L2L ASA sends not encryted traffic
I currently have a problem passing an ASA 5520 traffic to a 877W. Traffic is being encryption on the router to the ASA (as shown below), but ASA doesn't send any encrypted traffic. I tried the upgrade to 8.4 (7) 9.1 (5), wiping the config and, configure the VPN via CLI and using the wizard ASDM. I also tried a 1841 and encounter the same problem.
Any ideas before I connect to a TAC case? Pulling my hair out with this one!
877W Config:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key psk address ASA-EXTERNAL
Crypto ipsec transform-set esp-3des esp-sha-hmac TS
CMAP 10 ipsec-isakmp crypto card
defined by the ASA-EXTERNAL peers
Set security-association second life 28800
game of transformation-TS
match address VPN-TRAFFIC
interface Dialer0
card crypto WCPA
IP route 0.0.0.0 0.0.0.0 Dialer0
overload of IP nat inside source list 100 interface Dialer0
VPN-TRAFFIC extended IP access list
ip licensing 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
access-list 100 remark set NAT
access-list 100 deny ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
Access-list 100 remark
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
IP EXTERNAL-ASA-IP address
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.250.247 255.255.255.0
!
permit same-security-traffic inter-interface
network of the VPNLocal object
172.16.250.0 subnet 255.255.255.0
VPNRemote object network
subnet 192.168.20.0 255.255.255.0
access extensive list ip 172.16.250.0 outside_cryptomap allow 255.255.255.0 VPNRemote object
outside_access_in extended access list permit ip object VPNRemote 172.16.250.0 255.255.255.0 disable log
access extensive list ip 172.16.250.0 inside_access_in allow 255.255.255.0 VPNRemote object
ICMP allow all outside
ICMP allow any inside
NAT (inside, outside) static source VPNLocal VPNLocal static destination VPNRemote VPNRemote non-proxy-arp-search to itinerary
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 ISP - IP GATEWAY 1
Route inside 10.0.0.0 255.0.0.0 CORE - ROUTER 1
Sysopt preserve-vpn-flow of connection
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set counterpart 877W-IP
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
card crypto outside_map 1 the value reverse-road
outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Group Policy GroupPolicy_877W-IP internal
attributes of Group Policy GroupPolicy_877W-IP
Ikev1 VPN-tunnel-Protocol
type of tunnel-group ipsec-l2l 877W-IP
attributes global-tunnel-group 877W-IP
Group - default policy - GroupPolicy_81.133.227.150
877W-IP ipsec-attributes tunnel-group
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
Policy-map global_policy
World-Policy policy-map
Global category
inspect the icmp
inspect the icmp error
!
service-policy-international policy global
context of prompt hostname
877W sh crypto ipsec his
Interface: Dialer0
Tag crypto map: CMAP, local addr 877W-IP
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.250.0/255.255.255.0/0/0)
current_peer ASA - 500 EXTERNAL port
LICENCE, flags is {origin_is_acl},
#pkts program: 1771, #pkts encrypt: 1771, #pkts digest: 1771
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 17, #recv errors 0
endpt local crypto. : 877W-IP, remote Start crypto. : ASA-EXTERNAL
Path mtu 1500, mtu 1500 ip, ip mtu BID Dialer0
current outbound SPI: 0xD82FD3CE (3627013070)
SAS of the esp on arrival:
SPI: 0x31F9F14C (838463820)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: CMAP
calendar of his: service life remaining (k/s) key: (4544227/24786)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xD82FD3CE (3627013070)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: CMAP
calendar of his: service life remaining (k/s) key: (4544168/24786)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
outgoing ah sas:
outgoing CFP sas:
Interface: virtual-Access2
Tag crypto map: CMAP, local addr 0.0.0.0
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.250.0/255.255.255.0/0/0)
current_peer ASA - 500 EXTERNAL port
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
endpt local crypto. : 0.0.0.0, remote Start crypto. : ASA-EXTERNAL
Path mtu 1500, mtu 1500 ip, ip mtu IDB virtual-Access2
current outbound SPI: 0x0 (0)
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
ASA crypto ipsec HS her
peer address: 877W-IP
Tag crypto map: outside_map, seq num: 1, local addr: ASA-EXERNAL
access extensive list ip 172.16.250.0 outside_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.250.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 877W-IP
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 539, #pkts decrypt: 539, #pkts check: 539
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0
endpt local crypto. : ASA-EXERNAL/0, crypto Start distance. : 877W-IP/0
Path mtu 1500, ipsec 58 (36) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: 31F9F14C
current inbound SPI: D82FD3CE
SAS of the esp on arrival:
SPI: 0xD82FD3CE (3627013070)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, IKEv1}
slot: 0, id_conn: 81920, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373968/24993)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0x31F9F14C (838463820)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, IKEv1}
slot: 0, id_conn: 81920, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/24993)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
Happy that you guessed it sort :-)
--
Please do not forget to select a correct answer and rate useful posts
Tags: Cisco Security
Similar Questions
-
L2L ASA tunnel upward, no traffic (or one way...)
