IPsec VPN site to site between router problem Cisco ASA. Help, please

Hello community,

I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

Attachment is router configuration and ASA. I also include the router debug output.

It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

Please help me. Any help appreciated.

Thank you

I didn't look any further, but this may be a reason:

 crypto map mymap 1 ipsec-isakmp dynamic dyn1

The dynamic CM must always be the last sequence in a card encryption:

 no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1

Try this first, then we can look further.

Tags: Cisco Security

Similar Questions

tunnel from site to site between router IOS and ASA

I've combed through the configs on both sides of this tunnel 4 x now and the look of policies as they match. I applied the http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml note

My crypto lsits access are good and my nat on the side of IOS are provided with a map of the route and look good. On the SAA traffic side on the side of the remote tunnel ASA is exempt from NAT. Each side already has a site to another tunnel configuration, so I added the appropriate lines to the existing cryptographic cards which include peers, transform set and match address 'access-list. The polcies crypto isakmp on both ends are compatible. I have attached some configs and debugs (from router IOS), but essentially the newspaper on the SAA starts with the phase 1 is complete and then routing not received notification message, no proposal chosen readings and then it goes to IKE lost the connection to a remote peer, connection, drop table correlator counterpart has failed, no match, the deletion and finally disconnected session reason lost service.

Their other tunnel stay standing as well as the configuration of remote access vpn connection is good.

I found a note that recommends checking any access security-list, so I removed the, but no luck, and a Cisco associated with a hub, but had a healthy logic

Is displayed normally with the

Cisco VPN 3000 correspondent

message hub: no proposal

Chosen (14). This is a result of the

being host-to-host connections.

The configuration of the router has the

IPSec proposals ordered so that the

proposal selected for the router

with the access list, but not the

peer. The access list has a larger

network including the host that

a cutting traffic.

Make the router for this proposal

hub to router connection

first in line, so that it corresponds to the

specific to the host first.

but that didn't work either.

Thank you

Bill

Bill,

Take a look at this

000610: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): need XAUTH

000611: * 10:42:15.094 PCTime sep 27: ISAKMP: node set 920927400 to CONF_XAUTH

000612: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute

000613: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute

000614: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): launch peer 74.92.97.166 config. ID = 920927400

000615: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): lot of 74.92.97.166 sending peer_port my_port 4500 4500 (R) CONF_XAUTH

-Other - 000616: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

000617: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT

It should not go to extend the authentication. Since you have the client and the L2L on the same router and clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the "No.-xauth" command after the pre-shared key

Please implement the command:

ISAKMP crypto keys in clear text address 74.92.97.166 No.-xauth

Thank you

Gilbert

Printing a document in indesign that contains an eps logo. Part of the logo is not printing, but shows a white circle instead of a ball with a gradient. I think that it is an overlay problem - can anyone help please

Printing a document in indesign that contains an eps logo. Part of the logo is not printing, but shows a white circle instead of a ball with a gradient. I think that it is an overlay problem - can anyone help please

Try to resave the EPS to the native .ai or .psd format (depending on whether it's raster or vector) and use it.

IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

Network diagram:

http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

Challenge:

(1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

(2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

IKE Phase II: des-esp, hmac-md5, tunnel mode

PSK: sitetositevpn

Here is my setup for review:

crypto ISAKMP policy 10

the BA

preshared authentication

Group 1

md5 hash

ISAKMP crypto key sitetositevpn address 210.x.x.66

!

Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

!

infotelmap 10 ipsec-isakmp crypto map

the value of 210.x.x.66 peer

Set transform-set ciscoset

match address 111

!

!

interface Ethernet0

3 LAN description

IP 10.20.20.1 255.255.255.0

IP nat inside

servers-exit of service-policy policy

Hold-queue 100 on

!

ATM0 interface

no ip address

ATM vc-per-vp 64

No atm ilmi-keepalive

DSL-automatic operation mode

!

point-to-point interface ATM0.1

IP address 210.x.20.x.255.255.252

no ip redirection<-- disable="">

no ip unreachable<-- disable="" icmp="" host="" unreachable="">

no ip proxy-arp<-- disables="" ip="" directed="">

NAT outside IP

PVC 8/35

aal5snap encapsulation

!

