IPSEC VPN between Pix 515E and 1841 router

Hi all

BACKGROUND

We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.

PROBLEM

The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.

Any help much appreciated.

You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.

As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.

For a feature, it would be preferable to static IP addresses on both sides.

Tags: Cisco Security

Similar Questions

IPSec VPN between Cisco ASA and Fortigate1000

Hello

I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

The question is: How do I configure the interface on the SAA ACCORD?

Thanks in advance, Experts...

Kind regards...

ASA firewall does not support the interface/GRE GRE tunnel.

If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

Hope that helps.

Problem with IPsec VPN between ASA and router Cisco - ping is not response

Hello

I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

my network topology data:

LAN 1 connect ASA - 1 (inside the LAN)

PC - 10.0.1.3 255.255.255.0 10.0.1.1

ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

-----------------------------------------------------------------

ASA - 1 Connect (LAN outide) R1

ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

---------------------------------------------------------------------

R1 R2 to connect

R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

R2 for lan connection 2

--------------------------------------------------------------------

R2 to connect LAN2

R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

PC - 10.0.2.3 255.255.255.0 10.0.2.1

ASA configuration:

1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1

------------------------------------------------------------

access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outside

R2 configuration:

interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime

-----------------------------------------------------

router RIP
version 2
Network 10.0.2.0
network 172.30.2.0

------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to

------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300

------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2

-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS

------------------------------------------------------

access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

------------------------------------------------------

R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPN

I don't know what the problem

Thank you

If the RIP is not absolutely necessary for you, try adding the default route to R2:

IP route 0.0.0.0 0.0.0.0 172.16.2.1

If you want to use RIP much, add permissions ACL 102:

access-list 102 permit udp any any eq 520

IPSec VPN between Cisco and ScreenOS

Hello

I'm trying to set up a simple IPSec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS (not exactly now the model) device. Initially the debbuging seems good (QM_IDLE), but the ISAKMP Security Association is deleted.

The guy managing the Juniper device send me an extract from his diary:

###########################################################################

2012-08-28 10:24:16 info 00536 IKE Phase 2 msg ID System

9b 839579: negotiations failed.

2012-08-28 10:24:16 info system 00536 rejected a package of IKE loopback.11

of : 500 to

217.150.152.45:500 with cookies

87960e39d074ca49 and 9302d26c7ce324a5

because there is no acceptable Phase

2 proposals...

It has defined the following phase 2 proposals:

IKE the value p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256-sha-1, 1800 second

###########################################################################

And I use these:

###########################################################################

crypto ISAKMP policy 1

BA aes 256

preshared authentication

Group 2

!

ISAKMP crypto key address 217.150.152.45

Crypto ipsec transform-set esp - aes esp - aes 256 esp-sha-hmac

card crypto ipsec vpn 2 isakmp

Description * VPN Anbindung nach PKI in Magdeburg *.

defined by peer 217.150.152.45

define security-association life seconds 1800

the value of the transform-set esp - aes

match address PKI-TRAFFIC

!

###########################################################################

Here is my Log:

#################################################################################################################

28 August 08:23:46.416: ISAKMP: (0): profile of THE request is (NULL)

28 August 08:23:46.416: ISAKMP: created a struct peer 217.150.152.45, peer port 500

28 August 08:23:46.416: ISAKMP: new position created post = 0x2A2D7150 peer_handle = 0x8000003A

28 August 08:23:46.416: ISAKMP: lock struct 0x2A2D7150, refcount 1 to peer isakmp_initiator

28 August 08:23:46.416: ISAKMP: 500 local port, remote port 500

28 August 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE

28 August 08:23:46.416: ISAKMP: (0): insert his with his 31627E04 = success

28 August 08:23:46.416: ISAKMP: (0): cannot start aggressive mode, try the main mode.

28 August 08:23:46.416: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

28 August 08:23:46.416: ISAKMP: (0): built the seller-07 ID NAT - t

28 August 08:23:46.416: ISAKMP: (0): built of NAT - T of the seller-03 ID

28 August 08:23:46.416: ISAKMP: (0): built the seller-02 ID NAT - t

28 August 08:23:46.416: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

28 August 08:23:46.416: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

28 August 08:23:46.416: ISAKMP: (0): Beginner Main Mode Exchange

28 August 08:23:46.416: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_NO_STATE

28 August 08:23:46.416: ISAKMP: (0): sending a packet IPv4 IKE.

28 August 08:23:46.448: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_NO_STATE

28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

28 August 08:23:46.448: ISAKMP: (0): treatment ITS payload. Message ID = 0

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload

28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled

28 August 08:23:46.448: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.448: ISAKMP: (0): pre-shared key local found

