crypto_engine_select_crypto_engine: can't handle more."
Hello
You need a map of IPSEC SPA on chassis B do IPSEC encryption. Please see the below URL for more details.
Without a SPA-IPSEC - 2G or IPsec VPN Services Module of acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in the software only for administrative for Catalyst 6500 series switches and routers for the Cisco 7600 Series connections.
Kind regards
Arul
* Rate pls if it helps *.
-
Hi all
We have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why.
Add the output and the newspaper.
Thanks for your help
ASA-VPN-PRI/act/pri # sh crypto isakmp his
!
13 peer IKE: 91.209.243.5
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE!
ASA-VPN-PRI/act/pri # sh crypto isakmp his | include the 91.209.243.5
12 peer IKE: 91.209.243.5
ASA-VPN-PRI/act/pri #.ASA-VPN-PRI/act/pri # sh crypto ipsec his | include the 91.209.243.5
ASA-VPN-PRI/act/pri #.7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = c516994b) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
7. December 17, 2014 | 15: 40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d69)
7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 36ecdf6a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = cb1b978d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: is.40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d68)
7. December 17, 2014 | 15: is.40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d68)
7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = f25bcdb5) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = 32bca075) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
7. December 17, 2014 | 15: 40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d67)
7. December 17, 2014 | 15: 40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d67)
7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = a3f0e3f9) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84Please repeat the debug with "debug crypto isakmp 100". And compare the config of the Phase 2 on both sides:
- Is what ACL crypto exactly in the opposite direction on both sides?
- Your transformation sets include exactly the same algorithms?
-
IPSec tunnel do not come between two ASA - 5540 s.
I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.
Did I miss something that will prevent the tunnel to come?
4 IP = 10.10.1.147, error: cannot delete PeerTblEntry
3 IP = 10.10.1.147, Removing peer to peer table has not, no match!
6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM
5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.
6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM
5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.
4 IP = 10.10.1.147, error: cannot delete PeerTblEntry
3 IP = 10.10.1.147, Removing peer to peer table has not, no match!
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)
ROC-ASA5540-A # sh run
!
ASA Version 8.0 (3)
!
CRO-ASA5540-A host name
names of
10.10.1.135 GHC_Laptop description name to test the VPN
10.10.1.155 SunMed_pc description name to test the VPN
!
interface GigabitEthernet0/0
Speed 100
full duplex
nameif inside
security-level 100
IP 10.10.1.129 255.255.255.240
!
interface GigabitEthernet0/3
nameif outside
security-level 0
IP 10.10.1.145 255.255.255.248
!
!
outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc
!
ASDM image disk0: / asdm - 603.bin
!
Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto game 2 outside_map0 address outside_2_cryptomap
outside_map0 crypto map peer set 2 10.10.1.147
card crypto outside_map0 2 the value transform-set ESP-3DES-SHA
outside_map0 card crypto 2 set nat-t-disable
outside_map0 interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
Group Policy Lan-2-Lan_only internal
attributes of Lan-2-Lan_only-group policy
VPN-filter no
Protocol-tunnel-VPN IPSec
tunnel-group 10.10.1.147 type ipsec-l2l
IPSec-attributes tunnel-group 10.10.1.147
pre-shared-key *.
!
ROC-ASA5540-A #.
----------------------------------------------------------
ROC-ASA5540-B # sh run
: Saved
:
ASA Version 8.0 (3)
!
name of host ROC-ASA5540-B
!
names of
name 10.10.1.135 GHC_laptop
name 10.10.1.155 SunMed_PC
!
interface GigabitEthernet0/0
Speed 100
full duplex
nameif inside
security-level 100
IP 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 0
IP 10.10.1.147 255.255.255.248
!
outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop
!
ASDM image disk0: / asdm - 603.bin
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
card crypto outside_map2 1 match address outside_cryptomap
outside_map2 card crypto 1jeu peer 10.10.1.145
outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA
outside_map2 card crypto 1jeu nat-t-disable
outside_map2 interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
internal Lan-2-Lan group strategy
Lan Lan 2-strategy of group attributes
Protocol-tunnel-VPN IPSec
tunnel-group 10.10.1.145 type ipsec-l2l
IPSec-attributes tunnel-group 10.10.1.145
pre-shared-key *.
