IPSec Tunnel site to Site between ASA (static IP) to the firewall Microtick (dynamic IP) cannot telnet routeros and open https

Similar Questions

• Impossible to establish vpn site to site between asa 5505 5510 year

  Hi all experts

  We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

  Hugo

  Here are the links to the guides-cisco config:

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/site2sit.html

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_site2site.html

  In addition to VPN, you need to consider in NAT exemption:

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/cfgnat.html#wp1043541

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_overview.html#wpxref25608

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_rules.html#wp1232160

  And many examples:

  http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• site-to-site between ASA 5510 (8.4 (2)) w / static IP and Dlink DIR130 w / dynamic IP.

  I'm trying to implement a VPN site link to site between the ASA5510 we use exclusively as a VPN endpoint on campus and a D-Link DIR130 router off campus, to a local company with a dynamically assigned IP address.  We currently use the ASA to remote access users who use the Cisco VPN client on mobile devices, as well as a link to site-to-site unique in our telecommunications provider for the purposes of remote monitoring telecoms equipment.

  We are looking for a way to deploy at a lower cost of VPN connections for local businesses to allow them to use the devices for sale which connect to systems on campus, so students can use their meal in local restaurants cards, similar to the way they use them in the cafeteria on campus.

  I have experience setting up Cisco switches, routers and APs, but ASA appliance absolutely baffles me.  I futzed with the AMPS 6.4 config autour gui and tried to match the configurations between the DIR130 and the ASA, but I can never get a VPN to come.  Anyone who can point me to an example, or provide me with help on this would be appreciated.  I have google searched and found very little, with my limited experience in setting up ASA, I ask to my script.

  You must configure the static route on the 6509 for 192.168.5.0/24 to ASA inside the interface:

  IP route 192.168.5.0 255.255.255.0 131.162.160.2

  Assuming that 131.162.160.1 is your 6509

• Site to Site between ASA VPN connection and router 2800

  I'm trying to get a L2L VPN working between a ASA code 8.4 and a 2800 on 12.4.

  I first saw the following errors in the debug logs on the side of the ASA:

  Error message % PIX | ASA-6-713219: KEY-GAIN message queues to deal with when
  ITS P1 is complete.

  I see the following on the end of 2800:

  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
  ISAKMP: (0): provider ID is NAT - T v3
  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  ISAKMP (0): provider ID is NAT - T RFC 3947
  ISAKMP: (0): treatment charge useful vendor id
  ISAKMP: (0): treatment of frag vendor id IKE payload
  ISAKMP: (0): IKE Fragmentation support not enabled
  ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

  ISAKMP: (0): built NAT - T of the seller-rfc3947 ID
  ISAKMP: (0): send package to x.x.x.x my_port 500 peer_po0 (R) MM_SA_SETUP
  ISAKMP: (0): sending a packet IPv4 IKE.
  ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

  ISAKMP (0): packet received from x.x.x.x dport 500 sports global (R)

  MM_SA_SETUP
  ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

  ISAKMP: (0): processing KE payload. Message ID = 0
  ISAKMP: (0): processing NONCE payload. Message ID = 0
  ISAKMP: (0): found peer pre-shared key x.x.x.x corresponding
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): provider ID is the unit
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): provider ID seems the unit/DPD but major incompatibility of 54
  ISAKMP: (2345): provider ID is XAUTH
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): addressing another box of IOS!
  ISAKMP: (2345): treatment charge useful vendor id
  ISAKMP: (2345): vendor ID seems the unit/DPD but hash mismatch
  ISAKMP: receives the payload type 20
  ISAKMP (2345): sound not hash no match - this node outside NAT
  ISAKMP: receives the payload type 20
  ISAKMP (2345): no NAT found for oneself or peer
  ISAKMP: (2345): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  ISAKMP: (2345): former State = new State IKE_R_MM3 = IKE_R_MM3

  ISAKMP: (2345): sending package x.x.x.x my_port Exchange 500 500 (R)

  MM_KEY_EXCH

  ----------

  This is part of the configuration of the ASA:

  network of the ABCD object
  10.20.30.0 subnet 255.255.255.0
   
  network of the ABCD-Net object
  172.16.10.0 subnet 255.255.255.0
   
  cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list
   
  access list abc-site extended permitted ip object-group XXXX object abc-site_Network
   
  ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60
   
  NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network
   
  NAT (any, any) static source 20 XXXX XXXX-20 destination static abc-site_Network abc-site_Network
   
  XXXX-20
   
  object-group network XXXX-20
  ABCD-Net network object
  object-abcd-Int-Net Group
   