28 August 08:23:46.448: ISAKMP: analysis of the profiles for xauth...

28 August 08:23:46.448: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

28 August 08:23:46.448: ISAKMP: AES - CBC encryption

28 August 08:23:46.448: ISAKMP: SHA hash

28 August 08:23:46.448: ISAKMP: group by default 2

28 August 08:23:46.448: ISAKMP: pre-shared key auth

28 August 08:23:46.448: ISAKMP: keylength 256

28 August 08:23:46.448: ISAKMP: type of life in seconds

28 August 08:23:46.448: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

28 August 08:23:46.448: ISAKMP: (0): atts are acceptable. Next payload is 0

28 August 08:23:46.448: ISAKMP: (0): Acceptable atts: real life: 0

28 August 08:23:46.448: ISAKMP: (0): Acceptable atts:life: 0

28 August 08:23:46.448: ISAKMP: (0): fill atts in his vpi_length:4

28 August 08:23:46.448: ISAKMP: (0): fill atts in his life_in_seconds:86400

28 August 08:23:46.448: ISAKMP: (0): return real life: 86400

28 August 08:23:46.448: ISAKMP: (0): timer life Started: 86400.

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 239

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): provider ID is DPD

28 August 08:23:46.448: ISAKMP: (0): load useful vendor id of treatment

28 August 08:23:46.448: ISAKMP: (0): IKE frag vendor processing id payload

28 August 08:23:46.448: ISAKMP: (0): IKE Fragmentation support not enabled

28 August 08:23:46.448: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.448: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

28 August 08:23:46.448: ISAKMP: (0): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_SA_SETUP

28 August 08:23:46.448: ISAKMP: (0): sending a packet IPv4 IKE.

28 August 08:23:46.452: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.452: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

28 August 08:23:46.484: ISAKMP (0): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_SA_SETUP

28 August 08:23:46.484: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.484: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

28 August 08:23:46.484: ISAKMP: (0): processing KE payload. Message ID = 0

28 August 08:23:46.508: ISAKMP: (0): processing NONCE payload. Message ID = 0

28 August 08:23:46.508: ISAKMP: (0): pair found pre-shared key matching 217.150.152.45

28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM4

28 August 08:23:46.508: ISAKMP: (1049): send initial contact

28 August 08:23:46.508: ISAKMP: (1049): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

28 August 08:23:46.508: ISAKMP (1049): payload ID

next payload: 8

type: 1

address: 92.67.80.237

Protocol: 17

Port: 500

Length: 12

28 August 08:23:46.508: ISAKMP: (1049): the total payload length: 12

28 August 08:23:46.508: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH

28 August 08:23:46.508: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.508: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.508: ISAKMP: (1049): former State = new State IKE_I_MM4 = IKE_I_MM5