!
ROC-ASA5540-B #.
On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."
Please reconfigure the ASA and let me know how it goes.
Kind regards
Arul
* Please note the useful messages *.
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving in the USA),
We recently switched our ASA and applied again the saved for the new device configuration. There is a VPN site-to site that works and a remote VPN client that does not work. We use certain Cisco VPN clients and some Shrew Soft VPN clients. I compared the config of the ASA again to that of ASA old and I can't find all the differences (but the remote client VPN was working on the old ASA). Remote clients connect and a tunnel is created, but they are unable to pass traffic. Systems on the network where the ASA are able to access the internet.
Out of sho isakmp crypto his (ignore peer #1, this is the site to site VPN work)
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 generate a new key ITS d)
Total SA IKE: 2
1 peer IKE: xx.168.155.98
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: xx.211.206.48
Type: user role: answering machine
Generate a new key: no State: AM_ACTIVE
Output of sho crypto ipsec his (info about VPN site-to-site deleted). Packets are decrypted but unencrypted.
Tag crypto map: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: publi
c ip
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.1.100/255.255.255.255/0/0)
current_peer: xx.211.206.48, username: me
dynamic allocated peer ip: 10.20.1.100
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts check: 20
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
endpt local crypto. : public-ip/4500, crypto endpt distance. : xx.211.206.48/4
500
Path mtu 1500, fresh ipsec generals 82, media, mtu 1500
current outbound SPI: 7E0BF9B9
current inbound SPI: 41B75CCD
SAS of the esp on arrival:
SPI: 0x41B75CCD (1102535885)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program,}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28776
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
SPI: 0xC06BF0DD (3228299485)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program Rekeyed}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28774
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x000003FF 0xFFF80001
outgoing esp sas:
SPI: 0x7E0BF9B9 (2114714041)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program,}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28774
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
SPI: 0xCBF945AC (3422111148)
transform: aes - esp esp-sha-hmac no compression
running parameters = {RA, Tunnel, NAT-T program Rekeyed}
slot: 0, id_conn: 16384, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP
calendar of his: service life remaining key (s): 28772
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
Config of ASA
: Saved
: Written by me at 19:56:37.957 pst Tuesday, November 26, 2013
!
ASA Version 8.2 (4)
!
hostname mfw01
domain company.int
enable encrypted password xxx
XXX encrypted passwd
names of
Name xx.174.143.97 description cox cox-gateway Gateway
name 172.16.10.0 iscsi-description iscsi network
name 192.168.1.0 network heritage heritage network description
name 10.20.50.0 management-description management network
name 10.20.10.0 network server server-description
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 description of private Exchange private-Exchange
name 10.20.10.3 description of private-private ftp ftp
name 192.168.1.202 description private-private-ip-phones ip phones,
name 10.20.10.6 private-kaseya kaseya private description
name 192.168.1.2 private mitel 3300 description private mitel 3300
name 10.20.10.1 private-pptp pptp private description
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal private-tportal description
name 10.20.10.8 private-xarios private-xarios description
name 192.168.1.215 private-xorcom description private-xorcom
Name xx.174.143.99 description public Exchange public-Exchange
public xx.174.143.100 public-ftp ftp description name
Name xx.174.143.101 public-tportal public tportal description
Name xx.174.143.102 public-sharepoint description public-sharepoint
name of the public ip description public-ip-phones-phones xx.174.143.103
name mitel-public-3300 xx.174.143.104 description public mitel 3300
Name xx.174.143.105 public-xorcom description public-xorcom
xx.174.143.108 public-remote control-support name description public-remote control-support
Name xx.174.143.109 public-xarios public xarios description
Name xx.174.143.110 public-kaseya kaseya-public description
Name xx.174.143.111 public-pptp pptp-public description
name Irvine_LAN description Irvine_LAN 192.168.2.0
Name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
Name xx.174.143.107 public-RevProxy description public RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
Name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-bridge description private-bridge
name 192.168.1.96 description private-remote control-support private-remote control-support
!
