L2L ASA sends not encryted traffic

Similar Questions

• L2L ASA tunnel upward, no traffic (or one way...)

  I have two ASA 5505, 8.2 (1), call the HQ and BRANCH. HQ is a L2L towards a third point, and that one works fine.

  Now I'm setting up a VPN L2L between HQ and BRANCH. The tunnel rises (passes, phases 1 and 2), but I can't ping from both ends.

  HS cry isa his looks like 100% ok

  Cree SH ips its shows that HQ has only decaps, while the branch has only the program. If HQ looks like the main suspect for me (even with his other L2L works very well).

  Here are the configs, great if someone could help me to identify problems of config...

  -----------------------------------------------------------------

  HQ:

  ASA Version 8.2 (1)

  !

  hostname HQ

  domain blah.com/results.htm

  enable password blah

  encrypted passwd bla

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 172.16.106.1 255.255.255.128

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 191.xx.xx.xx 255.255.255.248

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa821 - k8.bin

  DNS server-group DefaultDNS

  domain blah.com/results.htm

  access extensive list ip 172.16.106.0 inside_outbound_nat0_acl allow 255.255.255.128 all

  access extensive list ip 172.16.106.0 outside_cryptomap_20 allow 255.255.255.0 any

  access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.0 any

  access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.128 172.16.106.160 255.255.255.224

  access extensive list ip 172.16.106.0 outside_1_cryptomap allow 255.255.255.0 any

  access extensive list ip 172.16.106.0 outside_1_cryptomap_1 allow 255.255.255.0 any

  IP 172.16.106.0 allow to Access-list HQ-BRANCH extended 255.255.255.128 172.16.106.160 255.255.255.248

  !

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1

  !

  Sysopt noproxyarp inside

  !

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto ipsec security association replay disable

  card crypto outside_map 1 match address outside_1_cryptomap_1

  card crypto outside_map 1 set 191.xx.xx.xx counterpart

  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

  address for correspondence card crypto outside_map 10 HQ-GENERAL management

  card crypto outside_map 10 peers set 82.xx.xx.xx

  outside_map card crypto 10 the transform-set ESP-3DES-MD5 value

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  !

  WebVPN

  tunnel-group 191.xx.xx.xx type ipsec-l2l

  191.XX.XX.XX group of tunnel ipsec-attributes

  pre-shared-key *.

  tunnel-group 82.xx.xx.xx type ipsec-l2l

  82.XX.XX.XX group of tunnel ipsec-attributes

  pre-shared-key *.

  by default-group 191.xx.xx.xx tunnel-Group-map

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  global service-policy global_policy

  context of prompt hostname

  : end

  -----------------------------------------------------------------

  GENERAL management:

  ASA Version 8.2 (1)

  !

  hostname BRANCH

  activate djfldksjafl encrypted password

  djfldksjafl encrypted passwd

  names of

  !

  interface Vlan1

  No nameif

  no level of security

  no ip address

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  interface Vlan3

  nameif inside

  security-level 100

  IP 172.16.106.161 255.255.255.248

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  switchport access vlan 3

  !

  interface Ethernet0/2

  Shutdown

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  switchport access vlan 3

  !

  interface Ethernet0/5

  Shutdown

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  Shutdown

  !

  boot system Disk0: / asa821 - k8.bin

  the obj_any object-group network

  IP 172.16.106.160 allow to Access-list BRANCH-HQ extended 255.255.255.248 172.16.106.0 255.255.255.128

  IP 172.16.106.160 allow Access - list extended SHEEP 255.255.255.248 172.16.106.0 255.255.255.128

  Enable logging

  ICMP unreachable rate-limit 1 burst-size 1

  !

  NAT-control

  Global 1 interface (outside)

  NAT (inside) 0 access-list SHEEP

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  address for correspondence card crypto 10 BRANCH-HQ outside_map

  card crypto outside_map 10 peers set 191.xx.xx.xx

  card crypto outside_map 10 transform-set RIGHT

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  dhcpd dns xx.xx.xx.xx

  dhcpd outside auto_config

  !

  dhcpd address 172.16.106.162 - 172.16.106.166 inside

  dhcpd allow inside

  !

  WebVPN

  tunnel-group 191.xx.xx.xx type ipsec-l2l

  191.XX.XX.XX group of tunnel ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  !

  global service-policy global_policy

  context of prompt hostname

  : end

  -----------------------------------------------------------------

  Best,

  Johnny

  Hello Johnny,.