  XXXX_127
   
  object-group network XXXX-20
  ABCD-Net network object
  object-abcd-Int-Net Group
   
  ip access list of abc-site allowed extended object abc-site_Network object-group XXXX-60
   
   
  Crypto card off-map-44 11 match address cry-map-77
  card crypto out-map-44 11 counterpart set 62.73.52.xxx
  card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  cry-map-77-ip object-group XXXX object abc-site_Network allowed extended access list

  Crypto card off-map-44 11 match address cry-map-77
  card crypto out-map-44 11 counterpart set 62.73.52.xxx
  card crypto out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto out-map-44 11 set transform-set ESP-3DES-SHA ikev1

  object-group network XXXX
  ABCD-Net network object
  object-abcd-Int-Net Group

  ------------------------

  Here is a part of the 2800:

  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  ISAKMP crypto key r2374923 address 72.15.21.xxx
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  card crypto cry-map-1 1 ipsec-isakmp
  the value of 72.15.21.xxx peer
  game of transformation-ESP-3DES-SHA
  match address VPN
  !
  type of class-card inspect match class-map-vpn
  game group-access 100
  type of class-card inspect cm-inspect-1 correspondence
  group-access name inside-out game
  type of class-card inspect correspondence cm-inspect-2
  match the name of group-access outside
  !
  !
  type of policy-card inspect policy-map-inspect
  class type inspect cm-inspect-1
  inspect
  class class by default
  drop
   
  type of policy-card inspect policy-map-inspect-2
  class type inspect class-map-vpn
  inspect
  class type inspect cm-inspect-2
  class class by default
  drop
  !

  !
  interface FastEthernet0
  IP address 74.25.89.xxx 255.255.255.252
  NAT outside IP
  IP virtual-reassembly
  security of the outside Member area
  automatic duplex
  automatic speed
  crypto cry-card-1 card
  !
  interface FastEthernet1
  no ip address
  Shutdown
  automatic duplex
  automatic speed
  !
  IP nat inside source overload map route route-map-1 interface FastEthernet0
  !
  IP access-list extended inside-out
  IP 172.16.10.0 allow 0.0.0.255 any
  IP nat - acl extended access list
  deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  deny ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
  refuse the 10.10.10.0 ip 0.0.0.255 172.16.10.0 0.0.0.255
  refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 10.200.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 192.168.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  refuse the 172.16.10.0 ip 0.0.0.255 10.10.10.0 0.0.0.255
  allow an ip
  outside extended IP access list
  allow an ip
  list of IP - VPN access scope
  IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 10.200.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 192.168.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  IP 172.16.10.0 allow 0.0.0.255 10.10.10.0 0.0.0.255
  IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  IP 10.200.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  IP 192.168.0.0 allow 0.0.255.255 172.16.10.0 0.0.0.255
  28.20.14.xxx.0.0 0.0.255.255 ip permit 172.16.10.0 0.0.0.255
  ip licensing 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255

  access-list 23 allow 192.168.0.0 0.0.255.255
  access-list 23 allow 10.200.0.0 0.0.255.255
  access-list 23 allow 172.16.10.0 0.0.0.255
  access-list 123 note category class-map-LCA-4 = 0
  access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 0.0.255.255 28.20.14.xxx.0.0 172.16.10.0 0.0.0.255
  access-list 123 allow ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
  access-list 123 allow ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  !
  !
  !

  !
  route-map-1 allowed route map 1
  match the IP nat - acl
  !

  Hello

  I quickly browsed your config and I could notice is

  your game of transformation (iskamp) on SAA and router are not the same, try to configure the same on both sides.

  in the statement of the ASA NAT you gave (any, any) try to give the name of the interface instead of a whole.

• VPN SITE-TO-SITE BETWEEN ASA 5505 ASN 5510 DISORDERS

  Hello everyone, I have a problem with my vpn between two ASAs, I will review the configuration of the two devices running, but I couldn't see anything out of the normal.

  As you can see in the image, that the VPN is upward, but in the ASA 5510 I bytes of Rx (ZERO), I tried to config ASAs yet but I have the same problem, I don't know what I can do, please help me...

  

  Hello

  You should make sure that

  • Remote ends of NAT configurations are correct
    • NAT0 or another type of translation is not configured
    • A NAT rule is the substitution of the rule that you have configured for the VPN L2L?
  • Make sure that you have allowed the circulation/connection you are trying
    • VPN traffic is allowed to bypass the 'external' ACL interface on the remote end or the traffic should be allowed in the 'outer' interface ACL?
  • Make sure that the remote host responds to the same type of its local network connection attempt before trying the same thing from a remote location through VPN L2L
    • If a tested service does not work, try another. For example ICMP is not always the best thing to test connections.

