IPSec VPN between ASAs with same subnet for disaster recovery
Hello
I need some clarification from you guys.
To do disaster EasyVPN tunnels for the Cisco ASA 5505 firewall recovery site. Now, there is only one main site and 3 remote sites.
Dr., must use the same subnet that it is on the main site because virtual machines Vmware will be replicated to DR.
For the DR we use Double-Take software.
What is the best solution for this? I think we could use NAT of Destination on ASAs. Other sites (HQ and remote control) will be directed to only address NAT of the
DR and not real which is the same as on the main site.
So guys, will this work? We are using IPSec VPN? In packet - trace on ASA, I see that the package is the first using a NAT, and then encrypted, so it should work, Yes?
I hope someone can confirm this.
I can confirm that this will work certainly,
for prior type natting see 8.3:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag
for 8.3 and later it is also achievable.
Tags: Cisco Security
Similar Questions
-
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
-
Hi all
My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.
I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:
company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN
where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.
I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...
! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
crypto ISAKMP policy 5
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
isakmp encryption key * address no.-xauth y.y.y.y! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
crymap extended IP access list
IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
card crypto 1 TUNNEL VPN ipsec-isakmp
defined peer y.y.y.y
game of transformation-ESP-3DES-SHA
match the address crymapGi0/2 interface
card crypto VPN TUNNELHello
debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.
What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.
So I suggest:
no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">-->
Then try tunnel initiate.
Kind regards
Jan
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with IPSEC VPN between ASA and cisco router
I think that there is a problem in the phase 2
Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified belowLooking forward for your help
Phase 1 is like that
Cisco_router #sh crypto isakmp his
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVEand ASA
ASA # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEPhase 2 on SAA
ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393ABSAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: YPhase 2 on cisco router
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
VPN configuration is less in cisco router
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectaccess-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectsheep allowed 10 route map
corresponds to the IP 105Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset
mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.
You currently have:
Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIt should be:
Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)
To remove it and add it to the bottom:
105 extended IP access list
not 5
IP 172.19.194.0 allow 60 0.0.0.255 any
Then ' delete ip nat trans. "
and it should work now.
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
ASA 5505 - I can't create an IPSEC VPN between two ASA 5505
Hello
I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:
1 Configure ASA-1 (host name, vlan 1 and vlan 2).
2. configure a static route
3. create object network (local and remote)
4. create the access list
5. create ikev1 crypto
6. create tunnel-group
7 Configure nat
and I repeat the steps above with the ASA but another change IP.
Are to correct the above steps?
Why can I not create an IPSEC VPN between devices?.
No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.
-
Configure several IPSec VPN between Cisco routers
I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.
As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?
RouterA - 1.1.1.1
RouterB - 2.2.2.2
RouterC - 3.3.3.3
RouterA
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto key RouterB address 2.2.2.2
ISAKMP crypto keys RouterC address 3.3.3.3
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 5 10 periodicals
ISAKMP crypto nat keepalive 30
!
life crypto ipsec security association seconds 28800
!
Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac
!
outsidemap 20 ipsec-isakmp crypto map
defined peer 2.2.2.2
game of transformation-AES-SHA
match address 222
outsidemap 30 ipsec-isakmp crypto map
defined peer 3.3.3.3
game of transformation-AES-SHA
match address 333
!
interface GigabitEthernet0/0
Description * Internet *.
NAT outside IP
outsidemap card crypto
!
interface GigabitEthernet0/1
Description * LAN *.
IP 1.1.1.1 255.255.255.0
IP nat inside
!
IP nat inside source map route RouterA interface GigabitEthernet0/0 overload
!
access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 223 allow ip 1.1.1.0 0.0.0.255 any
access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 334 allow ip 1.1.1.0 0.0.0.255 any
!
!
RouterA route map permit 10
corresponds to the IP 223 334
Hi Chris,
The two will remain active.
The configuration you have is for several ste VPN site is not for the redundant VPN.
The config for the redundant VPN is completely different allows so don't confuse is not with it.
In the redundant VPN configuration both peers are defined in the same card encryption.
Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.
This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel
HTH!
Concerning
Regnier
Please note all useful posts
-
IPSec VPN between Cisco and ScreenOS
Hello
I'm trying to set up a simple IPSec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS (not exactly now the model) device. Initially the debbuging seems good (QM_IDLE), but the ISAKMP Security Association is deleted.
The guy managing the Juniper device send me an extract from his diary:
###########################################################################
2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID
System 9b 839579: negotiations failed.
2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11
of
: 500 to 217.150.152.45:500 with cookies
87960e39d074ca49 and 9302d26c7ce324a5
because there is no acceptable Phase
2 proposals...
It has defined the following phase 2 proposals:
IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second
###########################################################################
And I use these:
###########################################################################
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
ISAKMP crypto key
address 217.150.152.45 Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac
card crypto ipsec vpn 2 isakmp
Description * VPN Anbindung nach PKI in Magdeburg *.
defined by peer 217.150.152.45
define security-association life seconds 1800
the value of the transform-set esp - aes
match address PKI-TRAFFIC
!