interface Ethernet0/0
public nameif
security-level 0
IP address public ip 255.255.255.224
!
interface Ethernet0/1
Speed 100
full duplex
nameif private
security-level 100
address private-gateway IP, 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
the IP 192.168.0.1 255.255.255.0
management only
!
passive FTP mode
clock timezone pst - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain mills.int
object-group service ftp
the tcp eq ftp service object
the purpose of the tcp eq ftp service - data
object-group service DM_INLINE_SERVICE_1
Group-object ftp
the eq tftp udp service object
DM_INLINE_TCP_1 tcp service object-group
port-object eq 40
EQ port ssh object
object-group service web-server
the purpose of the service tcp eq www
the eq https tcp service object
object-group service DM_INLINE_SERVICE_2
EQ-tcp smtp service object
object-group web server
object-group service DM_INLINE_SERVICE_3
EQ-ssh tcp service object
object-group web server
object-group service kaseya
the purpose of the service tcp eq 4242
the purpose of the service tcp 5721 eq
EQ-8080 tcp service object
the eq 5721 udp service object
object-group service DM_INLINE_SERVICE_4
Group-object kaseya
object-group web server
object-group service DM_INLINE_SERVICE_5
will the service object
the eq pptp tcp service object
object-group service VPN
will the service object
ESP service object
the purpose of the service ah
the eq pptp tcp service object
EQ-udp 4500 service object
the eq isakmp udp service object
the MILLS_VPN_VLANS object-group network
object-network 10.20.1.0 255.255.255.0
Server-network 255.255.255.0 network-object
user-network 255.255.255.0 network-object
255.255.255.0 network-object-network management
legacy-network 255.255.255.0 network-object
object-group service InterTel5000
the purpose of the service tcp 3998 3999 range
the 6800-6802 range tcp service object
the eq 20001 udp service object
the purpose of the udp 5004 5007 range service
the purpose of the udp 50098 50508 range service
the purpose of the udp 6604 7039 range service
the eq bootpc udp service object
the eq tftp udp service object
the eq 4000 tcp service object
the purpose of the service tcp eq 44000
the purpose of the service tcp eq www
the eq https tcp service object
the purpose of the service tcp eq 5566
the eq 5567 udp service object
the purpose of the udp 6004 6603 range service
the eq 6880 tcp service object
object-group service DM_INLINE_SERVICE_6
ICMP service object
the eq 2001 tcp service object
the purpose of the service tcp eq 2004
the eq 2005 tcp service object
object-group service DM_INLINE_SERVICE_7
ICMP service object
Group object InterTel5000
object-group service DM_INLINE_SERVICE_8
ICMP service object
the eq https tcp service object
EQ-ssh tcp service object
RevProxy tcp service object-group
RevProxy description
port-object eq 5500
XenDesktop tcp service object-group
Xen description
EQ object of port 8080
port-object eq 2514
port-object eq 2598
object-port 27000 eq
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
public_access_in list any host public-ip extended access allowed object-group DM_INLINE_SERVICE_8
public_access_in list any host public-ip extended access allowed object-group VPN
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_7 any host public-ip-phones
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any public ftp host
public_access_in allowed extended access list tcp any host public-xorcom DM_INLINE_TCP_1 object-group
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any host public-Exchange
public_access_in allowed extended access list tcp all welcome RevProxy-public-group of objects RevProxy
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 any host public-remote control-support
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any host public-xarios
public_access_in list extended access allowed object-group web server any host public-sharepoint
public_access_in list extended access allowed object-group web server any host public-tportal
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_4 any host public-kaseya
public_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any host public-pptp
public_access_in list extended access permit ip any host public-XenDesktop
private_access_in list extended access permit icmp any one
private_access_in of access allowed any ip an extended list