I have two ASA 5505, 8.2 (1), call the HQ and BRANCH. HQ is a L2L towards a third point, and that one works fine.
Now I'm setting up a VPN L2L between HQ and BRANCH. The tunnel rises (passes, phases 1 and 2), but I can't ping from both ends.
HS cry isa his looks like 100% ok
Cree SH ips its shows that HQ has only decaps, while the branch has only the program. If HQ looks like the main suspect for me (even with his other L2L works very well).
Here are the configs, great if someone could help me to identify problems of config...
-----------------------------------------------------------------
HQ:
ASA Version 8.2 (1)
!
hostname HQ
domain blah.com/results.htm
enable password blah
encrypted passwd bla
names of
!
interface Vlan1
nameif inside
security-level 100
IP 172.16.106.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
IP address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa821 - k8.bin
DNS server-group DefaultDNS
domain blah.com/results.htm
access extensive list ip 172.16.106.0 inside_outbound_nat0_acl allow 255.255.255.128 all
access extensive list ip 172.16.106.0 outside_cryptomap_20 allow 255.255.255.0 any
access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.0 any
access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.128 172.16.106.160 255.255.255.224
access extensive list ip 172.16.106.0 outside_1_cryptomap allow 255.255.255.0 any
access extensive list ip 172.16.106.0 outside_1_cryptomap_1 allow 255.255.255.0 any
IP 172.16.106.0 allow to Access-list HQ-BRANCH extended 255.255.255.128 172.16.106.160 255.255.255.248
!
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
Sysopt noproxyarp inside
!
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto ipsec security association replay disable
card crypto outside_map 1 match address outside_1_cryptomap_1
card crypto outside_map 1 set 191.xx.xx.xx counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
address for correspondence card crypto outside_map 10 HQ-GENERAL management
card crypto outside_map 10 peers set 82.xx.xx.xx
outside_map card crypto 10 the transform-set ESP-3DES-MD5 value
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
!
WebVPN
tunnel-group 191.xx.xx.xx type ipsec-l2l
191.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group 82.xx.xx.xx type ipsec-l2l
82.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
by default-group 191.xx.xx.xx tunnel-Group-map
!
class-map inspection_default
match default-inspection-traffic
!
!
global service-policy global_policy
context of prompt hostname
: end
-----------------------------------------------------------------
GENERAL management:
ASA Version 8.2 (1)
!
hostname BRANCH
activate djfldksjafl encrypted password
djfldksjafl encrypted passwd
names of
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan3
nameif inside
security-level 100
IP 172.16.106.161 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa821 - k8.bin
the obj_any object-group network
IP 172.16.106.160 allow to Access-list BRANCH-HQ extended 255.255.255.248 172.16.106.0 255.255.255.128
IP 172.16.106.160 allow Access - list extended SHEEP 255.255.255.248 172.16.106.0 255.255.255.128
Enable logging
ICMP unreachable rate-limit 1 burst-size 1
!
NAT-control
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
address for correspondence card crypto 10 BRANCH-HQ outside_map
card crypto outside_map 10 peers set 191.xx.xx.xx
card crypto outside_map 10 transform-set RIGHT
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
dhcpd dns xx.xx.xx.xx
dhcpd outside auto_config
!
dhcpd address 172.16.106.162 - 172.16.106.166 inside
dhcpd allow inside
!