!

IP nat inside source list 102 interface ATM0.1 overload

IP classless

IP route 0.0.0.0 0.0.0.0 ATM0.1

IP route 0.0.0.0 0.x.0.x.190.60.66

no ip http secure server

!

Note access-list 102 NAT traffic

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

!

access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

Kind regards

Junhan

Hello

Three changes required in this configuration.

(1) change the NAT-list access 102 as below:

access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

(2) place the card encryption on interface point-to-point ATM.

(3) remote all of a default route.

Thank you

Mustafa

VPN site-to-site between router 831 & windows 2000

We have a Cisco router 831 in a site and windows 2000 Server as a router to another site. Can we set up a vpn site-to site between these two sites? If so, how? Or point me to the link.

This should get you:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b12b5.shtml

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Microsoft l2tp IPSec VPN site to site ASA on top

I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

Hello

Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

See you soon,.

Daniel

VPN site to site Linux OpenSwan with cisco ASA

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-marge-top : 0 ; mso-para-marge-droit : 0 ; mso-para-marge-bas : 10.0pt ; mso-para-marge-left : 0 ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : Arial ; mso-bidi-theme-font : minor-bidi ;}

I'm trying to create a vpn site-to site between Cisco ASA 5510 and OpenSwan Linux, after completing the configuration of part and came across the VPN tunnel but nothing passes through the tunnel.

I use the software version 8.0 (4) on my firewall SAA, so doing any faces a problem like that.

Appreciate your support

Both bugs are for outgoing VPN traffic. But in your case, we saw 'read' County was '0' which means that ASA has not received any package of Linux in the VPN tunnel.

Routing with Cisco ASA 5520 VPN

I have installed IPsec vpn remote users in the Cisco ASA 5520 using RADIUS in my main network. Works very well. I have a site to my Cisco ASA5520 tunnels going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I wish that my users VPN remote IPSec to be able to navigate in these tunnels is a site to access remote subnets attached to these tunnels. Do I need to use a combination of routing and the ACL? Or can I just use ACL only? Or just use routing only?

Thank you

Carlos

Hello

The key to set up here is the two ACL of VPN L2L end points that determine the 'interesting' traffic to connect VPN L2L. You will also need to confirm that the connection of the VPN Client is configured so that traffic to the remote sites have sent to the connection of the VPN client. There are also other things that you should check on your ASA plant

Here most of the things you usually have to confirm
- Set up 'permit same-security-traffic intra-interface' if it is already present in your configuration
  - This setting will allow connections to form between the hosts that are connected to the same interface on the ASA. In this case, applies because the VPN client users are connected to the interface 'outside' of the ASA and also remote sites are connected to the ASA to "external". If the traffic between the remote VPN Client and VPN L2L sites will be to enter and exit the same interface
- You will need to check how the customer if configured VPN connection. Split or full Tunnel tunnel
  - If the connection of the VPN Client is configured as Split Tunnel then you need to add all the networks from the remote to the Split Tunnel, so that the connections between the VPN Client is transmitted to the ASA and from there connections VPN L2L
  - If the connection of the VPN Client is configured as full Tunnel, then there no problem that all traffic is transferred to the Client VPN connection all its assets
- Define the VPN pool in the ACL of VPN L2L
  - You should make sure that the pool network VPN Client is defined in the ACL that define 'interesting' traffic to connect VPN L2L. So, you need to add the pool VPN VPN L2L configurations on the sites of Central America and remote control
- Configure NAT0 / NAT exempt for remote VPN Client to L2L VPN Site traffic at both ends of the VPN L2L
  - You must ensure that the NAT0 / exempt NAT rules exist for the VPN Client for Remote Site traffic. This will have to be configured on the SAA "outside" interface. Format of configuration varies naturally a bit on the ASA Central his software level.
These should be the most common things to set up and confirm for traffic to flow between the VPN Client and Remote Sites

Hope this helps please rate if yes or ask more if necessary.