VPN_Users_SplitTunnelAcl list standard allowed server-network access 255.255.255.0
VPN_Users_SplitTunnelAcl list standard allowed user-network access 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow management-network 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow 10.20.1.0 255.255.255.0
VPN_Users_SplitTunnelAcl standard access list allow legacy-network 255.255.255.0
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 255.255.255.0 Irvine_LAN
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
private_nat0_outbound list extended access allowed object-group ip MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
public_1_cryptomap list extended access allowed object-group ip MILLS_VPN_VLANS 255.255.255.0 Irvine_LAN
public_2_cryptomap list extended access allowed object-group ip MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
Enable logging
list of logging level warnings error events
Monitor logging warnings
logging warnings put in buffered memory
logging trap warnings
exploitation forest asdm warnings
e-mail logging warnings
private private-kaseya host connection
forest-hostdown operating permits
logging of trap auth class alerts
MTU 1500 public
MTU 1500 private
management of MTU 1500
mask 10.20.1.100 - 10.20.1.110 255.255.255.0 IP local pool VPN_Users
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global interface 101 (public)
private_nat0_outbound of access list NAT 0 (private)
NAT (private) 101 0.0.0.0 0.0.0.0
NAT (management) 101 0.0.0.0 0.0.0.0
static DNS (private, public) public-private-netmask 255.255.255.255 ip phones, ip phones,
static DNS (private, public) private public-ftp-ftp netmask 255.255.255.255
static (private, public) public-private-xorcom netmask 255.255.255.255 xorcom dns
static DNS (private, public) public Exchange private-Exchange netmask 255.255.255.255
RevProxy-public (private, public) public static private-RevProxy netmask 255.255.255.255 dns
static DNS (private, public) public-remote control-support private-remote control-support netmask 255.255.255.255
static (private, public) public-private-xarios netmask 255.255.255.255 xarios dns
static public-sharepoint (private, public) private-sharepoint netmask 255.255.255.255 dns
TPORTAL-public (private, public) public static private-tportal netmask 255.255.255.255 dns
static (private, public) public-private-netmask 255.255.255.255 kaseya kaseya dns
static public-pptp (private, public) private-pptp netmask 255.255.255.255 dns
static public-XenDesktop (private, public) private-XenDesktop netmask 255.255.255.255 dns
Access-group public_access_in in the public interface
Access-group behind closed doors, interface private_access_in
Public route 0.0.0.0 0.0.0.0 cox-gateway 1
Private server network route 255.255.255.0 10.20.1.254 1
Route private user-network 255.255.255.0 10.20.1.254 1
Private networking route 255.255.255.0 10.20.1.254 1
Route private network iscsi 255.255.255.0 10.20.1.254 1
Private heritage network 255.255.255.0 route 10.20.1.254 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Admin-control LDAP attribute-map
Comment by card privileged-level name
LDAP attribute-map allow dialin
name of the msNPAllowDialin IETF-Radius-class card
msNPAllowDialin card-value FALSE NOACCESS
msNPAllowDialin card-value TRUE IPSecUsers
attribute-map LDAP Mills-VPN_Users
name of the msNPAllowDialin IETF-Radius-class card
msNPAllowDialin card-value FALSE NOACCESS
map-value msNPAllowDialin true IPSecUsers
LDAP attribute-map network admins
memberOf IETF Radius-Service-Type card name
map-value memberOf NOACCESS FAKE
map-value memberOf 'Network Admins' 6
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol nt Mills
host of Mills (private) AAA-server private-pptp
auth-ms01.mills.int NT domain controller
AAA-server Mills_NetAdmin protocol ldap
AAA-server Mills_NetAdmin (private) host private-pptp
Server-port 389
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map-Mills-VPN_Users
AAA-server NetworkAdmins protocol ldap
AAA-server NetworkAdmins (private) host private-pptp
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map network-admins
AAA-server ADVPNUsers protocol ldap
AAA-server ADVPNUsers (private) host private-pptp
or base LDAP-dn = San Diego, dc = factories, dc = int
or LDAP-group-base dn = San Diego, dc = factories, dc = int
LDAP-scope subtree
name attribute LDAP cn
LDAP-login-password *.