  Can you also give us additional context information.

  • This VPN L2L worked, or did it stop working at some point?
  • I assume that you have administrator access to two ASA? Can you perhaps share some configurations
  • What kind of connections you attempt by the L2L VPN?
    • TCP/UDP/ICMP?
    • IP source and destination?
  • You monitor the newspapers of the SAA through the ASDM on the other end? The device at the remote end which does not send anything back on the L2L VPN connection.

  And as a last post a very common configuration that is absent of configurations of ASA during the test with ICMP

  Make sure you two ASAs have below "icmp inspect" configured

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  -Jouni

• VPN site-to-site between ASA 5505 and 2911

  Hi all

  I'm trying to setup VPN S2S. A.a.a.a of ip for the router 2911 office, remote office ASA 5505 8.4 (3) with ip b.b.b.b, but no luck.

  2911 config:

  !

  version 15.2

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  host name 2911

  !

  boot-start-marker

  Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin

  boot-end-marker

  !

  !

  Min-length 10 Security passwords

  logging buffered 51200 warnings

  !

  No aaa new-model

  !

  !

  min-threshold queue spd IPv6 62

  Max-threshold queue spd IPv6 63

  No ipv6 cef

  the 5 IP auth-proxy max-login-attempts

  max-login-attempts of the IP 5 admission

  !

  !

  !

  DHCP excluded-address IP 192.168.10.1 192.168.10.99

  DHCP excluded-address IP 192.168.22.1 192.168.22.99

  DHCP excluded-address IP 192.168.33.1 192.168.33.99

  DHCP excluded-address IP 192.168.44.1 192.168.44.99

  DHCP excluded-address IP 192.168.55.1 192.168.55.99

  192.168.10.240 IP dhcp excluded-address 192.168.10.254

  DHCP excluded-address IP 192.168.22.240 192.168.22.254

  DHCP excluded-address IP 192.168.33.240 192.168.33.254

  DHCP excluded-address IP 192.168.44.240 192.168.44.254

  DHCP excluded-address IP 192.168.55.240 192.168.55.254

  !

  desktop IP dhcp pool

  import all

  network 192.168.33.0 255.255.255.0

  router by default - 192.168.33.254

  192.168.10.10 DNS server 202.50.246.41 202.50.246.42

  local domain name

  -192.168.10.10 NetBIOS name server

  h-node NetBIOS node type

  !

  wi - fi IP dhcp pool

  import all

  network 192.168.44.0 255.255.255.0

  192.168.10.10 DNS server 202.50.246.41 202.50.246.42

  local domain name

  router by default - 192.168.44.254

  -192.168.10.10 NetBIOS name server

  h-node NetBIOS node type

  !

  DMZ IP dhcp pool

  import all

  network 192.168.55.0 255.255.255.0

  192.168.10.10 DNS server 202.50.246.41 202.50.246.42

  local domain name

  router by default - 192.168.55.254

  -192.168.10.10 NetBIOS name server

  h-node NetBIOS node type

  !

  IP dhcp pool voip

  import all

  network 192.168.22.0 255.255.255.0

  192.168.10.10 DNS server 202.50.246.41 202.50.246.42

  local domain name

  router by default - 192.168.22.254

  -192.168.10.10 NetBIOS name server

  h-node NetBIOS node type

  !

  IP dhcp pool servers

  import all

  network 192.168.10.0 255.255.255.0

  default router 192.168.10.254

  192.168.10.10 DNS server 202.50.246.41 202.50.246.42

  local domain name

  -192.168.10.10 NetBIOS name server

  h-node NetBIOS node type

  !

  !

  IP domain name of domain

  name-server IP 192.168.10.10

  IP cef

  connection-for block 180 tent 3-180

  Timeout 10

  VLAN ifdescr detail

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  Crypto pki token removal timeout default 0

  !

  Crypto pki trustpoint TP-self-signed-3956567439

  enrollment selfsigned

  name of the object cn = IOS - Self - signed - certificate - 3956567439

  revocation checking no

  rsakeypair TP-self-signed-3956567439

  !

  !

  TP-self-signed-3956567439 crypto pki certificate chain

  certificate self-signed 01 nvram:IOS - Self-Sig #1.cer

  license udi pid sn CISCO2911/K9

  !

  !

  the FULL_NET object-group network

  full range of the network Description

  192.168.10.0 255.255.255.0

  192.168.11.0 255.255.255.0

  192.168.22.0 255.255.255.0

  192.168.33.0 255.255.255.0

  192.168.44.0 255.255.255.0

  !

  object-group network limited

  description without servers and router network

  192.168.22.0 255.255.255.0

  192.168.33.0 255.255.255.0

  192.168.44.0 255.255.255.0

  !