-Jouni

I get an error: Ox80070424 when I try to change my firewall settings... I don't know how to solve this problem... help please.

Im trying to let allow sharing of zune media allowed on windows firewall... However, when I click on it says: error: Ox80070424 cannot change settings... so I have no idea on where to start to fix this type of problem help please.

Hello

Did you change your computer?

Method 1:

I suggest you run the fixit tool and check.

Diagnose and automatically fix problems of Windows Firewall service

http://support.Microsoft.com/mats/windows_firewall_diagnostic/

Method 2

I also suggest you to follow the link and check.

Error code: 0x8007042c 'firewall Windows cannot change some of your settings' when you try to activate your Windows Firewall

http://support.Microsoft.com/kb/2530126

Method 3:

I also suggest you perform the clean boot and check.

How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7

http://support.Microsoft.com/kb/929135

See also:

Understanding Windows Firewall settings

http://Windows.Microsoft.com/en-us/Windows7/Understanding-Windows-Firewall-settings

Photoshop CC on the creative cloud trial stops at 42% with an error not described. I've tried everything! I had a look at my logs to download but I don't understand what the problem is! Help, please!

06/12/15 15:59:38:523 | [ERROR] | | | | | | | 20599137 | AAM URI: Error in deleting the folder/Applications/Adobe Application Manager. Error = error Domain = NSCocoaErrorDomain Code = 4 "'Adobe Application Manager' could not be deleted." UserInfo = 0x40a1a0 {NSUnderlyingError = 0x40cf90 "the operation could not be completed. No such file or directory', NSFilePath = / / Applications/Adobe Application Manager, NSUserStringVariant =)
06/02/16 17:54:57:215 | [ERROR] | | | | | | | 156753 | AAM URI: Error in deleting the folder/Applications/Adobe Application Manager. Error = error Domain = NSCocoaErrorDomain Code = 4 "'Adobe Application Manager' could not be deleted." UserInfo = {NSUnderlyingError = 0 121150 x {error Domain NSPOSIXErrorDomain Code = 2 = "No such file or directory"}, NSFilePath = / Applications/Adobe Application Manager, NSUserStringVariant = ()}
06/02/16 17:57:08:177 | [ERROR] | | | | | | | 161805 | ACCC URI: Error in deleting the folder/Applications/Adobe Creative Cloud / Adobe Creative Cloud. Error = error Domain = NSCocoaErrorDomain Code = 4 "'Adobe Creative Cloud' could not be deleted." UserInfo = {NSUnderlyingError = 0x7d011290 {error Domain NSPOSIXErrorDomain Code = 2 = "No such file or directory"}, NSFilePath = / Applications/Adobe Creative Cloud/Adobe Creative Cloud, NSUserStringVariant = ()}
06/02/16 17:57:43:068 | [WARNING] | 6FDEED33-4E08-4D76-989B-CEEA57C4534C | | | | | | 162902 | A mistake came during the download with the error type --4 operation and error Code - 404
06/02/16 18:04:19:111 | [ERROR] | | | | | DLMNative | | 177183 | UpdaterCoreHelper::StartUpdateOpCallback: Another case: 0
06/02/16 18:05:05:592 | [ERROR] | | | | | DLMNative | | 177183 | UpdaterCoreHelper::StartUpdateOpCallback: Another case: 0
06/02/16 18:05:11:745 | [ERROR] | | | | | DLMNative | | 177183 | Progress UpdaterCore returned error Code: U44M1P218
06/02/16 18:05:11:745 | [ERROR] | | | | | DLMNative | | 177183 | Install updates returned the error
06/02/16 18:05:11:745 | [ERROR] | 842CE02E-88E0-437F-BDD9-600A44E3F874 | | | | DLMNative | | 177183 | Install updates returned 44 installation, errorCode:218
06/02/16 18:05:11:745 | [ERROR] | 842CE02E-88E0-437F-BDD9-600A44E3F874 | | | | DLMNative | | 177183 | Updates: under updated systems may not run