28 August 08:23:46.540: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) MM_KEY_EXCH

28 August 08:23:46.540: ISAKMP: (1049): payload ID for treatment. Message ID = 0

28 August 08:23:46.540: ISAKMP (1049): payload ID

next payload: 8

type: 1

address: 217.150.152.45

Protocol: 17

Port: 500

Length: 12

28 August 08:23:46.540: ISAKMP: (0): peer games * no * profiles

28 August 08:23:46.540: ISAKMP: (1049): HASH payload processing. Message ID = 0

28 August 08:23:46.540: ISAKMP: (1049): SA authentication status:

authenticated

28 August 08:23:46.540: ISAKMP: (1049): SA has been authenticated with 217.150.152.45

28 August 08:23:46.540: ISAKMP: try inserting a peer /217.150.152.45/500/ and inserted 2A2D7150 successfully.

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM5 = IKE_I_MM6

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_I_MM6

28 August 08:23:46.540: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

28 August 08:23:46.540: ISAKMP: (1049): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

28 August 08:23:46.540: ISAKMP: (1049): start Quick Mode Exchange, M - ID of 1582159006

28 August 08:23:46.552: ISAKMP: (1049): initiator QM gets spi

28 August 08:23:46.552: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE

28 August 08:23:46.552: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.552: ISAKMP: (1049): entrance, node-1582159006 = IKE_MESG_INTERNAL, IKE_INIT_QM

28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_QM_READY = IKE_QM_I_QM1

28 August 08:23:46.552: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

28 August 08:23:46.552: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

28 August 08:23:46.584: ISAKMP (1049): received 217.150.152.45 packet dport 500 sport Global 500 (I) QM_IDLE

28 August 08:23:46.584: ISAKMP: node set-452721455 to QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): HASH payload processing. Message ID =-452721455

28 August 08:23:46.584: ISAKMP: (1049): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 1

SPI 0, message ID =-452721455, his 0x31627E04 =

28 August 08:23:46.584: ISAKMP: (1049): peer does not paranoid KeepAlive.

28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)

28 August 08:23:46.584: ISAKMP: (1049): node-452721455 error suppression FALSE reason 'informational (en) State 1.

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

28 August 08:23:46.584: ISAKMP: node set 494253780 to QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): lot of 217.150.152.45 sending my_port 500 peer_port 500 (I) QM_IDLE

28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.

28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)

Intertoys_Zentrale_Waddinxveen_01 #.

28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0

28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150

28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.

28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA

#################################################################################################################

Is there something special that needs to be addressed when creating a VPN for Juniper devices?

Greetings

Thomas

The peer IPSec a PFS enabled, do the same in your crypto-map:

card crypto ipsec vpn 2 isakmp

PFS group2 Set

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

PPTP VPN between clients Windows and Cisco 2921 router

Hi all!

I have a problem with PPTP VPN between Windows clients and router Cisco 2921 with permission of RADIUS (IAS). When I try to connect to Cisco 2921 of Windows 7 by using MS-CHAP v2 I get the message 778: it was not possible to verify the identity of the server. Can I use PAP - power is OK. On Windows XP, the same situation.

Cisco config:

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

!

hostname gw.izmv

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

AAA new-model

!

AAA authentication ppp default local radius group of

!

AAA - the id of the joint session

!

clock timezone + 002 2

!

No ipv6 cef

IP source-route

IP cef

!

!

Authenticated MultiLink bundle-name Panel

!

Async-bootp Server dns 192.168.192.XX

VPDN enable

!

VPDN-Group 1

! PPTP by default VPDN group

accept-dialin

Pptp Protocol

virtual-model 1

echo tunnel PPTP 10

tunnel L2TP non-session timeout 15

PMTU IP

adjusting IP mtu

!

redundancy

!

interface Loopback0

IP 192.168.207.1 255.255.255.0

!

!

interface GigabitEthernet0/0

Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

IP 192.168.192.XXX 255.255.255.0

IP 192.168.192.XX 255.255.255.0 secondary

IP nat inside

IP virtual-reassembly

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/1

no ip address

Shutdown

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/2

Description - Inet-

no ip address

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

PPPoE enable global group

PPPoE-client dial-pool-number 1

No cdp enable

!

!

interface virtual-Template1

IP unnumbered Loopback0

IP mtu 1492

IP virtual-reassembly

AutoDetect encapsulation ppp

by default PPP peer ip address pool

PPP mppe auto encryption required

PPP authentication ms-chap-v2

!

!

interface Dialer1

the negotiated IP address

NAT outside IP

IP virtual-reassembly

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP authentication pap callin

PPP pap sent-username DSLUSERNAME password DSLPASSWORD

No cdp enable

!

!

IP local pool PPP 192.168.207.200 192.168.207.250

IP forward-Protocol ND

!