  Great to hear that, there, you have some points for you

  Please check the question as answered so future users can draw from what you did

• ASA L2L VPN UP with incoming traffic

  Hello

  I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...

  See the result of sh crypto ipsec his below and part of the config for both clients

  ------------------

  address:

  local peer 100.100.100.178

  local network 10.10.10.0 / 24

  local server they need access to the 10.10.10.10

  Customer counterpart remote 200.200.200.200

  Customer remote network 172.16.200.0 / 20

  CustomerB peer remote 160.160.143.4

  CustomerB remote network 10.15.160.0 / 21

  ---------------------------

  Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".

  address of the peers: 160.160.143.4
  Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178

  outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
  local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
  Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
  current_peer: 160.160.143.4

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #pkts not his (send): 0, invalid #pkts his (RRs): 0
  #pkts program failed (send): 0, #pkts decaps failed (RRs): 0
  #pkts invalid prot (RRs): 0, #pkts check failed: 0
  invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
  #pkts incorrect key (RRs): 0,
  #pkts invalid ip version (RRs): 0,
  replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
  #pkts replay failed (RRs): 0
  #pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
  #pkts internal err (send): 0, #pkts internal err (RRs): 0

  local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: C2AC8AAE

  SAS of the esp on arrival:
  SPI: 0xD88DC8A9 (3633170601)
  transform: esp-3des esp-md5-hmac no compression
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 5517312, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (4373959/20144)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xC2AC8AAE (3266087598)
  transform: esp-3des esp-md5-hmac no compression
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 5517312, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (4374000/20144)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  -The configuration framework

  ASA Version 8.2 (1)

  !

  172.16.200.0 customer name

  name 10.15.160.0 CustomerB

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  IP 100.100.100.178 255.255.255.240

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  10.10.10.0 IP address 255.255.255.0

  !

  outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

  inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

  inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

  outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

  NAT-control

  Overall 101 (external) interface

  NAT (inside) 0-list of access inside_nat0_outbound_1

  NAT (inside) 101 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 100.100.100.177

  Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 200.200.200.200

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 3 match address outside_cryptomap

  peer set card crypto outside_map 3 160.160.143.4

  card crypto outside_map 3 game of transformation-ESP-3DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 20

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP ipsec-over-tcp port 10000

  attributes of Group Policy DfltGrpPolicy

  Protocol-tunnel-VPN IPSec svc

  internal customer group strategy

  Customer group policy attributes

  Protocol-tunnel-VPN IPSec svc

  internal CustomerB group strategy

  attributes of Group Policy CustomerB

  Protocol-tunnel-VPN IPSec

  tunnel-group 160.160.143.4 type ipsec-l2l

  tunnel-group 160.160.143.4 General-attributes

  Group Policy - by default-CustomerB

  IPSec-attributes tunnel-group 160.160.143.4

  pre-shared key xxx

  tunnel-group 200.200.200.200 type ipsec-l2l

  tunnel-group 200.200.200.200 General attributes

  Customer by default-group-policy

  IPSec-attributes tunnel-group 200.200.200.200

  pre-shared key yyy

  Thank you

  A.

  Hello

  It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).

  I saw this 7.x code behaviors not on code 8.x

  However you can do a test?

  You can change the order of cryptographic cards?

  card crypto outside_map 1 match address outside_cryptomap

  peer set card crypto outside_map 1 160.160.143.4

  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

  card crypto outside_map 3 match address outside_1_cryptomap

  card crypto outside_map 3 set pfs

  peer set card crypto outside_map 3 200.200.200.200

  card crypto outside_map 3 game of transformation-ESP-3DES-SHA

  I just want to see if by setting the peer nonworking time to be the first, it works...

  I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

  Thank you.

  Federico.

• 800 series Router and ASA will not create a tunnel

  Hey everybody, what had confused me for a week now, and I feel that it is something small that im overlooking. My 800 router and my ASA will not pass traffic through a VPN. Here are my configs (less sensitive data of course). I also removed irrelevant data to narrow down the config.

  800 series router:

  DHCP excluded-address 192.168.2.1 IP 192.168.2.100

  !

  IP dhcp pool internaldhcp

  network 192.168.2.0 255.255.255.0

  x.x.x.x where x.x.x.x DNS server

  default router 192.168.2.1

  !

  !

