ASA L2L tunnel up, no traffic (or one-way...)

I have two ASA 5505s running 8.2(1); call them HQ and BRANCH. HQ has an L2L to a third site, and that one works fine.

Now I'm setting up an L2L VPN between HQ and BRANCH. The tunnel comes up (phases 1 and 2 pass), but I can't ping from either end.

sh cry isa sa looks 100% OK.

sh cry ipsec sa shows that HQ has only decaps, while the BRANCH has only encaps. So HQ looks like the main suspect to me (even though its other L2L works very well).

Here are the configs; great if someone could help me identify the config problems...

-----------------------------------------------------------------

HQ:

ASA Version 8.2(1)
!
hostname HQ
domain-name blah.com
enable password blah encrypted
passwd bla encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.106.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
dns server-group DefaultDNS
 domain-name blah.com
access-list inside_outbound_nat0_acl extended permit ip 172.16.106.0 255.255.255.128 any
access-list outside_cryptomap_20 extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.224
access-list outside_1_cryptomap extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
sysopt noproxyarp inside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 191.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer 82.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 82.xx.xx.xx type ipsec-l2l
tunnel-group 82.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
!
class-map inspection_default
 match default-inspection-traffic
!
!
service-policy global_policy global
prompt hostname context
: end

-----------------------------------------------------------------

BRANCH:

ASA Version 8.2(1)
!
hostname BRANCH
enable password djfldksjafl encrypted
passwd djfldksjafl encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.106.161 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa821-k8.bin
object-group network obj_any
access-list BRANCH-HQ extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
access-list SHEEP extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
logging enable
icmp unreachable rate-limit 1 burst-size 1
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx
!
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address BRANCH-HQ
crypto map outside_map 10 set peer 191.xx.xx.xx
crypto map outside_map 10 set transform-set RIGHT
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
dhcpd dns xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 172.16.106.162-172.16.106.166 inside
dhcpd enable inside
!
webvpn
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context
: end

-----------------------------------------------------------------

Best,

Johnny
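As an added illustration (not from the thread or either poster), the following Python parses the encaps/decaps counters of "show crypto ipsec sa" from both ends of an L2L tunnel and turns the pattern described above (HQ decaps only, BRANCH encaps only) into a finding. The sample output is constructed to match that symptom, and the peer addresses 198.51.100.1 / 203.0.113.1 are documentation addresses standing in for the masked IPs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed "show crypto ipsec sa" excerpts (not real device output) that
# mirror the thread's symptom: HQ only decapsulates, BRANCH only encapsulates.
# 198.51.100.1 / 203.0.113.1 are documentation addresses standing in for the
# masked peer IPs.
HQ_SA = """\
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1
      access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
      local ident (addr/mask/prot/port): (172.16.106.0/255.255.255.128/0/0)
      remote ident (addr/mask/prot/port): (172.16.106.160/255.255.255.248/0/0)
      current_peer: 203.0.113.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 78, #pkts decrypt: 78, #pkts verify: 78
"""

BRANCH_SA = """\
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
      access-list BRANCH-HQ extended permit ip 172.16.106.160 255.255.255.248 172.16.106.0 255.255.255.128
      local ident (addr/mask/prot/port): (172.16.106.160/255.255.255.248/0/0)
      remote ident (addr/mask/prot/port): (172.16.106.0/255.255.255.128/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
_COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
_PEER = re.compile(r"current_peer: ([\d.]+)")


@dataclass
class SaEntry:
    peer: str = ""
    local: str = ""   # net/mask protected behind this ASA (local proxy ID)
    remote: str = ""  # net/mask protected behind the peer (remote proxy ID)
    encaps: int = 0
    decaps: int = 0

    def direction(self) -> str:
        """What the counters say about traffic through this SA pair."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.encaps:
            return "encaps-only"  # this side sends but never receives
        if self.decaps:
            return "decaps-only"  # this side receives but never sends
        return "idle"


def parse_ipsec_sa(text: str) -> List[SaEntry]:
    """Split 'show crypto ipsec sa' output into one entry per 'local ident' block."""
    entries: List[SaEntry] = []
    cur = None
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m:
            kind, net, mask = m.groups()
            if kind == "local":
                cur = SaEntry(local=f"{net}/{mask}")
                entries.append(cur)
            elif cur is not None:
                cur.remote = f"{net}/{mask}"
            continue
        if cur is None:
            continue
        m = _PEER.search(line)
        if m:
            cur.peer = m.group(1)
        for kind, n in _COUNT.findall(line):
            setattr(cur, kind, int(n))
    return entries


def diagnose(a: SaEntry, b: SaEntry) -> str:
    """Combine the two ends (A, B) of one L2L tunnel into a single finding."""
    # Phase 2 only negotiates when the crypto ACLs are mirror images, so a
    # mismatch here means the two entries do not belong to the same tunnel.
    if a.local != b.remote or a.remote != b.local:
        return "proxy-id mismatch: crypto ACLs are not mirror images"
    da, db = a.direction(), b.direction()
    if da == db == "bidirectional":
        return "ok: traffic flows both ways"
    if da == db == "idle":
        return "no traffic selected: nothing matched the crypto ACL on either side"
    if da == "encaps-only" and db == "decaps-only":
        return "one-way: A->B arrives, B's replies never enter the tunnel (check B's return route and nat 0 exemption)"
    if da == "decaps-only" and db == "encaps-only":
        return "one-way: B->A arrives, A's replies never enter the tunnel (check A's return route and nat 0 exemption)"
    return f"inconsistent counters: A={da}, B={db}"


if __name__ == "__main__":
    hq, branch = parse_ipsec_sa(HQ_SA)[0], parse_ipsec_sa(BRANCH_SA)[0]
    print(f"HQ: {hq.direction()}, BRANCH: {branch.direction()}")
    print(diagnose(hq, branch))  # the thread's case: HQ (A) never sends
```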

Hello Johnny,

Great to hear that. Here, you have some points for you.

Please mark the question as answered so future users can draw from what you did.

Tags: Cisco Security

Similar Questions

  • L2L tunnel up, no traffic passing

    Two ASA 5505s for a customer's main site and a branch office.  I have the tunnel up.  But I am unable to pass traffic through it.  I thought I had it, but it turns out I was wrong, so I'll let the pros have at it.  Thank you!

    Main site:

    ASA Version 7.2(4)
    !
    hostname City
    enable password iNbSyJZ1ffmb9kn1 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.100.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 24.x.x.97 255.255.255.248
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    access-list outside_in extended permit tcp any host 24.x.x.98 eq 3389
    access-list outside_in extended permit udp any host 24.x.x.98 eq 1194
    access-list outside_in extended permit tcp any host 24.x.x.98 eq www
    access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0
    access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 100000
    logging console debugging
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool vpnpool 192.168.199.10-192.168.199.20
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 192.168.100.0 255.255.255.0
    static (inside,outside) 24.x.x.98 192.168.100.3 netmask 255.255.255.255
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 24.x.x.102 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    http 192.168.100.50 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 24.x.x.54
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs enable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    tunnel-group 24.x.x.54 type ipsec-l2l
    tunnel-group 24.x.x.54 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5180fc35fcb77dbf007b34bc2159c21b
    : end

    City# sh crypto isa sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 24.x.x.54
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    City# sh crypto ipsec sa

    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: 24.x.x.97

          access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          current_peer: 24.x.x.54

          #pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 56, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 24.x.x.97, remote crypto endpt.: 24.x.x.54
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 16409623

        inbound esp sas:
          spi: 0xFC3F0652 (4231988818)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 21, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4275000/28514)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x16409623 (373331491)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 21, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4274996/28514)
             IV size: 8 bytes
             replay detection support: Y

    Remote site:

    ASA Version 8.2(5)
    !
    hostname water
    enable password rAAeK7vz0gtMeIgU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.100.0 City description City LAN
    dns-guard
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 24.x.x.54 255.255.255.248
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 City 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 City 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 32768
    logging asdm-buffer-size 512
    logging monitor notifications
    logging buffered debugging
    logging trap notifications
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    ip local pool water 192.168.1.15-192.168.1.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 24.x.x.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 24.x.x.97
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491


      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 60
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    group-policy water internal
    group-policy water attributes
     dns-server value 192.168.1.1
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-tunnel-protocol IPSec
    username Registrar attributes
     vpn-group-policy DfltGrpPolicy
    tunnel-group water type remote-access
    tunnel-group water general-attributes
     address-pool water
     default-group-policy water
     dhcp-server 192.168.1.1
    tunnel-group water ipsec-attributes
     pre-shared-key *
    tunnel-group 24.x.x.97 type ipsec-l2l
    tunnel-group 24.x.x.97 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:06bda38461d2419b3e5c4904333b62e7
    : end

    water# sh crypto isa sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 24.x.x.97
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    water# sh crypto ipsec sa

    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: 24.x.x.54

          access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (City/255.255.255.0/0/0)
          current_peer: 24.x.x.97

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 78, #pkts decrypt: 78, #pkts verify: 78
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 24.x.x.54, remote crypto endpt.: 24.x.x.97
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: FC3F0652
          current inbound spi : 16409623

        inbound esp sas:
          spi: 0x16409623 (373331491)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 126976, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914995/28408)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xFC3F0652 (4231988818)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 126976, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/28408)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Thanks again!

    Also,

    Now that I actually think about it...

    The original ICMP you did would go as follows:

    • 192.168.100.x sends an ICMP Echo
    • Arrives on the local ASA
    • Gets sent through the L2L VPN connection
    • Arrives on the remote ASA
    • ASA forwards the traffic to the LAN host 192.168.1.x
    • LAN host forwards its reply to its default gateway 192.168.1.1 (NOT the ASA)
    • ICMP Echo traffic gets lost because there is no real route for the return traffic
      • Therefore, you see no encapsulated traffic at the destination; the ASA only decapsulates traffic that originates from the host sending the ICMP Echo through the L2L VPN

    -Jouni

  • L2L ASA not sending encrypted traffic

    I currently have a problem passing traffic from an ASA 5520 to an 877W.  Traffic is being encrypted on the router towards the ASA (as shown below), but the ASA doesn't send any encrypted traffic.  I tried upgrading to 8.4(7) and 9.1(5), wiping the config, and configuring the VPN via the CLI and using the ASDM wizard.  I also tried an 1841 and encountered the same problem.

    Any ideas before I open a TAC case?  Pulling my hair out with this one!

    877W Config:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key psk address ASA-EXTERNAL

    crypto ipsec transform-set TS esp-3des esp-sha-hmac

    crypto map CMAP 10 ipsec-isakmp
     set peer ASA-EXTERNAL
     set security-association lifetime seconds 28800
     set transform-set TS
     match address VPN-TRAFFIC

    interface Dialer0
     crypto map CMAP

    ip route 0.0.0.0 0.0.0.0 Dialer0

    ip nat inside source list 100 interface Dialer0 overload

    ip access-list extended VPN-TRAFFIC
     permit ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255

    access-list 100 remark set NAT
    access-list 100 deny ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
    access-list 100 remark
    access-list 100 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 100 permit ip 192.168.20.0 0.0.0.255 any

    ASA:

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address EXTERNAL-ASA-IP
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 172.16.250.247 255.255.255.0
    !
    same-security-traffic permit inter-interface
    object network VPNLocal
     subnet 172.16.250.0 255.255.255.0
    object network VPNRemote
     subnet 192.168.20.0 255.255.255.0

    access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote
    access-list outside_access_in extended permit ip object VPNRemote 172.16.250.0 255.255.255.0 log disable
    access-list inside_access_in extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote

    icmp permit any outside
    icmp permit any inside

    nat (inside,outside) source static VPNLocal VPNLocal destination static VPNRemote VPNRemote no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside

    route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP 1
    route inside 10.0.0.0 255.0.0.0 CORE-ROUTER 1

    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 877W-IP
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside

    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    group-policy GroupPolicy_877W-IP internal
    group-policy GroupPolicy_877W-IP attributes
     vpn-tunnel-protocol ikev1

    tunnel-group 877W-IP type ipsec-l2l
    tunnel-group 877W-IP general-attributes
     default-group-policy GroupPolicy_81.133.227.150
    tunnel-group 877W-IP ipsec-attributes
     ikev1 pre-shared-key *
     ikev2 remote-authentication pre-shared-key *
     ikev2 local-authentication pre-shared-key *
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global_policy
    policy-map global-policy
     class global-class
      inspect icmp
      inspect icmp error
    !
    service-policy global-policy global
    prompt hostname context

    877W# sh crypto ipsec sa

    interface: Dialer0
        Crypto map tag: CMAP, local addr 877W-IP

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
       current_peer ASA-EXTERNAL port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1771, #pkts encrypt: 1771, #pkts digest: 1771
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 17, #recv errors 0

         local crypto endpt.: 877W-IP, remote crypto endpt.: ASA-EXTERNAL
         path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
         current outbound spi: 0xD82FD3CE(3627013070)

         inbound esp sas:
          spi: 0x31F9F14C(838463820)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4544227/24786)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xD82FD3CE(3627013070)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4544168/24786)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access2
        Crypto map tag: CMAP, local addr 0.0.0.0

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
       current_peer ASA-EXTERNAL port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 0.0.0.0, remote crypto endpt.: ASA-EXTERNAL
         path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    ASA# sh crypto ipsec sa

    peer address: 877W-IP
        Crypto map tag: outside_map, seq num: 1, local addr: ASA-EXTERNAL

          access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          current_peer: 877W-IP

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 539, #pkts decrypt: 539, #pkts verify: 539
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: ASA-EXTERNAL/0, remote crypto endpt.: 877W-IP/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 31F9F14C
          current inbound spi : D82FD3CE

        inbound esp sas:
          spi: 0xD82FD3CE (3627013070)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 81920, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373968/24993)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x31F9F14C (838463820)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 81920, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/24993)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Happy you got it sorted :-)

    --

    Please do not forget to select a correct answer and rate useful posts

  • ASA L2L VPN UP with incoming traffic

    Hello

    I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers. One of them (Customer) works well, but for the other (CustomerB) I can only see traffic from the remote peer (RX but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw the traffic reaching the server, and the traffic from the server reaching the ASA, and then nothing...

    See the output of sh crypto ipsec sa below and part of the config for both customers.

    ------------------

    Addresses:

    local peer: 100.100.100.178

    local network: 10.10.10.0/24

    local server they need access to: 10.10.10.10

    Customer remote peer: 200.200.200.200

    Customer remote network: 172.16.200.0/20

    CustomerB remote peer: 160.160.143.4

    CustomerB remote network: 10.15.160.0/21

    ---------------------------

    Output of the command "sh crypto ipsec sa peer 160.160.143.4 det":

    peer address: 160.160.143.4
        Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

          access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
          local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
          current_peer: 160.160.143.4

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
          #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
          #pkts invalid prot (rcv): 0, #pkts verify failed: 0
          #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
          #pkts invalid pad (rcv): 0,
          #pkts invalid ip version (rcv): 0,
          #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
          #pkts replay failed (rcv): 0
          #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
          #pkts internal err (send): 0, #pkts internal err (rcv): 0

          local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C2AC8AAE

        inbound esp sas:
          spi: 0xD88DC8A9 (3633170601)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373959/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC2AC8AAE (3266087598)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 5517312, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/20144)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Partial config:

    ASA Version 8.2(1)
    !
    name 172.16.200.0 Customer
    name 10.15.160.0 CustomerB
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 100.100.100.178 255.255.255.240
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.10.10.0 255.255.255.0
    !
    access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
    access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
    nat-control
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 100.100.100.177
    route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 200.200.200.200
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_cryptomap
    crypto map outside_map 3 set peer 160.160.143.4
    crypto map outside_map 3 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec svc
    group-policy Customer internal
    group-policy Customer attributes
     vpn-tunnel-protocol IPSec svc
    group-policy CustomerB internal
    group-policy CustomerB attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 160.160.143.4 type ipsec-l2l
    tunnel-group 160.160.143.4 general-attributes
     default-group-policy CustomerB
    tunnel-group 160.160.143.4 ipsec-attributes
     pre-shared-key xxx
    tunnel-group 200.200.200.200 type ipsec-l2l
    tunnel-group 200.200.200.200 general-attributes
     default-group-policy Customer
    tunnel-group 200.200.200.200 ipsec-attributes
     pre-shared-key yyy

    Thank you

    A.

    Hello

    It seems that the ASA is not encrypting traffic to the second peer (however, there is no routing problem).

    I have seen this behavior on 7.x code, not on 8.x code.

    However, can you do a test?

    Can you change the order of the crypto map entries?

    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 160.160.143.4
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 3 match address outside_1_cryptomap
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 200.200.200.200
    crypto map outside_map 3 set transform-set ESP-3DES-SHA

    I just want to see if, by making the non-working peer the first entry, it works...

    I know it should work the way you have it; I just want to see if this is the same behavior I've seen.

    Thank you.

    Federico.

  • How to set up a one-way IPSec-L2L tunnel

    This may be a silly question, since VPNs are for communication between trusted parties and most people would try to fix a unidirectional tunnel rather than create one.

    But I'm interested in turning a regular tunnel into a one-way-only tunnel, so that only traffic from my side can initiate the tunnel.

    Recently we built this tunnel between our ASA5510 and our business partner's ASA5510 to run critical applications on their web servers, which are not connected to the Internet. I want to tie it down so that they cannot bring up the VPN. I have the crypto ACL set to limit it to one address and port, so they can only come in from that port once the tunnel is established. We also have a personal firewall installed on each host.

    Any idea how to make the tunnel one-way, and also how to protect us better once the tunnel is up?

    Hello

    You can use the following command:

    crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

    This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept a tunnel setup from your business partner. However, you can still initiate the VPN tunnel yourself.

    Check:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576

    Even though the reference is for ASA 8.0, I know it works for 7.2.x as well.

    Hope this helps

    Kind regards

    Pieter-Jan

  • ASA 8.6 - l2l IPsec tunnel established - not possible to ping

    Hello all

    I have a configuration problem with a Cisco ASA 5512-X (IOS 8.6).

    The IPsec tunnel is established between the ASA and another non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.

    I'm trying to interconnect the local network 192.168.2.0/24 (Cisco, DMZ interface) and 192.168.3.0/24 (router).

    The Cisco ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

    Here is the output of "show run":

    ---------------------------------------------------------------------------------------------------------------------------------------------

    ASA Version 8.6(1)2
    !
    hostname ciscoasa
    enable password oBGOJTSctBcCGoTh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif DMZ
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object network inside-subnet
     subnet 192.168.0.0 255.255.255.0
    object network webserver-external-ip
     host Y.Y.Y.Y
    object network webserver
     host 192.168.2.100
    object network vpn-local-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network vpn-remote-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    access-list outside_acl extended permit tcp any object webserver
    access-list outside_acl extended permit tcp any object webserver eq www
    access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
    access-list dmz_acl extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
    !
    object network inside-subnet
     nat (inside,outside) dynamic interface
    object network webserver
     nat (DMZ,outside) static webserver-external-ip service tcp www www
    access-group dmz_acl global
    route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal 3des-GNAT
     protocol esp encryption 3des
     protocol esp integrity md5
    crypto dynamic-map dynMidgeMap 1 match address l2l-list
    crypto dynamic-map dynMidgeMap 1 set pfs
    crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
    crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
    crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map dynMidgeMap 1 set reverse-route
    crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
    crypto map midgeMap interface outside
    crypto isakmp identity hostname
    crypto ikev2 policy 1
     encryption 3des
     integrity md5
     group 2
     prf md5
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy midgeTrialPol internal
    group-policy midgeTrialPol attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
     ipsec-udp enable
    tunnel-group midgeVpn type ipsec-l2l
    tunnel-group midgeVpn general-attributes
     default-group-policy midgeTrialPol
    tunnel-group midgeVpn ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
    : end

    ------------------------------------------------------------------------------------------------------------------------------

    X.X.X.X - ASA public IP

    Y.Y.Y.Y - web server public IP

    Z.Z.Z.Z - default gateway

    -------------------------------------------------------------------------------------------------------------------------------

    Ping from the ASA:

    ciscoasa# ping DMZ 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    Ping from the router (debug on the Cisco):

    ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

    -------------------------------------------------------------------------------------------------------------------------------

    ciscoasa# show route outside
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

    C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
    S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

    -------------------------------------------------------------------------------------------------------------------------------

    Do you have any idea what I am doing wrong? Probably some bad NAT/ACL, I suppose, but I could only ever find documentation for 8.4 and not for 8.6... Perhaps I have also polluted the configuration with unwanted commands, but I've tried various things...

    Please, if you have an idea, let me know! Thank you very much!

    Hello

    I've never used the "global" option on an ACL, but it looks to be the origin of the problem. From the Cisco doc:

    "Global access rules are defined as a special ACL that is processed for each interface on the device for inbound traffic to the interface. Thus, although the ACL is configured once on the device, it acts as a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"

    Your ACL: access-list dmz_acl extended permit icmp any any echo

    For example, when you launch a ping from the ASA, there is an echo-reply from the router on the outside interface --> the global ACL can block it.

    Then, when the ping is initiated from the router, the ASA sends an echo-reply, which is blocked again.

    Try adding permit echo-reply as well.

    In addition, you can use "inspect icmp" in the global policy instead of the ACL.

    If neither works, you can do another troubleshooting pass with the packet-tracer command on the ASA.

    THX

    MS
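    An added example (not from the poster or the reply above) that puts the global ACL from the posted config beside the two fixes the reply suggests, followed by the packet-tracer checks the reply recommends. The DMZ host 192.168.2.100 and the remote address 192.168.3.1 are taken from the thread; the ACL lines and policy-map lines marked as added are assumptions for illustration.

    ```cisco
    ! --- As posted: the global ACL admits echo requests only ---
    ! A global access-group is evaluated inbound on every interface, so an
    ! echo-reply arriving on 'outside' toward a DMZ host never matches a
    ! permit and is dropped by the implicit deny at the end of the ACL.
    access-list dmz_acl extended permit icmp any any echo
    access-group dmz_acl global

    ! --- Fix A (the reply's first suggestion): permit the reply direction ---
    access-list dmz_acl extended permit icmp any any echo-reply
    ! Added: make the remaining ICMP drops visible in syslog instead of silent.
    access-list dmz_acl extended deny icmp any any log

    ! --- Fix B (the reply's second suggestion): stateful ICMP inspection ---
    ! With 'inspect icmp' the reply is matched to the request's connection
    ! entry, so the ACL no longer needs an echo-reply rule at all.
    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

    ! --- Verification with packet-tracer (ICMP type 8/code 0 = echo request,
    !     type 0/code 0 = echo-reply). The first trace must end in ALLOW under
    !     either fix; the second passes under Fix A, and under Fix B only while
    !     a matching connection from the request exists.
    packet-tracer input DMZ icmp 192.168.2.100 8 0 192.168.3.1
    packet-tracer input outside icmp 192.168.3.1 0 0 192.168.2.100
    ```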

  • Traffic permitted only one-way for VPN-connected computers

    Hello

    I currently have an ASA 5505. I set it up as a remote-access SSL VPN. My computers can connect to the VPN just fine. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN. It seems that traffic is allowed only one way. I have messed around with ACLs with no luck. Any suggestions please?

    DHCP pool: 192.168.250.20-50 --> for the LAN

    VPN pool: 192.168.250.100 and 192.168.250.101

    Outside interface gets its address from the modem via DHCP

    Inside interface: 192.168.1.1

    Current running config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname HardmanASA
    enable password # encrypted
    passwd # encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 20
    !
    interface Ethernet0/1
     switchport access vlan 10
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.250.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.250.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.250.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.250.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.250.20-192.168.250.50 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_Pool
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:30fadff4b400e42e73e17167828e046f
    : end

    Hello

    No worries

    Since we are changing the config anyway, I would do it as follows.

    First, it is strongly recommended to use a different IP range for the VPN clients than for the internal network:

    no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0

    ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0

    access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0

    nat (inside) 0 access-list NAT_0

    Then give it a try and, if it works, rate this post hehe

  • Site2Site VPN ASA 5505 - allow established traffic

    Hello

    I have an IKEv1/IPsec tunnel between two ASAs.

    Local network: 10.31.0.0/16

    The other local network: 172.21.0.0/24

    But I would like only traffic that is initiated from 10.31.0.0/16 to be allowed; nothing from 172.21.0.0/24 toward 10.31.0.0/16 should be allowed. Is that possible?

    (replies back to 10.31.0.0/16 from the remote network 172.21.0.0/24 stay enabled)

    Best regards, Steffen.

    Hello

    If I haven't misunderstood the question above, then I think you could do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it:

    sysopt connection permit-vpn

    This does not show in the CLI configuration, since it is the default setting.

    You can check this with the command

    show run all sysopt

    which also lists the default settings.

    What this configuration essentially means is: allow ALL traffic that comes in through a VPN connection to bypass the ASA's interface ACL. So in your case, on the site with the ASA that has the network 10.31.0.0/16, the ASA would allow connections coming in from the other site's network 172.21.0.0/24 (as long as they were permitted by the other site's ASA LAN interface ACL).

    What you could do is insert the following configuration:

    no sysopt connection permit-vpn

    What this does is require you to ALLOW ALL traffic that comes in through the VPN connection in the 'outside' interface ACL of the ASA (which I assume is the name of your interface that currently handles the VPN connections). In other words, VPN traffic would no longer get a "free pass" through the 'outside' interface ACL; instead you must permit it like all other traffic from the Internet.

    If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN connections or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL towards the ASA's LAN. If you don't and you insert the configuration above, you will notice that their traffic starts to get blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security-level' will naturally block that traffic in the same way an ACL would).

    So if we assume that the L2L VPN is the only VPN you have configured on the ASA with 10.31.0.0/16, then the following changes would happen:

    • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL permits this traffic
    • Return traffic for those connections would of course be allowed by the same ASA, like all other return traffic.
    • IF there are incoming connection attempts from the 172.21.0.0/24 network toward the 10.31.0.0/16 network, they would be blocked, except where you ALLOW them in the 'outside' interface ACL

    Hope this made sense and helped.

    Consider marking this as the answer if it answered your question.

    Naturally, ask more if necessary.

    -Jouni
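    The procedure Jouni describes, written out as an added configuration example (not from the thread). Interface names "inside"/"outside", the ACL name OUTSIDE_IN, the second L2L peer's LAN 192.168.99.0/24 and the packet-tracer addresses are placeholders I assumed for the example.

```cisco
! Added example, not from the thread. Assumes interface names "inside"/"outside",
! an ACL named OUTSIDE_IN, and a constructed second L2L peer whose remote LAN is
! 192.168.99.0/24 (placeholder values).
!
! Default state: decrypted VPN traffic bypasses the outside interface ACL.
sysopt connection permit-vpn
!
! Step 1: before removing the bypass, allow any OTHER VPN traffic explicitly,
! otherwise it is dropped by the implicit deny at the end of the outside ACL.
access-list OUTSIDE_IN extended permit ip 192.168.99.0 255.255.255.0 10.31.0.0 255.255.0.0
!
! Step 2: connection attempts from 172.21.0.0/24 towards 10.31.0.0/16 would be
! denied by the implicit deny anyway; an explicit deny with "log" produces a
! syslog entry so blocked attempts can be seen.
access-list OUTSIDE_IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0 log
access-group OUTSIDE_IN in interface outside
!
! Step 3: remove the bypass so decrypted VPN traffic is checked against OUTSIDE_IN.
! Return packets for connections started from 10.31.0.0/16 still pass through the
! stateful connection table, so no permit line for them is needed.
no sysopt connection permit-vpn
!
! Check: a new connection from the remote site should now be dropped by the ACL ...
packet-tracer input outside tcp 172.21.0.5 40000 10.31.0.10 445
! ... and the effective sysopt setting can be confirmed with:
show run all sysopt
```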

  • LAN-to-LAN 837 to 3000 series one-way traffic

    Hello

    Not even sure that this is even one-way traffic. The 837 is encrypting and the 3000 series shows increments on Rx, but nothing on decrypt or Tx respectively.

    Following the Cisco IOS and hub configuration guides religiously.

    The 837 IPsec crypto debugs seem to show that SAs are created - when they actually decide to show themselves on the console.

    Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic to the remote LAN (837) out the public interface? Or is a route not necessary, as the SA definition will determine the traffic to go down the tunnel?

    Unfortunately there are no other LAN-to-LAN tunnels on the 3000 to compare with for these questions, and I have no lab.

    Any help would be welcome. Of course, I can provide more information, whatever is necessary. Am at my wits' end with this one. So simple and yet not working - must be doing something stupid.

    Thank you

    If the tunnel is up and you're getting traffic in one direction and not the other, it is usually routing.

    The 831 sends traffic to the 3000 and the 3000 receives it, judging from your counters. The problem is probably that the hosts behind the 3000 do not know how to get back to the LAN behind the 831. Your internal network behind the 3000 will need a route to the 831 LAN that points to the interface of the 3000. The 3000 just needs a default gateway pointing out the public interface.

    On the local network of the 3000, if you have no internal router and your internal hosts are directly connected to the same hub/switch as the 3000's private interface, then each host will need a static route to the 831 LAN that points to the 3000's private interface (this is assuming of course that the 3000 is not the default gateway for the hosts, which it usually is not).

    Keep in mind that if you do not see any TX packets on the 3000, then the 3000 is not even seeing packets from its inside hosts which are destined for the 831 LAN; check the local routing behind the 3000 to see what is happening.

  • Overlapping address space question - how to NAT inside traffic to a different address range on the ASA for comms with a 3rd party VPN?

    We already have site-to-site IPsec VPN connectivity with a 3rd party.

    They must be able to access a couple of servers on our internal network, but the problem is that the subnet these servers are hosted on clashes with address space they already use elsewhere. Thus, they asked if we can put in place a new subnet and have our ASA firewall (running v7.2) NAT the traffic to and from our servers' 'real' internal addresses.

    For example:

    • 3rd party subnet 10.10.10.0/24
    • Our subnet 10.20.20.0/24 (but this clashes with the 3rd party's address space elsewhere)
    • Our 'real' internal server addresses are 10.20.20.1 and 10.20.20.2

    How do we set up NAT on our ASA to translate the 'real' internal addresses of these servers to some other addresses that don't clash?

    That is, as far as the 3rd party is concerned, they would simply communicate with this 'new' subnet, say 192.168.20.0/24, and our ASA firewall would NAT the traffic accordingly to allow the comms to take place?

    (And it should only affect comms to these servers from the 3rd party - NOT any of our other multiple VPN connections! And it should not affect other comms from the servers themselves!)

    Here is what I've tried so far, for one of the servers, without success:

    On the ASA:

    !
    access-list 3rdpartysite line 1 extended permit ip host 192.168.20.1 10.10.10.0 255.255.255.0
    !
    access-list SERVER-NAT line 1 extended permit ip host 10.20.20.1 10.10.10.0 255.255.255.0
    !
    static (inside,outside) 192.168.20.1 access-list SERVER-NAT

    "sh xlate" shows:

    Global 192.168.20.1 Local 10.20.20.1

    Can someone help with the necessary NAT configuration on the ASA?

    Thank you!

    Did you 'clear xlate' after you configured the NAT statements?

    When you try to ping from 10.20.20.1, does it get to the ASA? Do you have an ACL on this interface that would block the ping? Also, can you run a packet capture on the ASA to see if the ASA even receives the traffic?

    What is the subnet mask of the 10.20.20.1 host? I guess it's 255.255.255.0?

    You don't need anything specific on the ASA with regard to reaching 192.168.20.1.

  • ASA L2L VPN design question

    We expect to have more than 10,000 remote L2L VPN clients.

    I see that each crypto map entry needs a 'set peer' statement, and the IP address is the address of the remote L2L VPN peer.

    EX:

    crypto map UNI-POP 3 set peer 172.23.0.3
    ...
    crypto map UNI-POP 10000 set peer 172.26.0.250

    I already feel that this will be a VERY long config, maybe too big to save/read from memory.

    Would anyone have a better approach?

    Thank you

    Frank

    Frank,

    If the remote ends will only connect from time to time, you do not need set peer statements; normally it would suffice to have a dynamic crypto map.

    If the remote ends do not support certificates, it is possible to land them on the DefaultL2LGroup tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group

    tunnel-group DefaultL2LGroup type ipsec-l2l

    tunnel-group DefaultL2LGroup general-attributes

    (...)

    You need to test it yourself to see if it will work.

    I also agree in terms of more than one firewall. Two devices in load balancing or, if possible, 2 pairs of devices in failover clusters could be a great way to have a decent load per machine and equipment redundancy (ideal circumstances ;]). I suggest you ping your systems engineer for any deployment involving 5585s; those guys can usually give good advice (and discounts ;]).

    Marcin
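    The dynamic crypto map approach Marcin suggests, written out as an added configuration example (not from the thread). The crypto map name UNI-POP comes from the question; the transform set name, dynamic map name, pre-shared key and the assumption that an ISAKMP policy is already configured are mine.

```cisco
! Added example, not from the thread. Transform set name, dynamic map name and the
! pre-shared key are placeholders; the crypto map name UNI-POP is from the question.
! Assumes an ISAKMP policy is already configured.
!
! Instead of one "crypto map UNI-POP <n> set peer <ip>" entry per remote site,
! a single dynamic crypto map accepts any peer that negotiates matching parameters.
! Trade-off: the hub cannot initiate these tunnels; the remote ends must bring them up.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
!
! The dynamic map is bound into the static map at the highest sequence number,
! so any static entries (for peers the hub must be able to initiate to) match first.
crypto map UNI-POP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map UNI-POP interface outside
crypto isakmp enable outside
!
! Peers without certificates land on the default L2L tunnel-group. Note that this
! means one shared key for every peer; certificates are the stronger option.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
!
! Verification once a remote peer brings its tunnel up:
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb l2l
```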

  • One way or another on my email print size has decreased to the point I can hardly read it.

    One way or another on my email print size has decreased to the point I can hardly read it.  Can any of you tell me please what keys hold and scroll to get the largest print size. Thank you very much.

    original title: Email printing size

    Sorry, but as it is Yahoo Webmail, that leaves me without a clue. Maybe the Internet Explorer forum or Yahoo support might be more useful.

    Internet Explorer forums
    http://answers.Microsoft.com/en-us/IE

    Yahoo help
    http://help.Yahoo.com/l/us/Yahoo/helpcentral/

  • One-way video problem

    Hello

    We have two Expressways and we have received a report from a company calling one of our sites that had issues with one-way video. The caller could not see the person they had dialed, but that person could see the caller. Audio was OK. They were told to place a new call through our other Expressway and all audio and video worked just fine. So, I'm trying to understand if there is a difference between the Expressways and why this happens. They both run X8.1.1. The strange thing is that we have only received a report from one enterprise having this problem through this "faulty" Expressway, so is it us or them? Apparently, they do not have problems with anyone else they make calls to...

    Looks like maybe it's time to collect logs... but has anyone else encountered this? Now I have confused everyone :)

    Thank you!

    In general I really wouldn't expect things to need a few reboots to register.

    Well sure, a typical TAC response will be "upgrade to the latest", which I also recommended.

    But your symptoms are still a bit sketchy.

    It's a good start to check if your firewall/network/DNS/... are OK as well. A lot of questions are hidden there. It is difficult to see the full extent from here.

    Please get some internal resources or a good Cisco partner's network resources.

    And yes, look into the CUCM upgrade!

    But the network / the environment should still be OK for that as well :-)

    Please rate the messages with the stars below and mark the thread as answered if it is.

  • Is there one way other than to_char to get the month of the date field

    Is there one way other than to_char to get the month of the date field

    Hello

    raj4tech wrote:

    Is there one way other than to_char to get the month of the date field

    EXTRACT is one:

    SELECT EXTRACT(MONTH FROM SYSDATE) AS curr_month
      FROM DUAL;

  • Is it only a one-way sync?

    It does not appear that changes I make in either Illustrator or InDesign get returned to the application? It would be really great. Maybe I'm not saving correctly? In any case, it looks very promising!

    J.

    It is one-way. The purpose of the application is to make a mockup, a "global" sketch of a layout.

    The file is sent to InDesign/Illustrator/Photoshop for the realization of the project.

    It is actually quite brilliantly designed and implemented, especially for a 1.0 release.