  VTP version 2

  password username admin privilege 0 password 7

  !

  redundancy

  !

  !

  !

  !

  !

  no passive ftp ip

  !

  !

  crypto ISAKMP policy 10

  BA aes 256

  sha512 hash

  preshared authentication

  ISAKMP crypto key admin address b.b.b.b

  invalid-spi-recovery crypto ISAKMP

  !

  !

  Crypto ipsec transform-set esp - aes esp-sha-hmac SET

  !

  !

  !

  10 map ipsec-isakmp crypto map

  the value of b.b.b.b peer

  Set transform-set

  match address 160

  !

  !

  !

  !

  !

  Interface Port - Channel 1

  no ip address

  waiting-150 to

  !

  Interface Port - channel1.1

  encapsulation dot1Q 1 native

  IP 192.168.11.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  Interface Port - channel1.10

  encapsulation dot1Q 10

  IP address 192.168.10.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  Interface Port - channel1.22

  encapsulation dot1Q 22

  IP 192.168.22.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  Interface Port - channel1.33

  encapsulation dot1Q 33

  IP 192.168.33.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  Interface Port - channel1.44

  encapsulation dot1Q 44

  IP 192.168.44.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  Interface Port - channel1.55

  encapsulation dot1Q 55

  IP 192.168.55.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  the Embedded-Service-Engine0/0 interface

  no ip address

  Shutdown

  !

  interface GigabitEthernet0/0

  Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

  no ip address

  Shutdown

  automatic duplex

  automatic speed

  !

  interface GigabitEthernet0/1

  no ip address

  automatic duplex

  automatic speed

  channel-group 1

  !

  interface GigabitEthernet0/2

  Description $ES_LAN$

  no ip address

  automatic duplex

  automatic speed

  channel-group 1

  !

  interface GigabitEthernet0/0/0

  IP address a.a.a.a 255.255.255.224

  NAT outside IP

  IP virtual-reassembly in

  automatic duplex

  automatic speed

  crypto map

  !

  IP forward-Protocol ND

  !

  no ip address of the http server

  23 class IP http access

  local IP http authentication

  IP http secure server

  IP http timeout policy slowed down 60 life 86400 request 10000

  !

  overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0

  IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static

  IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

  !

  NAT_INTERNET extended IP access list

  refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255

  refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255

  permit ip FULL_NET object-group everything

  !

  access-list 1 permit 192.168.44.100

  access-list 23 allow 192.168.10.7

  access-list 23 permit 192.168.44.0 0.0.0.255

  access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

  access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

  !

  !

  !

  control plan

  !

  !

  !

  Line con 0

  password password 7

  opening of session

  line to 0

  line 2

  no activation-character

  No exec

  preferred no transport

  transport of entry all

  transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

  StopBits 1

  line vty 0 4

  access-class 23 in

  privilege level 15

  local connection

  entry ssh transport

  line vty 5 15

  access-class 23 in

  privilege level 15

  local connection

  entry ssh transport

  !

  Scheduler allocate 20000 1000

  !

  end

  The ASA config:

  : Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1   no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable 

  ASA:

  # show crypto ipsec his

  There is no ipsec security associations

  # show crypto isakmp his

  There are no SAs IKEv1

  There are no SAs IKEv2

  2911:

  #show crypto ipsec his

  Interface: GigabitEthernet0/0/0

  Tag crypto map: map, addr a.a.a.a local

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.17.0/255.255.255.0/0/0)

  current_peer b.b.b.b port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors of #send 4, #recv errors 0

  local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b

  Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0/0

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  -Other - arrival ah sas:

  -More-

  -More - CFP sas on arrival:

  -More-

  -More - outgoing esp sas:

  -More-

  -More - out ah sas:

  -More-

  -More - out CFP sas:

  Thanks for your time,

  Nick

  Please add

  map Office 2 set transform-set OFFICE ikev1 crypto

  If it is not helpful, please enable debug crypto ipsec 255 and paste here.
  
  HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.

• IPSec tunnel do not come between two ASA - 5540 s.

  I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.

  Did I miss something that will prevent the tunnel to come?

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)

  ROC-ASA5540-A # sh run

  !

  ASA Version 8.0 (3)

  !

  CRO-ASA5540-A host name

  names of

  10.10.1.135 GHC_Laptop description name to test the VPN

  10.10.1.155 SunMed_pc description name to test the VPN

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.129 255.255.255.240

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.145 255.255.255.248

  !