WebVPN
tunnel-group 191.xx.xx.xx type ipsec-l2l
191.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
!
global service-policy global_policy
context of prompt hostname
: end
-----------------------------------------------------------------
Best,
Johnny
Hello Johnny,.
Great to hear that, there, you have some points for you
Please check the question as answered so future users can draw from what you did
-
ASA L2L VPN UP with incoming traffic
Hello
I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...
See the result of sh crypto ipsec his below and part of the config for both clients
------------------
address:
local peer 100.100.100.178
local network 10.10.10.0 / 24
local server they need access to the 10.10.10.10
Customer counterpart remote 200.200.200.200
Customer remote network 172.16.200.0 / 20
CustomerB peer remote 160.160.143.4
CustomerB remote network 10.15.160.0 / 21
---------------------------
Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".
address of the peers: 160.160.143.4
Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C2AC8AAESAS of the esp on arrival:
SPI: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373959/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 5517312, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20144)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001-The configuration framework
ASA Version 8.2 (1)
!
172.16.200.0 customer name
name 10.15.160.0 CustomerB
!
interface Ethernet0/0
nameif outside
security-level 0
IP 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.0 IP address 255.255.255.0
!
outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0
inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0
inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0
outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0
NAT-control
Overall 101 (external) interface
NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 101 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 100.100.100.177
Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 200.200.200.200
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 3 match address outside_cryptomap
peer set card crypto outside_map 3 160.160.143.4
card crypto outside_map 3 game of transformation-ESP-3DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec svc
internal customer group strategy
Customer group policy attributes
Protocol-tunnel-VPN IPSec svc
internal CustomerB group strategy
attributes of Group Policy CustomerB
Protocol-tunnel-VPN IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 General-attributes
Group Policy - by default-CustomerB
IPSec-attributes tunnel-group 160.160.143.4
pre-shared key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 General attributes
Customer by default-group-policy
IPSec-attributes tunnel-group 200.200.200.200
pre-shared key yyy
Thank you
A.
Hello
It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).
I saw this 7.x code behaviors not on code 8.x
However you can do a test?
You can change the order of cryptographic cards?
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 160.160.143.4
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 3 match address outside_1_cryptomap
card crypto outside_map 3 set pfs
peer set card crypto outside_map 3 200.200.200.200
card crypto outside_map 3 game of transformation-ESP-3DES-SHA
I just want to see if by setting the peer nonworking time to be the first, it works...
I know it should work the way you have it, I just want to see if this is the same behavior I've seen.
Thank you.
Federico.
-
800 series Router and ASA will not create a tunnel
Hey everybody, what had confused me for a week now, and I feel that it is something small that im overlooking. My 800 router and my ASA will not pass traffic through a VPN. Here are my configs (less sensitive data of course). I also removed irrelevant data to narrow down the config.
800 series router:
DHCP excluded-address 192.168.2.1 IP 192.168.2.100
!
IP dhcp pool internaldhcp
network 192.168.2.0 255.255.255.0
x.x.x.x where x.x.x.x DNS server
default router 192.168.2.1
!
!
IP cef
no ip domain search
domain IP (domain here)
Server name x.x.x.x IP
Server name x.x.x.x IP
No ipv6 cef
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
address key (password) crypto isakmp (ip WAN of ASA)
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha
Crypto ipsec transform-set esp-3des esp-md5-hmac 3des-md5
Crypto ipsec transform-set esp-3des esp-md5-hmac distance
!
!
map KentonMap 1 ipsec-isakmp crypto
defined peer (ASAs WAN IP)
the value of the transform-set 3des-sha
match address 110
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
Description outside the int
(Local WAN) 255.255.255.252 IP address
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
card crypto KentonMap
service-policy output VoiceLLQ
!
interface Vlan1
IP 192.168.2.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
Fair/fair-queue
!
!
IP nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.252
IP nat inside source list 100 insidepool pool overload
IP route 0.0.0.0 0.0.0.0 (Next Hop)
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
Note access-list 110 VPN ACL
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255
!