!

overload of IP nat inside source list NAT_ACL interface Dialer1

IP nat inside source static tcp 192.168.192.XX 25 expandable 25 82.XXX.XXX.XXX

IP nat inside source static tcp 192.168.192.XX 1352 82.XXX.XXX.XXX 1352 extensible

IP route 0.0.0.0 0.0.0.0 Dialer1

!

NAT_ACL extended IP access list

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255

permit tcp 192.168.192.0 0.0.0.255 any eq www

permit tcp 192.168.192.0 0.0.0.255 any eq 443

permit tcp 192.168.192.0 0.0.0.255 any eq 1352

permit tcp host 192.168.192.XX no matter what eq smtp

permit tcp 192.168.192.0 0.0.0.255 any eq 22

permit tcp host 192.168.192.XX no matter what eq field

permit tcp host 192.168.192.XX no matter what eq field

permit tcp host 192.168.192.XX no matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

allowed UDP host 192.168.192.XX matter what eq field

!

host 192.168.192.XX auth-port 1645 1646 RADIUS server acct-port

Server RADIUS IASKEY key

!

control plan

!

!

!

Line con 0

line to 0

line vty 0 4

line vty 5 15

!

Scheduler allocate 20000 1000

end

Debugging is followed:

14:47:51.755 on 21 oct: PPP: Alloc context [294C7BC4]

14:47:51.755 on 21 oct: ppp98 PPP: Phase is

14:47:51.755 on 21 oct: ppp98 PPP: using AAA Id Unique = 8 b

14:47:51.755 on 21 oct: ppp98 PPP: permission NOT required

14:47:51.755 on 21 oct: ppp98 PPP: via vpn, set the direction of the call

14:47:51.755 on 21 oct: ppp98 PPP: treatment of connection as a callin

14:47:51.755 on 21 oct: ppp98 PPP: Session Session handle [62] id [98]

14:47:51.755 on 21 oct: ppp98 TPIF: State of the event [OPEN] [initial check]

14:47:51.755 on 21 oct: ppp98 PPP LCP: switch to passive mode, State [stopped]

14:47:53.759 on 21 oct: ppp98 PPP LCP: exit passive mode, State [departure]

14:47:53.759 on 21 oct: LCP ppp98: O CONFREQ [departure] id 1 len 19

14:47:53.759 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:53.759 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

14:47:53.759 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

14:47:53.759 on 21 oct: ppp98 TPIF: event [UP] State [departure at REQsent]

14:47:54.351 on 21 oct: ppp98 TPIF: I CONFREQ [REQsent] id 0 len 18

14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

14:47:54.351 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:54.351 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:54.351 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:54.351 on 21 oct: LCP ppp98: O CONFNAK [REQsent] id 0 len 8

14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.351 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [REQsent to REQsent]

14:47:54.751 on 21 oct: ppp98 TPIF: I CONFACK [REQsent] id 1 len 19

14:47:54.751 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.751 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

14:47:54.751 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

14:47:54.751 on 21 oct: ppp98 TPIF: State of the event [receive ConfAck] [REQsent to ACKrcvd]

14:47:54.915 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 1 len 18

14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

14:47:54.915 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:54.915 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:54.915 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:54.915 on 21 oct: LCP ppp98: O CONFNAK [ACKrcvd] id 1 len 8

14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:54.915 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd]

14:47:55.275 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 2 len 18

14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:55.275 on 21 oct: LCP ppp98: O CONFACK [ACKrcvd] id 2 len 18

14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

14:47:55.275 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq +] [ACKrcvd to open]

14:47:55.295 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING,

14:47:55.295 on 21 oct: ppp98 MS-CHAP-V2: O CHALLENGE id 1 len 28 of 'gw.izmv '.

14:47:55.295 on 21 oct: ppp98 TPIF: State is open

14:47:55.583 on 21 oct: ppp98 MS-CHAP-V2: I ANSWER id 1 len 71 of "domain\username".