06/02/16 18:25:36:290 | [WARNING] | FCDCC309-BA74-447F-BB8F-9F937003D595 | | | | | | 228373 | A mistake came during the download with the error type --4 operation and error Code - 404
06/02/16 18:32:27:367 | [WARNING] | 3F02C0A3-180E-48C3-8E34-323D40C88E38 | | | | | | 243129 | A mistake came during the download with the error type --4 operation and error Code - 404
06/02/16 19:54:03:943 | [ERROR] | | | | | | | 44833 | ACCC URI: Error in deleting the folder/Applications/Adobe Creative Cloud / Adobe Creative Cloud. Error = error Domain = NSCocoaErrorDomain Code = 4 "'Adobe Creative Cloud' could not be deleted." UserInfo = {NSUnderlyingError = 0x7b815330 {error Domain NSPOSIXErrorDomain Code = 2 = "No such file or directory"}, NSFilePath = / Applications/Adobe Creative Cloud/Adobe Creative Cloud, NSUserStringVariant = ()}
06/02/16 19:55:01:255 | [WARNING] | 381C4013-B118-485D-92E6-40D31FCDE927 | | | | | | 47978 | A mistake came during the download with the error type --4 operation and error Code - 404
06/02/16 20:22:51:325 | [WARNING] | 39C0376C-178B-4354-8030-B29BB9660D2E | | | | | | 16457 | A mistake came during the download with the error type --4 operation and error Code - 404
06/02/16 17:57:42:749 | [ERROR] | | | | | | | 163639 | The error came and the error http - code 404
06/02/16 17:57:42:749 | [ERROR] | | | | | | | 163639 | the download work (0) could not run. The State of the work is STOPPED_STATE
06/02/16 17:57:42:749 | [ERROR] | | | | | | | 163639 | the download work (0) could not run. The status of the job is ERROR_STATE
06/02/16 17:57:42:750 | [INFO] | | | | | | | 163639 | WorkerThread::ThreadProc current job is in an error that is not recoverable state
06/02/16 18:25:36:068 | [ERROR] | | | | | | | 229107 | The error came and the error http - code 404
06/02/16 18:25:36:068 | [ERROR] | | | | | | | 229107 | the download work (0) could not run. The State of the work is STOPPED_STATE
06/02/16 18:25:36:068 | [ERROR] | | | | | | | 229107 | the download work (0) could not run. The status of the job is ERROR_STATE
06/02/16 18:25:36:068 | [INFO] | | | | | | | 229107 | WorkerThread::ThreadProc current job is in an error that is not recoverable state
06/02/16 18:32:27:089 | [ERROR] | | | | | | | 243784 | The error came and the error http - code 404
06/02/16 18:32:27:089 | [ERROR] | | | | | | | 243784 | the download work (0) could not run. The State of the work is STOPPED_STATE
06/02/16 18:32:27:089 | [ERROR] | | | | | | | 243784 | the download work (0) could not run. The status of the job is ERROR_STATE
06/02/16 18:32:27:089 | [INFO] | | | | | | | 243784 | WorkerThread::ThreadProc current job is in an error that is not recoverable state
06/02/16 19:55:01:071 | [ERROR] | | | | | | | 48297 | The error came and the error http - code 404
06/02/16 19:55:01:071 | [ERROR] | | | | | | | 48297 | the download work (0) could not run. The State of the work is STOPPED_STATE
06/02/16 19:55:01:071 | [ERROR] | | | | | | | 48297 | the download work (0) could not run. The status of the job is ERROR_STATE
06/02/16 19:55:01:072 | [INFO] | | | | | | | 48297 | WorkerThread::ThreadProc current job is in an error that is not recoverable state
06/02/16 20:22:51:031 | [ERROR] | | | | | | | 17879. The error came and the error http - code 404
06/02/16 20:22:51:031 | [ERROR] | | | | | | | 17879. the download work (0) could not run. The State of the work is STOPPED_STATE
06/02/16 20:22:51:031 | [ERROR] | | | | | | | 17879. the download work (0) could not run. The status of the job is ERROR_STATE
06/02/16 20:22:51:031 | [INFO] | | | | | | | 17879. WorkerThread::ThreadProc current job is in an error that is not recoverable state
Help, please!