The ASA config:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
(LOCAL WAN) 255.255.255.252 IP address
!
permit same-security-traffic intra-interface
IP 192.168.24.0 allow Access - list extended sheep 255.255.255.0 192.168.2.0 255.255.255.0
Access extensive list ip 192.168.24.0 LimatoKenton allow 255.255.255.0 192.168.2.0 255.255.255.0
OutsideIn list extended access permit tcp any interface outside eq 3389
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.24.0 255.255.255.0
Route outside 0.0.0.0 0.0.0.0 (Next Hop) 1
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto LimaMap 1 corresponds to the address LimatoKenton
card crypto LimaMap 1 defined peer (800 WAN router)
card crypto LimaMap 1 the value transform-set 3des-sha
LimaMap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
tunnel-group (800 WAN router) type ipsec-l2l
tunnel-group (800 WAN router)
IPSec-attributes
pre-shared key *.
ISAKMP crypto release:
ASA
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
Router
DST CBC conn-State id
(Local WAN) (ASA WAN) ACTIVE QM_IDLE 2003
Hello, Benjamin.
I guess that your router does NAT same for site traffic to site.
So, you have to deny traffic between ACL 100 sites.
PS: If this does not resolve your problem, could you please share isakmp/ipsec its on both sides?
-
Hello
I'll put up a tunnel vpn site-to-site between two locations. Both have cisco ASA 5505 running a different version, I'll explain in more detail below. so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic. Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand. I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.
An IP address of 0.0.0.0 = site
Site B IP = 1.1.1.1A Version of the site = 8.3.1
Version of the site B = 9.2.3__________________________
_________A RACE OF THE SITE CONFIGURATION
Output of the command: "sh run".
: Saved
:
ASA Version 8.3 (1)
!
hostname SDMCLNASA01
SDMCLNASA01 domain name. LOCAL
Select 5E8js/Fs7qxjxWdp of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
the IP 0.0.0.0 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
SDMCLNASA01 domain name. LOCAL
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network lan_internal object
192.168.0.0 subnet 255.255.255.0
purpose of the smtp network
Home 192.168.0.245
Network http object
Home 192.168.0.245
rdp network object
Home 192.168.0.245
network ssl object
Home 192.168.0.245
network camera_1 object
host 192.168.0.13
network camerahttp object
host 192.168.0.13
service object 8081
source eq 8081 destination eq 8081 tcp service
Dvr description
network camera-http object
host 192.168.0.13
network dvr-http object
host 192.168.0.13
network dvr-mediaport object
host 192.168.0.13
object-group Protocol DM_INLINE_PROTOCOL_1
object-protocol udp
object-tcp protocol
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
port-object eq www
EQ object of the https port
EQ smtp port object
DM_INLINE_TCP_2 tcp service object-group
port-object eq 34567
port-object eq 34599
EQ port 8081 object
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
!
network lan_internal object
NAT dynamic interface (indoor, outdoor)
purpose of the smtp network
NAT (all, outside) interface static tcp smtp smtp service
Network http object
NAT (all, outside) interface static tcp www www service
rdp network object
NAT (all, outside) interface static service tcp 3389 3389
network ssl object
NAT (all, outside) interface static tcp https https service
network dvr-http object
NAT (all, outside) interface static 8081 8081 tcp service
network dvr-mediaport object
NAT (all, outside) interface static 34567 34567 tcp service
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 8080
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
http 71.40.221.136 255.255.255.252 inside
http 71.40.221.136 255.255.255.252 outside
http 192.168.0.0 255.255.255.0 outside
http 97.79.197.42 255.255.255.255 inside
http 97.79.197.42 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set peer 1.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.0.50 - 192.168.0.150 inside
dhcpd dns 192.168.0.245 209.18.47.62 interface inside
dhcpd SDMCLNASA01 field. LOCAL inside interface
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:462428c25e9748896e98863f2d8aeee7
: end________________________________
SITE B RUNNING CONFIG
Output of the command: "sh run".
: Saved
:
: Serial number: JMX1635Z1BV
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (3)
!
ciscoasa hostname
activate qddbwnZVxqYXToV9 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.252
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network camera_http object
host 192.168.1.13
network camera_media object
host 192.168.1.13
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq 9000
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit icmp any one
outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 732.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
!
network camera_http object
NAT (all, outside) interface static tcp www www service
network camera_media object
NAT (all, outside) interface static 9000 9000 tcp service
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 peer set 0.0.0.0
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev1 allow outside
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.150 inside
dhcpd dns 192.168.0.245 209.18.47.61 interface inside
dhcpd SDPHARR field. LOCAL inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_0.0.0.0 group strategy
attributes of Group Policy GroupPolicy_0.0.0.0
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
: endSorry my mistake.