14:47:55.583 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

14:47:55.583 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING, unauthenticated user

14:47:55.587 on 21 oct: ppp98 PPP: request sent MSCHAP_V2 LOGIN

14:47:55.591 on 21 oct: ppp98 PPP: received LOGIN response PASS

14:47:55.591 on 21 oct: ppp98 PPP AUTHOR: author data NOT available

14:47:55.591 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

14:47:55.595 on 21 oct: Vi3 PPP: Phase is AUTHENTICATING, authenticated user

14:47:55.595 on 21 oct: Vi3: given msg No. MS_CHAP_V2

14:47:55.595 on 21 oct: Vi3 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "tG @ #QDD @(@B@ (@[email protected]/ ** / @I @:[email protected]/ ** / @@@ EJFDE)).

14:47:55.595 on 21 oct: Vi3 PPP: Phase is in PLACE

14:47:55.595 on 21 oct: Vi3 CPIW: protocol configured, start state cf. [original]

14:47:55.595 on 21 oct: Vi3 CPIW: State of the event [OPEN] [Initial report on startup]

14:47:55.595 on 21 oct: Vi3 CPIW: O CONFREQ [departure] id 1 len 10

14:47:55.595 on 21 oct: Vi3 CPIW: address of 192.168.207.1 (0x0306C0A8CF01)

14:47:55.595 on 21 oct: Vi3 CPIW: event [UP] State [begins to REQsent]

14:47:55.595 on 21 oct: Vi3 CCP: protocol configured, start state cf. [original]

14:47:55.595 on 21 oct: Vi3 CCP: State of the event [OPEN] [Initial report on startup]

14:47:55.595 on 21 oct: Vi3 CCP: O CONFREQ [departure] id 1 len 10

14:47:55.595 on 21 oct: Vi3 CCP: MS - PPC supported bits 0 x 01000060 (0 x 120601000060)

14:47:55.595 on 21 oct: Vi3 CCP: event [UP] State [begins to REQsent]

14:47:55.599 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to

14:47:55.603 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, changed State to

14:47:56.027 on 21 oct: Vi3 LCP: I have TERMREQ [open] id 3 len 16

14:47:56.027 on 21 oct: Vi3 LCP: (0x2F7C5F7E003CCD740000030A)

14:47:56.027 on 21 oct: Vi3 CPIW: event [BOTTOM] State [REQsent on startup]

14:47:56.027 on 21 oct: Vi3 CPIW: State of event [CLOSE] [begins with initial]

14:47:56.027 on 21 oct: Vi3 CCP: event [BOTTOM] State [REQsent on startup]

14:47:56.027 on 21 oct: Vi3 PPP DISC: MPPE required not negotiated

14:47:56.027 on 21 oct: Vi3 PPP: sending Acct event [low] id [8B]

14:47:56.027 on 21 oct: Vi3 CCP: State of event [CLOSE] [start with initial]

14:47:56.027 on 21 oct: Vi3 LCP: O TERMACK [open] id 3 len 4

14:47:56.027 on 21 oct: Vi3 LCP: event [receive TermReq] State [Open to stop]

14:47:56.027 on 21 oct: Vi3 PPP: Phase ENDS

14:47:56.027 on 21 oct: Vi3 LCP: event [CLOSE] [off status of closing]

14:47:56.675 on 21 oct: Vi3 PPP: block vaccess to be released [0x10]

14:47:56.675 on 21 oct: Vi3 LCP: event [CLOSE] State [closing closing]

14:47:56.679 on 21 oct: Vi3 LCP: event [BOTTOM] State [closing on Initial]

14:47:56.679 on 21 oct: Vi3 PPP: compensation AAA Id Unique = 8 b

14:47:56.679 on 21 oct: Vi3 PPP: unlocked by [0x10] always locked by 0 x [0]

14:47:56.679 on 21 oct: Vi3 PPP: free previously blocked vaccess

14:47:56.679 on 21 oct: Vi3 PPP: Phase is BROKEN

14:47:56.679 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to down

14:47:56.683 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, state change downstairs

I'll be very grateful for any useful suggestions

We had the same problem using MS-CHAP-V2 and 3945 router using IOS 15.2. When you add the same combination of username/password locally it worked fine but it wasn't no of course of the solution. We have solved this problem by adding the following line in the config file:

AAA authorization network default authenticated if

This is because Windows 2000 clients require the use of a statement of authorization aaa in the router config. Maybe it was default (and therefore not shown) previous iOS releases.

