L2L IPsec question: 0 packets decrypted!
Hello
We have implemented an IPsec L2L solution between HQ and remote sites. The last of these being a ship, we opted for a dynamic-to-static IPsec L2L solution using two ASAs. However, the solution fails from certain ports. The tunnel is established and the packets are encrypted on the remote ASA, but no packet is decrypted. HQ does not see any encrypted packets either. It looks like something between the two is preventing the IPsec packets from reaching HQ...
How could we make sure that the solution always works, regardless of any ACL or NAT between the two?
Below are excerpts of the "sh crypto ipsec sa" command for a positive and a negative result, as well as the configuration of the remote ASA.
Remote-ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: CMAP, seq num: 10, local addr: 172.16.1.215

      access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (10.240.192.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 146.40.75.33

      #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.215, remote crypto endpt.: 146.40.75.33
Remote-ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: CMAP, seq num: 10, local addr: 168.240.6.11

      access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (10.240.192.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 146.40.75.33

      #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 168.240.6.11, remote crypto endpt.: 146.40.75.33
Remote ASA config
access-list vpn extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list sheep extended permit ip 10.240.192.0 255.255.255.0 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CMAP 10 match address vpn
crypto map CMAP 10 set pfs group1
crypto map CMAP 10 set peer 146.40.75.33
crypto map CMAP 10 set transform-set ESP-3DES-SHA
crypto map CMAP 10 set phase1-mode aggressive group1
crypto map CMAP 10 set reverse-route
crypto map CMAP interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 146.40.75.33 type ipsec-l2l
tunnel-group 146.40.75.33 ipsec-attributes
 pre-shared-key *
Thanks for your help!
Franc
Hello
The first output shows packets being both encrypted and decrypted on the remote ASA.
At that point, was the VPN working well? What was different?
The second output shows encrypted packets on the remote ASA, but none decrypted.
You mentioned that the HQ site does not show decrypted packets either.
It seems that the remote ASA sends the traffic into the tunnel, but it never reaches the HQ site.
This can happen when there is a routing problem, a NAT problem, or some sort of VPN filter.
To understand this better, please explain what the difference was between the first and the second scenario.
Federico.
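A small diagnostic for the counters discussed in this thread, as an added example that is not part of the original post and not a Cisco tool: it parses the "show crypto ipsec sa" counter block of an ASA and reports the traffic direction the way the reply above reasons (encaps without decaps means nothing came back through the tunnel, so it is the ESP between the two crypto endpoints, IP protocol 50 or UDP/4500 with NAT-T, that needs tracing), plus a note when the local crypto endpoint is a private address and NAT-T is off, as in the posted config. The two sample blocks are transcribed from the question's excerpts; the nat_traversal_enabled flag is an input the caller takes from the config, since the show output does not carry it.

```python
"""Classify an IPsec L2L problem from the counters in `show crypto ipsec sa`.

Added example for this thread; not code from the original post or from Cisco.
It parses the per-SA counter block an ASA prints and applies the reasoning of
the reply above: encaps without decaps means nothing came back through the
tunnel, so trace the ESP (IP protocol 50, or UDP/4500 with NAT-T) between the
two crypto endpoints. The samples are transcribed from the question.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the working excerpt (28 encaps, 15 decaps).
SAMPLE_GOOD = """\
interface: outside
    Crypto map tag: CMAP, seq num: 10, local addr: 172.16.1.215
      current_peer: 146.40.75.33
      #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.1.215, remote crypto endpt.: 146.40.75.33
"""

# Constructed sample: the failing excerpt (45 encaps, 0 decaps).
SAMPLE_BAD = """\
interface: outside
    Crypto map tag: CMAP, seq num: 10, local addr: 168.240.6.11
      current_peer: 146.40.75.33
      #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 168.240.6.11, remote crypto endpt.: 146.40.75.33
"""

_COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")
_ENDPOINTS = re.compile(r"local crypto endpt\.:\s*(\S+),\s*remote crypto endpt\.:\s*(\S+)")


@dataclass
class SaCounters:
    local_endpoint: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text: str) -> SaCounters:
    """Extract the direction counters and the crypto endpoints of one SA block."""
    counters = {name: int(value) for name, value in _COUNTER.findall(text)}
    endpoints = _ENDPOINTS.search(text)
    if endpoints is None or len(counters) < 4:
        raise ValueError("not a complete 'show crypto ipsec sa' block")
    return SaCounters(
        local_endpoint=endpoints.group(1),
        peer=endpoints.group(2),
        encaps=counters["pkts encaps"],
        decaps=counters["pkts decaps"],
        send_errors=counters["send errors"],
        recv_errors=counters["recv errors"],
    )


def diagnose(sa: SaCounters, nat_traversal_enabled: bool = True) -> List[str]:
    """Return findings; the first one states the traffic direction seen on this side."""
    findings = []
    if sa.encaps and sa.decaps:
        findings.append("bidirectional: traffic is encrypted and decrypted on this side")
    elif sa.encaps and not sa.decaps:
        findings.append("one-way: this side encrypts but nothing comes back; either our ESP "
                        "never reaches the peer or the peer's ESP never reaches us")
    elif sa.decaps and not sa.encaps:
        findings.append("one-way: this side decrypts but sends nothing; no local traffic "
                        "matches the crypto ACL, check routing towards the tunnel")
    else:
        findings.append("idle: no traffic has matched this SA")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"errors on the SA: send={sa.send_errors} recv={sa.recv_errors}")
    # A private local endpoint facing a public peer means a NAT device is in the path.
    local_is_private = ipaddress.ip_address(sa.local_endpoint).is_private
    peer_is_private = ipaddress.ip_address(sa.peer).is_private
    if local_is_private and not peer_is_private:
        note = "local crypto endpoint is a private address, so a NAT device sits between the peers"
        if not nat_traversal_enabled:
            note += ("; with NAT-T disabled, ESP (IP protocol 50) only gets through "
                     "if that device does ESP pass-through")
        findings.append(note)
    return findings


if __name__ == "__main__":
    for label, sample in (("positive", SAMPLE_GOOD), ("negative", SAMPLE_BAD)):
        sa = parse_ipsec_sa(sample)
        print(f"{label}: {sa.local_endpoint} -> {sa.peer}")
        # The posted config has 'no crypto isakmp nat-traversal'.
        for finding in diagnose(sa, nat_traversal_enabled=False):
            print("  -", finding)
```

Feed it the full "show crypto ipsec sa" output of one SA at a time; the regexes only look at the four counters and the endpoint line, so the compression and fragmentation counters the ASA also prints are ignored.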
Tags: Cisco Security
Similar Questions
-
L2L IPsec VPN - "need XAUTH" problem with policy-based configuration
Hello
I have a problem for which I have seen a few solutions, but they do not work.
I have a p2p IPsec VPN, which worked until I added the remote-access VPN configuration (which works perfectly).
According to the documents, I used an isakmp policy allowing mixed tunnels. Now, whenever I try to send traffic through the L2L link, I get the following debug output telling me that the remote router is demanding XAUTH.
Sep  8 09:53:12: ISAKMP:(2015): Total payload length: 12
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep  8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep  8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep  8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep  8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep  8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep  8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep  8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So, it seems that Phase 1 completes without XAUTH.
Here are my crypto configurations:
crypto keyring s2s
  pre-shared-key address [source] key [key]
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
!
crypto isakmp client configuration group [RA_GROUP]
 key [key2]
 dns 192.168.7.7
 wins 192.168.7.222
 domain ninterface.com
 pool SDM_POOL_1
 acl 100
 max-users 6
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ISA_PROF
   keyring s2s
   match identity address [source] 255.255.255.255
crypto isakmp profile unified
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_grop_ml_1
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map [RA_GROUP] 77
 set transform-set trans-rem
 set isakmp-profile unified
 reverse-route
!
!
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr/remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
!
crypto map [RA_GROUP] client configuration address respond
!
crypto map remote isakmp authorization list rtr/remote
!
crypto map RTP 10 ipsec-isakmp
 set peer [source]
 set transform-set MY-SET
 set pfs group2
 match address 111
It is a bit of a dog's breakfast because I'm in the middle of implementing the policies.
I managed to block XAUTH before I used the policy by adding no-xauth at the end of my key statement, but I can't work out how to add this using the policy.
I bet it's something simple that I missed.
Thanks for your help!
Hi Bruno,
Thanks for the brief explanation.
Which crypto map is applied on the external interface?
I think the "crypto isakmp profile" solution is the best way, and they seem to be OK; however, we must remember that you can only have a single crypto map per interface, so you should have something like this:
1 - crypto dynamic-map outside_dynamic 10
      set transform-set ESP-AES-SHA
2 - crypto map outside_map 10 ipsec-isakmp
      set peer xxxx.xxxx.xxxx.xxxx
3 - crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic
4 - interface f0/0
      crypto map outside_map
* I did not write out all of the crypto configuration; I just wanted to give you a better idea.
Please correct your configuration to accommodate one crypto map.
Just to add more information on isakmp profiles:
Let me know.
Thank you.
Portu.
-
ASA or 871 L2L IPsec to SSG-140: tunnel is up, but no traffic
Hello
I am currently troubleshooting an L2L IPsec VPN between
1. ASA 7.2(4) and SSG-140
2. Cisco 871W and SSG-140
In both scenarios the tunnel is established and the traffic goes into the tunnel, but nothing comes out. All encaps, but no decaps.
Looks like a routing problem, but we cannot find anything on either site.
So maybe I'm running into a (known) problem between Cisco VPN equipment and the SSG-140?
I've searched the forum, but cannot find any idea on this subject.
If anyone has an idea, it is most welcome.
Could it be a proxy-ID problem? Because they set up things like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255.
Thanks in advance!
Tom, I have not seen the configs downloaded or posted. I would focus on the ASA as it's easier to troubleshoot. You can use the packet-tracer facility to verify that the SYN is sent through the crypto and out the external interface. It also gives you the ability to capture. Of course, the problem is that the traffic is encrypted. A SYN packet is small and hard to distinguish. Try sending pings with the packet size raised to 1000 bytes and see if you can locate them in the capture (IPsec will add about 80 bytes). You will need to do this at a quiet moment to make it easier. Assuming that you can identify the packets, you can repeat the capture and ask someone to do the same thing at the remote end. Also, try doing the ping from the remote device and see if you can capture the packets. My guess is that there is something wrong at the other end, or a firewall is dropping the ESP packets (IP protocol 50). If you want to send the config, show output and capture to [email protected] I can take a look. Matthew
-
Package ID question for an existing application
Hello
I can't update my application version because of the error 'Package ID must match Package ID in original bundle file'. I recently updated my laptop, and after the upgrade I published an update and it was accepted by BlackBerry World. It's been a few months since my last update. I have a new update to my application and now I'm stuck on the error above.
My BBID token had expired, so I created a new one on the dev site, saved it in a location, and then ran the "blackberry-signer" script to link my BBID with the CSK files. Running the script says 'Info: CSK successfully linked to BBID', but after cleaning and re-compiling, the bar file is still not accepted by BlackBerry World.
I checked my package-name and it matches; however, the package-id does not, which is the problem. I have the previous bar files; can they be used in some way to extract the information needed to get the update accepted?
Also, I used the 'restore' option in the BlackBerry Signing Configuration with a zip file consisting of barsigner.csk, barsigner.db and author.p12.
BTW, I followed the steps on http://supportforums.blackberry.com/t5/Native-Development/Help-Package-ID-must-match-Package-ID-in-o... but no luck.
Please suggest.
Step 3 must be done only once, before starting to use a token created in your BlackBerry ID account. Do you have applications signed using the key method (CSJ) that predates BlackBerry ID code signing tokens? Did you initially link to your BlackBerry ID token when you first installed everything?
By default, the tools use a BlackBerry ID token if it is present, ignoring the code signing keys. If you installed the token, signed, and then linked to your previous code signing keys, it would change the package author ID from the BlackBerry ID account to match the original code signing key account. Could this have happened?
Send me a private message with the package-author-id from your original BAR file and I can look at the account used to sign.
-
.bar package question
Hello world. At one point I tried to load the app for the first time using .bar files, and I realized that the package is not up to date with my current source code, because I guess it only gets updated when I build the project.
My question is how to rebuild the .bar files to make them current. Thank you
Building should pick up all your changes.
You could try doing a clean build and see if that solves your problem.
Also, if you are sideloading the bar file just to do a quick validation test, make sure you took it from the correct place.
-
WRVS4400N to ASA 5540 L2L IPsec connection
I have a remote WRVS4400N with a dynamic outside address that opens a connection to an ASA 5540 with a static address.
I'm all set on the ASA side. My questions concern the 4400N. It does not seem to have a very robust configuration available for L2L tunnels. For one, my encryption is limited to 3DES.
But I wonder if I'm missing something in the config. I have to configure L2L tunnels to two other firewalls. One firewall has 3 non-contiguous networks, and the other has 2. I have 5 tunnels configured; is this the only way? What I'd like to see is 2 tunnels, one for each remote firewall, where each tunnel would have access to all the networks (like on the ASA side). Is there any way to do this? Perhaps a useful command line for this unit?
My other question concerns the tunnel-groups I've implemented on my ASA, where I do not want to use the proper names... However, I can't seem to find a way to make this happen on the 4400N side... I mean, I need a way to create a 'keyword' identifier or a "firewall identifier" on the 4400N, and I do not see an appropriate field in the web interface. Does anyone have ideas?
Thanks in advance.
Hi WS, the WRVS router does not support a full tunnel configuration or routes to have a multi-site configuration. You would need a separate tunnel for each location.
Traditionally, the WRVS router was not a good match for any ASA platform. In most cases I have seen, once a tunnel has been set up the WRVS router will crash within an hour or less due to low memory. If you run into a scenario where the WRVS stops responding or the tunnel goes down, this is the likely cause.
I highly recommend not using the WRVS router for any tunnel with the ASA. If you are looking to stay in the small business range, an RV220W or an RV042 router would be a much more suitable match.
-Tom
Please mark replied messages as useful -
L2L IPsec VPN 3000 and PIX 501
Hello
I have a remote site that has a broadband internet connection and uses a PIX 501. We wanted to connect them with our main office using our VPN 3000 via a site-to-site VPN.
I followed the following documentation:
However, the L2L session does not appear on the concentrator when I check the active sessions.
The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPsec L2L tunnel, are attached.
Any help or advice is appreciated.
I just noticed that on the PIX firewall, the Phase 1 parameters are not configured. You must configure the same Phase 1 and Phase 2 settings on both ends of the tunnel.
For example, on the CVPN 3000 you have configured Phase 1 settings such as 3DES, pre-shared key etc. We need the same configuration on the PIX firewall too.
Here is a sample config:
I hope this helps!
-
Cisco ASA - L2L IPsec tunnel between two dynamic hosts
Hello
I have two Cisco ASA firewalls and I want to make an L2L IPsec tunnel between the two; the problem is that both parties have a dynamic IP. On both sides I have configured dyndns. Can I make an IPsec tunnel using the dyndns name as the peer address?
Hello
The ASA supports only the RFC-compliant method for dynamic DNS updates, not HTTP updates such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr
On the ASA, it is not possible to configure a tunnel between two dynamic peers.
You will need to have one static end to configure static-to-dynamic IP. For routers, you can follow this link.
I hope this helps. Kind regards,
Dinesh Moudgil
PS: Please rate helpful messages.
-
ASA 8.6 - L2L IPsec tunnel established - not possible to ping
Hello world
I have a configuration problem with a Cisco ASA 5512-X (version 8.6).
The IPsec tunnel is created between the ASA and another, non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.
I'm trying to interconnect the local network 192.168.2.0/24 (Cisco, DMZ interface) and 192.168.3.0/24 (router).
The Cisco ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password oBGOJTSctBcCGoTh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object network internal-subnet
 subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
 host Y.Y.Y.Y
object network webserver
 host 192.168.2.100
object network vpn-local-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
access-list dmz_acl extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network internal-subnet
 nat (inside,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static webserver-external-ip service tcp www www
access-group dmz_acl global
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des-GNAT
 protocol esp encryption 3des
 protocol esp integrity md5
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev2 policy 1
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
 default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 ikev2 local-authentication pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
PING from the ASA:
ciscoasa# ping DMZ 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PING from the router (debug on the Cisco):
ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea where I am wrong? Probably some bad NAT/ACL, I suppose, but I could only ever find something for 8.4 and not for 8.6... Perhaps, and no doubt, I have already messed up the configuration with unwanted commands, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used the "global" option in ACLs, but it looks to be the origin of the problem. Cisco doc:
"Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering that interface. Thus, although the ACL is configured once on the device, it acts as a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"
Your ACL: access-list dmz_acl extended permit icmp any any echo
For example, when you initiate from the ASA, there is an echo-reply from the router on the outside interface --> the global ACL can block it.
Then, when initiating from the router, the ASA sends an echo-reply, which gets blocked again.
Try adding a permit for echo-reply as well.
In addition, you can use "inspect icmp" in the global policy instead of the ACL.
If neither works, you can run another troubleshooting pass with packet-tracer on the ASA.
THX
MS
-
QoS with ASA - class-map packet matching questions
I have a few questions about the ASA and QoS - code level 8.2.5.
Let's say I have the following...
class-map TG-NonVoice
 match access-list tg-traffic-acl
class-map TCP-traffic
 match access-list tcp-traffic-acl
class-map TG-voice
 match dscp ef
 match tunnel-group x.x.x.x
How do I know the hierarchy the ASA uses to match a packet? Since a packet can only match one class-map, I created deny statements in the access lists to ensure the packet matches what I want. Example: in the tcp-traffic-acl access list I did not want to include the tunnel traffic, so I denied the tunnel traffic at the beginning of the access list. Is this the correct procedure, given that I did not know in what order the ASA matches packets to the access lists in my class-maps? Is there an order? TG-voice has priority in the policy-map; does it automatically get used to match first?
Second example:
Let's say I have
class-map TG-NonVoice
 match flow ip destination-address
 match tunnel-group x.x.x.x
class-map TCP-traffic
 match access-list tcp-traffic-acl
class-map TG-voice
 match dscp ef
 match tunnel-group x.x.x.x
Here I have only one access list. How do I know the order used to filter packets? If I do NOT want tcp-traffic-acl to include packets that could possibly match the VPN tunnel, do I put a deny at the beginning of the access list for VPN traffic to be sure? What order does the ASA use to determine whether a packet matches a class-map rule, since a packet could match multiple, but from what I've read it does not get included in the others once it matches the first? Does that make sense?
Thank you
Hello
I think this covers everything.
This is the best document I have found on the web about the MPF.
Take a read:
http://blog.INE.com/2009/04/19/understanding-modular-policy-framework/
Rate all useful posts!
Kind regards
Jcarvaja
Follow me on http://laguiadelnetworking.com
-
Good day!
I have a problem with an IPsec site-to-site configuration between ASAs (8.4).
Connection scheme:
CENTER: (LAN 10.10.0.0/30)-ASA-(WAN 37.203.241.XX)---(WAN 87.245.206.XX)-ASA-(LAN 10.20.34.0/24) :SPB
Here is my ASA config:
ASA CENTER
----
object network LocalNet
 subnet 10.10.0.0 255.255.255.252
object network RemoteNet
 subnet 10.20.34.0 255.255.255.0
---
access-list INT_TRAFFIC extended permit ip any 10.20.34.0 255.255.255.0
---
nat (insidelocal,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
---
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_SPB 1 match address INT_TRAFFIC
crypto map TO_SPB 1 set peer 87.245.206.XX
crypto map TO_SPB 1 set ikev1 transform-set VPN
crypto map TO_SPB interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
----
tunnel-group 87.245.206.XX type ipsec-l2l
tunnel-group 87.245.206.XX ipsec-attributes
 ikev1 pre-shared-key *
ASA SPB
object network LocalNet
 subnet 10.20.34.0 255.255.255.0
object network RemoteNet
 subnet 10.10.0.0 255.255.255.252
----
access-list INT_TRAFFIC extended permit ip any 10.10.0.0 255.255.255.252
----
nat (inside,outside) source static LocalNet LocalNet destination static RemoteNet RemoteNet
----
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map TO_CENTER 1 match address INT_TRAFFIC
crypto map TO_CENTER 1 set peer 37.203.241.XX
crypto map TO_CENTER 1 set ikev1 transform-set VPN
crypto map TO_CENTER interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
----
tunnel-group 37.203.241.XX type ipsec-l2l
tunnel-group 37.203.241.XX ipsec-attributes
 ikev1 pre-shared-key *
---
Where is the mistake? Can you please tell me...
Output of the show command on both ASAs:
-----
show crypto ikev1 sa
There are no IKEv1 SAs
-----
Hello
The ACL line
access-list INT_TRAFFIC extended permit ip 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252
already includes ICMP, so please remove the ACL line containing "icmp" (remove it from both ASAs):
no access-list INT_TRAFFIC extended permit icmp 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252
The Phase 1 status MM_WAIT_MSG6 would indicate that the L2L VPN is not up yet. At least when you took this command, that seems to have been the situation.
This seems to indicate that the pre-shared key values do not match. Please check that the PSK is entered correctly on both ASAs. Or maybe replace both PSKs with some simple versions just to be able to test L2L VPN connectivity.
If you have not already enabled ICMP inspection on your firewall, then add "fixup protocol icmp" and retest the traffic.
-Jouni
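As an added example (not from the thread or from Cisco), a small Python check for the kind of redundancy Jouni points out: a `permit ip` ACE already matches every protocol, so a later `permit icmp` ACE with the same endpoints can never be hit. It assumes extended ACEs with `any` or `address mask` endpoints and no port qualifiers; the sample lines are constructed from the two INT_TRAFFIC entries quoted above.

```python
"""ASA extended ACL shadow check (added example, not from the thread): parses
'access-list NAME extended permit|deny PROTO SRC SMASK DST DMASK' lines ('any' or
'addr mask' endpoints, no ports) and reports ACEs an earlier ACE already covers."""
import ipaddress
import re

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")

def _endpoint(tokens):
    # 'any' is 0.0.0.0/0; otherwise consume 'addr mask' (dotted-netmask form).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Return a dict for one ACE, or None for lines that are not ACEs."""
    m = ACE_RE.match(" ".join(line.split()))
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, rest = _endpoint(rest.split())
    dst, _ = _endpoint(rest)
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst}

def covers(broad, narrow):
    """True if every packet matching 'narrow' also matches 'broad': 'ip' covers
    every protocol, and ASA ACLs are first-match top-down, so 'narrow' is dead."""
    return (broad["proto"] in ("ip", narrow["proto"])
            and narrow["src"].subnet_of(broad["src"])
            and narrow["dst"].subnet_of(broad["dst"]))

def shadowed_aces(lines):
    """Return (shadowed_line, covering_line) pairs in config order."""
    seen, result = {}, []
    for raw in lines:
        line, ace = " ".join(raw.split()), parse_ace(raw)
        if ace is None:
            continue
        earlier = seen.setdefault(ace["acl"], [])
        hit = next((p for p, prev in earlier if covers(prev, ace)), None)
        if hit:
            result.append((line, hit))
        earlier.append((line, ace))
    return result

# Constructed sample: the two INT_TRAFFIC lines quoted in Jouni's reply.
SAMPLE_ACL = [
    "access-list INT_TRAFFIC extended permit ip 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252",
    "access-list INT_TRAFFIC extended permit icmp 10.20.34.0 255.255.255.0 10.10.0.0 255.255.255.252",
]
```

Run `shadowed_aces` over the output of `show running-config access-list` to list every ACE that an earlier, broader entry of the same ACL makes unreachable.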
-
ASA L2L VPN design question
We expect to have more than 10,000 remote L2L VPN clients.
I see that each crypto map needs a 'set peer' statement, and the IP address is the address of the remote L2L VPN peer.
EX:
crypto map UNI-POP 3 set peer 172.23.0.3
: . . .
crypto map UNI-POP 10000 set peer 172.26.0.250
I already feel that this will be a VERY long config, maybe too big to save to/read from memory.
Would anyone have a better approach?
Thank you
Frank
Frank,
If the remote ends will only be up from time to time, you should not have set peer statements, and normally a dynamic crypto map would suffice.
If the remote ends do not support certificates, it is possible to land on the DefaultL2LGroup tunnel-group.
bsns-asa5505-19# sh run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
(...)
You will need to test it yourself to see if it will work.
I also agree in terms of more than one firewall. Two devices in load balancing, or if possible two pairs of devices in failover clusters, could be a great way to have a decent load per machine and equipment redundancy (ideal circumstances ;]). I suggest you ping your systems engineer; for any deployment involving 5585s, those guys can usually give good advice (and discounts ;]).
Marcin
-
L2L IPsec VPN blocks SQL (ASA v8.4)
Good evening everyone,
I have an ASA 5510 running 8.4(2) which has a site-to-site IPsec VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all the ports we have tested so far (HTTP, FTP, SSL, RDP), with the exception of SQL, which does not even reach the server. I have Wireshark running on the DMZ server, and if the 3rd party initiates a TCP conversation from their server to any of the ports on the server, I see all the expected packets arrive with the correct IPs etc. (no NAT takes place across the VPN), but when an ODBC client attempts to query the SQL Server in our DMZ, the packets do not reach the server. What I do see is that the RX byte count on the VPN increases whenever the query is run, but it certainly isn't arriving at the SQL Server.
Also, if I swap the ASA back to the old PIX it replaced, with the same VPN configuration but on version 7.x, then it works fine.
While I find some time to clean up the config this weekend, any ideas?
Thank you very much
Simon.
Hi Simon,
If you look at the sysopt options in ASDM, it advises that you still need an ACL for the traffic. As I understand it, that changed from the old days, when you were on the version you pointed out. If you set the ports in this group then yes, it's a hole, and potentially your only protection is the NAT or its absence.
I would add another ACE to the outside interface which allows the source to your DMZ host (see below):
object-group service SQL-PORTS tcp
 port-object eq 1433
 port-object eq 1434
 port-object eq 1521
access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS
Regards
-
Horizon Workspace and ThinApp package question
Hello
I have a question about ThinApp packages. I added the package to the ThinApp repository and synced it in Horizon Workspace. Everything was green and successful, without alerts.
When I installed the Horizon Workspace Client on my laptop, I got the message "Package error: Cannot install Total Commander 8.5. Cannot copy the file: the network path was not found" (I have translated this from the Czech version of the OS).
File sync between my laptop and HW works, but applications do not.
What should I do to correct the problem with ThinApp packages?
Hi Black
If you use the command-line installer (run from a Windows command window) instead of installing by double-clicking the EXE file, you can set various options, including the install mode.
Command-line setup is described in this Horizon Workspace doc center topic:
For example, in a command prompt window, to install with the install mode set to HTTP download, you would run:
VMware-Horizon-Workspace-1.8.0-1800-165331.exe /s /v"HORIZONURL=https://yourHorizonURL INSTALL_MODE=HTTP_DOWNLOAD"
Are these ThinApp packages 64-bit? Is the Windows where you installed the client 64-bit Windows?
-
Hello...
I created an L2L tunnel between a Juniper NetScreen and a VPN 3005... the tunnel is up, but we are both unable to ping the allowed IPs... Another thing: I see rx traffic but no tx traffic from it... I suspect the keepalives...
It's the second tunnel I have built on this VPN 3005 box; the first has no problem like the one I have now...
Please help with this issue... Thanks in advance
Hello
Well, that's your problem. When the 192.168.10.10 PC attempts to send traffic to the 172.16.10.10 PC, the traffic goes first to the PIX. But because you are running v6.x on the PIX, it is not allowed to send the traffic back out the same interface it came in on, and it needs to do this to send the traffic to the VPN 3005.
With PIX v7.x you can do this, but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying that to reach 172.16.10.10, go via 192.168.10.15.
HTH
Jon