Delete this if it's still there
card crypto external_map 1 the value reverse-road
Add this to both sides
card crypto outside_map 1 the value reverse-road
Sorry about that.
Mike
-
Can not pass traffic from the VPN client to remote VPN site to site
Hello
I can't get the traffic flowing between my VPN clients and my remote site-to-site VPN, I did step by step in this link:
my firewall says that the package is abandoned by statefull inspection.
But this should be the command "same-security-traffic..." "this problem must be resolved
% ASA-6-302020: built ICMP incoming connections for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1
% ASA-6-302020: built outgoing ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0
% ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1
% ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0
Is it all what you might think that I'm missing?
Best regards
Erik
Erik,
Please check it out because no decaps means the ASA does not what it is the other side of the tunnel.
If you send traffic and you will see the crypt increment... but nothing in return... 99% sure that the problem is at the other end.
Federico.
-
ASA encrypt interesting VPN traffic
Hello everybody out there using ASA.
I had a few IPSEC VPN tunnels between the company's central site and remote sites.
Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.
The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.
A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.
The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?
Thanks in advance,
Matt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
XNetwork object network
10.10.0.0 subnet 255.255.255.0network of the YNetwork object
172.0.1.0 subnet 255.255.255.0card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card gameRB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hello
Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.
If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.
When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.
Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.
In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"
Federico.
-
Site2Site VPN ASA 5505 - allow established traffic
Hello
I have an ikev1/Ipsec tunnel between two ASA.
Network with local 10.31.0.0/16
The other network with local 172.21.0.0/24
But I would like that only traffic that is launched from the 10.31.0.0/16 is allowed to 172.21.0.0/24 to 10.31.0.0/16 is it possible?
(to answer 10.31.0.0/16 is enable between this remote network 172.21.0.0/24)
Best regards, Steffen.
Hello
If I didn't understand anything wrong in the above question then I think you might be able to perform the following operations on the ASA with the local network of 10.31.0.0/16.
The ASA has the following global configuration, which is the default if you don't the have not changed
Sysopt connection permit VPN
This show CUSTOMARY in CLI configuration given above is the default setting.
You can check this with the command
See the race all the sysopt
This will list even the default setting
Now that this configuration means essentially is allow ALL traffic that comes through a VPN connection to get through the ASA ACL interface. So in your case at the location where the ASA with the network 10.31.0.0/16, the ASA would allow connections coming through the other network of 172.21.0.0/24 sites (as long as it was OK on other sites ASAs LAN interface ACL)
What you could do is to insert the following configuration
No vpn sysopt connection permit
What this would do is ask you to ALLOW ALL traffic that is coming through the VPN connection via the interface ' outside ' of the ASA you want to spend. (which I suppose is the name of your current interface that handles VPN connections). In other words, the VPN traffic would not receive a "pass" to get through the ACL of 'outside'interface, instead you must allow as all other traffic from the Internet.
If you decide to do, then you MUST CONSIDER the following thing. If you have other VPN connections as other connections L2L VPN or VPN Client, THEN you must first allow their traffic in your 'external' ACL interface for the SAA to the LAN. If you do this and insert the configuration above, you will notice that the traffic will start to get blocked by the "external" ACL interface (or if you don't have an ACL configured then the ASAs 'security level' will naturally block traffic in the same way as would an ACL)
So if we assume that the L2L VPN is the only link you had configured on the SAA with 10.31.0.0/16 then the following changes would happen.
- Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network of 172.21.0.0/24 provided interfaces LAN what ACL allow this traffic
- Return for this connection of course traffic be would allow by the same ASA like all other traffic.
- IF certain incoming connection requests to the ASA with 10.31.0.0/16 network 172.21.0.0/24 network, it could crash except IF you ALLOW it to the 'outside' interfaces ACL
Hope this made sense and helped
Think about scoring the answer as the answer if it answered your question.