###########################################################################
Here is my Log:
#################################################################################################################
28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL)
28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500
28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A
28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator
28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500
28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE
28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success
28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode.
28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID
28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t
28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange
28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE
28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found
28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth...
28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
28 August 08:23:46.448: ISAKMP: AES - CBC encryption
28 August 08:23:46.448: ISAKMP: SHA hash
28 August 08:23:46.448: ISAKMP: group by default 2
28 August 08:23:46.448: ISAKMP: pre-shared key auth
28 August 08:23:46.448: ISAKMP: keylength 256
28 August 08:23:46.448: ISAKMP: type of life in seconds
28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0
28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0
28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4
28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400
28 August 08:23:46.448: ISAKMP: (0): return real life: 86400
28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400.
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD
28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment
28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload
28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled
28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE.
28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP
28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. Message ID = 0
28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4
28 August 08:23:46.508: ISAKMP: (1049): send initial contact
28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
28 August 08:23:46.508: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 92.67.80.237
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12
28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5
28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0
28 August 08:23:46.540: ISAKMP (1049): payload ID
next payload: 8
type: 1
address: 217.150.152.45
Protocol: 17
Port: 500
Length: 12
28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles
28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0
28 August 08:23:46.540: ISAKMP: (1049): SA authentication status:
authenticated
28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45
28 August 08:23:46.540: ISAKMP: try inserting a peer
/217.150.152.45/500/ and inserted 2A2D7150 successfully. 28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6
28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006
28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi
28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1
28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455
28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1
SPI 0, message ID =-452721455, his 0x31627E04 =
28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive.
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
Intertoys_Zentrale_Waddinxveen_01 #.
28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150
28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA
#################################################################################################################
Is there something special that needs to be addressed when creating a VPN for Juniper devices?
Greetings
Thomas
The peer IPSec a PFS enabled, do the same in your crypto-map:
card crypto ipsec vpn 2 isakmp
PFS group2 Set
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
IPSec vpn cisco asa and acs 5.1
We have configured authentication ipsec vpn cisco asa acs 5.1:
Here is the config in cisco vpn 5580:
standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123
GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.
When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get
error:
22040 wrong password or invalid shared secret
(pls see picture to attach it)
the system still works, but I don't know why, we get the error log.
Thanks for any help you can provide!
Duyen
Hello Duyen,
I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.
Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.
Please remove the authorization under the Tunnel of Group:
No authorization-server-group Gserver
Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.
Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.
I hope this helps.
Kind regards.
-
Procedures and guidelines for Disaster Recovery (DR)
Hi all
Our TI auditor asked me to submit/provide procedures for guidelines for disaster recovery.
I tried Google, but the process docs seem so vast and complex.
We have a dataguard configuration. Can I give him to the contrary the docs on how to recover/restore using Data Guard?
Can you share me link to good documentation on the recovery?
Thank you
Petra k.
> We have a dataguard configuration
Generally, the documentation is created with the Setup program. Documentation describing the configuration. Documentation detailing the procedures for different situations. Documentation that lists the commands to use and the expected responses for commands. Documentation that indicates the error handling methods if you try the commands.
Your dataguard configuration is incomplete without these documents.
Hemant K Collette
-
Certificates for IPSEC vpn in ASA 8.0 clients
Hello!
I have configured MS CA and I have setup client vpn and ASA 7.0 make tunnel with certificates.
Same configuration does not work with ASA 8.0 I get the error
CRYPTO_PKI: Check whether an identical cert is
already in the database...
CRYPTO_PKI: looking for cert = d4bb2888, digest = handle
B8 74 97 f3 bf 25 1 c e5 2nd e5 21 3rd d1 93 15 d6 |... t...%...! >....
CRYPTO_PKI: Recording of Cert not found, return E_NOT_FOUND
CRYPTO_PKI: Cert not found in the database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable trustpoint authenticated A1.
CRYPTO_PKI (make trustedCerts list) CRYPTO_PKI:check_key_usage: KeyUsage Incorrect
(40)
CRYPTO_PKI: Validation of certificate: State failure: 1873. Any attempt of recovery
If necessary revocation status
ERROR: Certificate validation failed. Peer certificate's key usage is not valid, ser
Number of the IAL: 250F3ECE0000000009AF, name of the object: cn = xxxxx, unit of organization = xxxx, o = xxxxx, c =
XX
CRYPTO_PKI: Certificate not validated
Why the use of the key is invalid? What model of certificate must be used in MS in order to get a regular use of the key?
The schooling of CA's Terminal.
Thank you!
The cert needs to have defined Digital Signature key usage.
Don't know what models are available on MS, but it should be something like "User Ipsec" I guess.
