Issue of ASA and Cisco VPN
I'm having a problem on a new ASA. I am able to connect to the client's network using the Cisco VPN client, but I'm not able to ping or access anything on the client network. What needs to be done to solve this problem?
Is there a route on the client's router pointing back to the firewall for the IP range you get when you VPN in?
Thank you
Chris
Try adding this to the ASA (it is disabled by default):

isakmp nat-traversal
Tags: Cisco Security
Similar Questions
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with an IPSEC VPN between an ASA and a Cisco router.
I think there is a problem in phase 2.
Can you please guide me to where the problem could be?
I suspect the ACL on the router, but I cannot fix it. The ACL on the router is specified below. Looking forward to your help.
Phase 1 looks like this on the router:

Cisco_router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

and on the ASA:

ASA# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 78.x.x.41
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Phase 2 on the ASA:

ASA# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41

      #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C96393AB

    inbound esp sas:
      spi: 0x3E9D820B (1050509835)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3025)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC96393AB (3378746283)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274994/3023)
         IV size: 8 bytes
         replay detection support: Y

Phase 2 on the Cisco router:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3E9D820B(1050509835)

     inbound esp sas:
      spi: 0xC96393AB(3378746283)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4393981/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3E9D820B(1050509835)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4394007/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
The VPN configuration on the Cisco router is as follows:

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
route-map sheep permit 10
 match ip address 105
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
crypto map mycryptomap 100 ipsec-isakmp
 set peer 87.x.x.4
 set transform-set mytransformset
 match address 101
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx2011 address 87.x.x.4

Your permit statement in ACL 105 should be moved to the bottom, because it is the most general entry in the ACL.
You currently have:

Extended IP access list 105
    5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

It should be:

Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

To remove it and add it at the bottom:

ip access-list extended 105
 no 5
 60 permit ip 172.19.194.0 0.0.0.255 any

Then 'clear ip nat translation *'
and it should work now.
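The counters in the two 'show crypto ipsec sa' outputs above already tell the story (the ASA encapsulates 8813 packets and decapsulates none; the router decrypts 8947 and encrypts none), and that pattern is worth checking mechanically on every tunnel complaint. The following is an added example, not code from the thread: it parses the 'local ident' / 'remote ident' / '#pkts encaps' / '#pkts decaps' lines that both ASA and IOS print, pairs each SA with its mirror image on the peer, and reports which end is not returning traffic. The sample output is constructed from the numbers posted above, trimmed to the lines the parser needs.

```python
import re

# Constructed sample output, modelled on the 'show crypto ipsec sa' excerpts in the
# thread above (the counters are the ones posted; unrelated lines are omitted).
ASA_OUTPUT = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ROUTER_OUTPUT = """\
   local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
"""

IDENT_RE = re.compile(r"\b(local|remote)\s+ident\b.*?:\s*\(([^/]+/[^/]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa(text):
    """One dict per IPsec SA entry: local/remote selectors plus encaps/decaps counters.
    A 'local ident' line starts a new entry; ASA and IOS share these line formats."""
    entries, current = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                current = {"local": m.group(2), "encaps": 0, "decaps": 0}
                entries.append(current)
            elif current is not None:
                current["remote"] = m.group(2)
            continue
        m = COUNT_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return entries


def verdict(entry):
    """Classify an SA by its counters. 'outbound-only' on one end with 'inbound-only'
    on the other is the classic one-way tunnel: one side encrypts, the other never
    sends anything back through the SA."""
    if entry["encaps"] and entry["decaps"]:
        return "bidirectional"
    if entry["encaps"]:
        return "outbound-only"
    if entry["decaps"]:
        return "inbound-only"
    return "idle"


def diagnose(this_end, peer_end):
    """Pair every SA on this end with the peer's mirror image (peer local == our remote
    and vice versa) and report both verdicts side by side."""
    report = []
    for sa in this_end:
        mirror = next((p for p in peer_end
                       if p.get("local") == sa.get("remote")
                       and p.get("remote") == sa.get("local")), None)
        report.append({
            "flow": f"{sa['local']} -> {sa['remote']}",
            "this_end": verdict(sa),
            "peer_end": verdict(mirror) if mirror else "no matching SA",
        })
    return report


if __name__ == "__main__":
    for row in diagnose(parse_sa(ASA_OUTPUT), parse_sa(ROUTER_OUTPUT)):
        print(row)
```

On the posted numbers the report says outbound-only on the ASA and inbound-only on the router for the 172.19.209.0/24 to 172.19.194.0/24 flow: the router receives and decrypts, but its replies never enter the tunnel, which points at the router's NAT or crypto ACL rather than at phase 1 or phase 2 negotiation. The router's first, idle entry (local 172.19.209.0) is the bogus reverse selector created by the reversed lines in ACL 101.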
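The reason the ACL 105 fix works is first-match evaluation: the permit-any entry at sequence 5 matched every packet from 172.19.194.0/24 before the deny entries were ever consulted, so the route-map NATted the VPN traffic and the crypto ACL 101 never saw it. The following is an added example, not code from the thread: a small evaluator for IOS wildcard-mask ACLs that reports which entry a flow hits, which entries are unreachable because an earlier entry already covers them, and what the route-map NAT will do with the flow, run over the before/after versions of ACL 105 posted above (constructed from the answer's listing). It handles IOS wildcard ACLs, not the netmask-style ASA crypto ACL.

```python
import ipaddress

# Constructed sample input: ACL 105 (the ACL behind the NAT route-map) as posted,
# with the permit-any entry at sequence 5 ahead of the deny entries, and as the
# answer says it should be, with the permit-any entry moved to the end.
ACL_105_BEFORE = """\
5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
"""
ACL_105_AFTER = """\
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
"""


def _read_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return ((base, wildcard), next_i).
    'any' is 0.0.0.0 with an all-ones wildcard; 'host X' is X with a zero wildcard."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text):
    """Parse 'seq action ip <src> <dst> ...' lines (show ip access-lists format)
    into (seq, action, src_spec, dst_spec) tuples. Only 'ip' entries are handled."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[2] != "ip":
            continue
        src, i = _read_addr(tokens, 3)
        dst, _ = _read_addr(tokens, i)
        entries.append((int(tokens[0]), tokens[1], src, dst))
    return entries


def _matches(spec, ip):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care' bits."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def first_match(entries, src_ip, dst_ip):
    """(seq, action) of the first entry matching the flow, or None for the implicit deny."""
    for seq, action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return seq, action
    return None


def _covers(outer, inner):
    """True when every address matched by 'inner' is also matched by 'outer'."""
    (ob, ow), (ib, iw) = outer, inner
    return (ow | iw) == ow and (ib | ow) == (ob | ow)


def shadowed(entries):
    """Sequence numbers of entries that can never be hit because an earlier entry
    already covers their whole source and destination space."""
    unreachable = []
    for n, (seq, _, src, dst) in enumerate(entries):
        if any(_covers(esrc, src) and _covers(edst, dst)
               for _, _, esrc, edst in entries[:n]):
            unreachable.append(seq)
    return unreachable


def nat_decision(acl_text, src_ip, dst_ip):
    """A permit in the ACL behind 'ip nat inside source route-map' translates the flow;
    a deny (or no match) leaves it untranslated so crypto ACL 101 can still select it."""
    hit = first_match(parse_acl(acl_text), src_ip, dst_ip)
    return "translated" if hit and hit[1] == "permit" else "not translated"


if __name__ == "__main__":
    for label, acl in (("before", ACL_105_BEFORE), ("after", ACL_105_AFTER)):
        print(label, first_match(parse_acl(acl), "172.19.194.10", "172.19.209.5"),
              "shadowed:", shadowed(parse_acl(acl)),
              "VPN traffic:", nat_decision(acl, "172.19.194.10", "172.19.209.5"))
```

The shadowed() check is the general form of the reviewer's observation: in the posted ACL all three deny entries are unreachable, and after the reorder none are. It is a useful lint to run on any NAT-exemption or crypto ACL before blaming phase 2.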
-
RT for Windows and Cisco VPN (AnyConnect) Solutions?
Are Microsoft and Cisco working together to ensure Cisco VPN is soon available for Windows RT? I read a Windows RT thread about Microsoft and Cisco VPN without seeing any comments from Microsoft or Cisco. Please advise.
Hi Gabriel,
The Microsoft Answers community focuses on consumer use. Please reach out to the IT business community in the TechNet forum below:
-
Kernel panic reproducible when using VMWare Fusion and Cisco VPN
I can reliably reproduce a kernel panic when I use VMWare Fusion and the Cisco VPN client together.
Using either one alone causes no problem.
I'm on a MacBook Pro using the latest updates from Apple for Leopard.
My question is: how can I report this to VMWare without having to pay for support?
When I go to the VMWare Fusion support page it wants me to pay for an incident.
I really do not want to pay them to help solve a kernel panic. (They should pay me.)
Posting the details here (don't forget to attach the panic.log, as described in HOWTO: ask (and answer) Questions) will work.
-
Cisco ASA and dynamic VPN L2L Fortigate configuration
I ran into a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50s (3.0 MR7). The ASA is the hub and the Fortigates are spokes with dynamic public IPs.
I followed this document on the Cisco web site (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and passed the parameters to my counterparts to set up their Fortigates.
However, the ASA log reveals that the Fortigate connection attempts are always tried against DefaultRAGroup before falling back to DefaultL2LGroup and finally dying. Does anyone have experience setting up a dynamic VPN between Cisco and Fortigate? What could be failing at each end? Here's a typical piece of the ASA error log. The ASA currently has a static VPN tunnel and a site-to-client VPN in the two default groups.
6 | January 10, 2011 20:58:45 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:45 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | January 10, 2011 20:58:45 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:45 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | January 10, 2011 20:58:41 | 713905 | Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:41 | 713201 | Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 | January 10, 2011 20:58:39 | 713903 | Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
5 | January 10, 2011 20:58:39 | 713904 | Group = DefaultL2LGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
6 | January 10, 2011 20:58:39 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching to tunnel-group: DefaultL2LGroup
5 | January 10, 2011 20:58:39 | 713904 | Group = DefaultRAGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
4 | January 10, 2011 20:58:33 | 713903 | Group = DefaultRAGroup, IP = 116.230.243.205, Error: Unable to remove PeerTblEntry
3 | January 10, 2011 20:58:33 | 713902 | Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer from peer table failed, no match!
6 | January 10, 2011 20:58:33 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:33 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | January 10, 2011 20:58:25 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:25 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | January 10, 2011 20:58:21 | 713905 | Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5 | January 10, 2011 20:58:21 | 713201 | Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
5 | January 10, 2011 20:58:19 | 713904 | IP = 116.230.243.205, Received encrypted packet with no matching SA, dropping

Yes, that sounds about right. It will try to match against DefaultRAGroup first, and when it works out that it's a dynamic LAN-to-LAN IPsec peer it will then fall back to DefaultL2LGroup, because it doesn't know whether the peer is a VPN Client or an L2L peer when it is first contacted, as both connect from a dynamic IP.
You must ensure that your default L2L tunnel-group has been configured with the corresponding pre-shared key.
This assumes that you have configured the dynamic map and assigned it to the crypto map.
Here is an example configuration where the ASA has a static IP address and the peer device has a dynamic IP:
Hope that helps.
-
SafeNet and Cisco VPN Client Compatible?
I have been using the Cisco VPN client for quite a while with no problems. Recently we added a Watchguard Firebox elsewhere and installed the Watchguard MUVPN client, otherwise known as the SafeNet client.
Since the installation, I have not been able to use the Cisco client properly. If I disable the two SafeNet services, I am prompted for my user id and password, connect to the Cisco Concentrator and get an IP, etc. However, I can't ping anything on the network.
My workaround is to completely uninstall both clients and reinstall the Cisco one by itself. This is not very practical.
If anyone knows a fix for this I'd appreciate comments.
Thank you
Patrick Dunnigan
Hi Patrick,
I only had luck with the Watchguard-branded SafeNet client together with the 4.0.x releases of the Cisco client. I think the Cisco 4.6 clients use a newer DNE driver or something else that plays well with SafeNet.
In any case, here's how to set up a PC that requires both clients:
First, install the Cisco VPN client. Reboot, then stop and disable the Windows service.
Install the Watchguard client and reboot as requested.
Then stop and set to manual both SafeNet services, and start and set to automatic the Cisco service.
Delete the safecfg.exe shortcut in your Start menu Startup group (or the HKLM\MS\Windows\CurrentVer\Run key, wherever it gets set).
Delete the startup shortcut for the Cisco VPN client as well.
Whenever you want to use the Cisco client, you can just launch the IPSec Dialer. If you want to run the SafeNet client, stop the Cisco service, start the SafeNet services, then run safecfg.exe. A few batch files make this process easier for users.
Hope that helps,
Chris
-
MS RADIUS and Cisco VPN client
We currently have a Windows RAS server with IAS authenticating users over PPTP.
I want to move to a 3005 concentrator (we have two not in use) and use the Cisco VPN client with IPSEC, also using RADIUS (IAS) on Windows to authenticate against Active Directory.
I have a config working for the client and it performs authentication, but I'm afraid that you can't configure IAS to work with IPSEC unless you configure the policy for
"Unencrypted authentication (PAP, SPAP)"
on the Authentication tab
and
"No encryption"
on the Encryption tab.
Are the credentials used to establish the Cisco VPN client tunnel encrypted with IPSEC?
For RADIUS PAP authentication, the user name is in the clear and the password is encrypted with the RADIUS shared secret.
To maximize security, you would use TACACS+ or IPSec transport mode and an isolated VLAN. But for most of us, strong passwords and physical security keep RADIUS PAP from being a significant weakness.
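The answer's claim that the user name travels in the clear while the password is "encrypted with the RADIUS shared secret" refers to the User-Password hiding of RFC 2865 section 5.2: MD5(secret + Request Authenticator) is XORed into the first 16-byte block of the padded password, and each following block is keyed by MD5(secret + previous ciphertext block). The following is an added example, not code from the thread or from any RADIUS library: it implements that hiding and its reversal, builds a minimal Access-Request carrying User-Name (type 1) and User-Password (type 2), and parses the attributes back out so the cleartext User-Name and the hidden password can be inspected. The user name, password, secret and fixed authenticator in the usage are constructed sample values.

```python
import hashlib
import os
import struct


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding. Returns the 16*n byte attribute value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad with NULs to 16n
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()             # b_i = MD5(S + c_{i-1})
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                                           # chain on the ciphertext
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the shared secret can run this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip the RFC padding


def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Minimal Access-Request (code 1) with User-Name (type 1) and User-Password (type 2).
    Header: code, identifier, length, 16-byte Request Authenticator (random unless given)."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_attributes(packet):
    """Return {attribute_type: raw_value} for a RADIUS packet; no secret needed."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"radius-shared-secret"                         # constructed sample value
    pkt = build_access_request(b"alice", b"s3cret", secret, authenticator=bytes(range(16)))
    attrs = parse_attributes(pkt)
    print("User-Name on the wire:", attrs[1])                # readable without the secret
    print("User-Password on the wire:", attrs[2].hex())
    print("Recovered with the secret:", reveal_password(attrs[2], secret, pkt[4:20]))
```

Two things to take from running it: parse_attributes() shows the user name to anyone who can see the packet, with no secret involved, and reveal_password() shows that the password's protection is exactly the strength of the shared secret plus a single MD5 per block. That is why the answer points to TACACS+ (which encrypts the whole body) or IPsec transport mode and an isolated VLAN when the RADIUS path itself is not trusted.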
-
Access VPN ASA and cisco ISE Admin
Hello
Currently I'm deploying an AnyConnect VPN solution for my client on ASA 9.2(3). We use ISE 1.3 to authenticate remote users.
In the policy conditions, I put the condition as below.
Policy name: Anyconnect
Condition: DEVICE:Device Type EQUALS All Device Types#Dial-in access AND RADIUS:NAS-Port-Type EQUALS Virtual
I'm authenticating users against AD.
I also restrict users based on group membership in the authorization policies by using the OU attributes.
This works as expected for remote users.
We also use ISE to authenticate administrators connecting to the firewall. Now what happens is that the Cisco ASA administrators are also validated against the policy named Anyconnect.
Now the question is how to set up different policy requirements for admin access and for user VPN access on the same firewall.
Any suggestions on this would be a great help.
Cheers,
Sri
You can get some ideas from this article of mine:
http://ltlnetworker.wordpress.com/2014/08/31/using-cisco-ise-as-a-generic-radius-server/
-
Cisco ASA and AnyConnect VPN certificate error
Hello
I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:
I don't have a public certificate on the ASA. Is it possible to use a self-signed certificate and get rid of this warning message?
Hello
This is expected behavior on the ASA for an SSL connection. You can certainly use a self-signed certificate on the ASA and then apply it to the outside interface.
Once done, you will need to install this certificate on the clients, and this will get rid of the popup error message. Here is a document that you can refer to for creating a self-signed certificate:
https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn
Kind regards
Dinesh Moudgil
PS: Please rate the useful messages.
-
EZVPN between ASA and Cisco 2801
Hi Experts,
Need help with establishing EZVPN. I have a Cisco 2801 with the following configuration:

Router version 12.4(24)T3 (advanceipservicesk9)

crypto ipsec client ezvpn BOS-BACKUP
 connect auto
 group bosnsw key clar3nc3
 mode client
 peer 202.47.85.1
 xauth userid mode interactive
!
interface FastEthernet0/0
 ip address 10.80.3.85 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn BOS-BACKUP inside
!
interface Cellular0/1/0
 ip address negotiated
 encapsulation ppp
 load-interval 60
 dialer in-band
 dialer string gsm
 dialer-group 2
 async mode interactive
 no fair-queue
 ppp chap hostname <hostname>
 ppp chap password 0 dummy
 ppp ipcp dns request
 crypto ipsec client ezvpn BOS-BACKUP
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
!
dialer-list 2 protocol ip permit

The Cellular interface is up and the router is able to ping the VPN peer:

Router#ping 202.47.85.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.47.85.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 396/473/780 ms

The ASA configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
username bosnsw password UaV1j04bjTagjYnj encrypted privilege 0
username bosnsw attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol IPSec l2tp-ipsec
 no vpn-framed-ip-address
tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
 address-pool BOS_CORPORATE
 no ipv6-address-pool
 authentication-server-group ACS_AUTH LOCAL
 no secondary-authentication-server-group
 no accounting-server-group
 default-group-policy BOS_CORPORATE
 no dhcp-server
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group bosnsw webvpn-attributes
 hic-fail-group-policy DfltGrpPolicy
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group bosnsw ipsec-attributes
 pre-shared-key *****
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth

BOS-NRD-IT-FW1# sh cry isa sa
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H

I've attached the debug output from the router and the firewall. Hope someone can shed some light on this issue. Thanks in advance.
That is correct! You must configure network extension mode if you want to change the IP address.
Here is the guide to configure the router and ASA in network extension mode. Hope you find it useful.
Thank you
Françoise
-
IKE Dead Peer Detection between Cisco ASA and Cisco PIX
I have a hub-and-spoke network environment with about 30 remote satellite offices using site-to-site VPN connectivity. The majority of the remote satellite offices have Cisco PIX 501 devices running PIX version 6.3. The hub office runs a Cisco ASA on version 8.2(1).
I configured Dead Peer Detection on the Cisco ASA device at the hub office with the following default settings:
Confidence interval - 10 seconds
Retry interval - 2 seconds
I think I'm right in assuming that retries are limited to 3 before the tunnel is completely torn down. Basically, the problem that I am facing is with several remote satellite offices. What seems to be the case is that the tunnel between the remote offices and the hub is torn down (probably because of the IKE lifetime, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office. The tunnel does NOT renegotiate from the satellite office end, ONLY from the hub end; so sending traffic from the satellite when the VPN tunnel is down does not renegotiate the tunnel. The hub office is a colo and therefore traffic rarely originates at that end, so the tunnel stays down until manual intervention occurs and ICMP traffic is forced into the tunnel.
Should the keepalive and retry interval settings correspond on both ends, i.e. should both devices be configured for DPD?
What are the potential pitfalls of extending the IKE lifetime, and will this help or even hinder the problem?
Thank you in advance for helping out with this.
Hi Nicolas,
I think that the two DPD settings must match on both ends; if they do not match then problems like yours might arise. What seems to happen here is that one end shows the tunnel down, but the other end may not detect it as down. We would have to watch debugs or logs on both ends to see if this is the case; in the meantime, setting the IKE DPD timers to the same values on both ends could help.
In regard to increasing the IKE lifetime, well, you just need to be aware that this could allow keys to be discovered, since they are not renegotiated unless the tunnel goes down at the IKE level. Other than that I don't see why this would affect you.
-
How to open the port 161 on the ASA and Cisco switches for monitoring of BB
Dear all,
I want to install BB to monitor SNMP traps from devices that are failing.
The BB log shows it cannot connect to port 161 on any of the switches, and I can't even telnet to XXX_17f on 161, for example.
My switches are Cisco C3550, C2950, etc., behind the ASA.
Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_17f on port 161
Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_9f on port 161
Mon 7 Nov 15:43:03 2011 bbnet can't connect to XXX server on port 161
Thank you
Anson
No need to adjust anything in bb-hosts. If you have added settings in bb-hosts, delete them. Also remove the associated log files in bbvar/logs (otherwise you'll get purple when you delete the SNMP trap tags from bb-hosts).
A trap column will not show until the device sends a trap to BB.
-
NAT via LAN-to-LAN configuration between router IOS and Cisco VPN 3000
Hello
I have the following document on creating a LAN2LAN VPN including NAT of the private network.
It's easy to do this with the concentrator. Now I have to set it up on an IOS router, and for that I can't find any information. I have to NAT my private network to a single IP address that must go through the tunnel as my official local network.
Does anyone have documentation on this scenario? I can't find it on CCO.
Thanks for the support
Hello.
Concentrators are very friendly units (IMHO) for VPN with NAT.
You build an ACL defining the traffic over the VPN (110) based on the NATted addresses.
You create an ACL to define what gets NATted (111) and create a NAT statement accordingly.
Here is an example configuration.

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpnsrock! address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Fa0
 ip nat outside
 crypto map VPN
!
!
interface fa1
 ip nat inside
!
ip nat inside source list 111 interface fa0 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.y
access-list 110 permit ip host <fa0-ip> <remote-network> <wildcard-mask>
access-list 111 permit ip <local-network> <wildcard-mask> <remote-network> <wildcard-mask>
!
-
Asa and Cisco ldap authentication
Hi all
I have a problem with LDAP authentication.
I have a Cisco ASA5510 and a Windows Server 2008 R2.
I created the LDAP authentication:

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
 server-port 389
 ldap-base-dn dc=systems,dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=users,OU=users,DC=network,DC=local
 server-type microsoft

but when I test, I get an error (the user account works directly on the server):

test aaa-server authentication LDAPGROUP host 10.0.1.30 username test password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

Help, please
Regards
Frédéric
Do you have the account with username 'user' in 'reseaux.local' and 'Utilisateurs.reseau.local'?
If so, can you check whether they are two different AD domains? The bug points out that the ASA does not support authentication via multi-domain LDAP referrals.
You might consider using an AD administrator account in "reseaus.local" for the ASA to connect to AD.
All, I have an iPhone and I'm VPN'ing into an ASA running 8.2.2. I don't have issues VPN'ing in, but I have a question that is causing quite a stir here. When I try to use names rather than IP addresses (trying to access a server or an internal web site), the client does not receive DNS answers. I can get to the servers via IP, but not by server name. I can use the same PCF file on my laptop, and it works fine. Does anyone have a resolution to this scenario? Any help appreciated.
Add the domain name in the group-policy attributes:
default-domain value MYDOMAIN.COM
Manish