Naturally ask more if necessary
-Jouni
-
Original title: does not!
my computer is runing but sends not the power of the moniter the mouse or the keyboard. What could be?
Hello
These details are pointing to it is not material.
If under warranty, I suggest you contact the manufacturer; or if not under warranty get it to a repair shop local and good.
See you soon...
-
ASA does not propagate any routes for VPN users
Good afternoon
I m a problem concerning the spread of the roads to authenticated VPN users through the asa tunnel-group.
I have a VPN-users-pool where my users receive their IP address, and after authentication and the tunnel is established the idea is that the user get to the networks defined in the following ACL:
access-list within the standard allow 10.1.0.0 255.255.0.0
access-list within the standard allow 192.168.15.0 255.255.224.0
Now, the problem is that, after the tunnel is set up the only way, that the user receives is the default route (which is not supposed to be sent). The user does not receive the roads specified in the ACL list above. It has not received the network mask and assumes one 8 netmask (given that the pool of network from where it receives the IP address is a class A network).
Network routing works as expected (when I add the static routes directly to PC users, everything works OK). It s just the matter of the ASA do not spread the roads as it should.
Here is my split tunneling settings:
attributes of Group Policy DefaultRAGroup
VPN-idle-timeout 1
Protocol-tunnel-VPN l2tp ipsec
disable the PFS
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value inside
(...)
attributes of Group Policy DfltGrpPolicy
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value inside
(...)
Any ideas?
I have apreciate your help
Best regards
Just a question, I see:
attributes of Group Policy DefaultRAGroup
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value inside
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Split-tunnel-policy tunnelspecified
It looks like your policy
DefaultRAGroup_1 you set ACLs and the other doesn't seem to be for L2TP/IPSEC. How do you connect to the ASA, using L2TP/IPSEC or Cisco IPSEC client? In addition, if your users are devoted to this group policy:
DefaultRAGroup_1 it looks like the acl is missing for the split tunneling
-
ASA cx does not not with traffic redirection
Hi all
I am facing a problem with asa cx feature where asa is having all the traffice defined, but there is no traffic coming to cx.traffic of the asa is visible that in the case of monitor only mode.please tell me:
1. how to redirect all traffic to the asa in asa cx.
2. how to add the entire interior of the customers work asa cx envoirment to check the details there instead of the ip address.
NOTE: I'm working through PRSM NOT BY CLI.
Hello
If the traffic is then visible on CX in the single mode of monitor, your redirection strategy are correct.
Only change, you need to do is only on ASA to ensure that you have a monitor only in your policy plan.
To monitor only:
Policy-map CX
class CX
cxsc farm-fail monitor onlyFor roller online:
Policy-map CX
class CX
cxsc fail-closeAlso on CX GUI disable monitor mode only:
Navigate: Settings > monitor only and disable monitor mode only.
I hope that helps!
Thank you
R.Seth
Be sure to mark the response as correct if it can help resolve your query!
-
Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.
get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232
ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.Hello
First of all, I would like to remove these two lines because they do nothing productive
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
Then, I was running packet - trace to see what NAT rule actually hit you.packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
-
do not get traffic of ASA AIP-SSM-20.
Hello
We have Cisco ASA 5510, and we recently added Cisco AIP - SSM. We have configured the sensor and did as well as ASA also but we don't get newspapers in ADM please help me on this.
Please find attached Sersor Configuration and version of the IPS and ASA module.
Kind regards
Nathalie. M
On the SAA, you need
access-list aip-acl extended deny ip any any
class-map aip-class
match access-list aip-acl
policy-map global_policy
class aip-class
ips inline fail-open
service-policy global_policy globalso that it sends traffic to the agreement in principle for inspection.
I hope it helps.
PK
-
ASA 8.3 VPN site-to-site does not UDP traffic to other peer
Hello!!!
Someone turned off the lights :-) I say this because that's 6.2 6.3 I can't get the basic things...
On a SAA, I created a "site-site" VPN profile to connect to a remote site, on the other side (ASA 8.2) sees no problem, I can pass all IP traffic via VPN without NAT; but on a new ASA5505 with 8.3 (1) version fw and ASDM 6.3 (1) can't do that in any way :-(
What I get is trivial...