  !

  outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto game 2 outside_map0 address outside_2_cryptomap

  outside_map0 crypto map peer set 2 10.10.1.147

  card crypto outside_map0 2 the value transform-set ESP-3DES-SHA

  outside_map0 card crypto 2 set nat-t-disable

  outside_map0 interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  Group Policy Lan-2-Lan_only internal

  attributes of Lan-2-Lan_only-group policy

  VPN-filter no

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.147 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.147

  pre-shared-key *.

  !

  ROC-ASA5540-A #.

  ----------------------------------------------------------

  ROC-ASA5540-B # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  name of host ROC-ASA5540-B

  !

  names of

  name 10.10.1.135 GHC_laptop

  name 10.10.1.155 SunMed_PC

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.153 255.255.255.248

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.147 255.255.255.248

  !

  outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map2 1 match address outside_cryptomap

  outside_map2 card crypto 1jeu peer 10.10.1.145

  outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA

  outside_map2 card crypto 1jeu nat-t-disable

  outside_map2 interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  internal Lan-2-Lan group strategy

  Lan Lan 2-strategy of group attributes

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.145 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.145

  pre-shared-key *.

  !

  ROC-ASA5540-B #.

  On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."

  Please reconfigure the ASA and let me know how it goes.

  Kind regards

  Arul

  * Please note the useful messages *.

• Site to site between ASA 8.2 VPN, cannot ping

  Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

  

  Here is my setup for both.

  Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

  When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  ...
  

  Each attempt to ping responds with "Request timed out" on the computer of ping.

  Why clients cannot mutually ping on the VPN tunnel?

  Hello

  Create a NAT0 ACL at both ends.

  ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

  NAT (inside) 0 access-list SHEEP

  THX

  MS

  Edit: at the beginning, I mentioned ACL #, it may not work.

• problem setting up vpn site-to-site between asa and 1811 router

  I get the following error.

  3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP

  6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024

  5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop

  4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).

  5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.

  3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED

  6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address

  4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes

  I do not think that because of the incompatibility of encryption. Any help is appreciated.

  Thank you

  Nilesh

  You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

  If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.

  Kind regards

  Arul

• Tunnel of Split VPN Setup ASA to force inside the tunnel for single address

  Hi all

  We have an ASA with IPSec VPN facility to addresses Internet of Tunnel from Split.  We have an Internet address that must come from the external interface of the ASA.  I have added this address to the list of split tunnel and confirmed on the client that is the road to the tunnel, but I'm not able to get to this address via the VPN.

  How the ASA to allow this unique Internet address to come via the VPN and route back on the same interface to the Internet and the return traffic to back up in the client VPN tunnel.

  I need to get to the address is 213.92.42.118. Here's the config relavent (let me know if I left anything):

  interface GigabitEthernet0/0
  nameif outside
  IP 1.1.1.1 255.255.255.0
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  name 10.80.177.0 VPN_Pool
  Outbound_Ports tcp service object-group
  port-object eq www
  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  access-list extended users allow icmp a whole
  access-list extended users enable a tcp
  access-list extended users allow udp a whole
  users_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
  standard access list users_splitTunnelAcl allow 192.168.43.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed 192.168.40.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed host 213.92.42.118

  FWOB list extended access permit tcp any any Outbound_Ports object-group

  Global (LUXCVGASA01e) 2 1.1.1.1

  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0
  NAT 0 access-list sheep (LUXCVGASA01i)

  Any help is appreciated.

  -Jeff

  Hi Jeff,

  Just had a chance to look through the Setup and I guess that configured nat is incorrect.

  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  NAT 0 access-list sheep (LUXCVGASA01i)
  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0

  Global (LUXCVGASA01e) 2 1.1.1.1

  The access-list says sheep that ALL traffic goes to the pool of the VPN to go UN-natted. So, when you try to access the public ip address via the tunnel VPN, the traffic the ASA, ASA then performs a search destination NAT and matches the nat command "nat (LUXCVGASA01i) 0 access-list sheep." If the ASA detects a destination NAT translation, it will bypass route search and uses the destination NAT translation to determine the output interface (in this scenario, the output interface is LUXCVGASA01i.

  So, to resolve this problem, change the acl sheep from "any to VPN_Pool 255.255.255.0" inside"to the network VPN_Pool 255.255.255.0.

  clear xlate and re-initialization of the tunnel, and this should solve the problem.

  Let me know if that answers your query.

  Kind regards

  Manisha masseur

• IPsec VPN site to site between router problem Cisco ASA. Help, please

  Hello community,

  I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

  Attachment is router configuration and ASA. I also include the router debug output.