LDAP-connection-dn cn = asa, OU = Service accounts, or = San Diego, dc = factories, dc = int
microsoft server type
LDAP-attribute-map-Mills-VPN_Users
Console to enable AAA authentication LOCAL ADVPNUsers
Console HTTP authentication of the AAA ADVPNUsers LOCAL
AAA authentication serial console LOCAL ADVPNUsers
Console Telnet AAA authentication LOCAL ADVPNUsers
authentication AAA ssh console LOCAL ADVPNUsers
Enable http server
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
Community private private-kaseya SNMP-server host * version 2 c
Server SNMP - San Diego location plants
contact SNMP server, help the Mills
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt noproxyarp private
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto public_map 1 match address public_1_cryptomap
card crypto public_map 1 set pfs
card crypto public_map 1 set xx.168.155.98 counterpart
card crypto public_map 1 the value transform-set ESP-3DES-MD5-ESP-AES-128-SHA
public_map card crypto 1 set nat-t-disable
card crypto public_map 1 phase 1-mode of aggressive setting
card crypto public_map 2 match address public_2_cryptomap
card crypto public_map 2 pfs set group5
card crypto public_map 2 peers set xx.181.134.141
card crypto public_map 2 game of transformation-ESP-AES-128-SHA
public_map card crypto 2 set nat-t-disable
public_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
public crypto map public_map interface
crypto ISAKMP enable public
crypto ISAKMP policy 1
preshared authentication
aes encryption
sha hash
Group 5
life 86400
crypto ISAKMP policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 1
lifetime 28800
Telnet 0.0.0.0 0.0.0.0 private
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 public
SSH 0.0.0.0 0.0.0.0 private
SSH 0.0.0.0 0.0.0.0 management
SSH timeout 5
Console timeout 0
management of 192.168.0.2 - dhcpd addresses 192.168.0.254
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
authenticate the NTP
NTP server 216.129.110.22 public source
NTP server 173.244.211.10 public source
NTP server 24.124.0.251 public source prefers
WebVPN
allow the public
enable SVC
internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
VPN-tunnel-Protocol svc
internal IPSecUsers group strategy
attributes of Group Policy IPSecUsers
value of server WINS 10.20.10.1
value of server DNS 10.20.10.1
Protocol-tunnel-VPN IPSec
allow password-storage
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_Users_SplitTunnelAcl
Mills.int value by default-field
the address value VPN_Users pools
Irvine internal group policy
Group Policy attributes Irvine
Protocol-tunnel-VPN IPSec
username admin password encrypted in Kra9/kXfLDwlSxis
type VPNUsers tunnel-group remote access
tunnel-group VPNUsers General attributes
address pool VPN_Users
authentication-server-group Mills_NetAdmin
Group Policy - by default-IPSecUsers
tunnel-group VPNUsers ipsec-attributes
pre-shared-key *.
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 General-attributes
Group Policy - by default-Irvine
XX.189.99.114 group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 General-attributes
Group Policy - by default-Irvine
XX.205.23.76 group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 General-attributes
Group Policy - by default-Irvine
XX.168.155.98 group of tunnel ipsec-attributes
pre-shared-key *.
!
Global class-card class
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
World-Policy policy-map
Global category
inspect the dns
inspect esmtp
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the sip
inspect the skinny
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
!
service-policy-international policy global
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege show import at the level 5 exec mode command
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege, level 3 see fashion exec command eigrp
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes is glazed looking at it for too long. Something seems wrong? Maybe I missed a command that would not appear in the config?
Thanks in advance to those who take a glance.
We see that the UI is sent the echo request but there is no response to echo. This seems to be a routing problem between the ASA and the host you are trying to ping. You can see the range so that the traffic to 10.20.1.0 network is routed to the ASA. If there is no other routing device make sure that the default gateway is correct on the host computer, you're trying to reach.
If you try to ping a windows machine make sure that the windows firewall is disabled or allows ICMP.