... It works perfectly with TCP and ICMP traffic, but does not have UDP traffic: in practice, if I followed the traffic to a remote private IP, TCP and ICMP traffic I see only packets in vlan "inside" with the private IP, but with the UDP traffic on top of that, I see traffic on vlan 'out' with the IP public ASA and source port changed :
Inside: UDP to 172.16.2.128:6000 to 172.16.0.200:6000
Outside: UDP to 5.5.5.5:23400 to 172.16.0.200:6000Why?
Of course, the traffic is not encrypted and does not reach the other side of the tunnel!
Here are the important parts of the configuration:
interface Vlan1
nameif inside
security-level 100
172.16.2.1 IP address 255.255.255.0network obj_any object
subnet 0.0.0.0 0.0.0.0remote network object
172.16.0.0 subnet 255.255.254.0outside_cryptomap to access extended list ip 172.16.2.0 allow 255.255.255.0 network remote control object
NAT (inside, outside) static source any any destination static remote-remote network
network obj_any object
NAT dynamic interface (indoor, outdoor)
card crypto outside_map0 1 match address outside_cryptomap
outside_map0 card crypto 1jeu pfs
card crypto outside_map0 1 set ip.ip.ip.ip counterpart
outside_map0 card crypto 1jeu nat-t-disable
outside_map0 interface card crypto outside
Given that the new business object, I have not yet quite clear (ok, I don't find time to do a deep reading of the documentation), someone is able to direct me to fix this trivial?
Note: If I remove my drive manual nat and I flag "network translating" on the remote network object thus indicate that they want NAT with ip network remote control then don't work any IP vs. remote site traffic. Why, why have not more than the simple rules of 'nat exception' the old version and why the crypto-plan applies only to TCP traffic? Possible that there is an object any which takes all IP traffic?
A big thank you to all.
73,
Arturo
Hi Arturo,.
I know that there is a certain NAT related bugs in 8.3 (1) and although I don't remember a specific which corresponds to your symptoms, I would say you try 8.3 (2) instead, or maybe even the last available version of a temp (currently to 8.3 (2.4):)
If you still see the problem, then, check
entry Packet-trace within the udp 172.16.2.2 1025 172.16.0.1 detail 123
entry Packet-trace inside tcp 172.16.2.2 1025 172.16.0.1 detail 123
and check what's different.
HTH
Herbert
-
VPN site to site thanks to a pair of asa 5505 does not pass traffic
the configurations are fairly simple. Ping between the two lan pc fails. "show isakmp crypto his" and "crypto ipsec to show his" got out, if.
Please refer to the attached text and diagram files.
I'm pre-configures the ASA, for external interfaces have ip addresses private for the moment.
all entries are welcome.
Thank you!
Your look simple configurations.
As the Phase 1 and Phase 2 SAs are coming, the VPN seems correct.
We see program leaving ASA1 and decaps ASA2, but no return traffic seems to come in.
I suspect a problem with the host 192.168.102.5. Can you capture the top packages and check that it receives traffic initiated from the host 192.168.101.5 (side ASA1) and he answers with the ASA2 as its default gateway?
Maybe you are looking for
-
I adjusted my DPI to a size that makes printing & larger icons. I want to change that, however, the method of customization won't work b/c, the screen resolution setting box is so great that the apply/OK button does not work. I tried to drag and dr
-
YouTube app on Tablet dell 7840
Hey guys,. Quick question... Is anyone able to watch the videos above 720 p on the YouTube app? All I get is a 720 p max resolution when the Tablet is capable of 1440 p. Any thoughts?
-
BlackBerry smartphones turn off the Blackberry "BOLD"
OK, I know this sounds stupid, but what is the correct procedure to turn off and restart the Blackberry "BOLD"? I hav tried holding in the key power, I get the stop message, press any key to cancel, I leave it alone and the backlight turns off, left
-
product downloads and then disappears when you try to install. I tried compatibility says not compatible. It is a 32 bit program have 64 bits. How do I down load 64-bit
-
Started my testversion today, but there is only the option 'buy' of Photoshop.
Hi allI hope you could help me and I don't have to wait until Monday for the support.I wanted to test Photoshop today, so I downloaded the creative cloud and also Photoshop.Everything went well, but I couldn't start the programm and also on my descto