  It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

  Please help me. Any help appreciated.

  Thank you

   
   

  I didn't look any further, but this may be a reason:

   crypto map mymap 1 ipsec-isakmp dynamic dyn1 

  The dynamic CM must always be the last sequence in a card encryption:

   no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1

  Try this first, then we can look further.

• ASA5510-CISCO871 DOWN IPSEC TUNNEL

  Help!

  Site between ASA 5510 and 871 ROUTER ipsec tunnel site cannot be established.

  Config and debug info:

  ASA:
  1.1.1.26 external ip address
  1.1.1.254 the gateway ip
  3.3.3.0 LAN network
  3.3.3.250 ip LAN
  3.3.3.20 PC in LAN

  ROUTER 871
  2.2.2.226 external ip address
  2.2.2.225 the gateway ip
  4.4.4.0 network LAN
  4.4.4.254 ip LAN
  4.4.4.28 PC in LAN

  ASA 5510 CONFIG:

  interface Ethernet0/0
  WAN description
  nameif AI_WAN
  security-level 0
  IP 1.1.1.26 255.255.255.248

  interface GigabitEthernet1/0
  network LAN AB Description
  nameif AB_LAN
  security-level 100
  IP 3.3.3.250 255.255.255.0

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road

  card crypto AI_WAN_map 1 corresponds to the address AI_WAN_1_cryptomap
  card crypto AI_WAN_map 1 set peer 2.2.2.226
  AI_WAN_map 1 transform-set ESP-DES-MD5 crypto card game
  card crypto AI_WAN_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  AI_WAN_map AI_WAN crypto map interface

  ISAKMP crypto enable AI_WAN
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP ipsec-over-tcp port 10000
  crypto ISAKMP disconnect - notify

  Route 0.0.0.0 AI_WAN 0.0.0.0 1.1.1.254
  Route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

  AI_WAN_1_cryptomap to access extended list ip 3.3.3.0 allow 255.255.255.0 4.4.4.0 255.255.255.0

  tunnel-group 2.2.2.226 type ipsec-l2l
  tunnel-group 2.2.2.226 General-attributes
  IPSec-attributes tunnel-group 2.2.2.226
  pre-shared key *.

  CONFIG ROUTER 871:

  crypto ISAKMP policy 2
  preshared authentication
  Group 2
  isakmp encryption key * address 1.1.1.26

  Crypto ipsec transform-set esp - esp-md5-hmac des-md5

  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to1.1.1.26
  defined by peer 1.1.1.26
  the transform-set des-md5 value
  match address 100

  interface FastEthernet4
  IP 2.2.2.226 255.255.255.0
  IP virtual-reassembly
  automatic duplex
  automatic speed
  map SDM_CMAP_1 crypto

  interface Vlan1
  IP 4.4.4.254 255.255.255.0
  IP virtual-reassembly

  IP route 0.0.0.0 0.0.0.0 2.2.2.225
  IP route 3.3.3.0 255.255.255.0 1.1.1.26

  access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

  DEBUGGING OF ASA 5510

  ciscoasa (config) # 25 Feb 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
  25 FEV 21:58: 07 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
  25 FEV 21:58: 07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 17 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 27 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 37 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
  25 FEV 21:58: 39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason
  25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 180
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, SA payload processing
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, worm received 03 NAT-Traversal, VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, payload processing VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, received NAT-Traversal worm 02 VID
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA payload processing
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1]: Phase 1 failed: Mismatched types of attributes of class Group Description: RRs would be: Cfg 1 group would be: Group 2
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, build the payloads of ISAKMP security
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing the payload of the NAT-Traversal VID ver 02
  25 FEV 21:58: 47 [IKEv1 DEBUG]: IP = 2.2.2.226, construction of Fragmentation VID + load useful functionality
  25 FEV 21:58: 47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:58: 57 [IKEv1]: IP = 2.2.2.226, first detected duplicate package.  Ignoring the package.
  25 FEV 21:59: 03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:59: 11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 128
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, case of mistaken IKE MM Responder WSF (struct & 0xadb2fdf8) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3 NullEvent--> MM_SND_MSG2, EV_SND_MSG--> MM_SND_MSG2, EV_START_TMR--> MM_SND_MSG2, EV_RESEND_MSG--> MM_WAIT_MSG3, EV_TIMEOUT--> MM_WAIT_MSG3, NullEvent
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622 has 639 ending: flags 0 x 01000002, refcnt 0, tuncnt 0
  25 FEV 21:59: 19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending clear/delete with the message of reason