  IP cef

  no ip domain search

  domain IP (domain here)

  Server name x.x.x.x IP

  Server name x.x.x.x IP

  No ipv6 cef

  !

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  address key (password) crypto isakmp (ip WAN of ASA)

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha

  Crypto ipsec transform-set esp-3des esp-md5-hmac 3des-md5

  Crypto ipsec transform-set esp-3des esp-md5-hmac distance

  !

  !

  map KentonMap 1 ipsec-isakmp crypto

  defined peer (ASAs WAN IP)

  the value of the transform-set 3des-sha

  match address 110

  !

  !

  !

  !

  !

  interface FastEthernet0

  no ip address

  !

  interface FastEthernet1

  no ip address

  !

  interface FastEthernet2

  no ip address

  !

  interface FastEthernet3

  no ip address

  !

  interface FastEthernet4

  Description outside the int

  (Local WAN) 255.255.255.252 IP address

  NAT outside IP

  IP virtual-reassembly in

  automatic duplex

  automatic speed

  card crypto KentonMap

  service-policy output VoiceLLQ

  !

  interface Vlan1

  IP 192.168.2.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  Fair/fair-queue

  !

  !

  IP nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.252

  IP nat inside source list 100 insidepool pool overload

  IP route 0.0.0.0 0.0.0.0 (Next Hop)

  !

  access-list 100 permit ip 192.168.2.0 0.0.0.255 any

  Note access-list 110 VPN ACL

  access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255

  !

  The ASA config:

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.24.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  (LOCAL WAN) 255.255.255.252 IP address

  !

  permit same-security-traffic intra-interface

  IP 192.168.24.0 allow Access - list extended sheep 255.255.255.0 192.168.2.0 255.255.255.0

  Access extensive list ip 192.168.24.0 LimatoKenton allow 255.255.255.0 192.168.2.0 255.255.255.0

  OutsideIn list extended access permit tcp any interface outside eq 3389

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 192.168.24.0 255.255.255.0

  Route outside 0.0.0.0 0.0.0.0 (Next Hop) 1

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto LimaMap 1 corresponds to the address LimatoKenton

  card crypto LimaMap 1 defined peer (800 WAN router)

  card crypto LimaMap 1 the value transform-set 3des-sha

  LimaMap interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  tunnel-group (800 WAN router) type ipsec-l2l

  tunnel-group (800 WAN router)

  IPSec-attributes

  pre-shared key *.

  ISAKMP crypto release:

  ASA

  Type: L2L role: initiator

  Generate a new key: no State: MM_ACTIVE

  Router

  DST CBC conn-State id

  (Local WAN)    (ASA WAN)   ACTIVE QM_IDLE 2003

  Hello, Benjamin.

  I guess that your router does NAT same for site traffic to site.

  So, you have to deny traffic between ACL 100 sites.

  PS: If this does not resolve your problem, could you please share isakmp/ipsec its on both sides?

• Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)

  Hello

  I'll put up a tunnel vpn site-to-site between two locations.  Both have cisco ASA 5505 running a different version, I'll explain in more detail below.  so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic.  Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand.  I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.

  An IP address of 0.0.0.0 = site
  Site B IP = 1.1.1.1

  A Version of the site = 8.3.1
  Version of the site B = 9.2.3

  __________________________

  _________

  A RACE OF THE SITE CONFIGURATION

  Output of the command: "sh run".

  : Saved
  :
  ASA Version 8.3 (1)
  !
  hostname SDMCLNASA01
  SDMCLNASA01 domain name. LOCAL
  Select 5E8js/Fs7qxjxWdp of encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  the IP 192.168.0.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  the IP 0.0.0.0 255.255.255.252
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  DNS lookup field inside
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  SDMCLNASA01 domain name. LOCAL
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  network lan_internal object
  192.168.0.0 subnet 255.255.255.0
  purpose of the smtp network
  Home 192.168.0.245
  Network http object
  Home 192.168.0.245
  rdp network object
  Home 192.168.0.245
  network ssl object
  Home 192.168.0.245
  network camera_1 object
  host 192.168.0.13
  network camerahttp object
  host 192.168.0.13
  service object 8081
  source eq 8081 destination eq 8081 tcp service
  Dvr description
  network camera-http object
  host 192.168.0.13
  network dvr-http object
  host 192.168.0.13
  network dvr-mediaport object
  host 192.168.0.13
  object-group Protocol DM_INLINE_PROTOCOL_1
  object-protocol udp
  object-tcp protocol
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  DM_INLINE_TCP_1 tcp service object-group
  EQ port 3389 object
  port-object eq www
  EQ object of the https port
  EQ smtp port object
  DM_INLINE_TCP_2 tcp service object-group
  port-object eq 34567
  port-object eq 34599
  EQ port 8081 object
  permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq smtp
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  !

