IPSec-s2s-sessiondb-details
Hi guys,
I have about 3000 S2S VPN tunnels on my ASA. In the attached "show vpn-sessiondb" output I see 9046 as the total (IKEv1 + IPsec).
Can someone help me here... the attached output, especially its last three lines, is confusing.
Hi s,
Based on the following result:
Tunnels Summary
---------------------------------------------------------------------------
                          Active : Cumulative : Peak Concurrent
---------------------------------------------------------------------------
IKEv1                   :   3202 :    3021003 :            3434
IPsec                   :   5844 :    4914405 :            6339
IPsecOverNatT           :      0 :        790 :               2
---------------------------------------------------------------------------
Totals                  :   9046 :    7936198
---------------------------------------------------------------------------
What this means is that for your 3202 IKEv1 tunnels you see a higher number of IPsec connections, because each VPN does not have just the one connection to its peer; it has all of its SAs (Security Associations).
If you run "show crypto ipsec sa" you will see that there are multiple SAs per connection; you can filter them with the command "show crypto ipsec sa peer x.x.x.x" to check the SAs of an individual peer.
Please rate helpful posts!
Hope this helps,
-Randy-
Tags: Cisco Security
Similar Questions
-
show vpn-sessiondb detail l2l: how to clear the connections by Tunnel ID?
With "show vpn-sessiondb detail l2l", I get this output:
IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 172.20.18.0/255.255.255.0/0/0
  Remote Addr  : 172.20.24.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : MD5
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28259 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607996 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 21 Minutes
  Bytes Tx     : 5016                   Bytes Rx     : 0
  Pkts Tx      : 38                     Pkts Rx      : 0
IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 172.20.19.0/255.255.255.0/0/0
  Remote Addr  : 172.20.24.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : MD5
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28257 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607998 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 21 Minutes
  Bytes Tx     : 2244                   Bytes Rx     : 0
  Pkts Tx      : 17                     Pkts Rx      : 0
Is there a way to clear the IPsec connection by "Tunnel ID"? I am familiar with "clear crypto ipsec sa", but this will take down the whole tunnel. I'm looking for a way to be more granular and clear only the connection from Local Addr 172.20.19.0/255.255.255.0/0/0, for example (see output above). Thank you
John
No, unfortunately you cannot tear down just the connection for one specific SA within a tunnel.
The only option with "vpn-sessiondb logoff" is:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1726098
which is pretty much the same as what you get with the "clear crypto ipsec sa" command.
-
IPsec S2S ASA to ASR with VRF using a loopback address
So, I have a solution and then a question about this solution.
First the solution and the config, for anyone in the future who needs it.
To configure the ASR side of the VPN to the ASA:
crypto keyring KEY-SITE-B-DC
 local-address [asr-ip-address]
 pre-shared-key address [ASA-ip-address] key test123
!
crypto isakmp profile ISAKMP-SITE-B-DC
 vrf VPN
 keyring KEY-SITE-B-DC
 match identity address [ASA-ip-address] 255.255.255.255
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map S2S-VPN local-address Loopback11
crypto map S2S-VPN 10 ipsec-isakmp
 description # VPN S2S SITE-B-DC ASA #
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
interface [INGRESS/EGRESS interface]
 description # BECAUSE WE RUN A DYNAMIC ROUTING PROTOCOL (BGP IN MY CASE), ANY INTERFACE COULD BE THE INGRESS/EGRESS INTERFACE, SO THESE INTERFACES MUST ALSO HAVE THE CRYPTO MAP #
 crypto map S2S-VPN
!
interface Loopback11
 description # IPSEC TEST #
 ip address [asr-ip-address] 255.255.255.255
!
ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
 permit ip host [ASR-LAN-addresses] [ASA-LAN-addresses]
!
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE (ANYCAST)
* the route here is there so the traffic gets encrypted; the next hop MUST be a non-recursive route *
!
So now for my question:
Does there REALLY need to be a route in the routing table that matches something other than the default route?
(Because it does not work with a route that points at the default route, even when the recursive lookup resolves to the interface, and even when I add a specific route.)
Is there any other way to do this? Pointing the route at 8.8.8.8 means my tunnels depend on the availability of a route to 8.0.0.0 in the RIB.
Any help would be appreciated here guys!
Why not let the router hide the complexity of administration using IPP?
The example is not perfect because of the point-to-point connection between two routers, but you can see which IP address is used as the gateway.
I also suggest moving away from crypto map entries; on newer software, logical (tunnel) interfaces with tunnel protection are the way to go. The problem does not appear there.
-
Hello
I have a headquarters and a remote site and I want to set up a site-to-site VPN between the two. I have the following setup on each router. "show crypto session" says that the VPN is in the UP-IDLE state (and from my somewhat limited understanding of VPNs, this means that IKE phase 1 is complete and it is waiting for phase 2). When I run "debug crypto ipsec" on the remote site, I get "no crypto map exists for local address 100.x.x.x" and the VPN remains UP-IDLE. The ACL on the external interface allows the IP of the remote site. I have CBAC running on the external interface of both routers and the ACL permits all traffic between the addresses 100.x.x.x and 200.x.x.x. Could someone help me with the config? I must be doing something wrong somewhere.
Thank you!
Shaun
Router HQ (local network 10.2.0.0/16):
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key [removed] address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 100.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
 ip address 200.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255
Remote router (LAN 10.1.0.0/16):
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key [removed] address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 200.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
 ip address 100.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
Hi Shaun,
Some comments...
QM_IDLE means that phase 1 is established ("sh cry isa sa").
With "sh cry ips sa" you should see that IPsec SAs have been put in place for encryption/decryption of the phase 2 traffic.
The VPN ACLs (the crypto ACLs) should be mirrors of each other (you have "any" on one side and network statements on the other peer).
You do NAT, so there should be a NAT exemption rule for the VPN traffic (to remove the IPsec traffic from NAT).
This should be it.
Federico.
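The mirror requirement Federico raises can be checked mechanically. The following Python script is an added example, not part of the thread: it takes the two crypto ACLs from Shaun's post (cleaned up; FIXED_HQ_ACL is my corrected version of the HQ entry, not something from the post), normalises each "permit ip" entry to a (source, destination) network pair, and reports which entries are missing or unexpected compared with the reverse of the far side's list. It handles the "any", "host A" and "A WILDCARD" address forms of IOS extended ACLs; deny entries are ignored because they never create SAs.

```python
import ipaddress
import re

# The two crypto ACLs from the post above (HQ side and remote side), cleaned up.
HQ_ACL = """\
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255
"""
REMOTE_ACL = """\
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
# Corrected HQ ACL (my addition): the exact mirror of the remote side's entry.
FIXED_HQ_ACL = """\
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

ACE = re.compile(r"^\s*(permit|deny)\s+ip\s+(.+?)\s*$")


def _take_address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # IOS wildcard -> netmask
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False)


def parse_crypto_acl(text):
    """Return the set of (source, destination) networks a crypto ACL protects."""
    flows = set()
    for line in text.splitlines():
        m = ACE.match(line)
        if not m or m.group(1) != "permit":  # deny entries do not create SAs
            continue
        tokens = m.group(2).split()
        src = _take_address(tokens)
        dst = _take_address(tokens)
        flows.add((src, dst))
    return flows


def _render_address(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_flows(flows):
    """Render flows back as IOS ACEs, sorted so the result is stable."""
    return sorted(f"permit ip {_render_address(s)} {_render_address(d)}" for s, d in flows)


def check_mirror(local_acl, remote_acl):
    """Compare the local ACL with the reverse of the remote ACL. Every proxy-identity
    pair must appear on both sides, or phase 2 fails or builds unexpected SAs."""
    local = parse_crypto_acl(local_acl)
    expected = {(dst, src) for src, dst in parse_crypto_acl(remote_acl)}
    return {
        "missing_on_local": render_flows(expected - local),
        "unexpected_on_local": render_flows(local - expected),
    }


if __name__ == "__main__":
    print(check_mirror(HQ_ACL, REMOTE_ACL))        # reports the mismatch from the post
    print(check_mirror(FIXED_HQ_ACL, REMOTE_ACL))  # both lists empty
```

Run against the posted lists it reports that the HQ side is missing "permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255" and has an unexpected "permit ip any 10.1.0.0 0.0.255.255"; with FIXED_HQ_ACL both lists are empty. Overlapping or non-contiguous wildcard masks are not special-cased, which is fine for the contiguous masks used in crypto ACLs.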
-
IPsec S2S with translated source IPs
We have a customer who needs a site-to-site IPsec tunnel but won't allow our private IPs through the tunnel:
"We do not allow private IP addresses through the tunnel; you will need to translate your private source IP addresses to publicly routable IP addresses."
How can we define this so that all traffic through the VPN tunnel is NATed just like any other normal outgoing connection (that is, translated to the WAN IP)?
Here is an example of the configuration we have now, i.e. the standard configuration, which does not work because we are not translating the way the customer wants:
object-group network customer-NETS
 network-object host 145.118.20.84 (example)
 x
 x
nat (inside,any) source static single-lan-NET indiv-lan-NET destination static customer-NETS customer-NETS
access-list customer-VPN-ACL extended permit ip object single-lan-NET object-group customer-NETS
crypto map corp_map 4 match address customer-VPN-ACL
crypto map corp_map 4 set peer 145.118.20.84
crypto map corp_map 4 set ikev1 transform-set primaryset
tunnel-group 145.118.20.84 type ipsec-l2l
tunnel-group 145.118.20.84 ipsec-attributes
 ikev1 pre-shared-key xxxxxxxx
Any help with this would be much appreciated!
Hello
In this case, you don't need to change anything in the NAT.
Make sure that you have not configured a NAT exemption for all traffic.
In the crypto access list the source must be your external IP address and the destination must be the private IP address of the remote site; at the remote site, they must configure your external IP address as the destination.
If you try the above, I'm sure that you will face no problem.
Thank you
Jeet Kumar
-
IPsec over UDP - remote access VPN
Hello all,
On the VPN Client user's PC the "IPsec over UDP" option is checked under Transport.
When I check the IKE phase 1 details of the user login in ASDM, it shows only UDP port 500, not port 4500.
Does that mean there is no device doing NAT between the user's PC and the ASA?
What if we check the same option in the VPN Client (IPsec over UDP) and now we see UDP port 4500 under the IKE phase 1 connection details?
Does this mean that there is now a NAT device between the VPN Client PC and the ASA, but that it allows the IKE phase 1 connection?
Regards
Mahesh
Hello Mahesh,
I suggest using the following commands on your ASA to have a look at these ports while testing VPN connections. The command you use depends on your software level, as there are minor changes in the command format:
show vpn-sessiondb detail remote
show vpn-sessiondb detail remote filter p-ipaddress
or
show vpn-sessiondb detail ra-ikev1-ipsec
show vpn-sessiondb detail ra-ikev1-ipsec filter p-ipaddress
These will provide information on the type of VPN Client connection.
Here are a few outputs from different situations when connecting with the VPN Client.
Dynamic PAT - no Transparent Tunneling on the VPN Client
- Connections through the VPN do not work, as the client connects through PAT without Transparent Tunneling
Username     :                        Index        : 22
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 22.1
  UDP Src Port : 18451                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsec:
  Tunnel ID    : 22.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 25 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0
Dynamic PAT - Transparent Tunneling (NAT/PAT) on the VPN Client
- Connections through the VPN work, as we use Transparent Tunneling when we form the VPN Client connection through dynamic PAT
Username     :                        Index        : 28
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 28.1
  UDP Src Port : 52825                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverNatT:
  Tunnel ID    : 28.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 360                    Bytes Rx     : 360
  Pkts Tx      : 6                      Pkts Rx      : 6
Dynamic PAT - Transparent Tunneling (IPsec over TCP) on the VPN Client
- Connections through the VPN work, as we use Transparent Tunneling when we form the VPN Client connection through dynamic PAT
Username     :                        Index        : 24
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverTCP
IKEv1:
  Tunnel ID    : 24.1
  UDP Src Port : 20343                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverTCP:
  Tunnel ID    : 24.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 TCP Src Port : 20343
  TCP Dst Port : 10000
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 180                    Bytes Rx     : 180
  Pkts Tx      : 3                      Pkts Rx      : 3
Static NAT - no Transparent Tunneling on the VPN Client
- VPN Client connections to the LAN work because our VPN Client has a static NAT configured for its local IP address. This lets ESP pass through the device doing the static NAT without encapsulation. You must allow the ESP traffic through the NAT device to the VPN device, or configure inspection for the VPN connections if there is an ASA acting as the NAT device.
Username     :                        Index        : 25
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 25.1
  UDP Src Port : 50136                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsec:
  Tunnel ID    : 25.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 120                    Bytes Rx     : 120
  Pkts Tx      : 2                      Pkts Rx      : 2
Static NAT - Transparent Tunneling (NAT/PAT) on the VPN Client
- The VPN Client connections work normally. Even though a host using a static NAT VPN Client does not need UDP encapsulation, it is still used if the VPN Client connection profile is configured to use it (Transport tab in the client software)
Username     :                        Index        : 26
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 26.1
  UDP Src Port : 60159                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverNatT:
  Tunnel ID    : 26.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 1200                   Bytes Rx     : 1200
  Pkts Tx      : 20                     Pkts Rx      : 20
Static NAT - Transparent Tunneling (IPsec over TCP) on the VPN Client
- The VPN Client connections work normally. Even though a host using a static NAT VPN Client does not need TCP encapsulation, it is still used if the VPN Client connection profile is configured to use it (Transport tab in the client software)
Username     :                        Index        : 27
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverTCP
IKEv1:
  Tunnel ID    : 27.1
  UDP Src Port : 61575                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverTCP:
  Tunnel ID    : 27.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 TCP Src Port : 61575
  TCP Dst Port : 10000
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 120                    Bytes Rx     : 120
  Pkts Tx      : 2                      Pkts Rx      : 2
VPN device with a public IP address directly connected (as a VPN client) to an ASA
Username     :                        Index        : 491
Assigned IP  : 172.31.1.239           Public IP    :
Protocol     : IKE IPsec
IKE:
  Tunnel ID    : 491.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds
  D/H Group    : 2
  Filter Name  :
IPsec:
  Tunnel ID    : 491.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 172.31.1.239/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 3767854                Bytes Rx     : 7788633
  Pkts Tx      : 56355                  Pkts Rx      : 102824
The above are examples for your reference. I must also say that I am absolutely not an expert when it comes to VPNs in general. I had to learn firewalls/VPNs basically on my own, as during my studies we had no classes related to them (which was quite strange).
While I learned how to set up VPNs and troubleshoot them, I think I missed out on the basic theory. I had plans to get the CCNA/CCNP Security certifications, but at the moment anything is possible. I don't have the time for it.
I guess that you are already going for the CCNP Security VPN exam?
Hope this helps, and I hope that I didn't get anything wrong above.
-Jouni
-
Site-to-site IPsec without rebuilding the tunnel
Hello, I have a question about IPsec S2S.
In this topology, I would like IPsec S2S between 172.21.0.0/24 and 172.22.0.0/24.
The serial line is the first priority and the route via the ISP is the second priority for routing.
The question is: how can I create the IPsec site-to-site connection so that it does not have to be rebuilt when the routing path changes?
The AR configuration:
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname AR
!
no ip cef
no ipv6 cef
!
username BR password 0 cisco
!
license udi pid CISCO2901/K9 sn FTX1524YO05
license boot module c2900 technology-package securityk9
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 10.0.0.2
crypto isakmp key cisco address 200.200.200.2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set peer 200.200.200.2
 set transform-set TS
 match address vpn
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 100.100.100.2 255.255.255.252
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 ip address 172.21.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 clock rate 2000000
 crypto map CMAP
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 172.21.0.0 0.0.0.255 area 0
!
router rip
 version 2
 network 100.0.0.0
 network 172.21.0.0
 no auto-summary
!
ip classless
!
ip flow-export version 9
!
ip access-list extended vpn
 permit ip 172.21.0.0 0.0.0.255 172.22.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Configuration of BR:
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR
!
no ip cef
no ipv6 cef
!
username AR password 0 cisco
!
license udi pid CISCO2901/K9 sn FTX1524L63A
license boot module c2900 technology-package securityk9
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 10.0.0.1
crypto isakmp key cisco address 100.100.100.2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set peer 100.100.100.2
 set transform-set TS
 match address vpn
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 200.200.200.2 255.255.255.252
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 ip address 172.22.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 crypto map CMAP
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 172.22.0.0 0.0.0.255 area 0
!
router rip
 version 2
 network 172.22.0.0
 network 200.200.200.0
 no auto-summary
!
ip classless
!
ip flow-export version 9
!
ip access-list extended vpn
 permit ip 172.22.0.0 0.0.0.255 172.21.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Thank you very much!
Although you could go this route, I wouldn't.
I would use VTI interfaces (GRE tunnels that run over IPsec): one over the serial circuit and the other over the ISP circuit.
You can then either use GRE keepalives to detect which tunnels are up and use static routes, or use a dynamic routing protocol such as EIGRP (set a higher "bandwidth" value with the "bandwidth" command on the preferred tunnel).
-
I've set up a site-to-site VPN and I can't seem to get the VPN filter to work. I've followed this document:
http://www.Cisco.com/image/gif/paws/99103/PIX-ASA-VPN-filter.PDF
I created an ACL with an ACE for only the traffic I want to allow. Then I went to the site-to-site group policy and applied this filter. However, I can still ping the remote network from a client that should not be allowed. The remote network is 192.168.2.0/24. Here is my partial config:
access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-list Test extended deny ip [range] (trying to deny a range)
group-policy Test internal
group-policy Test attributes
 vpn-filter value Test
tunnel-group Test_tunnel type ipsec-l2l
tunnel-group Test_tunnel general-attributes
 default-group-policy Test
Hello
First of all I would like to clarify that the tunnel-group name used for a site-to-site tunnel must be the IP address of the peer (at least for static L2L tunnels); it is in the tunnel-group that you must apply this "Test" group policy. The filter configuration looks perfect, but you must make sure that you apply the group policy accordingly. Now, once you apply the group policy to the correct tunnel-group, you have to bounce the tunnel, otherwise the new filter will not take effect; you can use the command "clear crypto ipsec sa peer x.x.x.x", generate some traffic to bring the tunnel up again, and it should then have the filter.
If you apply it correctly and bounce the tunnel, it will work.
You can check whether the filter is applied with the command "show vpn-sessiondb detail l2l" and look for the ACL name.
Best regards, please rate.
-
VPN connectivity lost after the regeneration of the keys (I think)
Hello
I have an L2L IPsec tunnel between a failover pair of two ASA5510s and a single ASA5505. Over time, they lose connectivity through the tunnel. The tunnel itself stays up, but cannot pass any traffic.
When I look at the tunnel, this is what I see on the 5510s (note the Rekey Left(D) value under IPSec Session ID 3, which was in bold in my original post):
advdns# sh vpn-sessiondb detail l2l filter ipaddress 93.160.2xx.1xx
Session Type: LAN-to-LAN Detailed
Connection   : 93.160.2xx.1xx
Index        : 14                     IP Addr      : K015-Peer
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 430820527              Bytes Rx     : 9869311
Login Time   : 01:16:13 CEDT Mon Mar 28 2011
Duration     : 7h:46m:47s
Filter Name  : K015-L2L-filter
IKE Sessions: 1
IPSec Sessions: 2
IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 58390 Seconds
  D/H Group    : 2
IPSec:
  Session ID   : 2
  Local Addr   : HOST_RDC001/255.255.255.255/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25270 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 413688 K-Bytes
  Bytes Tx     : 24387                  Bytes Rx     : 12754
  Pkts Tx      : 195                    Pkts Rx      : 195
IPSec:
  Session ID   : 3
  Local Addr   : 10.30.15.0/255.255.255.0/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25715 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 1 K-Bytes
  Bytes Tx     : 430796140              Bytes Rx     : 9856557
  Pkts Tx      : 385454                 Pkts Rx      : 207904
This is the output of the same command at the ASA5505 end of the tunnel:
PFF# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection   : 83.136.xx.xxx
Index        : 1                      IP Addr      : 83.136.xx.xxx
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 9869359                Bytes Rx     : 430815282
Login Time   : 14:00:28 UTC Sun Mar 27 2011
Duration     : 7h:47m:00s
Filter Name  :
IKE Sessions: 1
IPSec Sessions: 2
IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 58381 Seconds
  D/H Group    : 2
IPSec:
  Session ID   : 2
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.1.11.1/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25256 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 4274992 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 12754                  Bytes Rx     : 24387
  Pkts Tx      : 195                    Pkts Rx      : 195
IPSec:
  Session ID   : 3
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.30.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25701 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 3861311 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 9856605                Bytes Rx     : 430790895
  Pkts Tx      : 207905                 Pkts Rx      : 385265
On the ASA5505 I can see the following in the log:
Mar 27 2011 21:21:17: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x1BB08) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.
Mar 27 2011 21:26:12: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x2EF6E) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.
It has done this 4-5 times now, so I don't think it's a temporary problem. The ASA5505 has been restarted several times... restarting the 5510 failover pair is not an option. The 5510 currently holds more than 50 IPsec tunnels, and this is the only one that behaves like this.
If I do a "clear crypto ipsec sa peer <5505 IP>", the tunnel is functional again.
The software versions are:
5510: 7.2(4)9
5505: 7.2(4)
This is the setup I use for the tunnel:
5510:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 15 match address K015-L2L-list
crypto map outside_map 15 set peer Peer-K015
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set security-association lifetime seconds 28800
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
5505:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address Hosting_List
crypto map VPNMAP 10 set peer 83.136.xx.xxx
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Does anyone have any good ideas?
Best regards
Jesper Ross
I just checked and there are a number of rekey bugs in ASA version 7.2.4. Please upgrade both ASAs to at least version 7.2.5.
Here are the bugs for your reference:
CSCtc47782 Invalid IKE traffic causes rekey to fail:
CSCso87442 ASA displays smaller traffic-volume lifetime than negotiated:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso87442
CSCsq67954 ASA rekeys at less traffic volume than expected value:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq67954
Prior to upgrading, you can just remove the following and see if it makes any difference:
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
Clear the tunnels on both ends, and monitor to see if you are seeing the same issue.
-
L2L VPN problem: no Tx on one side and no Rx on the other
Hi friends,
I have a problem with two ASAs, a 5540 and a 5510, running versions 8.4.3 and 8.2.5 respectively. Topology: LAN - ASA - *WAN* - ASA - LAN.
On the 5540 side I have no Tx:
# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection   : 189.213.94.5
Index        : 107                    IP Addr      : 189.213.94.5
Protocol     : IKEv1 IPsec
Encryption   : 3DES 3DES 3DES         Hashing      : SHA1 SHA1 SHA1
Bytes Tx     : 0                      Bytes Rx     : 19104
Login Time   : 09:30:57 CST Fri Feb 8 2013
Duration     : 0h:14m:00s
IKEv1 Tunnels: 1
IPsec Tunnels: 2
IKEv1:
  Tunnel ID    : 107.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85549 Seconds
  D/H Group    : 2
  Filter Name  : OUTSIDE_cryptomap_1
  IPv6 Filter  :
IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 10.10.0.0/255.255.255.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27949 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607991 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 10200
  Pkts Tx      : 0                      Pkts Rx      : 170
IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 10.5.0.0/255.255.0.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27952 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607992 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 8904
  Pkts Tx      : 0                      Pkts Rx      : 84
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 852 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
And on the 5510 side I have no Rx:
# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection   : 201.140.121.82
Index        : 695                    IP Addr      : 201.140.121.82
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 22480                  Bytes Rx     : 0
Login Time   : 17:33:15 CST Fri Feb 8 2013
Duration     : 0h:16m:00s
IKE Tunnels  : 1
IPsec Tunnels: 2
IKE:
  Tunnel ID    : 695.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85407 Seconds
  D/H Group    : 2
  Filter Name  :
IPsec:
  Tunnel ID    : 695.2
  Local Addr   : 192.168.2.0/255.255.255.0/0/0
  Remote Addr  : 10.10.0.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27808 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 11880                  Bytes Rx     : 0
  Pkts Tx      : 198                    Pkts Rx      : 0
IPsec:
  Tunnel ID    : 695.3
  Local Addr   : 192.168.2.0/255.255.255.0/0/0
  Remote Addr  : 10.5.0.0/255.255.0.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27811 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 10600                  Bytes Rx     : 0
  Pkts Tx      : 100                    Pkts Rx      : 0
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 994 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
Hope you guys could help me understand the issue correctly.
Thank you!
Looks like your problem is that you have the route to 192.168.2.x pointing inside on your 5540, when it should be pointing to your OUTSIDE interface, or just let the default route take care of it.
Remove the static route for 192.168.2.0 on the 5540:
no route inside 192.168.2.0 255.255.255.0 10.10.0.1 1
Then see if two-way communication happens. Try:
packet-tracer input inside icmp 10.10.0.1 1 1 192.168.2.1
Again, if everything checks out, see if you have two-way communication through the VPN.
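With thousands of tunnels, the one-way counters above are easier to find by script than by eye. The following is an added Python example, not code from the thread: it parses "show vpn-sessiondb detail l2l" output and flags IPsec SAs whose packet counters are zero in only one direction. The sample output is constructed to mirror the 5540 side, with labels as the ASA prints them and most fields omitted.

```python
import re

# Constructed sample, modeled on the 5540 "show vpn-sessiondb detail l2l" output quoted
# above (labels as the ASA prints them, most fields omitted for brevity).
SAMPLE_5540 = """\
Connection   : 189.213.94.5
IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 10.10.0.0/255.255.255.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Pkts Tx      : 0                      Pkts Rx      : 170
IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 10.5.0.0/255.255.0.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Pkts Tx      : 0                      Pkts Rx      : 84
"""

# "Label : value" pairs; the ASA prints up to two per line in fixed-width columns.
FIELD = re.compile(r"([A-Za-z/ ()]+?)\s*:\s*(\S+)")

def parse_ipsec_sas(output):
    """One dict per 'IPsec:' block, keyed by the ASA's field labels, plus the peer.
    Fields before the first IPsec block (session header, IKE SA) are not collected."""
    peer, sas, current = None, [], None
    for line in output.splitlines():
        if line.startswith("IPsec:"):
            current = {"Peer": peer}
            sas.append(current)
            continue
        for label, value in FIELD.findall(line):
            label = label.strip()
            if label == "Connection":
                peer = value
            elif current is not None:
                current[label] = value
    return sas

def find_one_way_sas(output):
    """Flag IPsec SAs with packets in only one direction. A healthy L2L SA counts both
    Tx and Rx; Tx stuck at zero while Rx grows is the routing symptom in this thread."""
    flagged = []
    for sa in parse_ipsec_sas(output):
        tx, rx = int(sa["Pkts Tx"]), int(sa["Pkts Rx"])
        if (tx == 0) != (rx == 0):
            flagged.append({"peer": sa["Peer"], "tunnel": sa["Tunnel ID"],
                            "local": sa["Local Addr"], "remote": sa["Remote Addr"],
                            "missing": "Tx" if tx == 0 else "Rx"})
    return flagged
```

Feed it the full output of the command (for example via `ssh asa show vpn-sessiondb detail l2l`) and every flagged entry names the peer, SA and subnet pair whose route should be checked first.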
-
AnyConnect macosx tls1.2 support
Does anyone know which version of AnyConnect for Mac OS X supports TLS 1.2?
I've gleaned from the post here that AnyConnect 4.0.00048 and higher supports TLS 1.2, but I am assuming that is for AnyConnect on Windows. Please correct my thinking if I'm wrong!
Thank you
Frank
The output is part of the command that lets you look at your VPN sessions:
show vpn-sessiondb ...
In this case, I used keywords to look at AnyConnect sessions:
show vpn-sessiondb detail anyconnect
-
Can someone please tell me the command that will show AnyConnect connections on an ASA 5510 running version 8.4? Also, I would like to know the command to clear connections from the CLI.
Any help will be greatly appreciated.
Thank you
Lake
show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect
vpn-sessiondb logoff ...
-
I have a remote location with about 10 PCs and users behind it. I am currently using a standard IPsec S2S connection, but (don't ask, long story) the site will soon move to an ISP who cannot give it its own public IP address. It gets a private IP address on its external interface and is NATed behind the ISP's public IP address. This obviously means that I can't use a normal IPsec tunnel. My thought was to use EZVPN to connect the clients/subnet behind the remote ASA to the subnets behind the HQ ASA. I just need someone to sanity check my work. Here's the EZVPN config I plan on adding to the remote and HQ ASAs. I want all traffic to RFC 1918 IPs to travel through the tunnel, while internet traffic at the remote site continues to go out its own connection and not through the tunnel.
192.168.98.0/24 will be the subnet at the remote site. The HQ site has subnets in all 3 RFC 1918 ranges.
--------------------------------------------
ASA HQ CONFIG:
access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list EZVPNSPLIT extended permit ip any 192.168.0.0 255.255.255.0
access-list EZVPNSPLIT extended permit ip any 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT extended permit ip any 172.16.0.0 255.240.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy RemoteTG internal
group-policy RemoteTG attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPNSPLIT
 default-domain value
 nem enable
 webvpn
username remote password CLI! privilege 0
username remote attributes
 vpn-group-policy RemoteTG
tunnel-group RemoteTG type remote-access
tunnel-group RemoteTG general-attributes
 default-group-policy RemoteTG
tunnel-group RemoteTG ipsec-attributes
 pre-shared-key CLI!
-----------------------
ASA REMOTE CONFIG:
vpnclient server
vpnclient mode network-extension-mode
vpnclient vpngroup RemoteTG password CLI!
vpnclient username remote password CLI!
vpnclient enable
Overall, it looks fine. Two things:
(1) On the ASA, normally a standard ACL is used for split tunneling, but an extended one can also work. Some subnet masks were wrong in your ACL:
access-list EZVPNSPLIT standard permit 10.0.0.0 255.0.0.0
access-list EZVPNSPLIT standard permit 172.16.0.0 255.240.0.0
access-list EZVPNSPLIT standard permit 192.168.0.0 255.255.0.0
(2) If it isn't already in your config (and depending on your version), you must enable NAT traversal:
crypto isakmp nat-traversal 20
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
IPsec client for s2s NAT problem
Hello
We have a remote site (Paris) with a 5512 carrying some s2s and RA client VPN (IPsec client and AnyConnect) tunnels. AnyConnect has no problem, but the IPsec client cannot pass traffic to the LAN. The subnet behind the firewall is 10.176.0.0/16 and the RA client pool is 10.172.28.0/24. However, we have an s2s tunnel that NATs 10.0.0.0/8, and it appears that traffic bound for the IPsec RA VPN clients matches this rule and prevents connectivity to local resources via the IPsec VPN client.
......
hits=485017, user_data=0x7fffa5d1aa10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
  src ip/id=10.176.0.0, mask=255.255.0.0, port=0
  dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0
  input_ifc=inside, output_ifc=outside
...
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Paris_Network Paris_Network   destination static Remote2_LAN_Networks Remote2_LAN_Networks no-proxy-arp route-lookup
    translate_hits = 58987, untranslate_hits = 807600
2 (inside) to (outside) source static Paris_Network Paris_Network   destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 route-lookup
    translate_hits = 465384, untranslate_hits = 405850
3 (inside) to (outside) source static Paris_Network Paris_Network   destination static Remote1_Networks Remote1_Networks route-lookup
    translate_hits = 3102307, untranslate_hits = 3380754
4 (outside) to (inside) source static Paris_RA_VPN Paris_RA_VPN   destination static Paris_Network Paris_Network route-lookup
    translate_hits = 0, untranslate_hits = 3
This setup works on other sites with almost identical configuration, but for some reason it doesn't work here. I can't specify different subnets for the s2s tunnel because there are too many of them. Can someone help me and tell me why I can't get this to work?
Hello
So you're saying that AnyConnect is working but not IPsec? What is the AnyConnect VPN pool? Is it outside the 10.0.0.0/8 network?
You should be able to override the L2L VPN NAT configuration by simply configuring a separate NAT for the local network to VPN pool traffic at the top of your NAT configuration.
For example:
object network PARIS-LAN
 subnet 10.176.0.0 255.255.0.0
object network PARIS-VPN-POOL
 subnet 10.172.28.0 255.255.255.0
nat (inside,outside) 1 source static PARIS-LAN PARIS-LAN destination static PARIS-VPN-POOL PARIS-VPN-POOL
This should ensure that the first rule on the ASA is the NAT rule that matches the VPN client to LAN traffic. Other traffic in the L2L VPN should still hit the original NAT rule for the L2L VPN.
If this does not work, then we must look closer at the configuration.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
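The first-match behaviour Jouni relies on, modelled in Python as an added example (not code from the thread): section 1 is walked top-down, static twice-NAT rules match both directions of a flow, so the 10.0.0.0/8 L2L rule swallows pool traffic until a more specific rule sits above it. The ASA output names only the objects, so their contents are assumed from the question; treating Remote1_Networks as 10.0.0.0/8 is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the "Manual NAT Policies (Section 1)" shown above. The ASA output
# only names the objects, so their contents are assumed here from the question text.
PARIS_LAN      = ip_network("10.176.0.0/16")    # Paris_Network
PARIS_VPN_POOL = ip_network("10.172.28.0/24")   # Paris_RA_VPN, the RA client pool
REMOTE1        = ip_network("10.0.0.0/8")       # assumed: the L2L rule that NATs 10.0.0.0/8

# (label, real interface, real source, real destination) of identity static twice-NAT rules
ORIGINAL = [
    ("3 (inside,outside) Paris_Network -> Remote1_Networks", "inside", PARIS_LAN, REMOTE1),
    ("4 (outside,inside) Paris_RA_VPN -> Paris_Network", "outside", PARIS_VPN_POOL, PARIS_LAN),
]
# Jouni's fix: a LAN -> pool rule inserted at position 1, ahead of the L2L rules
FIXED = [("1 (inside,outside) PARIS-LAN -> PARIS-VPN-POOL",
          "inside", PARIS_LAN, PARIS_VPN_POOL)] + ORIGINAL

def match_nat(rules, ingress, src, dst):
    """Walk section 1 top-down; the first match wins. A static rule matches the forward
    flow (real src -> real dst entering the real interface) and, since static NAT is
    bidirectional, the reverse flow entering the other interface."""
    src, dst = ip_address(src), ip_address(dst)
    for label, real_ifc, src_net, dst_net in rules:
        forward = ingress == real_ifc and src in src_net and dst in dst_net
        reverse = ingress != real_ifc and src in dst_net and dst in src_net
        if forward or reverse:
            return label
    return None

def tally(rules, flows):
    """Hit count per rule for (ingress, src, dst) flows, the way translate_hits and
    untranslate_hits accumulate in 'show nat detail'."""
    hits = {label: 0 for label, *_ in rules}
    for ingress, src, dst in flows:
        label = match_nat(rules, ingress, src, dst)
        if label is not None:
            hits[label] += 1
    return hits

# Constructed flows: RA client <-> LAN in both directions, plus genuine L2L traffic to Remote1
FLOWS = [("inside", "10.176.1.10", "10.172.28.5"),
         ("outside", "10.172.28.5", "10.176.1.10"),
         ("inside", "10.176.1.10", "10.50.0.1")]

if __name__ == "__main__":
    for name, rules in (("original order", ORIGINAL), ("fix on top", FIXED)):
        print(name, tally(rules, FLOWS))
```

With the original order both RA flows land on rule 3, matching the thread's counters (rule 4 barely hit); with the fix on top they land on the new rule 1 while the Remote1 flow still hits rule 3.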
-
Wildcard to attribute LDAP - IPSEC not WebVPN
Hello
I have a setup using LDAP authentication and it works fine.
I'm trying to limit VPN access to only users who are members of a security group (VPN users).
I created an LDAP attribute map (vpnmap) that checks if the user is a member of the required security group and, if so, assigns a group policy (XXXvpntunnel).
However, if a user is not a member of the group, the LDAP attribute map does not assign the group policy above, but the user can still VPN in, and when I check which group policy is being used with sh vpn-sessiondb remote detail, it shows the same XXXvpntunnel group policy in use.
I created another group policy called XXXvpntunneldeny with IPsec sessions set to 0, but how can I assign this policy to users who aren't a memberOf VPN users, so that they cannot VPN in?
I also tested by adding sAMAccountName to the attribute map with the value "Administrator" and the group policy "xxxvpntunneldeny", and it stops Administrator from coming in via the VPN, but I want to be able to use a wildcard character to prevent all users not in the VPN users security group from connecting through the VPN.
Any suggestions on the best way to prevent users who are not part of the VPN users group in AD from VPNing in?
Thank you.
Here is a good link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
Modify the default group policy to vpn-simultaneous-logins 0.
Apply vpn-simultaneous-logins in the new specific group policy.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy POLICY attributes
 vpn-simultaneous-logins 10
I was able to get this to work.
Forget the mapping for the dial-in permissions; not necessary here.
If someone isn't mapped to one of your manually created group policies, only the default group policy applies, and they are unable to log in.