--
Please do not forget to rate and choose a response from xorrect
-
Feature IPSec VPN is not in router CISCO891-K9
I want to configure IPsec over GRE tunnel in CISCO891-K9 router. GRE tunnel works well, but I can not configure IPSEC. I found the command of ipsec isakmp or crypro encryption isn't here. The version of the CISCO891-K9 show is:
EFLWH-1 #sh worm
Cisco IOS software, software C890 (C890-UNIVERSALK9_NPE-M), Version 15.2 (4) M2, R SENSE SOFTWARE (fc2)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Updated Thursday, November 7, 12 and 23:11 by prod_rel_team
ROM: System Bootstrap, Version 12.4 YB3 (22r), RELEASE SOFTWARE (fc1)
EFLWH-1 uptime is 2 days, 19 hours, 24 minutes
System to regain the power ROM
System image file is "flash: c890-universalk9_npe - mz.152 - 4.M2.bin.
Last reload type: normal charging
Reload last reason: power
This product contains cryptographic features and is under the United States
States and local laws governing the import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third party approval to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. laws and local countries. By using this product you
agree to comply with the regulations and laws in force. If you are unable
to satisfy the United States and local laws, return the product.
A summary of U.S. laws governing Cisco cryptographic products to:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html
If you need assistance please contact us by mail at
Cisco 891 (MPC8300) processor (revision 1.0) with 498688K / 25600K bytes of memory.
Card processor ID FGL170926DF
9 FastEthernet interfaces
1 gigabit Ethernet interface
Serial 1 interface
1 line of terminal
256K bytes of non-volatile configuration memory.
247464K bytes of ATA CompactFlash (read/write)
License info:
License IDU:
-------------------------------------------------
Device SN # PID
-------------------------------------------------
* FGL170926DF 0 CISCO891-K9
Information about the license for "c890.
License level: advipservices_npe Type: Permanent
Next reboot license level: advipservices_npe
Configuration register is 0 x 2102
Yes, it should work then.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
IPSec sequence numbers not working not for the multi VPN
a site at a single site VPN works no problem, but when I add the second peer in the concentrator, router it does not connect. There is no routing in place that all routers are connected to the same switch, and with no crypto card they can all two ping 192.168.2.1. With crypto card only 192.168.2.2 can ping 192.168.2.1. I'm at a loss as to what I'm doing wrong, it seems simple I just add the Test input with a different number, but it won't work.
Ask any other question you can think of. I followed the same controls on both spoke routers so that it seems that it would be in the hub, router, but he beat me as to why.
Thanks for the help.
Concentrator, router:
----------------------------------------------------------------------------------------------------------------------------------------------
R1 #sh card crypto
1 test card crypto ipsec-isakmp
Peer = 192.168.2.2
Expand the IP 110 access list
access ip-list 110 permit a whole
Current counterpart: 192.168.2.2
Life safety association: 4608000 kilobytes / 86400 seconds
PFS (Y/N): N
Transform sets = {}
Test,
}
Interfaces using crypto sheet test:
FastEthernet0/0
2 ipsec-isakmp crypto map test
Peer = 192.168.2.3
Expand the IP 110 access list
access ip-list 110 permit a whole
Current counterpart: 192.168.2.3
Life safety association: 4608000 kilobytes / 86400 seconds
PFS (Y/N): N
Transform sets = {}
Test,
}
Interfaces using crypto sheet test:
FastEthernet0/0
---------------------------------------------------------------------------------------------------------------------------------------------
R2 #sh card crypto
1 test card crypto ipsec-isakmp
Peer = 192.168.2.1
Expand the IP 110 access list
access ip-list 110 permit a whole
Current counterpart: 192.168.2.1
Life safety association: 4608000 kilobytes / 86400 seconds
PFS (Y/N): N
Transform sets = {}
Test,
}
Interfaces using crypto sheet test:
FastEthernet0/0
----------------------------------------------------------------------------------------------------------------------------------------------
R3 #sh card crypto
1 test card crypto ipsec-isakmp
Peer = 192.168.2.1
Expand the IP 110 access list
access ip-list 110 permit a whole
Current counterpart: 192.168.2.1
Life safety association: 4608000 kilobytes / 86400 seconds
PFS (Y/N): N
Transform sets = {}
Test,
}
Interfaces using crypto sheet test:
FastEthernet0/0
There is a typing error in the IP for the PSK on R3.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Hello
I just upgraded to macOS Sierra and built-in Cisco IPsec VPN no longer works. When you try to connect, I get a "cannot validate the certificate of the server. "Check your settings and try to reconnect" error message. I use Cisco ASA with self-signed certificates and everything worked fine with previous versions of OS X.