  
  network lan_internal object
  NAT dynamic interface (indoor, outdoor)
  purpose of the smtp network
  NAT (all, outside) interface static tcp smtp smtp service
  Network http object
  NAT (all, outside) interface static tcp www www service
  rdp network object
  NAT (all, outside) interface static service tcp 3389 3389
  network ssl object
  NAT (all, outside) interface static tcp https https service
  network dvr-http object
  NAT (all, outside) interface static 8081 8081 tcp service
  network dvr-mediaport object
  NAT (all, outside) interface static 34567 34567 tcp service
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  http server enable 8080
  http 192.168.0.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 outside
  http 71.40.221.136 255.255.255.252 inside
  http 71.40.221.136 255.255.255.252 outside
  http 192.168.0.0 255.255.255.0 outside
  http 97.79.197.42 255.255.255.255 inside
  http 97.79.197.42 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set peer 1.1.1.1
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd address 192.168.0.50 - 192.168.0.150 inside
  dhcpd dns 192.168.0.245 209.18.47.62 interface inside
  dhcpd SDMCLNASA01 field. LOCAL inside interface
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:462428c25e9748896e98863f2d8aeee7
  : end

  ________________________________

  SITE B RUNNING CONFIG

  Output of the command: "sh run".

  : Saved
  :
  : Serial number: JMX1635Z1BV
  : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
  :
  ASA Version 9.2 (3)
  !
  ciscoasa hostname
  activate qddbwnZVxqYXToV9 encrypted password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.252
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network camera_http object
  host 192.168.1.13
  network camera_media object
  host 192.168.1.13
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq 9000
  outside_access_in list extended access permit tcp any any eq www
  outside_access_in list extended access permit icmp any one
  outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  ASDM image disk0: / asdm - 732.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  !
  network camera_http object
  NAT (all, outside) interface static tcp www www service
  network camera_media object
  NAT (all, outside) interface static 9000 9000 tcp service
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  card crypto outside_map 1 peer set 0.0.0.0
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev1 allow outside
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0

  dhcpd address 192.168.1.50 - 192.168.1.150 inside
  dhcpd dns 192.168.0.245 209.18.47.61 interface inside
  dhcpd SDPHARR field. LOCAL inside interface
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol
  internal GroupPolicy_0.0.0.0 group strategy
  attributes of Group Policy GroupPolicy_0.0.0.0
  VPN-tunnel-Protocol ikev1, ikev2
  tunnel-group 0.0.0.0 type ipsec-l2l
  tunnel-group 0.0.0.0 ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
  : end

  Sorry my mistake.

  Delete this if it's still there

  card crypto external_map 1 the value reverse-road

  Add this to both sides

  card crypto outside_map 1 the value reverse-road

  Sorry about that.

  Mike

• Can not pass traffic from the VPN client to remote VPN site to site

  Hello

  I can't get the traffic flowing between my VPN clients and my remote site-to-site VPN, I did step by step in this link:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  my firewall says that the package is abandoned by statefull inspection.

  But this should be the command "same-security-traffic..." "this problem must be resolved

  % ASA-6-302020: built ICMP incoming connections for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302020: built outgoing ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  Is it all what you might think that I'm missing?

  Best regards

  Erik

  Erik,

  Please check it out because no decaps means the ASA does not what it is the other side of the tunnel.

  If you send traffic and you will see the crypt increment... but nothing in return... 99% sure that the problem is at the other end.

  Federico.

• ASA encrypt interesting VPN traffic

  Hello everybody out there using ASA.

  I had a few IPSEC VPN tunnels between the company's central site and remote sites.

  Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.

  The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.

  A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.

  The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?

  Thanks in advance,

  Matt

  -----------------------------------------------------------------------------------------------------------------------------------------------------------------

  XNetwork object network
  10.10.0.0 subnet 255.255.255.0

  network of the YNetwork object
  172.0.1.0 subnet 255.255.255.0

  card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
  card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
  RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card game

  RB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork

  -------------------------------------------------------------------------------------------------------------------------------------------------------------------

  Hello

  Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.

