L2L dynamic peers together with non-dynamic peers
Hi all
Can't seem to fight my way out of this configuration. We have a router configured with dynamic IPsec L2L peers and remote access (pretty much using this configuration: LINK). I'm not used to the keyring / profile configuration. But I'm trying to add a tunnel without a profile, perhaps a "non-dynamic" peer?
Here is the configuration:
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key PSK1
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key L2L-PSK2 address 76.113.24.103
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group VPN-Users
key PSK1
pool ippool
acl 171
!
crypto isakmp profile VPNclient
match identity group VPN-Users
client authentication list default
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
keyring spokes
match identity address 0.0.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DynIPSecMap01 2
set transform-set ESP-3DES-MD5
set isakmp-profile VPNclient
crypto dynamic-map DynIPSecMap01 5
description tunnel_to_EEUU
set transform-set testset
match address 110
!
!
crypto map IPSecMap01 10 ipsec-isakmp
description REMO_ST_VPN
set peer 76.113.24.103
set transform-set ESP-AES-SHA
match address REMO_ST_VPN
crypto map IPSecMap01 10000 ipsec-isakmp dynamic DynIPSecMap01
interface Serial0/0/0:0
ip address 178.31.76.1 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
crypto map IPSecMap01
ip access-list extended REMO_ST_VPN
permit ip 172.18.38.0 0.0.0.255 172.16.202.0 0.0.0.255
!
access-list 10 permit 65.122.15.2
access-list 110 permit ip 172.18.35.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 172.18.38.0 0.0.0.255 10.1.2.0 0.0.0.255
We are failing in Phase 1 because the PSK does not match, with this error:
ISAKMP:(3134): key not found in profile keyring, aborting exchange
Can someone point me in the right direction?
Thanks for your time and support,
Nick
Try creating a new crypto isakmp profile that matches the identity address of the L2L peer. Then create a new crypto keyring for this peer instead of using the "crypto isakmp key" command.
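As an added example (not from the original post or the answer above), here is one way to put the answer's suggestion into IOS configuration: a dedicated keyring and ISAKMP profile for the static peer, bound to the static crypto map entry, so the wildcard keyring "spokes" is no longer the one consulted for it. The peer address, map name and key name come from the posted config; the keyring and profile names are assumed.

```cisco
! Added example: dedicated keyring for the static L2L peer (names are assumed)
crypto keyring REMO_ST_KEYRING
 pre-shared-key address 76.113.24.103 key L2L-PSK2
!
! Profile that matches only this peer's identity and uses its own keyring,
! instead of the catch-all "match identity address 0.0.0.0" in profile L2L
crypto isakmp profile REMO_ST_PROFILE
 keyring REMO_ST_KEYRING
 match identity address 76.113.24.103 255.255.255.255
!
! Bind the profile to the static crypto map entry; the dynamic entries keep their own profiles
crypto map IPSecMap01 10 ipsec-isakmp
 set isakmp-profile REMO_ST_PROFILE
!
! The global key for this peer is no longer needed once the keyring holds it
no crypto isakmp key L2L-PSK2 address 76.113.24.103
```

After applying it, "show crypto isakmp profile" lists both profiles, and "debug crypto isakmp" should show the static peer being matched to REMO_ST_PROFILE rather than to L2L; if it still lands in L2L, the key lookup will again be done against keyring "spokes" and fail the same way.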
Tags: Cisco Security
Similar Questions
-
VPN L2L dynamic to static w/o DefaultL2LGroup
I was looking for a way to have a static-to-dynamic L2L VPN without using DefaultL2LGroup, setting up several tunnel-groups instead, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses
Now the problem: the VPN comes up, but I can't reach any device with a ping.
Static side: ASA 5505 - 8.2(2)
Dynamic side: Zyxel P-661HW-D3
Here is the config for the ASA:
access-list outside extended permit icmp any any
access-list outside extended deny ip any any
access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 10.1.0.0 255.255.248.0
access-group inside in interface inside
access-group outside in interface outside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 1 match address ST_3710
crypto dynamic-map DN3710 1 set transform-set myset
crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy GP3710 internal
group-policy GP3710 attributes
 vpn-filter value ST_3710
 vpn-tunnel-protocol IPSec
tunnel-group TG3710 type ipsec-l2l
tunnel-group TG3710 general-attributes
 default-group-policy GP3710
tunnel-group TG3710 ipsec-attributes
 pre-shared-key *********
As you can see, the VPN is up:
2   IKE Peer: ***.***.***.***
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Thanks in advance if anyone can help me with this problem.
Kind regards
Luca
Hello Luca,
You are right, you can have the spokes land on separate tunnel-groups and not only on the DefaultL2LGroup. The ASA follows this sequence when doing the tunnel-group lookup for L2L tunnels with pre-shared keys:
- The IKE ID is checked first, and it can be a hostname (full FQDN) or an IP address
- If the IKE ID lookup fails, the ASA tries the peer IP address
- DefaultRAGroup/DefaultL2LGroup is used as a last resort
From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.
The problem I clearly see here is the vpn-filter that you have applied in the group-policy. Keep in mind that vpn-filters are applied in the inbound direction.
When a vpn-filter is applied to a group-policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. Be careful when building the ACL for use with the vpn-filter feature. The ACLs are built with post-decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction.
In your case the remote network is 10.51.10.0 255.255.255.0 and the local network is 10.1.0.0 255.255.248.0, so let's say you want to allow just Telnet:
The following ACE will allow the remote network to Telnet to the LAN:
access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
The following ACE will allow the LAN to Telnet to the remote network:
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
Note: the ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23" will also allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.
The ACE "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0" will also allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.
Kind regards
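As an added example (not part of Luca's config or of the answer above), the lookup order described above can be used to give a dynamic-IP spoke its own tunnel-group named after the IKE identity it sends, with a vpn-filter written the way the answer describes: remote network as source, local network as destination. ASA 8.2 syntax; the spoke's FQDN, the group and ACL names and the key are assumed, the networks are the ones in the thread.

```cisco
! Added example (ASA 8.2): per-spoke tunnel-group selected by the spoke's IKE ID (assumed FQDN)
! The spoke must send its hostname as IKE identity (on IOS: "crypto isakmp identity hostname");
! with pre-shared keys that means aggressive mode, which the ASA accepts unless
! "crypto isakmp am-disable" is configured.
tunnel-group spoke1.example.net type ipsec-l2l
tunnel-group spoke1.example.net general-attributes
 default-group-policy GP-SPOKE1
tunnel-group spoke1.example.net ipsec-attributes
 pre-shared-key SPOKE1-PSK
!
! vpn-filter ACL: the remote network (10.51.10.0/24) is always the source and the
! local network (10.1.0.0/21) always the destination; the same ACE is also applied
! to the reverse direction, so "eq 22" here means destination port 22 from remote
! to local and source port 22 from local to remote.
access-list VPNFILTER-SPOKE1 extended permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 22
access-list VPNFILTER-SPOKE1 extended permit icmp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0
!
group-policy GP-SPOKE1 internal
group-policy GP-SPOKE1 attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VPNFILTER-SPOKE1
```

"show vpn-sessiondb detail l2l" shows which tunnel-group and group-policy a connected peer actually landed on, which is the first thing to check when a filter seems to be ignored; "show run group-policy GP-SPOKE1" confirms the filter name. A filter written with the local network as the source silently drops everything, because nothing arriving from the tunnel matches it.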
-
ASA L2L VPN up with only incoming traffic
Hello
I need help with this one. I have two identical VPN tunnels with two different customers who need access to one of our internal servers; one of them (Customer) works well, but for the other (CustomerB) I can only see traffic from the remote peer (i.e. RX but no TX). I put a sniffer on the ports where the ASA and the server are connected and saw that the traffic reaches the server and the traffic from the server reaches the ASA, and then nothing...
See the output of "sh crypto ipsec sa" below and part of the config for both customers
------------------
Addresses:
- local peer: 100.100.100.178
- local network: 10.10.10.0/24
- local server they need access to: 10.10.10.10
- Customer remote peer: 200.200.200.200
- Customer remote network: 172.16.200.0/20
- CustomerB remote peer: 160.160.143.4
- CustomerB remote network: 10.15.160.0/21
---------------------------
Output of the command "sh crypto ipsec sa peer 160.160.143.4 det":
peer address: 160.160.143.4
    Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

      access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
      local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
      current_peer: 160.160.143.4

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C2AC8AAE

    inbound esp sas:
      spi: 0xD88DC8A9 (3633170601)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5517312, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373959/20144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC2AC8AAE (3266087598)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5517312, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/20144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

The configuration (excerpt):
ASA Version 8.2(1)
!
name 172.16.200.0 Customer
name 10.15.160.0 CustomerB
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 Customer 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 CustomerB 255.255.248.0
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.177 1
route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 160.160.143.4
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy Customer internal
group-policy Customer attributes
 vpn-tunnel-protocol IPSec svc
group-policy CustomerB internal
group-policy CustomerB attributes
 vpn-tunnel-protocol IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 general-attributes
 default-group-policy CustomerB
tunnel-group 160.160.143.4 ipsec-attributes
 pre-shared-key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy Customer
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key yyy
Thank you
A.
Hello
It seems that the ASA is not encrypting traffic to the second peer (however, there is no routing problem).
I have seen this behavior on 7.x code, not on 8.x code.
However, can you do a test?
Can you change the order of the crypto map entries?
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 160.160.143.4
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_1_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 200.200.200.200
crypto map outside_map 3 set transform-set ESP-3DES-SHA
I just want to see if, by making the non-working peer the first one, it works...
I know it should work the way you have it; I just want to see if this is the same behavior I've seen.
Thank you.
Federico.
-
PIX-to-router VPN static-to-dynamic
Dear friends,
I'm trying to configure an IPsec tunnel between an IOS router and a PIX v7.0. I've seen some URLs pointing here for a configuration example. However, that example only covers PIX v6.x, so it is not helpful in resolving my case.
My situation is that the router connects to a DSL provider and obtains a dynamic IP address, and my PIX device has a static (leased line) connection to the Internet. So I have to establish the tunnel using pre-shared keys.
How do I do this with v7.x on the PIX?
Appreciate the help,
Mauricio
Mauricio,
Here is an example for PIX version 7.0 of a dynamic L2L tunnel.
You must create a dynamic crypto map and use the DefaultL2LGroup tunnel-group for the pre-shared key settings.
Please rate this post if it helps.
See you soon
Gilbert
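The example Gilbert refers to is not reproduced on this page. As an added example (not Gilbert's text and not Cisco's), here is the PIX/ASA 7.0 shape of the static side of a static-to-dynamic L2L tunnel: a dynamic crypto map with no peer address, attached at the lowest priority of the map on the outside interface, and the pre-shared key placed in DefaultL2LGroup because the responder cannot look a key up by an address it does not know. Networks, names and the key are assumed; 7.2 and later spell the ISAKMP commands with a "crypto isakmp" prefix instead of "isakmp".

```cisco
! Added example (PIX 7.0 syntax): static side accepting an L2L peer with a dynamic address
! Assumed: local LAN 10.1.1.0/24, remote LAN 192.168.1.0/24, interfaces "inside" and "outside"
access-list L2L-DYN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map: crypto ACL and transform only; there is no "set peer" because the
! router's address changes. The router must be the one to initiate the tunnel.
crypto dynamic-map DYN-L2L 10 match address L2L-DYN-TRAFFIC
crypto dynamic-map DYN-L2L 10 set transform-set ESP-3DES-SHA
!
! Attach it as the last (highest sequence) entry so static peers are matched first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! The key for peers of unknown address lives in the default L2L tunnel-group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key DYNAMIC-SPOKE-PSK
```

The caveat a practitioner should keep in mind: every peer that falls through to DefaultL2LGroup shares that one key, so anyone who obtains it and presents a crypto ACL matching L2L-DYN-TRAFFIC can bring a tunnel up. When more than one dynamic spoke is expected, the per-spoke tunnel-groups keyed on the IKE identity (as discussed in the ASA thread above) keep each spoke's key separate.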
-
Hi all
I have two firewalls that I'm trying to set up an L2L VPN between. One of them is an old SonicWALL and the other is an ASA 5505.
I put it all in, Phase 1/2 completes and the tunnel comes up; however, no traffic passes through.
Here is my configuration
ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25
SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24
I have an access-list configured on the ASA and applied to the crypto map using "crypto map XXXX 1 match address YYY".
However, when I watch the debugging output on the console it says: "Failed to locate egress interface for UDP from XXXX:192.168.10.10/1 to 192.178.20.1/0".
Any ideas why this is?
Do I just need a static route saying all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?
I guess that's the crypto map's job.
Am I wrong?
Hello
It is starting to look to me like you have a vpn-filter ACL configured for your L2L VPN, and also that the vpn-filter ACL and the crypto ACL are the same thing, meaning you use a single ACL for both.
Why I think so is the fact that you say your L2L VPN traffic passes the "packet-tracer" VPN phase, which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a vpn-filter ACL being configured.
Given the above, I also know that the vpn-filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the vpn-filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.
If you add an ACL rule with the networks switched around, it seems this fixes the vpn-filter ACL problems and finally allows the traffic. Naturally I can only guess, since I have not seen the actual configurations at this point (which, usually together with "packet-tracer" output, help solve a problem faster than just guessing).
If you indeed have a vpn-filter, you may be able to track it down with the following commands
show run tunnel-group
Check if a "group-policy" is defined, then use the command
show run group-policy
This output should list the name of the vpn-filter ACL if it is set.
Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configuration. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.
The ASA tracks TCP and UDP connections by default. ICMP is only tracked if its inspection is enabled. By default it is NOT inspected.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
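As an added example (not Jouni's configuration), the last two points of the answer as ASA commands, together with the check commands named above: reverse route injection is switched on per crypto map entry, and ICMP only gets a stateful connection entry once it is added to the global inspection policy. The map name, sequence number and the tunnel-group name (the peer's address from the question) are assumed.

```cisco
! Added example (ASA 8.x): locate a vpn-filter, enable RRI, and inspect ICMP
! 1. See which group-policy the L2L tunnel-group uses and whether it carries a vpn-filter
show run tunnel-group 192.168.30.2
show run group-policy
!
! 2. Reverse route injection: the ASA installs a static route for the remote networks
!    of this entry's crypto ACL, pointing at the peer (map name and sequence assumed)
crypto map OUTSIDE-MAP 1 set reverse-route
!
! 3. ICMP is not tracked by default; add it to the default inspection class so that
!    echo replies are matched to the outgoing echo instead of needing an inbound permit
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 4. Walk a ping from the inside host to the remote LAN through the ASA's decision phases
packet-tracer input inside icmp 192.168.10.10 8 0 192.168.20.1
```

In the packet-tracer output, a drop in the VPN phase points at the crypto ACL, a drop in the VPN-USER phase at a vpn-filter, and a failure before either at routing; RRI only helps the last of these. Note that "set reverse-route" installs the route whether or not the tunnel is up on an 8.2 box, so the remote network must not be one the ASA also reaches some other way.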
-
Hi all
I'm kind of new to Cisco and I have no CLI expertise. I need to configure a site-to-site VPN (IPsec tunnel) with NATing. I have already set up several L2Ls with ASDM without problems, with no NATing needed. Here's the scenario:
Site1 uses 192.168.1.0/24 for all internal clients that need to connect to two hosts on Site2.
Site1 users need to access the Site2 hosts 192.168.25.100 and 192.168.25.101.
Site2 already has an L2L with another site configured for the 192.168.1.0/24 range, so they asked if I can NAT the outgoing traffic on my end to 172.10.25.0/24.
So all clients on 192.168.1.0/24 connecting via only this VPN tunnel from Site1 to Site2 should be translated to 172.10.25.0/24 (one-to-one?). Now, I wonder if this can be done through ASDM and if so, how? I guess I need to do it in two steps: 1) set up the L2L using the wizard, 2) set up all the necessary NAT and ACLs. I'm running a Cisco ASA 5510, ver. 7.2. If not, what are the exact CLI commands? Again, this NATing is only for this VPN tunnel and I don't want the Site1 (192.168.1.0/24) users to be translated for the other L2L VPNs that are already set up, or for anything internal.
Thanks in advance for any help/suggestions.
Yes, you are absolutely correct with all 3 statements.
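The answer confirms the approach but gives no commands. As an added example (not from the original thread), this is the CLI form of "translate Site1 only towards this tunnel" on an ASA running 7.2 or 8.2: a policy static NAT whose ACL matches only traffic to the two Site2 hosts, and a crypto ACL written with the translated addresses, because on these releases the crypto ACL is checked after NAT on outbound traffic. Interface names, the transform set, the map name and the peer address are assumed; the networks are the ones in the question.

```cisco
! Added example (ASA 7.2 / 8.2 syntax): NAT Site1 to 172.10.25.0/24 only for this tunnel
! Assumed: inside = 192.168.1.0/24, Site2 peer address 203.0.113.2 (documentation address)
!
! Policy NAT ACL: only traffic from Site1 to the two Site2 hosts gets translated
access-list SITE2-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 host 192.168.25.100
access-list SITE2-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 host 192.168.25.101
!
! One-to-one static policy NAT of the whole /24 onto 172.10.25.0/24; the size of the
! mapped block follows the real network in the ACL (192.168.1.x becomes 172.10.25.x)
static (inside,outside) 172.10.25.0 access-list SITE2-POLICY-NAT
!
! Crypto ACL uses the translated source, which is what Site2 will see and expects
access-list SITE2-CRYPTO extended permit ip 172.10.25.0 255.255.255.0 host 192.168.25.100
access-list SITE2-CRYPTO extended permit ip 172.10.25.0 255.255.255.0 host 192.168.25.101
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 20 match address SITE2-CRYPTO
crypto map OUTSIDE-MAP 20 set peer 203.0.113.2
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key SITE2-PSK
```

Two checks before trusting it: NAT exemption is evaluated before policy static NAT, so an existing "nat (inside) 0 access-list" ACE that already covers 192.168.1.0/24 toward 192.168.25.x would bypass this translation and the packets would miss SITE2-CRYPTO; and the Site2 administrator must define their side of the tunnel with 172.10.25.0/24 as the remote network, not 192.168.1.0/24. Traffic from Site1 to any other destination is untouched by this static because its ACL does not match, which is the "only for this tunnel" requirement.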
-
Default route through an IPsec tunnel on PIX version 6.3
We have a PIX 501 running IOS version 6.3.1.
There are currently 3 active IPsec tunnels, as described below.
What we would like is to have all default traffic (0.0.0.0 0.0.0.0) go out through the tunnel in the middle entry, so that the traffic can be protected by a firewall on the other side of the tunnel. Since the ICF is a SonicWALL, what would need to be changed in the configuration on the PIX to get there?
Thank you
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 86AZXXmRLxfv/oUQ encrypted
passwd 86AZXXmRLxfv/oUQ encrypted
hostname SiteA
domain-name default.int
clock timezone STD -7
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 75.75.75.2 CovadHub
name 75.48.25.12 Sonicwall
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 102 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 103 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 104 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered warnings
icmp permit 10.10.5.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 75.25.14.2 255.255.255.0
ip address inside 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.5.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 75.25.14.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.163.4.102 source outside
ntp server 129.7.1.66 source outside
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pix11 esp-des esp-md5-hmac
crypto map peer11 10 ipsec-isakmp
crypto map peer11 10 match address 102
crypto map peer11 10 set peer 75.95.21.41
crypto map peer11 10 set transform-set pix11
crypto map peer11 11 ipsec-isakmp
crypto map peer11 11 match address 103
crypto map peer11 11 set peer Sonicwall
crypto map peer11 11 set transform-set pix11
crypto map peer11 12 ipsec-isakmp
crypto map peer11 12 match address 104
crypto map peer11 12 set peer 75.62.58.28
crypto map peer11 12 set transform-set pix11
crypto map peer11 interface outside
isakmp enable outside
isakmp key ******** address 75.62.58.28 netmask 255.255.255.240
isakmp key ******** address Sonicwall netmask 255.255.255.224
isakmp key ******** address 75.95.21.41 netmask 255.255.255.252
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 28800
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption des
isakmp policy 12 hash md5
isakmp policy 12 group 2
isakmp policy 12 lifetime 36000
telnet 10.10.5.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.10.5.70-10.10.5.101 inside
dhcpd dns 10.10.1.214
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain default.int
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:36d2c26afa803957d3659868d9219f82
: end
Hello
You do not really configure any kind of default route for the L2L VPN. Rather, you match traffic with an "any" destination in the L2L VPN configuration. Basically you would configure the L2L VPN crypto ACL with an "any" destination.
I guess in your case it would be the ACL named "103".
access-list 103 permit ip 10.10.5.0 255.255.255.0 any
no access-list 103 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
Naturally, your NAT0 ACL configuration should also reflect this change. I guess the remote end SonicWALL would NAT the private addresses to a public one for Internet access in this case. I guess that in this case the NAT0 ACL might even be just this one ACL rule
access-list 101 permit ip 10.10.5.0 255.255.255.0 any
BUT what I was mainly wondering about for now is the fact that it has a priority of "11" in the "crypto map", which sits between the 2 other L2L VPN connections.
crypto map peer11 10 ipsec-isakmp
crypto map peer11 10 match address 102
crypto map peer11 10 set peer 75.95.21.41
crypto map peer11 10 set transform-set pix11
crypto map peer11 11 ipsec-isakmp
crypto map peer11 11 match address 103
crypto map peer11 11 set peer Sonicwall
crypto map peer11 11 set transform-set pix11
crypto map peer11 12 ipsec-isakmp
crypto map peer11 12 match address 104
crypto map peer11 12 set peer 75.62.58.28
crypto map peer11 12 set transform-set pix11
If you changed the destination address of the "103" L2L VPN crypto ACL to "any", I guess that would probably cause the last L2L VPN connection with priority "12" to stop working, since the previous entry already matches "any" destination address for your "inside" network.
The solution might be to delete the current configuration of priority "11" and add it back with "13" for example, so that the other 2 L2L VPN connections could continue to work and all the rest of the traffic would be passed to the L2L VPN connection with the SonicWALL as the remote peer.
no crypto map peer11 11 ipsec-isakmp
no crypto map peer11 11 match address 103
no crypto map peer11 11 set peer Sonicwall
no crypto map peer11 11 set transform-set pix11
crypto map peer11 13 ipsec-isakmp
crypto map peer11 13 match address 103
crypto map peer11 13 set peer Sonicwall
crypto map peer11 13 set transform-set pix11
I have to say that this is how I expect it should work. I have worked with L2L VPNs that were configured this way, but it's quite rare.
If you want to try something like this, of course be ready to revert to the old configuration together with the admins of the remote peer if things do not work. I guess the more difficult configuration changes must be made on the remote end, while the configuration on your end should be fairly simple.
Hope this helps
-Jouni
-
Hello
I would like to set up a site-to-site VPN using an ASA 5520 and I have some questions, if you don't mind:
Site A:
Peer IP address: aaa.aaa.aaa.aaa/32
Local network: bbb.bbb.bbb.bbb/32
Site b:
Peer IP address: xxx.xxx.xxx.xxx/32
Local network: yyy.yyy.yyy.yyy/32
In the site-to-site VPN wizard (on site B), the peer should be site A, the local network must be site B and the remote network must be site A, right?
The local network IP address should not be used by other devices, right? Can I use a single IP address instead of a network range for the local and remote networks? The customer on site A gave me a single IP address.
Can I allow site A to browse only a single IP address on my site B, and allow only ports 80 and 443? Please can you give me an example; I prefer ASDM.
Thank you and waiting for your help.
Hello
I can really only give an example of this using the CLI (or rather I prefer to, as I hardly use ASDM at all).
Do you have any already existing L2L / site-to-site VPN connections on the ASA?
Could you share your current configuration (with all sensitive information removed) so we can take into account all the existing configuration you have?
Have you agreed on what the Phase 1 and Phase 2 settings of the L2L VPN will be with the other site's technical contact, who will set up their side of the L2L VPN?
-Jouni
-
VPN client connected but no ping nor access to privat network
Hello
I have an 1802W installed, a VPN client that can connect to the router, and an L2L connection, which works very well.
On the router I see that the client is connected, but no traffic passes. In "sh crypto ipsec sa" I see that traffic is decrypted, but no packets are encrypted.
Can someone point me in the right direction? I have the confs and debugs attached. Thanks for the help in advance.
Erich
Erich,
Looking at your configuration, two things:
1. In the current running configuration, I see your L2L tunnel is configured with "match address 101", but I don't see an ACL 101 configured on the router.
2. Your split tunnel must be reconfigured, which means the source and destination must be swapped.
ip access-list extended SplitList
 permit ip 192.168.2.0 0.0.0.255 192.168.111.0 0.0.0.255
Split Tunneling
http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800a393b.shtml#Con4
Also, ensure that the IP address pool you assign to clients is not part of a LAN on your side. If it is, you may run into routing problems.
Kind regards
Arul
* Please rate all helpful posts *
-
Order of operations NAT on Site to Site VPN Cisco ASA
Hello
I have a question about the NAT order of operations on a site-to-site VPN on Cisco ASA 8.2.x. I have a scenario where internal IP addresses in the range 10.17.128.x are NATed to public IPs 31.10.10.x. Below is the config:
The tunnel normally passes traffic to the DMZ servers 31.10.11.10 and 31.10.11.11.
But the NATed servers (10.17.128.x <-> 31.10.10.x) do not work.
crypto map inside_map 50 set transform-set ESP-3DES-SHA
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 general-attributes
 default-group-policy PHX_HK
tunnel-group 100.1.1.1 ipsec-attributes
 pre-shared-key *
group-policy PHX_HK internal
group-policy PHX_HK attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc webvpn
crypto map inside_map 50 match address outside_cryptomap_50
crypto map inside_map 50 set peer 100.1.1.1
crypto map inside_map 50 set transform-set ESP-3DES-SHA
crypto map inside_map 50 set reverse-route
object-group network PHX_Local
 network-object host 31.10.11.10
 network-object host 31.10.11.11
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
 network-object host 10.17.128.20
 network-object host 10.17.128.21
 network-object host 10.17.128.22
 network-object host 10.17.128.23
object-group network HK_Remote
 network-object host 102.1.1.10
access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
access-list ACL_INSIDE extended permit ip object-group PHX_Local object-group HK_Remote
access-list ACL_OUTSIDE extended permit ip object-group HK_Remote object-group PHX_Local
access-list outside_cryptomap_50 extended permit ip object-group PHX_Local object-group HK_Remote
route outside 102.1.1.10 255.255.255.255 30.1.1.1 1
static (inside,outside) 31.10.10.10 10.17.128.20 netmask 255.255.255.255
static (inside,outside) 31.10.10.11 10.17.128.21 netmask 255.255.255.255
static (inside,outside) 31.10.10.12 10.17.128.22 netmask 255.255.255.255
static (inside,outside) 31.10.10.13 10.17.128.23 netmask 255.255.255.255
It started to work when I made another object-group named PHX_Local1 and used it in the access-list inside_nat0_outbound instead of the object-group PHX_Local, as below:
object-group network PHX_Local1
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
no access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
access-list inside_nat0_outbound extended permit ip object-group PHX_Local1 object-group HK_Remote
Can you please help me understand why object-group PHX_Local failed with access-list inside_nat0_outbound, but it started to work with object-group PHX_Local1?
Also, if you could tell me the NAT order of operations over a site-to-site VPN, it would be useful.
Thank you
Kind regards
Thomas
Hello
I think you may have stated the original question in a way that could be misleading. In other words, I think I understand it now.
From what I understand now, you have DMZ servers that are configured with a public IP address on the real servers, and for those you have configured NAT0.
Then you have other servers that do not have public IP addresses themselves, but are translated on the ASA.
If this is the case, then the next question would be: should the servers with NAT join the L2L VPN connection with their real IP address or their NAT IP address?
Of course, if you configure static NAT and NAT0 for the same servers, NAT0 will always win.
You have these hosts that were not able to use the L2L VPN
31.10.10.10 10.17.128.20
31.10.10.11 10.17.128.21
31.10.10.12 10.17.128.22
31.10.10.13 10.17.128.23
IF you want them to go through the L2L VPN with their original IP address, then you must configure
object-group network LOCAL
 network-object host 10.17.128.20
 network-object host 10.17.128.21
 network-object host 10.17.128.22
 network-object host 10.17.128.23
object-group network REMOTE
 network-object host 102.1.1.10
access-list inside_nat0_outbound extended permit ip object-group LOCAL object-group REMOTE
access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE
IF you want to use the L2L VPN with the public IP addresses, then you must configure
object-group network LOCAL
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
object-group network REMOTE
 network-object host 102.1.1.10
access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE
EDIT: in this case you naturally do not configure any NAT0 for the real IP addresses, since we specifically want those hosts to be visible to the L2L VPN with their NAT IP address.
Or you can of course use the same "object-group" as currently, but change its content appropriately.
Be sure to mark it as answered if it was answered.
Ask more if necessary
-Jouni
-
hub 3030... I have a local host that needs to access multiple L2L tunnels with different NAT requirements:
I currently have this NAT configured...
source 10.1.1.1/32, static NAT 134.x.x.x/32, destination ANY
I need to configure this NAT...
source 10.1.1.1/32, static NAT 10.99.17.x/32, destination 32.x.x.x/32
Is this possible? I tried and I get: "Source and the remote network address
conflict with an existing rule. The source or the remote network address
must be changed." Is this conflict because of the destination ANY in the pre-existing rule?
I thought that, since the destination of the rule I have to add is more specific than that,
it should work.
Thanks for your help, Anne
Hi Anne,
Yes, the conflict error you see is due to the pre-existing destination of ANY. Ideally, we need to have more specific destinations in the static rules to have several NATs for the same source. So I would say we find out the list of remote networks for which we need the first translation (134.x.x.x/32) and apply the static rule (may need more than one static rule if several remote subnets are involved), and similarly one more for the new static we are looking for (for the 32.x.x.x/32 destination).
Now on some other security devices we have a workaround for our scenario, but I do not know if the software version running on your hub would support it.
Try to remove the static rule to ANY (the first statement) and then apply the new rule first (to 32.x.x.x/32). After that, apply the original static rule (destination ANY). The idea is to have the more specific static statement first, and then the general static (ANY) rule for the rest of the destinations. I suggest you try this in a maintenance window to avoid any impact on users.
Let me know if that helps...
See you soon,
Christian V
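As an added example, not taken from either thread above, here is how the NAT0-versus-static question in Thomas's thread and the two-translations-for-one-host question in Anne's thread look as ASA 8.2-style commands, with the NAT order of operations in the comments. Addresses and object-group names are the ones the posts use; 134.x.x.x, 32.x.x.x and 10.99.17.x are kept exactly as the post wrote them (placeholders), and the ACL name NAT_TO_32 is an assumption.

```text
! ASA 8.2 NAT order of operations (first match wins):
!   1. nat (ifc) 0 access-list ...   NAT exemption, checked before anything else
!   2. static ... [access-list ...]  policy static and regular static, in configuration order
!   3. nat (ifc) N access-list ...   policy dynamic NAT
!   4. nat (ifc) N ... + global      regular dynamic NAT/PAT
! The crypto map ACL is evaluated after translation, so it must name the
! addresses the packet carries when it reaches the crypto map.

! --- Case A (Thomas): servers cross the tunnel with their real addresses.
! The exemption matches first, the static is never reached, and the crypto
! ACL therefore lists the real 10.17.128.x hosts.
object-group network PHX_Local
 network-object host 10.17.128.20
 network-object host 10.17.128.21
 network-object host 10.17.128.22
 network-object host 10.17.128.23
object-group network HK_Remote
 network-object host 102.1.1.10
static (inside,outside) 31.10.10.10 10.17.128.20 netmask 255.255.255.255
static (inside,outside) 31.10.10.11 10.17.128.21 netmask 255.255.255.255
static (inside,outside) 31.10.10.12 10.17.128.22 netmask 255.255.255.255
static (inside,outside) 31.10.10.13 10.17.128.23 netmask 255.255.255.255
access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_50 extended permit ip object-group PHX_Local object-group HK_Remote

! --- Case B (Thomas): servers cross the tunnel with their public addresses.
! No exemption for them, so the static applies and the crypto ACL must list
! the mapped 31.10.10.x hosts instead.
object-group network PHX_Local1
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
access-list outside_cryptomap_50 extended permit ip object-group PHX_Local1 object-group HK_Remote

! --- Case C (Anne): one host, a different translation per destination.
! A policy static (with an ACL) is only specific enough if it is entered
! before the catch-all static, which is Christian's ordering workaround.
access-list NAT_TO_32 extended permit ip host 10.1.1.1 host 32.x.x.x
static (inside,outside) 10.99.17.x access-list NAT_TO_32
static (inside,outside) 134.x.x.x 10.1.1.1 netmask 255.255.255.255

! Check which rule a flow actually hits: the NAT phase of the trace shows
! the translation chosen and the VPN phase shows whether the crypto ACL matched.
packet-tracer input inside tcp 10.17.128.20 12345 102.1.1.10 443
packet-tracer input inside tcp 10.1.1.1 12345 32.x.x.x 443
```

The packet-tracer lines are the quickest way to answer "did the static or the exemption win" without bringing the tunnel down; on a live box the 32.x.x.x placeholder has to be the real remote host.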
-
L2L between an ASA 5505 and a WatchGuard XTM330 with dynamic IP
Hi guys,
I looked for a solution to this one but can't find an appropriate one; most of the discussions were old and with dead links to the solution.
We have an ASA 5505 with a static IP address on the outside and a customer who has a WatchGuard XTM330 with a dynamic IP address on the outside.
Is it possible to have an L2L VPN between our ASA and the WatchGuard when it has a dynamic IP?
I have no experience with the WatchGuard series,
so I am very grateful for any answer!
Thanks in advance and have a nice day
BR
Robin
Hi Robin,
Here are the links you can refer to when configuring a static-to-dynamic VPN tunnel:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112075-dynamic-IPSec-ASA-router-CCP.html
This one is with a PIX on the remote side, but the configuration will remain the same on the local side:
http://www.WatchGuard.com/docs/4-6-Firebox-CiscoPix.PDF
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
I'm having some trouble with an L2L tunnel where the remote end has a DHCP address on the external interface; this is a
WRVS4400N Wireless-N Gigabit Security Router with VPN, and I am locked into a particular configuration at that end. My end is an ASA5540, which must accept a dynamic connection, and I can do everything I need to get this up and running...
Remote endpoint in Rome
192.168.252.0/24 inside network, which must be able to talk to my end: 192.168.240.0/24, 192.168.241.0/24 and 192.168.242.0/24
IPSec settings in Rome which cannot be changed:
IKE with preshared key
Phase 1: 3DES, MD5, DH 2, key lifetime 86400
Phase 2: 3DES, MD5, PFS enabled, DH 2, lifetime 28800, pre-shared key XXXXX
On my end, I have the ACL and NAT exemption correct... I can actually treat the current remote outside IP as static and bring the tunnel up without problem. My problem is getting the dynamic crypto correct.
Here is what I currently have (or should I say had configured previously) on the ASA for the dynamic crypto:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
So my isakmp policy 5 is my phase 1 set. My ESP-3DES-MD5 transform set matches my phase 2 encryption/authentication needs...
I think all I'm missing is a way to match the PFS and DH 2 for phase 2?
And since my ACL is named Rome, then my tunnel-group must be named Rome as well?
Thank you.
I don't think we can have several dynamic-IP peers use different pre-shared keys in this setup.
-
Sourav
-
L2L VPN static to dynamic with redundancy
Hi, I have an IPSEC VPN configured between two Cisco routers,
a dynamic end and a static head end, and it works like a charm.
What I want to achieve now is:
if my head end goes down, I want the remote end to connect to a second head end.
Is this possible?
Currently on my side I have it configured this way (partial configuration):
crypto map vpn 10 ipsec-isakmp
set peer 8.2x.1x.4
set transform-set low
match address 100
What I want is: if 8.2x.1x.4 is unreachable, the VPN must connect to the second head end, say 1.1.1.1.
Any help would be great.
Hello Ahmad,
Yes, it is possible.
You set the primary peer as your default, and so the default peer will always be preferred.
http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_s2.html#wp1046908
Thank you
Rizwan James
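As an added example of what Rizwan describes (it is not Ahmad's configuration), here is the spoke-side IOS crypto map with both head ends listed, the primary marked as default, and DPD so that the spoke notices a dead primary instead of waiting for the SA lifetime. The peer addresses 8.2x.1x.4 and 1.1.1.1, the transform set "low" and ACL 100 are taken from the thread; the key value is a placeholder, and the second head end is assumed to carry the same dynamic-peer configuration as the first.

```text
! Dead Peer Detection: probe every 10 s, 3 retries, sent even when idle.
crypto isakmp keepalive 10 3 periodic
!
! One pre-shared key per head end (the same value can be used for both).
crypto isakmp key <PSK> address 8.2x.1x.4
crypto isakmp key <PSK> address 1.1.1.1
!
crypto map vpn 10 ipsec-isakmp
 set peer 8.2x.1x.4 default
 set peer 1.1.1.1
 set transform-set low
 match address 100
!
! "default" marks 8.2x.1x.4 as the peer to try first; when it does not
! answer, the router moves on to 1.1.1.1, and it returns to the default
! peer once the SA is rebuilt. Without DPD the failover only happens when
! the existing SA expires or is cleared.
!
! Verification on the spoke:
!   show crypto map            - both peers listed under map "vpn"
!   show crypto session        - which head end the current SA is built to
!   show crypto isakmp sa      - QM_IDLE for the active peer
```

Both head ends need the dynamic-peer side of the configuration (a keyring or wildcard pre-shared key plus a dynamic crypto map), otherwise the fallback peer will reject the spoke's unknown source address exactly as the primary would.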
-
Cisco VPN Site to Site with static and dynamic does not work
Hello
I have an ASA 5510 at Headquarters with a static IP and an ASA 5505 at the remote site behind an ADSL router trying to establish a VPN, but it fails in phase 1.
Config of the headquarters
interface Ethernet0/0
description link to LeaseLine router
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description link to internal LAN
nameif inside
security-level 100
ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
pre-shared-key *
The remote site configuration
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list SHEEP extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *
Best regards / Asfar
Hello
Have you tried replacing the tunnel-group names with the IP address on both ends...?
Thank you
MS
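As an added example, not taken from any of the posts, the following ASA 8.2-style fragments show the pattern both the Rome thread and Asfar's thread are reaching for: a hub with a static address accepting an IKEv1 pre-shared-key peer whose address is dynamic. The detail both threads turn on is that in IKEv1 main mode the peer is identified by its IP address, so the hub has no way to select a tunnel-group named "Rome", "parkplace" or "fairmount" for a peer whose address it does not know in advance; such a peer lands in the built-in tunnel-group DefaultL2LGroup, and that is where the pre-shared key must be configured. The spoke, which does know the hub's address, names its tunnel-group after that address. The networks, the ACL name Rome, the map names and the hub address 83.111.252.242 reuse what the posts give; the phase 1/phase 2 proposals are the Rome ones, and the key value is a placeholder.

```text
! ===== Hub (static outside address): accepts the dynamic peer =====
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 20
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! Interesting traffic, written from the hub's point of view.
access-list Rome extended permit ip 192.168.240.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list Rome extended permit ip 192.168.241.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list Rome extended permit ip 192.168.242.0 255.255.255.0 192.168.252.0 255.255.255.0
!
! Dynamic crypto map: no "set peer". "set pfs group2" is the phase 2 PFS/DH 2
! setting the Rome post asked about. A match address ACL is optional on a
! dynamic map; with one, only the listed networks are accepted from the peer.
crypto dynamic-map cisco 1 match address Rome
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set pfs group2
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
!
! The dynamic entry has to be bound into the crypto map that is applied to
! the interface, with the highest sequence number so static peers match first.
crypto map outside_map 65535 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
!
! Unknown-address IKEv1 PSK peers are matched to DefaultL2LGroup; the key
! goes here. Every dynamic peer shares this one key, which is Sourav's point.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PSK>
!
! NAT exemption for the tunnelled traffic, as in the posts.
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.241.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.252.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! ===== Spoke (dynamic outside address), e.g. an ASA 5505 behind ADSL =====
! The tunnel-group is named after the hub's address, not "fairmount".
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list VPN extended permit ip 192.168.252.0 255.255.255.0 192.168.240.0 255.255.252.0
tunnel-group 83.111.252.242 type ipsec-l2l
tunnel-group 83.111.252.242 ipsec-attributes
 pre-shared-key <PSK>
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside

! Checks while bringing it up (on the hub):
!   debug crypto isakmp 7   - shows the tunnel-group selected and any proposal mismatch
!   show crypto isakmp sa   - MM_ACTIVE once phase 1 succeeds
!   show crypto ipsec sa    - pkts encaps/decaps counters once phase 2 succeeds
```

Two caveats a practitioner should keep in mind: the spoke's VPN ACL above uses a 192.168.240.0/22 summary, which also covers 192.168.243.0/24, so it must mirror the hub's three /24 entries if the remote side is strict about proxy identities (the WRVS4400N in the Rome post is); and because every dynamic peer authenticates against the single DefaultL2LGroup key, one compromised spoke can impersonate any other, which is the reason to move such peers to certificates or to IKEv2 with per-peer identities when the remote hardware allows it.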