Success!

Wil Schenkeveld

ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

Hello

I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

1 Configure ASA-1 (host name, vlan 1 and vlan 2).

2. configure a static route

3. create object network (local and remote)

4. create the access list

5. create ikev1 crypto

6. create tunnel-group

7 Configure nat

and I repeat the steps above with the ASA but another change IP.

Are to correct the above steps?

Why can I not create an IPSEC VPN between devices?.

No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

Configure several IPSec VPN between Cisco routers

I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.

As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?

RouterA - 1.1.1.1

RouterB - 2.2.2.2

RouterC - 3.3.3.3

RouterA

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

ISAKMP crypto key RouterB address 2.2.2.2

ISAKMP crypto keys RouterC address 3.3.3.3

invalid-spi-recovery crypto ISAKMP

ISAKMP crypto keepalive 5 10 periodicals

ISAKMP crypto nat keepalive 30

!

life crypto ipsec security association seconds 28800

!

Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac

!

outsidemap 20 ipsec-isakmp crypto map

defined peer 2.2.2.2

game of transformation-AES-SHA

match address 222

outsidemap 30 ipsec-isakmp crypto map

defined peer 3.3.3.3

game of transformation-AES-SHA

match address 333

!

interface GigabitEthernet0/0

Description * Internet *.

NAT outside IP

outsidemap card crypto

!

interface GigabitEthernet0/1

Description * LAN *.

IP 1.1.1.1 255.255.255.0

IP nat inside

!

IP nat inside source map route RouterA interface GigabitEthernet0/0 overload

!

access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 223 allow ip 1.1.1.0 0.0.0.255 any

access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

access-list 334 allow ip 1.1.1.0 0.0.0.255 any

!

!

RouterA route map permit 10

corresponds to the IP 223 334

Hi Chris,

The two will remain active.

The configuration you have is for several ste VPN site is not for the redundant VPN.

The config for the redundant VPN is completely different allows so don't confuse is not with it.

In the redundant VPN configuration both peers are defined in the same card encryption.

Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.

This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel

HTH!

Concerning

Regnier

Please note all useful posts

Setting up a VPN between a WRVS4400N and ASA device

I'm a newbie when it comes to Cisco devices and I have a problem setting a VPN between a local and a seat some distance away.

Here, our local office, we have a device Cisco WRVS4400N Small Business.

At Headquarters, they have a feature of Cisco ASA.

We must set up a point to point VPN and I have no idea how to proceed with these devices.

To compound things, resources, I'm at the other end in an unknown entity that also does not seem to have a lot of experience with this.

Is there any type of step by step guide for such a configuration?

If not, can someone please help with this?

Hello William,.

I would call 1866-606-1866 Support Center for assistance on the side the tunnel then the entire side of the ASA WRVS has to do is match the settings. If the side ASA needs support with which we can transfer more TAC.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - security

VPN - Pix 515e for Cisco router

I have the following Setup and I can't seem to get the next tunnel. My end is a PIX 515e race 7.2 (4). The other end is a Cisco router-not sure of the model or version of the IOS.

PIX:

90 extended access-list allow ip host a.a.a.a host b.b.b.b

NAT (inside) - 0-90 access list

correspondence address card crypto mymap 20 90
card crypto mymap 20 peers set x.x.x.x
map mymap 20 set transformation-strong crypto
mymap outside crypto map interface
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 8
preshared authentication
3des encryption
sha hash
Group 2
life 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key 12345

Router:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} / * Définitions de style * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

SDM_5 extended IP access list

permit ip host b.b.b.b host a.a.a.a

ISAKMP crypto key 12345 address y.y.y.y no.-xauth

map SDM_CMAP_1 5 ipsec-isakmp crypto

Description vpn for laboratory

defined peer y.y.y.y

game of transformation-ESP-3DES-SHA

match address SDM_5

I'm running him debugs following:

Debug crypto ipsec enabled at level 1
ISAKMP crypto debugging enabled at level 1

I get the following debug output:

August 16-04:16:10 [IKEv1]: IP = x.x.x.x, counterpart of drop table counterpart, didn't match!
August 16-04:16:10 [IKEv1]: IP = x.x.x.x, error: cannot delete PeerTblEntry

Isa HS her

IKE Peer: x.x.x.x
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2

Any ideas?