  If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.

  When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.

  Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.

  In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"

  Federico.

• Site2Site VPN ASA 5505 - allow established traffic

  Hello

  I have an ikev1/Ipsec tunnel between two ASA.

  Network with local 10.31.0.0/16

  The other network with local 172.21.0.0/24

  But I would like that only traffic that is launched from the 10.31.0.0/16 is allowed to 172.21.0.0/24 to 10.31.0.0/16 is it possible?

  (to answer 10.31.0.0/16 is enable between this remote network 172.21.0.0/24)

  Best regards, Steffen.

  Hello

  If I didn't understand anything wrong in the above question then I think you might be able to perform the following operations on the ASA with the local network of 10.31.0.0/16.

  The ASA has the following global configuration, which is the default if you don't the have not changed

  Sysopt connection permit VPN

  This show CUSTOMARY in CLI configuration given above is the default setting.

  You can check this with the command

  See the race all the sysopt

  This will list even the default setting

  Now that this configuration means essentially is allow ALL traffic that comes through a VPN connection to get through the ASA ACL interface. So in your case at the location where the ASA with the network 10.31.0.0/16, the ASA would allow connections coming through the other network of 172.21.0.0/24 sites (as long as it was OK on other sites ASAs LAN interface ACL)

  What you could do is to insert the following configuration

  No vpn sysopt connection permit

  What this would do is ask you to ALLOW ALL traffic that is coming through the VPN connection via the interface ' outside ' of the ASA you want to spend. (which I suppose is the name of your current interface that handles VPN connections). In other words, the VPN traffic would not receive a "pass" to get through the ACL of 'outside'interface, instead you must allow as all other traffic from the Internet.

  If you decide to do, then you MUST CONSIDER the following thing. If you have other VPN connections as other connections L2L VPN or VPN Client, THEN you must first allow their traffic in your 'external' ACL interface for the SAA to the LAN. If you do this and insert the configuration above, you will notice that the traffic will start to get blocked by the "external" ACL interface (or if you don't have an ACL configured then the ASAs 'security level' will naturally block traffic in the same way as would an ACL)

  So if we assume that the L2L VPN is the only link you had configured on the SAA with 10.31.0.0/16 then the following changes would happen.

  • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network of 172.21.0.0/24 provided interfaces LAN what ACL allow this traffic
  • Return for this connection of course traffic be would allow by the same ASA like all other traffic.
  • IF certain incoming connection requests to the ASA with 10.31.0.0/16 network 172.21.0.0/24 network, it could crash except IF you ALLOW it to the 'outside' interfaces ACL

  Hope this made sense and helped

  Think about scoring the answer as the answer if it answered your question.

  Naturally ask more if necessary

  -Jouni

• My computer is runing but sends not the power of the moniter the mouse or the keyboard. What could be?

  Original title: does not!

  my computer is runing but sends not the power of the moniter the mouse or the keyboard. What could be?

  Hello

  These details are pointing to it is not material.

  If under warranty, I suggest you contact the manufacturer; or if not under warranty get it to a repair shop local and good.

  See you soon...

• ASA does not propagate any routes for VPN users

  Good afternoon

  I m a problem concerning the spread of the roads to authenticated VPN users through the asa tunnel-group.

  I have a VPN-users-pool where my users receive their IP address, and after authentication and the tunnel is established the idea is that the user get to the networks defined in the following ACL:

  access-list within the standard allow 10.1.0.0 255.255.0.0

  access-list within the standard allow 192.168.15.0 255.255.224.0

  Now, the problem is that, after the tunnel is set up the only way, that the user receives is the default route (which is not supposed to be sent). The user does not receive the roads specified in the ACL list above. It has not received the network mask and assumes one 8 netmask (given that the pool of network from where it receives the IP address is a class A network).

  Network routing works as expected (when I add the static routes directly to PC users, everything works OK). It s just the matter of the ASA do not spread the roads as it should.

  Here is my split tunneling settings:

  attributes of Group Policy DefaultRAGroup

  VPN-idle-timeout 1

  Protocol-tunnel-VPN l2tp ipsec

  disable the PFS

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value inside

  (...)

  attributes of Group Policy DfltGrpPolicy

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value inside

  (...)

  Any ideas?