Make 8 ASA behave like ASA 7 (i.e. disable th control on the use of the key of the cert), configure:
Crypto ca trustpoint
ignore-ipsec-keyusage
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
Hello
First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.
The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.
I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.
I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:
4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry
5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!
6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF
3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1
6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)
and this, in the journal of customer:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 5.1.2600 Service Pack 3
24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002
Start the login process
25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "213.94.x.x".
27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x
29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021
Retransmit the last package!
36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014
Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.
40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.
Can you see what I'm doing wrong?
Thank you
Sam
Pls add the following policy:
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
You can also run debug on the ASA:
debugging cry isa
debugging ipsec cry
and retrieve debug output after trying to connect.
-
S - S VPN between ASA and ASR1001
Hello
We have 2 routers ASR to connected to ISP headquarters and there are new remote sites that must be connected to the AC over the site to site VPN. Each remote branch will be ASA, IPs outside of these two recommendations are in the same subnet.
1. is it possible to reach redudancy beside HQ in this design?
2. can I create L2L tunnels to two ASR? If yes how can I do 1 active tunnel and other secondary?
| ASR1
Users---L3SW---ASA---ISP---CPE---|
| ASR2
Any suggestions are welcome
Thank you
There are two ways:
- IPSec stateful failover
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/ - VPN config with two counterparts one ASA.
Here you have two individual bridges on the HQ and the ASA has two tunnel-groups en the two bridges but only a single sequence in the crypto plan. Peer education has two HQ - IPs configured.
- IPSec stateful failover
-
LAN to lan vpn between ASA and router 7200
Hi friends,
I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).
<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network
I will have the following configuration:
7200 router:
crypto ISAKMP policy 80
the enc
AUTH pre-shared
Group 1
life 3600
ISAKMP crypto key cisco123 address 192.168.12.2
Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans
map VPNTunnel 80 ipsec-isakmp crypto
defined by peer 192.168.12.2
game of transformation-VPNtrans
match address 110
int fa0/0
IP add 10.10.5.2 255.255.255.192
IP virtual-reassembly
no ip route cache
Speed 100
full duplex
card crypto VPNTunnel
access-list 110 permit ip any 192.135.5.0 0.0.0.255
ASA:
int e0/0
nameif inside
security-level 100
192.135.5.254 Add IP 255.255.255.0
int e0/1
nameif outside
security-level 0
IP add 192.168.12.2 255.255.255.240
access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any
Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1
"pre-shared key auth" ISAKMP policy 10
ISAKMP policy 10-enc
ISAKMP policy 10 md5 hash
10 1 ISAKMP policy group
ISAKMP duration strategy of life 10-3600
Crypto ipsec transform-set esp - esp-md5-hmac VPNtran
card crypto VPN 10 matches the ACL address
card crypto VPN 10 set peer 10.10.5.2
card crypto VPN 10 the transform-set VPNtran value
tunnel-group 10.10.5.2 type ipsec-l2l
IPSec-attributes of type tunnel-group 10.10.5.2
cisco123 pre-shared key
card crypto VPN outside interface
ISAKMP allows outside
dhcpd address 192.135.5.1 - 192.135.5.250 inside
dhcpd dns 172.15.4.5 172.15.4.6
dhcpd wins 172.15.76.5 172.15.74.5
dhcpd lease 14400
dhcpd ping_timeout 500
dhcpd allow inside
Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...
Please advise...
Thank you very much...
Where it fails at the present time?
Can you share out of after trying to establish the VPN tunnel:
See the isa scream his
See the ipsec scream his
Please also run the following debug to see where it is a failure:
debugging cry isa
debugging ipsec cry
(IP>7200>
Maybe you are looking for
-
Equium A100-027 - Question about the installation of Win 7:32-bit or 64-bit
Hello I have an Equium A100-027I have just ordered an upgrade to 2 GB RAM and want to do a new install of WINDOWS 7 on Vista. Should I go for the 32-bit version or 64 - not sure if I need one over the other based on the processor? Thanks in advance D
-
Hello I am contacting mi CANopen OR PCI CAN Series 2 and a module HBM MP55. This module provides an interface to PDO CAN. I tried with the NI CANopen Receive.vi example but I only get messages from the interface when I disconnect the connection and r
-
I walk Canon D5 mark iii and Nikon D800E
I've been with Canon products for 30 years on SLR & DSLR camera and video... And now look forward to the Nikon DSLR camera... As Nikon D800E full frame DSLR... Please give me an advice.
-
Change via the registry account lockout policy
I'm trying to change through the registry account lockout policy; However I can't find the way/keys relevant Registry. The specific setting I need to change is the LockoutDuration. The PC is a stand alone and is not on a domain. Does anyone know the
-
How to search with options in Windows 7?
I'm trying to search for a file, but with options to filter a search. So I click on the start menu button and enter the name of the file as possible. BUT, I want to enter a date range, an extension or the keyword that may be in the file. I've been