L2l VPN is up but no traffic flow

Hi people,

I'm trying to set up an L2L VPN between a 1841 and an NSA 2400 via the SDM. The tunnel comes up, and when I test connectivity it shows as successful, but I get an error stating:

"A ping with data size equal to this VPN interface's MTU and the "do not fragment" bit set, sent to the VPN device at the other end, failed. This can happen if there is a lower-MTU network in the path that drops "do not fragment" packets."

From my reading, this should not cause any traffic to drop, right?

Currently, I can't ping or telnet to services from one end of the tunnel to the other. I was able to ping momentarily from the SonicWall end at one point, but this disappeared shortly after (without any change to my config).

All ACLs created have been populated by the SDM.

What troubleshooting steps should I take?

Reduce the MTU size on the interface of your router:

router(config)# interface type [slot_#/]port_#
router(config-if)# ip mtu MTU_size_in_bytes
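Added worked example (my own, not from the thread or from Cisco): the arithmetic behind the SDM warning and the ip mtu advice. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 (16-byte block and IV, 12-byte ICV) over a 1500-byte link, the transform family the other threads on this page use; the 38-byte safety margin that lands on ip mtu 1400 is a chosen round-down, not a Cisco figure.

```python
"""Added example: ESP tunnel-mode overhead and the resulting ip mtu / MSS values.

Assumes AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV); change the
keyword arguments for other transforms. Not from the thread or from Cisco.
"""
import math

IP_HDR = 20          # outer IPv4 header added by tunnel mode
ICMP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the encrypted part
UDP_HDR = 8          # only present with NAT-T (UDP/4500 encapsulation)


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block  # padded to the cipher block
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + encrypted + icv


def max_inner_packet(link_mtu=1500, **transform):
    """Largest inner IP packet whose encapsulation still fits the outer link MTU."""
    size = link_mtu
    while esp_tunnel_size(size, **transform) > link_mtu:
        size -= 1
    return size


def df_ping_fits(data_bytes, link_mtu=1500, **transform):
    """Does a DF-bit ping with this much ICMP payload fit through the tunnel unfragmented?"""
    inner = IP_HDR + ICMP_HDR + data_bytes
    return esp_tunnel_size(inner, **transform) <= link_mtu


def recommended_settings(link_mtu=1500, safety_margin=38, **transform):
    """ip mtu for the tunnel path and the matching ip tcp adjust-mss (IPv4 + TCP headers = 40).
    The 38-byte margin is a chosen round-down, not a Cisco figure."""
    ip_mtu = max_inner_packet(link_mtu, **transform) - safety_margin
    return {"ip_mtu": ip_mtu, "tcp_mss": ip_mtu - 40}


if __name__ == "__main__":
    print("max inner packet:", max_inner_packet(), "NAT-T:", max_inner_packet(nat_t=True))
    print("1500-byte DF ping fits:", df_ping_fits(1472))
    print("after ip mtu 1400, DF ping of 1372 data bytes fits:", df_ping_fits(1372))
    print(recommended_settings())
```

Under those assumptions the largest inner packet that fits is 1438 bytes (1422 behind NAT-T), so a full 1500-byte DF ping can never pass the tunnel, which is exactly what the SDM test reports; the warning by itself does not mean user traffic is dropped. Setting ip mtu 1400 together with ip tcp adjust-mss 1360 on the LAN-facing interface keeps TCP flows from ever reaching that limit.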

Tags: Cisco Security

Similar Questions

  • SSL VPN on IOS but no traffic

    Dear score

I configured SSL VPN on a c3845. WebVPN works via the browser, but through the WebVPN client I am able to connect and cannot reach an internal IP address on the network. Please find the show output for your reference.

Check your 'ip nat inside' list 1 and make sure that you're not allowing VPN traffic to be NATted.

    -heather

  • VPN tunnel upward, but no traffic?

I decided to take a Cisco 1800 series router and try to put it in place. So far I can get out, and everything seems fine. I then tried to configure a VPN tunnel between this router and a SonicWall router.

Now the problem is that the SonicWall GUI and the Cisco both say that this tunnel is up. But I can't access the internal networks...

    So my cisco LAN is 192.168.11.0 255.255.255.0

    and the Sonic Wall is 192.168.1.0 255.255.255.0

They can't talk even though the tunnel is up. I was banging my head, running through the tutorials, and just can not understand.

    Here's proof that we have achieved at least the first phase:

    inbound esp sas:
          spi: 0xD1BC1B8E(3518765966)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3003, flow_id: FPGA:3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4541007/2298)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

    outbound esp sas:
          spi: 0xAE589C1E(2925042718)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3004, flow_id: FPGA:4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4541027/2297)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE



So here's my config: (what am I missing?)

    Current configuration : 3972 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname CompsysRouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret *****************
    enable password ***********
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name ********.local
    ip inspect name myfw http timeout 3600
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw udp timeout 3600
    ip inspect name myfw dns timeout 3600
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    crypto pki trustpoint TP-self-signed-1821875492
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1821875492
     revocation-check none
     rsakeypair TP-self-signed-1821875492
    !
    !
    crypto pki certificate chain TP-self-signed-1821875492
     certificate self-signed 01
      30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
      35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
      37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
      0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
      F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
      91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
      5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
      551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
      168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
      0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
      01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
      93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
      5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
      7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
      14F3C7C5 60E08BE3 88
      quit
    username jdixon secret 5 $*****************
    !        
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key address
    !
    !
    crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
    !
    crypto map vpn 10 ipsec-isakmp
     set peer
     set transform-set compsys
     match address 101
    !
    !
    !
    interface FastEthernet0/0
    ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248
    ip access-group Inbound in
    ip nat outside
    ip inspect myfw out
    ip virtual-reassembly
    duplex auto
    speed auto
    no keepalive
    crypto map vpn
    !
    interface FastEthernet0/1
    ip address 192.168.11.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999
    !
    ip access-list extended Inbound
    permit icmp any any
    permit gre host "REMOTE ROUTER" host "LOCAL ROUTER"
    permit esp host "REMOTE ROUTER" host "LOCAL ROUTER"
    permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
    permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER"
    permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
    permit ip host "REMOTE ROUTER" any
    permit tcp any host "LOCAL ROUTER" eq 22
    !
    access-list 1 permit 192.168.11.0 0.0.0.255
    access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !        
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    scheduler allocate 20000 1000
    end

    NAT exemption is where it is failing.

    Please kindly change to as follows:

    access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 150 permit ip 192.168.11.0 0.0.0.255 any

    ip nat inside source list 150 interface fastethernet0/0 overload

    no ip nat inside source list 1 interface fastethernet0/0 overload

    Hope that helps.

  • VPN - VPN easy hardware Client connects, but no traffic

    Hello

    I have a PIX 515E and a 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients; one location connects, but no traffic flows. I switched from network-extension mode to client mode and I can connect through the other network hosts.

    I don't know why this 501 PIX is different. There are no ACLs except what is pulled from the head end.

    Any ideas where I should look?

    Thank you

    Vince

    A few quick comments:

    1. I don't see 192.168.0.0 as part of the ACL inside_outbound_nat0_acl.

    2. I see a crypto map instance 40 with an "incomplete" crypto map, which actually has no match address:

    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 set peer 216.27.161.109
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    ! Incomplete

    Not sure if this is the current configuration of the PIX. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.

    Kind regards

    Arul

  • problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

    Hi, I have worked with Cisco and the vendor for 2 weeks on this. I am hoping that what we are witnessing will ring a bell with someone.

    Some basic information:

    I work with a vendor who needs a site-to-site tunnel. There is currently one site-to-site tunnel with the vendor using a Juniper SSG, which works without incident on my network. I'm transitioning to Cisco 2811 routers and set up a new tunnel with the vendor; the 2800 uses a different public IP address in my address range. So my network has 2 tunnels with the provider, who uses a Cisco VPN concentrator. The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I can't get to hosts on the provider's network through the Cisco 2811, whereas I can through the Juniper tunnel. The vendor sees my packets, and the provider host answers them and sends them into the tunnel. They never reach the external interface on my Cisco router.

    I'm using the external interface, so my endpoint and the peer address are the same IP address. (Note: I tried doing a static NAT so that my tunnel address and my host address are different, with the same result. Cisco has confirmed that I do have 2 different addresses and this configuration was successful in creating another tunnel to a different network.)

    I tested this configuration on a staging network before moving the router to the production network, and my Cisco 2811 managed to create the tunnel and ping the inside host. Once we moved the router on site, we can no longer ping the host behind the vendor's tunnel. The vendor assured me that the tunnel settings are exactly the same, and he sees his host send traffic into the tunnel. The vendor seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The vendor has a second VPN concentrator on a separate network, and I can connect to that VPN concentrator successfully from the same Cisco 2811 that is having problems with the concentrator which also has a tunnel with the Juniper.

    Here is what we have done so far:

    (1) confirmed the config with the help of Cisco on the 2811. The tunnel is up. sh crypto isa sa shows the tunnel up.
    (2) turned on NAT-T on the vendor's side of the VPN tunnel
    (3) confirmed that traffic flows properly through a tunnel to another network (which would indicate that the Cisco config is OK)
    (4) successfully tunnelled and reached a host on a different configuration
    (5) confirmed all the tunnel settings with the vendor
    (6) the vendor confirmed that his host has no route and that it points to the default gateway
    (7) rebuilt the tunnel from scratch
    (8) confirmed with our ISP that no route diverts traffic elsewhere. My ISP gateway sees my directly connected external address.
    (9) confirmed that the ACL matches with the vendor
    (10) I can't touch the Juniper because it is in production and in constant use

    Is there a known issue with using a VPN concentrator to connect 2 tunnels on the same /28 network range?

    Options or ideas are welcome. I had countless WebEx sessions with Cisco, but do not have access to the vendor's concentrator. I can forward suggestions.

    Here's the config:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2

    crypto ipsec transform-set mytrans esp-aes esp-sha-hmac

    crypto dynamic-map dynmap 30
     set transform-set RIGHT

    crypto isakmp key address no-xauth

    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0
     ip address 255.255.255.240
     ip access-group 107 in
     ip access-group 106 out
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map mymap

    Access-list logging (applied on the outside to get an idea of what is going on. No ESP traffic happens; it never gets a hit.)

    access-list 106 permit esp host host log
    access-list 106 permit ip any any
    access-list 107 permit esp host host log
    access-list 107 permit ip host host log

    access-list 107 permit ip host host log
    access-list 107 permit ip any any

    sh crypto isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
                                    QM_IDLE           1010    0 ACTIVE

    Crypto Map "mymap" 1 ipsec-isakmp
            Peer =
            Extended IP access list 116
                access-list 116 permit ip host host (which is a public IP address)
            Current peer:
            Security association lifetime: 4608000 kilobytes/2800 seconds
            PFS (Y/N): N
            Transform sets={
                    mytrans,
            }

    OK - so I have messed around in the lab for 20 minutes and came up with the below (the IPs are test IPs :-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix-length 30 <> this is the new NAT address

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> this is the default interface NAT

    !
    ip nat inside source route-map crypto-nat pool crypto-nat overload <> this is the policy NAT function

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the source and destination IP traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

    (3) access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> does not re-NAT the NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the interface IP address for NAT

    !

    (5) route-map crypto-nat permit 5 <> condition for the specific required NAT
     match ip address 101 <> matches the source and destination IP traffic that must be NAT'd

    (7) access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> crypto acl

    So here's how the above works: when a packet with a source IP in 172.16.1.0/24 wants to leave the router to connect to Google, say, the source will be changed to the interface IP (1). When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2). When the remote-end traffic matches the next NAT clause, the already NAT'd IP will not be affected again (3). When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24, a specific NAT pool is required (4). We must define a method to apply the specific NAT to the traffic with a route-map (5), which applies only to the specific traffic (6); then simply define the interesting traffic for the VPN to initiate and enable comms (7).
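Added example (mine, not any poster's code) serving both the NAT-exemption answer in the "VPN tunnel upward" thread above and this lab write-up: a small model of the IOS inside-to-outside order of operations, where NAT runs before the crypto map, so the crypto ACL is evaluated against the translated source address. The outside address 198.51.100.1 and the Internet host 203.0.113.10 are constructed stand-ins; the rest are the addresses and ACL numbers from the two posts.

```python
"""Added example: NAT happens before the crypto map on IOS, so a crypto ACL
sees the translated source. Models the 'VPN tunnel upward' fix (deny entry in
the NAT ACL = exemption) and the policy-NAT lab (route-map into pool 10.1.1.1).
Not the posters' code; 198.51.100.1 and 203.0.113.10 are constructed.
"""
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
OUTSIDE_IP = "198.51.100.1"        # constructed stand-in for the router's outside address


def acl_lookup(acl, src, dst):
    """IOS ACL semantics: first matching entry wins, no match is an implicit deny (None)."""
    for action, src_net, dst_net in acl:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action
    return None


def translate(nat_rules, src, dst):
    """Source address after 'ip nat inside source ...'. Each rule is (condition ACL, new source);
    a rule applies only when its ACL *permits* the flow, so a deny entry exempts traffic."""
    for acl, new_src in nat_rules:
        if acl_lookup(acl, src, dst) == "permit":
            return ip_address(new_src)
    return src


def outbound_decision(nat_rules, crypto_acl, src, dst):
    """(translated source, encrypted?) for a packet leaving the outside interface."""
    src, dst = ip_address(src), ip_address(dst)
    xlated = translate(nat_rules, src, dst)
    return str(xlated), acl_lookup(crypto_acl, xlated, dst) == "permit"


# --- 'VPN tunnel upward' thread: 192.168.11.0/24 <-> 192.168.1.0/24 -----------------
ACL_1 = [("permit", "192.168.11.0/24", ANY)]                      # original: NAT everything
ACL_150 = [("deny", "192.168.11.0/24", "192.168.1.0/24"),         # answer: exempt VPN traffic
           ("permit", "192.168.11.0/24", ANY)]
ACL_101_SITE = [("permit", "192.168.11.0/24", "192.168.1.0/24")]  # crypto ACL 101


def broken_site():
    """With list 1, the source becomes the outside IP and never matches crypto ACL 101."""
    return outbound_decision([(ACL_1, OUTSIDE_IP)], ACL_101_SITE, "192.168.11.55", "192.168.1.10")


def fixed_site():
    """With list 150, the deny entry leaves the source untouched and the crypto map matches."""
    return outbound_decision([(ACL_150, OUTSIDE_IP)], ACL_101_SITE, "192.168.11.55", "192.168.1.10")


# --- lab above: policy NAT into pool 10.1.1.1 *before* encryption ---------------------
ACL_101_LAB = [("permit", "172.16.1.0/24", "172.16.2.0/24")]      # route-map match
ACL_102 = [("deny", "172.16.1.0/24", "172.16.2.0/24"),
           ("deny", "10.1.1.1/32", "172.16.2.0/24"),
           ("permit", "172.16.1.0/24", ANY)]
ACL_103 = [("permit", "10.1.1.1/32", "172.16.2.0/24")]            # crypto ACL
# The two deny entries in ACL 102 make the outcome independent of the NAT rule order.
LAB_NAT = [(ACL_101_LAB, "10.1.1.1"), (ACL_102, OUTSIDE_IP)]


def lab_vpn():
    """172.16.1.x -> 172.16.2.x is translated to 10.1.1.1 and then matches crypto ACL 103."""
    return outbound_decision(LAB_NAT, ACL_103, "172.16.1.5", "172.16.2.20")


def lab_internet():
    """Everything else uses the interface overload and is not encrypted (constructed host)."""
    return outbound_decision(LAB_NAT, ACL_103, "172.16.1.5", "203.0.113.10")


if __name__ == "__main__":
    print("list 1  :", broken_site())
    print("list 150:", fixed_site())
    print("lab vpn :", lab_vpn(), " lab internet:", lab_internet())
```

The model shows the symptom from the thread: with list 1 the tunnel comes up (ISAKMP does not care about the LAN traffic) but LAN packets leave as 198.51.100.1 and are never encrypted; the deny line in list 150 is what keeps the source at 192.168.11.55 so crypto ACL 101 can match.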

  • Client VPN und Cisco asa 5505 tunnel work but no traffic

    Hi all

    I am new to this forum and don't have a lot of experience with Cisco, so I hope I can get help from specialists.

    I have the following problem:

    I installed and configured an ASA 5505 for use with the VPN client. I would like to access the local network from outside through the VPN.

    To test, I installed the ASA 5505 with ADSL (PPPoE) and tried to give access to the internal network.

    Of course I receive a different IP address from the provider every time, but it is not a problem to reconfigure it in the VPN client.

    After the connection is established (the VPN tunnel works) I can see my external network packets. But I don't have any connection to the internal network.

    I erased my setup yesterday and tried to reconfigure the ASA again. I didn't test yesterday, because it was too late. And I know that I don't have the permit rule in the ACL at present. But I think I'm having the same problem again (tunnel up but no traffic).

    What did I do wrong? Could someone let me know what I have to do today.

    Hoping for your help, Dimitri.

    ASA configuration after reset and basic configuration: access to the Internet from inside works, of course.

    : Saved
    : Written by enable_15 at 20:29:18.909 CEDT Sun Aug 29 2010
    !
    ASA Version 8.2(2)
    !
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group homegroup
     ip address pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone CET 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 194.25.0.60
     name-server 194.25.0.68
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain log debugging
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log debugging
    access-list inside_access_in extended deny ip any any log debugging
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
    access-list homegroup_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool homepool 192.168.10.1-192.168.10.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    asdm location 192.168.0.0 255.255.0.0 inside
    asdm location 192.168.10.0 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group homegroup request dialout pppoe
    vpdn group homegroup localname 04152886790
    vpdn group homegroup ppp authentication pap
    vpdn username 04152886790 password 1
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tftp-server inside 192.168.1.5 c:/tftp-root
    webvpn
    group-policy homegroup internal
    group-policy homegroup attributes
     dns-server value 192.168.1.1
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value homegroup_splitTunnelAcl
    username user01 password v5P40l1UGvtJa7Nn encrypted privilege 0
    username user01 attributes
     vpn-group-policy homegroup
    tunnel-group homegroup type remote-access
    tunnel-group homegroup general-attributes
     address-pool homepool
     default-group-policy homegroup
    tunnel-group homegroup ipsec-attributes
     pre-shared-key ciscotest
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
    : end

    Hello

    Normally, you want a static public IP address on the ASA so it can receive connections from VPN clients (and to avoid changing the IP address all the time).

    If you connect via VPN, check the following:

    1. The tunnel is established:

    sh cry isa sa

    Must say QM_IDLE or MM_ACTIVE

    2. Traffic is flowing (encrypted/decrypted):

    sh cry ips sa

    3. Enter the command:

    management-access inside

    And check if you can ping the ASA's inside IP from the VPN client.

    4. Check that the default gateway for the internal LAN is the ASA's inside IP (or that there is a route to the ASA to send traffic to the VPN clients).

    Federico.

  • Remote VPN on 2801 upward but no traffic

    I decided to set up a remote VPN on a 2801 router. So, after some time I got my VPN tunnel up and in state QM_IDLE, but all traffic on the VPN client goes around it or is ignored, so I can't access my internal network via the VPN tunnel.
    can you please help?

    Ahhhhhhhhhhhhhhhhhhh, now I know. First of all, if it is the mobile broadband card, it is not supported by the VPN client.

    Now we have a workaround: set up your 3G as a modem connection and boom, it should start working.

    Kind regards

    Rebecca

  • VPN client connected but no ping nor access to privat network

    Hello

    I have an 1802w installed, with a VPN client that can connect to the router and an L2L connection, which works very well.

    On the router, I see that the client is connected, but no traffic passes. In sh crypto ipsec sa, I see that traffic is decrypted, but no packets are encrypted.

    Can someone point me in the right direction? I have the configs and debugs attached. Thanks for the help in advance.

    Erich

    Erich,

    Looking at your configuration, two things:

    1. Is this the current running configuration? I see your L2L tunnel is configured with match address 101, but I don't see an ACL 101 set on the router.

    2. Your split tunnel must be reconfigured. Which means the source and destination must be swapped:

    ip access-list extended SplitList
     permit ip 192.168.2.0 0.0.0.255 192.168.111.0 0.0.0.255

    Split Tunneling

    http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800a393b.shtml#Con4

    Also, for the IP address pool you assign to clients, ensure that it is not part of a LAN on your side. If it is, you can run into routing problems.

    Kind regards

    Arul

    * Please rate all useful posts *
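Added example (mine, not any poster's code) for step 2 of Federico's checklist in the ASA 5505 thread above and for Erich's symptom here ("traffic is decrypted, but no packets are encrypted"): a parser for the per-SA counters in show crypto ipsec sa that names which direction is silent and what to look at next. The sample output is constructed to resemble IOS output for the 192.168.11.0/24 to 192.168.1.0/24 tunnel on this page; the addresses 198.51.100.1 and 203.0.113.2 are stand-ins.

```python
"""Added example: classify an IPsec SA from 'show crypto ipsec sa' counters.

Parses the #pkts encaps / #pkts decaps counters per local/remote ident pair and
says which direction is silent. The sample output is constructed to resemble
IOS output for the tunnel in this thread; it is not any poster's real output.
"""
import re

# Constructed sample: the peer's traffic is decrypted (decaps) but nothing is encrypted (encaps)
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """One record per 'local ident' block with its remote ident and both counters."""
    records, current = [], None
    for line in text.splitlines():
        ident = IDENT_RE.search(line)
        if ident:
            side, addr, mask = ident.groups()
            if side == "local":            # a new SA block starts with its local ident
                current = {"local": f"{addr}/{mask}", "remote": None, "encaps": 0, "decaps": 0}
                records.append(current)
            elif current is not None:
                current["remote"] = f"{addr}/{mask}"
            continue
        counter = COUNTER_RE.search(line)
        if counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return records


def classify(encaps, decaps):
    """Map the two counters to the failure pattern they indicate."""
    if encaps == 0 and decaps == 0:
        return "no-traffic"        # nothing matches the crypto ACL on either side
    if decaps > 0 and encaps == 0:
        return "one-way-inbound"   # peer's traffic arrives; ours never reaches the crypto map
    if encaps > 0 and decaps == 0:
        return "one-way-outbound"  # we send; nothing comes back from the peer
    return "bidirectional"         # IPsec is fine; look above it


NEXT_CHECKS = {
    "no-traffic": "crypto ACL / interesting traffic, routing toward the tunnel",
    "one-way-inbound": "NAT exemption for the return flow, route to the remote subnet, local crypto ACL",
    "one-way-outbound": "remote crypto ACL mirror, remote NAT exemption, remote routing",
    "bidirectional": "inside interface ACL, host firewalls, MTU/fragmentation",
}


def report(text):
    """(local, remote, pattern, what to check next) for every SA in the output."""
    rows = []
    for r in parse_ipsec_sa(text):
        pattern = classify(r["encaps"], r["decaps"])
        rows.append((r["local"], r["remote"], pattern, NEXT_CHECKS[pattern]))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(*row, sep=" | ")
```

On the constructed sample the verdict is one-way-inbound: the peer's packets are decrypted, so phase 2 and the remote side's interesting-traffic definition are fine, and the problem is on the local side between the LAN and the crypto map (NAT, routing, or the crypto ACL), which is where the replies on this page keep landing.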

  • Site2Site VPN ASA 5505 - allow established traffic

    Hello

    I have an IKEv1/IPsec tunnel between two ASAs.

    One with local network 10.31.0.0/16

    The other with local network 172.21.0.0/24

    But I would like that only traffic initiated from 10.31.0.0/16 toward 172.21.0.0/24 is allowed, and not from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?

    (replies to 10.31.0.0/16 from the remote network 172.21.0.0/24 should be enabled)

    Best regards, Steffen.

    Hello

    If I didn't misunderstand the above question, then I think you might be able to do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it:

    sysopt connection permit-vpn

    This doesn't show in the CLI configuration given above because it is the default setting.

    You can check this with the command

    show run all sysopt

    This will list even the default settings.

    Now, what this configuration essentially means is: allow ALL traffic that comes through a VPN connection to get through the ASA's interface ACL. So in your case, at the site where the ASA has the network 10.31.0.0/16, the ASA would allow connections coming from the other site's network 172.21.0.0/24 (as long as they were permitted on the other site's ASA LAN interface ACL).

    What you could do is to insert the following configuration

    no sysopt connection permit-vpn

    What this would do is require you to ALLOW ALL traffic that is coming through the VPN connection on the 'outside' interface of the ASA (which I suppose is the name of your interface that handles VPN connections). In other words, the VPN traffic would not get a "pass" through the 'outside' interface ACL; instead you must allow it like all other traffic from the Internet.

    If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL toward the ASA's LAN. If you skip this and insert the configuration above, you will notice that their traffic starts to get blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security level' will naturally block the traffic in the same way an ACL would).

    So if we assume that the L2L VPN is the only link you have configured on the ASA with 10.31.0.0/16, then the following changes would happen:

    • Hosts in the 10.31.0.0/16 network would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL allows this traffic
    • Return traffic for these connections would of course be allowed by the ASA like all other traffic.
    • IF an incoming connection request arrives at the ASA with the 10.31.0.0/16 network from the 172.21.0.0/24 network, it would be dropped unless you ALLOW it in the 'outside' interface ACL

    Hope this made sense and helped.

    Consider marking the answer as the correct answer if it answered your question.

    Naturally, ask more if necessary.

    -Jouni
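Added example (mine, not Jouni's or Cisco's code): a toy model of the three things the answer above relies on, written so the "initiated from 10.31.0.0/16 only" requirement can be checked as code. It models (1) the connection table letting return traffic back regardless of ACLs, (2) the default sysopt connection permit-vpn letting decrypted VPN traffic skip the 'outside' interface ACL, and (3) no sysopt connection permit-vpn forcing a new connection arriving through the tunnel to be permitted by that ACL. The second L2L site 192.0.2.0/24 used for the caveat is constructed.

```python
"""Added example: what 'sysopt connection permit-vpn' changes for decrypted L2L
traffic. Toy model of the ASA outside-interface ACL check, not ASA code; the
network ranges are the thread's, 192.0.2.0/24 is a constructed second L2L site.
"""
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("10.31.0.0/16")      # from the thread
REMOTE_LAN = ip_network("172.21.0.0/24")    # from the thread


class AsaVpnEdge:
    def __init__(self, sysopt_permit_vpn=True, outside_acl=()):
        self.sysopt_permit_vpn = sysopt_permit_vpn
        self.outside_acl = [(ip_network(s), ip_network(d)) for s, d in outside_acl]
        self.connections = set()     # (inside host, remote host) pairs opened from the LAN

    def from_lan(self, src, dst):
        """A LAN host opens a connection toward the tunnel (inside ACL assumed to permit)."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in LOCAL_LAN or dst not in REMOTE_LAN:
            return False
        self.connections.add((src, dst))   # stateful entry used for the return direction
        return True

    def from_tunnel(self, src, dst):
        """A decrypted packet arrives from a peer; True if the ASA forwards it to the LAN."""
        src, dst = ip_address(src), ip_address(dst)
        if (dst, src) in self.connections:
            return True                    # return traffic of an existing connection
        if self.sysopt_permit_vpn:
            return True                    # default: VPN traffic bypasses the outside ACL
        return any(src in s and dst in d for s, d in self.outside_acl)


def default_behaviour():
    """Default ASA: the remote site can open connections into 10.31.0.0/16."""
    asa = AsaVpnEdge(sysopt_permit_vpn=True)
    return asa.from_tunnel("172.21.0.5", "10.31.1.10")


def initiated_only_behaviour():
    """'no sysopt connection permit-vpn' with an empty outside ACL:
    remote-initiated traffic drops, replies to LAN-initiated connections still pass."""
    asa = AsaVpnEdge(sysopt_permit_vpn=False)
    remote_initiated = asa.from_tunnel("172.21.0.5", "10.31.1.10")
    asa.from_lan("10.31.1.10", "172.21.0.5")
    reply = asa.from_tunnel("172.21.0.5", "10.31.1.10")
    return remote_initiated, reply


def other_vpn_still_needs_acl():
    """The caveat in the answer: once sysopt is disabled, a second L2L site (constructed
    192.0.2.0/24) must be permitted in the outside ACL or its new connections drop."""
    without = AsaVpnEdge(sysopt_permit_vpn=False).from_tunnel("192.0.2.7", "10.31.1.10")
    with_acl = AsaVpnEdge(sysopt_permit_vpn=False,
                          outside_acl=[("192.0.2.0/24", "10.31.0.0/16")]
                          ).from_tunnel("192.0.2.7", "10.31.1.10")
    return without, with_acl


if __name__ == "__main__":
    print("default, remote-initiated allowed:", default_behaviour())
    print("no sysopt: (remote-initiated, reply):", initiated_only_behaviour())
    print("second site (without ACL, with ACL):", other_vpn_still_needs_acl())
```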

  • Cisco ASA l2l VPN disorder

    Hello Experts from Cisco,

    I ran into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and a 5520 running version 8.2.2.

    Our existing L2L VPNs connect fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

    What fails is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xad1c4500, priority=70, domain=encrypt, deny=false
    hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
    src ip=10.20.0.0, mask=255.255.0.0, port=0
    dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

    I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.

    Useful info:

    C SITE

    object-group network NoNatDMZ-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.20.0.0 255.255.0.0

    access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0

    access-list sheep extended permit ip 10.100.8.0 255.255.248.0 object-group sheep-objgrp

    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set peer x.x.x.x
    crypto map outside_map 30 set transform-set ESP-AES256-SHA
    crypto map outside_map 30 set reverse-route
    crypto map outside_map interface outside

    SITE B

    object-group network sheep-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.21.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.100.8.0 255.255.248.0

    access-list sheep extended permit ip 10.20.0.0 255.255.0.0 object-group sheep-objgrp

    access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0

    crypto map outside_map 50 match address outside_50_cryptomap
    crypto map outside_map 50 set peer xx.xx.xx.xx
    crypto map outside_map 50 set transform-set ESP-AES256-SHA
    crypto map outside_map 50 set reverse-route
    crypto map outside_map interface outside

    I've been struggling with this for days. Any help is very much appreciated!

    Thank you!!

    Follow these steps:

    no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

    clear crypto ipsec sa peer SITE_B_Public

    Try again and attach the same outputs.

    Let me know.

    Thank you.

  • WLC and ACLs traffic flow

    Hello world

    For the WLC I need to configure strict ACLs for the traffic flow.

    Do I have to configure the ACL in both directions?

    On the ASA, return traffic is allowed because it is stateful; do I need an ACL for the return traffic from the outside to the inside as well?

    Regards

    MAhesh

    Hello

    It depends, but in general, you need to configure in both directions.

    Have a look here:

    http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN...

    Regards

  • Cisco VPN Site to Site - Interesting traffic required to put in place a VPN or not?

    A really quick and easy one for the VPN gurus out there...

    Essentially, I am setting up a VPN for backup, but unfortunately there is NO interesting traffic and we need the VPN up.

    So... is this possible?

    Thanks in advance

    Arnoult

    I would also like to add to David's response. Depending on which firewall and configuration you use, keepalives are either Phase 1 keepalives or full end-to-end Phase 2 keepalives.

    I do not know the Cisco equivalent or if they even have one. As an example of this with Juniper, dead-peer-detection (DPD) only sends IKEv1/2 keepalives, while VPN monitoring sends ICMP echo requests to keep the VPN up and/or declare it dead.

    With DPD, it isn't exactly an interesting-traffic probe, it's just the IKE "hello, are you there" messages. After a while, the VPN can go down due to lack of interesting traffic or having to re-negotiate Phase 2. However, to create interesting traffic, you can set up an IP SLA for end-to-end ICMP.

    You may have noticed in the past that the VPN will just go down after a while (if you have this configuration).

    There are three connection-type modes for how negotiation actually starts on the ASA:

    Answer only: Specifies that this peer only responds to inbound IKE connections during the initial proprietary exchange to determine the appropriate peer to connect to.

    Bidirectional (default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for site-to-site connections. [Only if interesting traffic is matched]

    Originate only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.

    For the ASA Experts out there, please correct me if I'm wrong.

    Hope this helps

    Bilal

  • L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I ran into a problem trying to set up a temporary L2L VPN from an ASA to a subscriber with a CISCO2911 sitting behind the ISP's router. The ISP informed me that I cannot bypass their device and terminate the Internet circuit on the Cisco for some reason, so I'm stuck with it. The setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is the corporate LAN private range, y.y.y.y is the public IP address assigned to the outside interface of the ASA and z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below; what I can't understand is which peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, since the 2911 identifies itself as 10.1.17.2...

    ! ^^^ ISAKMP (Phase 1) ^^^ !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address y.y.y.y no-xauth

    ! ^^^ IPSEC (Phase 2) ^^^ !
    ip access-list extended crymap
     permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
     set peer y.y.y.y
     set transform-set ESP-3DES-SHA
     match address crymap

    interface Gi0/2
     crypto map VPN-TUNNEL

    Hello

    From the debug output, it seems that the tunnel is going through the IPsec states up to the final QM_IDLE state.

    What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.

    So I suggest:

    no crypto map OUTSIDE_map 4 set pfs    <-- this will disable PFS on the ASA

    Then try tunnel initiate.

    Kind regards

    Jan

  • ASA with several L2L VPN Dynamics

    I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.

    I also need some L2L VPNs with dynamic remote peers.

    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?

    Basically, all the dyn-VPNs must use the same PSK (the DefaultL2LGroup).

    But using "aggressive" mode on the remote peer, I could use a different PSK for every dyn-VPN:

    tunnel-group ABCD ipsec-attributes
     pre-shared-key *

    Is this configuration correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document may also be an option to configure multiple dynamic L2L VPN connections on the ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • L2L VPN tunnel is reset during IPsec rekey

    I have an L2L VPN tunnel that resets completely, starting with Phase 1, when the IPsec Security Association timer expires.  Although there are several SAs, it always resets the whole tunnel.

    I see the following errors in the log when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713050: Group = ipRemoved, IP = ipRemoved, Connection terminated for peer ipRemoved.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713259: Group = ipRemoved, IP = ipRemoved, Session is being torn down. Reason: User Requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-4-113019: Group = ipRemoved, Username = ipRemoved, IP = ipRemoved, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713041: IP = ipRemoved, IKE Initiator: New Phase 1, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713119: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x9213bdc9, Outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713041: Group = ipRemoved, IP = ipRemoved, IKE Initiator: New Phase 2, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x93f9be6c, Outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=1f6c9acd)

    Any thoughts on why it would do that?

    Thank you.

    Jason

    Hello

    Both log messages seem to suggest that the remote end is closing/clearing the connection.

    Is this a new connection that suffers from this problem, or has it started on an existing connection?

    The Cisco documentation for the syslog messages does not really give any useful information about these log messages.

    I guess that your problem is that TCP connections through the L2L VPN suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration can help, even if this situation persists:

    sysopt connection preserve-vpn-flows

    Here is a link to the ASA command reference (8.4-8.6 software) with a better explanation of this command.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the ASA.

    Hope this helps

    -Jouni
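The log excerpt in this thread shows the pattern to look for: a tear-down (713050/713259, "User Requested") immediately followed by a fresh Phase 1 (713041 "New Phase 1", 713119) before the Phase 2 SA is rebuilt, whereas a healthy IPsec rekey shows only "New Phase 2" and 713120. The following is an added example, not code from the thread or from Cisco: a small Python classifier that reads syslog-server lines in the same layout as the excerpt, tags each PHASE 2 COMPLETED event as a full reset or a Phase 2-only rekey, and records the tear-down reason that preceded it. The sample lines are constructed for the example (documentation-range addresses 192.0.2.1 and 198.51.100.7, hostname fw01) and mirror the sequence in the post.

```python
import re
from datetime import datetime

# Syslog-server line layout as in the post:
#   "dd/mm/yyyy HH:MM:SS Facility.Severity <relay> <device timestamp> <host> : %ASA-<sev>-<id>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$"
)
REASON_RE = re.compile(r"Reason: (.+?)\s*$")


def parse_asa_events(lines):
    """Yield (timestamp, message_id, body) for every line carrying an ASA syslog ID."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
            yield ts, m.group("id"), m.group("body")


def classify_rekeys(lines):
    """Return one record per 'PHASE 2 COMPLETED' (713120) event.

    full_reset is True when a Phase 1 restart (713041 with 'New Phase 1', or
    713119 PHASE 1 COMPLETED) occurred since the previous Phase 2; a normal
    IPsec SA rekey needs Phase 2 only.  teardown_reason carries the reason from
    the last 713259/713050 message seen before the rekey, or None.
    """
    records = []
    phase1_restart = False
    teardown_reason = None
    for ts, msg_id, body in parse_asa_events(lines):
        if msg_id in ("713259", "713050"):
            m = REASON_RE.search(body)
            teardown_reason = m.group(1) if m else body
        elif msg_id == "713119" or (msg_id == "713041" and "New Phase 1" in body):
            phase1_restart = True
        elif msg_id == "713120":
            records.append({
                "time": ts.strftime("%H:%M:%S"),
                "full_reset": phase1_restart,
                "teardown_reason": teardown_reason,
            })
            phase1_restart = False
            teardown_reason = None
    return records


def summarize(lines):
    """Count full tunnel resets versus Phase 2-only rekeys in the given lines."""
    recs = classify_rekeys(lines)
    full = sum(1 for r in recs if r["full_reset"])
    return {"full_resets": full, "phase2_only": len(recs) - full}


# Constructed sample (same message IDs and sequence as the post, placeholder addresses).
PFX = "Local7.Notice 192.0.2.1 Jun 03 2013"
PEER = "Group = 198.51.100.7, IP = 198.51.100.7"
SAMPLE_LOG = [
    f"03/06/2013 12:54:41 {PFX} 12:54:41 fw01 : %ASA-5-713050: {PEER}, Connection terminated for peer 198.51.100.7.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A",
    f"03/06/2013 12:54:41 {PFX} 12:54:41 fw01 : %ASA-5-713259: {PEER}, Session is being torn down. Reason: User Requested",
    f"03/06/2013 12:55:33 {PFX} 12:55:33 fw01 : %ASA-5-713041: IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.7  local Proxy Address 10.1.0.0, remote Proxy Address 10.2.0.0,  Crypto map (L2LVPN)",
    f"03/06/2013 12:55:33 {PFX} 12:55:33 fw01 : %ASA-5-713119: {PEER}, PHASE 1 COMPLETED",
    f"03/06/2013 12:55:33 {PFX} 12:55:33 fw01 : %ASA-5-713120: {PEER}, PHASE 2 COMPLETED (msgid=b8a47603)",
    f"03/06/2013 13:02:11 {PFX} 13:02:11 fw01 : %ASA-5-713041: {PEER}, IKE Initiator: New Phase 2, Intf inside, IKE Peer 198.51.100.7  local Proxy Address 10.1.0.0, remote Proxy Address 10.2.0.0,  Crypto map (L2LVPN)",
    f"03/06/2013 13:02:11 {PFX} 13:02:11 fw01 : %ASA-5-713120: {PEER}, PHASE 2 COMPLETED (msgid=1f6c9acd)",
]

if __name__ == "__main__":
    for rec in classify_rekeys(SAMPLE_LOG):
        kind = "FULL RESET" if rec["full_reset"] else "phase 2 rekey"
        print(f"{rec['time']}  {kind:14s}  teardown reason: {rec['teardown_reason']}")
    print(summarize(SAMPLE_LOG))
```

Feeding a day of syslog through `summarize` gives a quick ratio of full resets to ordinary rekeys; a non-zero `full_resets` count whose records all carry "User Requested" points at the peer (or an administrator clearing SAs) rather than at the SA lifetime itself, which is the distinction the reply above asks about.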