  I have apreciate your help

  Best regards

  Just a question, I see:

  attributes of Group Policy DefaultRAGroup

  Protocol-tunnel-VPN l2tp ipsec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value inside

  internal DefaultRAGroup_1 group strategy

  attributes of Group Policy DefaultRAGroup_1

  Split-tunnel-policy tunnelspecified

  It looks like your policy

  DefaultRAGroup_1 you set ACLs and the other doesn't seem to be for L2TP/IPSEC. How do you connect to the ASA, using L2TP/IPSEC or Cisco IPSEC client? In addition, if your users are devoted to this group policy:

  DefaultRAGroup_1 it looks like the acl is missing for the split tunneling

• ASA cx does not not with traffic redirection

  Hi all

  I am facing a problem with asa cx feature where asa is having all the traffice defined, but there is no traffic coming to cx.traffic of the asa is visible that in the case of monitor only mode.please tell me:

  1. how to redirect all traffic to the asa in asa cx.

  2. how to add the entire interior of the customers work asa cx envoirment to check the details there instead of the ip address.

  NOTE: I'm working through PRSM NOT BY CLI.

  Hello

  If the traffic is then visible on CX in the single mode of monitor, your redirection strategy are correct.

  Only change, you need to do is only on ASA to ensure that you have a monitor only in your policy plan.

  To monitor only:

  Policy-map CX

  class CX
  cxsc farm-fail monitor only

  For roller online:

  Policy-map CX

  class CX
  cxsc fail-close

  Also on CX GUI disable monitor mode only:

  Navigate: Settings > monitor only and disable monitor mode only.

  I hope that helps!

  Thank you

  R.Seth

  Be sure to mark the response as correct if it can help resolve your query!

• Tunnel VPN L2L with NATTing will not allow traffic which will be initiated by spoke to the hub.

  Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.

  get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232

  ASA-1 #.
  !
  network object obj - 172.27.73.0
  172.27.73.0 subnet 255.255.255.0
  network object obj - 172.27.63.0
  172.27.63.0 subnet 255.255.255.0
  network object obj - 10.1.0.0
  10.1.0.0 subnet 255.255.0.0
  network object obj - 10.24.4.64
  subnet 10.24.4.64 255.255.255.224
  network object obj - 172.27.73.0 - 172.27.73.255
  range 172.27.73.0 172.27.73.255
  the object of the 10.0.0.0 network
  subnet 10.0.0.0 255.0.0.0
  network object obj - 24.173.237.212
  Home 24.173.237.212
  network object obj - 10.1.12.232
  Home 10.1.12.232
  network object obj - 172.27.63.133
  Home 172.27.63.133
  the DM_INLINE_NETWORK_9 object-group network
  object-network 10.0.0.0 255.255.255.0
  object-network 10.0.11.0 255.255.255.0
  object-network 10.0.100.0 255.255.255.0
  object-network 10.0.101.0 255.255.255.0
  object-network 10.0.102.0 255.255.255.0
  object-network 10.0.103.0 255.255.255.0
  the DM_INLINE_NETWORK_16 object-group network
  object-network 10.1.11.0 255.255.255.0
  object-network 10.1.12.0 255.255.255.0
  object-network 10.1.13.0 255.255.255.0
  object-network 10.1.3.0 255.255.255.0
  !
  outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
  access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
  access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
  !
  list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
  list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
  list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
  !
  NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
  NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
  NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
  NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
  NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
  !
  NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
  NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232

  the object of the 10.0.0.0 network
  NAT (inside, outside) dynamic obj - 24.173.237.212
  !
  NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
  outside access-group in external interface
  Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
  Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
  Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
  !
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
  Crypto ipsec pmtu aging infinite - the security association
  !
  card crypto GEMed 8 corresponds to the address outside_8_cryptomap
  card crypto GEMed 8 set peer 64.245.57.4
  card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
  GEMed outside crypto map interface
  !
  : end
  ASA-1 #.

  Hello

  First of all, I would like to remove these two lines because they do nothing productive

  nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232

  Then, I was running packet - trace to see what NAT rule actually hit you.

  packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345

• do not get traffic of ASA AIP-SSM-20.

  Hello

  We have Cisco ASA 5510, and we recently added Cisco AIP - SSM. We have configured the sensor and did as well as ASA also but we don't get newspapers in ADM please help me on this.

  Please find attached Sersor Configuration and version of the IPS and ASA module.