  DEBUGGING OF 871 ROUTER

  871_router #debu cry isa
  871_router #ping 3.3.3.20 4.4.4.254 source

  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 3.3.3.20, wait time is 2 seconds:
  Packet sent with a source address of 4.4.4.254

  Feb 25 21:58:06.799: ISAKMP: (0): profile of THE request is (NULL)
  21:58:06.799 25 Feb: ISAKMP: created a struct peer 1.1.1.26, peer port 500
  21:58:06.799 25 Feb: ISAKMP: new position created post = 0x834B2AB4 peer_handle = 0x8000000C
  21:58:06.799 25 Feb: ISAKMP: lock struct 0x834B2AB4, refcount 1 to peer isakmp_initiator
  21:58:06.799 25 Feb: ISAKMP: 500 local port, remote port 500
  21:58:06.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
  25 Feb 21:58:06.799: insert his with his 83476114 = success
  21:58:06.799 25 Feb: ISAKMP: (0): cannot start aggressive mode, try the main mode.
  21:58:06.799 25 Feb: ISAKMP: (0): pair found pre-shared key matching 1.1.1.26
  Feb 25 21:58:06.799: ISAKMP: (0): built the seller-07 ID NAT - t
  Feb 25 21:58:06.799: ISAKMP: (0): built of NAT - T of the seller-03 ID
  Feb 25 21:58:06.799: ISAKMP: (0): built the seller-02 ID NAT - t
  21:58:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  21:58:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_READY = IKE._I_MM1

  Feb 25 21:58:06.803: ISAKMP: (0): Beginner Main Mode Exchange
  Feb 25 21:58:06.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE...
  Success rate is 0% (0/5)
  Sokuluk #.
  Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:16.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 1 5: retransmit the phase 1
  Feb 25 21:58:16.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:16.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:26.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  Feb 25 21:58:26.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:26.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  21:58:36.799 25 Feb: ISAKMP: set new node 0 to QM_IDLE
  21:58:36.799 25 Feb: ISAKMP: (0): SA is still budding. Attached new request ipsec. (2.2.2.226 local 1.1.1.26 remote)
  21:58:36.799 25 Feb: ISAKMP: error during the processing of HIS application: failed to initialize SA
  21:58:36.799 25 Feb: ISAKMP: error while processing message KMI 0, error 2.
  Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:36.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  Feb 25 21:58:36.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:36.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:46.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  Feb 25 21:58:46.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:46.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE...
  21:58:56.803 25 Feb: ISAKMP (0:0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  Feb 25 21:58:56.803: ISAKMP: (0): transmit phase 1 MM_NO_STATE
  Feb 25 21:58:56.803: ISAKMP: (0): lot of 1.1.1.26 sending my_port 500 peer_port 500 (I) MM_NO_STATE
  21:59:06.799 25 Feb: ISAKMP: (0): the peer is not paranoid KeepAlive.

  21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
  21:59:06.799 25 Feb: ISAKMP: (0): removal of reason HIS State "P1 remove notification (en)" (I) MM_NO_STATE (post 1.1.1.26)
  21:59:06.799 25 Feb: ISAKMP: Unlocking counterpart struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
  21:59:06.799 25 Feb: ISAKMP: delete peer node by peer_reap for 1.1.1.26: 834B2AB4
  21:59:06.799 25 Feb: ISAKMP: (0): node-254301187 error suppression FALSE reason 'IKE deleted.
  21:59:06.799 25 Feb: ISAKMP: (0): node-1584635621 error suppression FALSE reason 'IKE deleted.
  21:59:06.799 25 Feb: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  21:59:06.799 25 Feb: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_DEST_SA

  Here is the download page for 871 router - IOS 12.4 (15) T14:

  http://www.Cisco.com/Cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=available&RelType=all

  However, you will need to have Smartnet contract and your link of CEC account to the contract in order to download the software.

• Cannot resolve the problem between ASA - CheckPoint (VPN)

  Hi team,

  I have a strange problem with a L2L VPN between an ASA on my side and a checkpoint as her counterpart.

  The IPsec tunnel works very well, but from time to time, the traffic stop through the tunnel.