Please help me, I need my VPN Thx a lot
I am having the same problem with StrongSwan and help cert signed with the channel to complete certificates included in the pkcs12 file imported to the keychain. It was working properly in El Capitan, but now broken in the Sierra.
-
ASA 5505 VPN to IPSec website DOES NOT CONNECT
I spent 2 days already to try to get 2 ASA 5505 to connect by using an IPSec vpn tunnel. I can't understand what im doing wrong, I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I am trying to connect via a link directly connected on the outside with 50.1.1.1 and 50.1.1.2 interfaces such as addresses (all 24). I also tried with and without active NAT. Here is for both of the ASA configs, the vpn config was conducted by the ASDM, but I also tried the approach of the command-line without success. I followed various guides to the letter online, starting with an empty config and factory default. I also tried the IOS 8.4.
ASA 1 Config ASA 8.3 Version (2)
!
VIC hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.97.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa832 - k8.bin
passive FTP mode
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.97.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
Config ASA2 ASA 8.3 Version (2)
!
hostname QLD
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
passive FTP mode
network of the SITEA object
192.168.97.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
outside_1_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 object SITEA
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 static destination SITEA SITEA
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.100.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 50.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 50.1.1.1 type ipsec-l2l
IPSec-attributes tunnel-group 50.1.1.1
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: end
Hello Mitchell,
Thanks for letting us know the resolution of this topic.
Please answer the question as answered so future users can learn from this topic.
Kind regards
Julio
-
WRVS4400N will not route all traffic on IPsec
All my remote sites use various routers to route all their traffic via IPsec. However, I have a WRVS4400N w/firmware configured 2.0.2.1 with a tunnel of work. My problem is that I need to define the Group of remote 0.0.0.0 0.0.0.0 so all traffic is forced through the IPsec tunnel and not on the local gateway. When I make the mistake, Remote Security Group and Local security group cannot be in the same network. However, it works with Cisco/Linksys RV042.
Any ideas? Attached are the screenshots of each.
Transmission of wildcard ESP isn't a feature support, therefore not documented in the product documentation. If you need a wifi router that supports this feature, you can see the series Cisco ISR, which is base IOS.
-
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
Maybe you are looking for
-
What can reset so that the Research Assistant appears instead of windows search?
When I click on search in a folder I get Windows Search instead of the search wizard. This happened after I installed an upgrade to the indexing service. What can reset so that the Research Assistant appears instead of windows search?
-
Compaq presario C700 (C750EL): SSD info and motherboard
I have a C750EL with T8100 processor and 3 GB of RAM, BIOS F.35 I would like to know if it is possible to install a SSD HDD into the WiFi slot (mini PCIe, right?) my intention is to put a SSD quick 32-64 GB with operating system to boot from instead
-
How to record a radio station that plays on my computer?
How to record a radio station that plays onmy computer?
-
Visual my manager of vertical scrolling
Hello everyone, I use a vertical Manager that contains 7 custom managers (HM) horizontal focusable containing 3 fields each. When I run my application on devices of small screen like the 9300, I see 4 (HM) at a time and the need to scroll down to see
-
Hi all...I have a RV320 (internal LAN 10.78.0.0/24) connection to a PIX 515E (10.10.0.0/24) using the VPN Tunnel.The tunnel between the two is in place and working. My workstation (10.10.0.47), I can ping and connect to a server on the LAN of RV320 (