  Kind regards

  Nathalie. M

  On the SAA, you need

  access-list aip-acl extended deny ip any any
  
  class-map aip-class
  
  match access-list aip-acl
  
  policy-map global_policy
  
  class aip-class
  
    ips inline fail-open
  
  service-policy global_policy global

  so that it sends traffic to the agreement in principle for inspection.

  I hope it helps.

  PK

• ASA 8.3 VPN site-to-site does not UDP traffic to other peer

  Hello!!!

  Someone turned off the lights :-) I say this because that's 6.2 6.3 I can't get the basic things...

  On a SAA, I created a "site-site" VPN profile to connect to a remote site, on the other side (ASA 8.2) sees no problem, I can pass all IP traffic via VPN without NAT; but on a new ASA5505 with 8.3 (1) version fw and ASDM 6.3 (1) can't do that in any way :-(

  What I get is trivial...

  ... It works perfectly with TCP and ICMP traffic, but does not have UDP traffic: in practice, if I followed the traffic to a remote private IP, TCP and ICMP traffic I see only packets in vlan "inside" with the private IP, but with the UDP traffic on top of that, I see traffic on vlan 'out' with the IP public ASA and source port changed :

  Inside: UDP to 172.16.2.128:6000 to 172.16.0.200:6000
  Outside: UDP to 5.5.5.5:23400 to 172.16.0.200:6000

  Why?

  Of course, the traffic is not encrypted and does not reach the other side of the tunnel!

  Here are the important parts of the configuration:

  interface Vlan1
  nameif inside
  security-level 100
  172.16.2.1 IP address 255.255.255.0

  network obj_any object
  subnet 0.0.0.0 0.0.0.0

  remote network object
  172.16.0.0 subnet 255.255.254.0

  outside_cryptomap to access extended list ip 172.16.2.0 allow 255.255.255.0 network remote control object

  NAT (inside, outside) static source any any destination static remote-remote network

  network obj_any object

  NAT dynamic interface (indoor, outdoor)

  card crypto outside_map0 1 match address outside_cryptomap

  outside_map0 card crypto 1jeu pfs

  card crypto outside_map0 1 set ip.ip.ip.ip counterpart

  outside_map0 card crypto 1jeu nat-t-disable

  outside_map0 interface card crypto outside

  Given that the new business object, I have not yet quite clear (ok, I don't find time to do a deep reading of the documentation), someone is able to direct me to fix this trivial?

  Note: If I remove my drive manual nat and I flag "network translating" on the remote network object thus indicate that they want NAT with ip network remote control then don't work any IP vs. remote site traffic. Why, why have not more than the simple rules of 'nat exception' the old version and why the crypto-plan applies only to TCP traffic? Possible that there is an object any which takes all IP traffic?

  A big thank you to all.

  73,

  Arturo

  Hi Arturo,.

  I know that there is a certain NAT related bugs in 8.3 (1) and although I don't remember a specific which corresponds to your symptoms, I would say you try 8.3 (2) instead, or maybe even the last available version of a temp (currently to 8.3 (2.4):)

  http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=8.3.2+Interim&mdfid=279916854&sftType=Adaptive+Security+Appliance+%28ASA%29+Software&optPlat=&nodecount=9&edesignator=null&modelName=Cisco+ASA+5510+Adaptive+Security+Appliance&treeMdfId=268438162&modifmdfid=&imname=&treeName=Security&hybrid=Y&imst=N

  If you still see the problem, then, check

  entry Packet-trace within the udp 172.16.2.2 1025 172.16.0.1 detail 123

  entry Packet-trace inside tcp 172.16.2.2 1025 172.16.0.1 detail 123

  and check what's different.

  HTH

  Herbert

• VPN site to site thanks to a pair of asa 5505 does not pass traffic

  the configurations are fairly simple. Ping between the two lan pc fails. "show isakmp crypto his" and "crypto ipsec to show his" got out, if.

  Please refer to the attached text and diagram files.

  I'm pre-configures the ASA, for external interfaces have ip addresses private for the moment.

  all entries are welcome.

  Thank you!

  Your look simple configurations.

  As the Phase 1 and Phase 2 SAs are coming, the VPN seems correct.

  We see program leaving ASA1 and decaps ASA2, but no return traffic seems to come in.

  I suspect a problem with the host 192.168.102.5. Can you capture the top packages and check that it receives traffic initiated from the host 192.168.101.5 (side ASA1) and he answers with the ASA2 as its default gateway?