  Scenario:

  172.31.250.0/28--ASA---Internet---checkpoint---200.122.x.y/32

  I've done many tunnels between ASAs and control points, but this time we found this:

  access extensive list ip 172.31.250.0 outside_1_cryptomap allow 255.255.255.240 host 200.122.164.165

  local ident (addr, mask, prot, port): (172.31.250.0/255.255.255.240/0/0)

  Remote ident (addr, mask, prot, port): (200.122.164.165/255.255.255.255/0/0)

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 1148, #pkts decrypt: 1148, #pkts check: 1148

  local ident (addr, mask, prot, port): (172.31.250.8/255.255.255.248/0/0)

  Remote ident (addr, mask, prot, port): (200.122.164.0/255.255.255.0/0/0)

  #pkts program: 27682, #pkts encrypt: 27683, #pkts digest: 27683

  #pkts decaps: 27683, #pkts decrypt: 27683, #pkts check: 27683

  local ident (addr, mask, prot, port): (172.31.250.8/255.255.255.248/0/0)

  Remote ident (addr, mask, prot, port): (200.122.164.165/255.255.255.255/0/0)

  #pkts program: 3579, #pkts encrypt: 3579, #pkts digest: 3579

  #pkts decaps: 10443, #pkts decrypt: 10443, #pkts check: 10443

  Traffic is defined between 172.31.250.0/28 and a single host, but I see three SAs:

  1 172.31.250.0/28 - 200.122.164.165/32

  2 172.31.250.8/32 - 200.122.164.0/24

  3 172.31.250.8/32 - 200.122.164.165/32

  What is the reason for this?

  The reason why I have paste this above is because the control point defines the traffic "interesting" as two rules (one in each direction).

  Control point:

  Rule 1: The traffic of 200.122.164.165/32 172.31.250.0/28

  Rule 2: The traffic of 172.31.250.0/28 200.122.164.165/32

  So, I think that the problem occurs because we hear by the SAs of the phase 2 bidirectional rules (crypto ACL), and control point sets the SAs of the phase 2 as one-way rules. Even if traffic matches, I see the output above.

  I think this means that the ASA receives a portion of the traffic in a SA and send it via another, and I don't know if that is causing the problem and if so, how to fix?

  The problem is totally random. We have reduced the time to generate a new key for 2 minutes at the minute of the phase 2 and 5 on the phase 1 and there is no problem during the generate a new key.

  We had not been able to capture the log at the exact moment of the problem. Then the tunnel suddenly rises again and start working.

  ASA 5510 version 8.2 (5)

  Any help is appreciated!

  Federico.

  Federico,

  New installation SAs is not so to generate a new key, it consicides with a homologous assuming it matches traffic again and must so initial has ITS new.

  Now when we have a static, selector of this SA traffic encryption card new must match what we defined in the ACL.

  Generally, you will get an error if there is absolutely no match and tunnel would fail to phase 2.

  I want to just make sure we're on the same page. When it ends on a dynamic encryption card, we know (or rarely know) what will look like the SA distance so we accept everything.

  I do not say that this checkpoint of the half was here half it matched. I say it's more likely (for some reason I couldn't be aware, or a bug) implemented match the ACL under static crypto map.

  Marcin

• Using Loopback Interface as Source GRE/IPSec tunnel

  Hi all:

  I need one to spend a working router to router VPN tunnel using an IP WAN IP interface loopback as a source.  I am able to ping the loopback from the other router.  As soon as I change the source of tunnel to use the loopback IP address, change the encryption ACL map, and move the cryptographic card of the WAN interface to the loopback interface, the tunnel will not come to the top.  If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel.  On the other router, I see the message that says that's not encrypting the traffic below.

  * 00:10:33.515 Mar 1: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet. (ip) vrf/adr_dest = 192.168.0.1, src_addr = 192.168.1.2, prot = 47

  What Miss me?  Is there something else that needs to be done to use the closure of a GRE/IPSec tunnel?

  I have install below config in the laboratory to see if I can get it even work in a non-production environment.

  R1 WAN IP: 192.168.0.1

  R2 WAN IP: 192.168.0.2

  R2 Closure: 192.168.1.2

  hostname R2

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  ISAKMP crypto key abc123 address 192.168.0.1

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac T1

  transport mode

  !

  crypto map 1 VPN ipsec-isakmp

  Description remote control

  defined peer 192.168.0.1

  game of transformation-T1

  match address VPN1

  !

  interface Loopback0

  IP 192.168.1.2 255.255.255.255

  VPN crypto card

  !

  Tunnel1 interface

  IP 172.30.240.2 255.255.255.252

  IP mtu 1440

  KeepAlive 10 3

  tunnel source 192.168.1.2

  tunnel destination 192.168.0.1

  VPN crypto card

  !

  interface FastEthernet0

  IP 192.168.0.2 255.255.255.0

  !

  VPN1 extended IP access list

  allow ACCORD 192.168.1.2 host 192.168.0.1

  you have tried to add "card crypto VPN 1 - address Loopback0".

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.