Mac or Windows and EXACTLY what version of the operating system?

Recent Mac AND Windows operating systems have been known to cause problems "weird."

Are you using a computer administrator account will be full read/write permissions?

Please read https://forums.adobe.com/thread/1499014

-try some steps such as changing browsers and disable your firewall

-also clear the cache of your browser if you start with a fresh browser

-check the file hosts for blocked entries https://forums.adobe.com/thread/1912777

http://myleniumerrors.com/installation-and-licensing-problems/creative-cloud-error-codes-w ip.

https://helpx.Adobe.com/creative-cloud/KB/creative-cloud-desktop-application-failed.html

http://helpx.Adobe.com/creative-cloud/KB/failed-install-creative-cloud-desktop.html

or

A chat session where an agent can remotely look inside your computer can help

Chat/phone: Mon - Fri 05:00-19:00 (US Pacific Time)<=== note="" days="" and="">

Cloud creative support chat (all creative cloud customer service problems)

http://helpx.Adobe.com/x-productkb/global/service-CCM.html

VPN clients cannot access remote sites - PIX, routing problem?

I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)

Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.

Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.

Very good and works very well.

When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.

However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.

On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

(Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)

with pix v6, no traffic is allowed to redirect to the same interface.

for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.

with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".

http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

IPSEC VPN site to site on Transparent mode

Hello

The new version of the OS of the SAA does support IPSEC site-to-site VPN for partners on more Transparent?

Thank you very much

Kind regards

J

The transparent firewall supports for connections to management only site-to-site VPN tunnels. It doesn't end of VPN connections for traffic through the ASA. You can pass through the ASA VPN traffic using a more extended access list, but it fails to complete connections not frames. Clientless SSL VPN is also not supported.

Force start negotiating IPsec VPN Sit-to-site

Hello

I have attached two TXT files with the configurations of the two cisco 837 routers.

The problem is that the ROUTER2 has dynamic IP, and to establish the tunnel must do a ping from the ethernet interface 0 ROUTER1.

You can select the connection?

Try it without source ethernet loop back 0 instead.

client ipSec VPN and NAT on the router Cisco = FAIL

I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client. The same router is NAT.

ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.

Suggestions?

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group myclient

key password!

DNS 1.1.1.1

Domain name

pool myVPN

ACL 111

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

market arriere-route

!

!
list of card crypto clientmap client VPN - AAA authentication
card crypto clientmap AAA - VPN isakmp authorization list
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!

interface Loopback0
IP 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
/ / DESC it's external interface

IP 192.168.168.5 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
clientmap card crypto
!
interface GigabitEthernet0/1

/ / DESC it comes from inside interface
10.0.1.10 IP address 255.255.255.0
IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">
IP virtual-reassembly
the route cache same-interface IP
automatic duplex
automatic speed
media type rj45

!

IP local pool myVPN 10.88.0.2 10.88.0.10

p route 0.0.0.0 0.0.0.0 192.168.168.1
IP route 10.0.0.0 255.255.0.0 10.0.1.4
!

IP nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

Hello

I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool

For example, to do this kind of configuration, ACL and NAT

Note access-list 100 NAT0 customer VPN

access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255

Note access-list 100 default PAT for Internet traffic

access-list 100 permit ip 10.0.1.0 0.0.0.255 ay

overload of IP nat inside source list 100 interface GigabitEthernet0/0

EDIT: seem to actually you could have more than 10 networks behind the router

Then you could modify the ACL on this

Note access-list 100 NAT0 customer VPN

access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255

Note access-list 100 default PAT for Internet traffic

access-list 100 permit ip 10.0.1.0 0.0.255.255 ay

Don't forget to mark the answers correct/replys and/or useful answers to rate

-Jouni

IPsec VPN site to site between router problem Cisco ASA. Help, please

Similar Questions

Maybe you are looking for