Thank you

Dave

If you see the MM_WAIT_MSG2, which means that her counterpart (the other side) does not answer and this side where you can see the status MM_WAIT_MSG2 sent the first message IKE, however, did not hear of the peer.

You can check if UDP/500 is stuck on the way between the 2 sites.

Try running traffic on the other side and see if you also get the same status of MM_WAIT_MSG2. If you do, that confirms 100% 500/UDP is blocked on the way between the 2 sites.

Site to Site VPN between PIX and Linksys RV042

I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn . I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel. Configurations are as follows:

506th PIX running IOS 6.3

part of pre authentication ISAKMP policy 40
ISAKMP policy 40 cryptographic 3des
ISAKMP policy 40 sha hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
crypto Columbia_to_Office 10 card matches the address 101
card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
Columbia_to_Office interface card crypto outside

Linksys RV042

Configuration of local groups
IP only
IP address: 96.10.xxx.xxx
Type of local Security group: subnet
IP address: 192.168.1.0
Subnet mask: 255.255.255.0

Configuration of the remote control groups
IP only
IP address: 66.192.xxx.xxx
Security remote control unit Type: subnet
IP address: 192.168.21.0
Subnet mask: 255.255.255.0

IPSec configuration
Input mode: IKE with preshared key
Group Diffie-Hellman phase 1: group2
Phase 1 encryption: 3DES
Authentication of the phase 1: SHA1
Life of ITS phase 1: 86400

Phase2 encryption: 3DES
Phase2 authentication: SHA1
Phase2 life expectancy: 3600 seconds
Pre-shared key *.

I'm a novice on the VPN. Thanks in advance for your expertise.

Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

Please please post the complete config if you don't mind.

Please also try to send traffic between subnets 2 and get the output of:

See the isa scream his

See the ipsec scream his

PIX 515E and remote access VPN

I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

Any help is appreciated,

Hello

Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

VPN between 2 routers Cisco 1841 (LAN to LAN)

Hello

I need to connect two offices (two different LAN) using routers cisco 1841 at both ends.

Currently the two cisco router are in working condition and refer the internet LAN clients. (making the NAT).

Can someone please tell us what is the easiest way to set up a VPN between two sites, so that LAN users to an office to access mail servers electronic/request to the office LAN.

I understand that I need IPSec Site to Site VPN (I think).

Anyonce can you please advise.

Kind regards.
```
s.nasheet wrote:
Hi ,
I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
Currently both cisco router are in working order and  acting as a internet gateway to the LAN clients. ( doing NAT).
Can anybody please advise what is the easiest method to configure VPN between two sites so that  LAN users at one office be able to access  the  email/application servers at the other LAN office.
I understand I need IPSec Site to Site VPN  ( i think).
Can anyonce please advise.
Regards.
```
Yes, you need a VPN site-to site. Start with this link which gives a number of examples to set up a VPN S2S between 2 routers Cisco.

http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16

Jon

IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

Hello

My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

NAT takes place before the encryption verification!

In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

Thanks for any help

Best regards

Heiko

Hello

Try to change your static NAT with static NAT based policy.

That is to say the static NAT should not be applicable for VPN traffic

permissible static route map 1

corresponds to the IP 104

access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 allow the host ip 10.1.110.10 all

IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

HTH

Kind regards

GE.

Client VPN Cisco ASA 5505 Cisco 1841 router

Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

My topology is almost as follows

customer - tunnel - 1841 - ASA - PC

ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

ISAKMP nat-traversal crypto

Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

VPN with ASA 5500 VPN with PIX 515E vs

I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

Craig

According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

HTH

Rick

IPSEC VPN between Pix 515E and 1841 router

Similar Questions

Maybe you are looking for