L2l VPN is up but no traffic flow
Hi people,
I'm trying to set up an L2L VPN between an 1841 and an NSA 2400 via the SDM. The tunnel comes up, and when I test connectivity it shows as successful, but I get an error stating:
"A ping with the data size of this VPN interface's MTU and the 'do not fragment' bit set to the other end's VPN device failed. This can happen if there is a lower-MTU network in between that drops 'do not fragment' packets."
From my reading, this should not cause any traffic to drop, right?
Currently, I can't ping or telnet to services from one end of the tunnel to the other. I was able to ping momentarily from the SonicWall end at one point, but this disappeared shortly after (without changing my config).
All ACLs created have been populated by the SDM.
What troubleshooting steps should I take?
Reduce the MTU size on the interface of your router
router(config)# interface type [slot_#/]port_#
router(config-if)# ip mtu MTU_size_in_bytes
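Added worked example (editor's addition, not from the thread): the arithmetic behind the MTU advice above. It computes the ESP tunnel-mode overhead for the esp-aes/esp-sha-hmac transform the poster uses (AES-256 has the same 16-byte block and IV as AES-128), shows that a full 1500-byte inner packet cannot cross a 1500-byte path with DF set, and derives the largest inner packet that does, so the `ip mtu` value can be chosen rather than guessed. Header sizes follow RFC 4303 (ESP) and RFC 3948 (NAT-T); the function names are chosen here.

```python
import math

# Fixed per-packet overheads for IPv4 ESP in tunnel mode, in bytes.
OUTER_IPV4_HEADER = 20
ESP_HEADER = 8      # SPI + sequence number
UDP_HEADER = 8      # NAT-T encapsulation only (UDP/4500)
ESP_TRAILER = 2     # pad length + next header, inside the encrypted part

# (cipher block size, IV length) and truncated HMAC ICV lengths.
CIPHERS = {"aes": (16, 16), "3des": (8, 8), "des": (8, 8)}
ICVS = {"sha1": 12, "md5": 12}


def esp_packet_size(inner_len, cipher="aes", auth="sha1", nat_t=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes.
    Payload + trailer is padded up to the cipher block size."""
    block, iv = CIPHERS[cipher]
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv + padded + ICVS[auth]


def largest_inner_packet(link_mtu, cipher="aes", auth="sha1", nat_t=False):
    """Largest inner packet that still fits link_mtu once encapsulated,
    i.e. a safe upper bound for 'ip mtu' on the tunnel-facing interface."""
    block, iv = CIPHERS[cipher]
    fixed = OUTER_IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv + ICVS[auth]
    return (link_mtu - fixed) // block * block - ESP_TRAILER


def fits(inner_len, link_mtu, **kw):
    """True when a DF-set inner packet of inner_len bytes survives the path."""
    return esp_packet_size(inner_len, **kw) <= link_mtu


def tcp_mss_for(ip_mtu):
    """Matching 'ip tcp adjust-mss' value: IPv4 (20) + TCP (20) headers removed."""
    return ip_mtu - 40


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_packet_size(1500), "bytes")
    print("largest inner packet over a 1500-byte path:", largest_inner_packet(1500))
    print("same with NAT-T:", largest_inner_packet(1500, nat_t=True))
    print("ip mtu 1400 ->", esp_packet_size(1400), "bytes on the wire, mss", tcp_mss_for(1400))
```

The common "ip mtu 1400" recommendation leaves headroom below the 1438-byte maximum for AES/SHA1 and still fits when NAT-T adds its UDP header.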
Tags: Cisco Security
Similar Questions
-
Dear score
I configured SSL VPN on a c3845. WebVPN works via the browser, but through the WebVPN client I am able to connect but cannot reach an internal IP address on the network. Please find the show output for your reference.
Check your 'ip nat inside' list 1 and make sure that you're not causing VPN traffic to be NATted.
-heather
-
VPN tunnel upward, but no traffic?
I decided to take a Cisco 1800 series router and try to put it in place. So far I can get out, and everything seems fine. I then tried to configure a VPN tunnel between this router and a SonicWall secure router.
Now the problem is that the SonicWall GUI and the Cisco both say this tunnel is up. But I can't access the internal networks...
So my cisco LAN is 192.168.11.0 255.255.255.0
and the Sonic Wall is 192.168.1.0 255.255.255.0
They can talk even if the tunnel is up. I've been hitting my head, running through the tutorials, and just cannot understand it.
Here's proof that we have achieved at least the first phase:
inbound esp sas:
spi: 0xD1BC1B8E(3518765966)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4541007/2298)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xAE589C1E(2925042718)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4541027/2297)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
So here's my config (what am I missing?):
Current configuration : 3972 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompsysRouter
!
boot-start-marker
boot-end-marker
!
enable secret *****************
enable password ***********
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
!
!
!
no ip domain lookup
ip domain name ********.local
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw dns timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-1821875492
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1821875492
revocation-check none
rsakeypair TP-self-signed-1821875492
!
!
crypto pki certificate chain TP-self-signed-1821875492
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
14F3C7C5 60E08BE3 88
quit
username jdixon secret 5 $*****************
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key address
!
!
crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer
set transform-set compsys
match address 101
!
!
!
interface FastEthernet0/0
ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248
ip access-group Inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
duplex auto
speed auto
no keepalive
crypto map vpn
!
interface FastEthernet0/1
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999
!
ip access-list extended Inbound
permit icmp any any
permit gre host "REMOTE ROUTER" host "LOCAL ROUTER"
permit esp host "REMOTE ROUTER" host "LOCAL ROUTER"
permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER"
permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
permit ip host "REMOTE ROUTER" any
permit tcp any host "LOCAL ROUTER" eq 22
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
NAT exemption is what is failing.
Please change it to the following:
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.11.0 0.0.0.255 any
ip nat inside source list 150 interface FastEthernet0/0 overload
no ip nat inside source list 1 interface FastEthernet0/0 overload
Hope that helps.
-
Easy VPN - hardware client connects, but no traffic
Hello
I have a PIX 515E and a 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients; one location connects, but no traffic flows. I switched from network-extension mode to client mode and I can connect through other network hosts.
I don't know why this PIX 501 is different. There are no ACLs except what is pulled from the head end.
Any ideas where I should look?
Thank you
Vince
A few quick comments:
1. I don't see 192.168.0.0 as part of the ACL inside_outbound_nat0_acl.
2. I see a crypto map instance 40 that is "incomplete"; it actually has no match address.
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete
Not sure if that is the current configuration of the PIX. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.
Kind regards
Arul
-
Traffic flow problem with a tunnel created to a network that also has a tunnel to a VPN concentrator
Hi, I have worked with Cisco and the vendor for 2 weeks on this. I am hoping that what we are witnessing will ring a bell with someone.
Some basic information:
I work with a vendor who needs a site-to-site tunnel. There is currently one site-to-site tunnel with the vendor using a Juniper SSG, which works without incident in my network. I'm transitioning to Cisco 2811 routers and set up a new tunnel with the vendor; the 2800 uses a different public IP address in my address range. So my network has 2 tunnels with the vendor, who uses a Cisco VPN concentrator. The hosts behind the tunnel use 20x.x.x.x public IP addresses.
My Cisco router will create a tunnel, but I can't get to hosts on the vendor's network through the Cisco 2811, but I can't get through the Juniper tunnel. The vendor sees my packets, and the vendor's host answers them and sends them into the tunnel. They never reach the external interface on my Cisco router.
I'm using the external interface so that my endpoint and the peer address are the same IP address. (Note: I tried doing a static NAT with a tunnel address and my host address different, with the same result. Cisco has confirmed that I do have 2 different addresses, and this configuration was successful in creating another working tunnel to a different network.)
I tested this configuration on a staging network before moving the router to the production network, and my Cisco 2811 managed to create the tunnel and ping the inside host. Once we moved the router to the site, we can no longer ping the host behind the vendor tunnel. The vendor assured me that the tunnel setting is exactly the same, and he sees his host send traffic into the tunnel. The vendor seems well versed with the VPN concentrator and manages connections for many customers successfully.
The vendor has a second VPN concentrator on a separate network, and I can connect to that VPN concentrator successfully from the Cisco 2811 that is having problems with the concentrator that also has a tunnel with the Juniper.
Here is what we have done so far:
(1) Confirmed the config with Cisco's help. The tunnel is up; sh crypto isa sa shows the tunnel up.
(2) Turned on NAT-T on the vendor's side of the VPN tunnel.
(3) Confirmed that traffic flows properly through a tunnel to another network (which would indicate that the Cisco config is OK).
(4) Successfully tunnelled to and reached a host with a different configuration.
(5) Confirmed all the tunnel settings with the vendor.
(6) The vendor confirmed that his side's host has no route and that it points to the default gateway.
(7) Rebuilt the tunnel from scratch.
(8) Confirmed with our ISP that no route diverts traffic elsewhere. My ISP gateway sees my directly connected external address.
(9) Confirmed that the ACL matches with the vendor.
(10) I can't get at the Juniper because it is in production and in constant use.
Is there a known issue with using a VPN concentrator to connect to 2 tunnels on the same /28 network range?
Options or ideas are welcome. I have had countless WebEx sessions with Cisco, but do not have access to the vendor's concentrator. I can forward suggestions.
Here's the config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map dynmap 30
set transform-set RIGHT
crypto isakmp key address no-xauth
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 255.255.255.240
ip access-group 107 in
ip access-group 106 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
Logging of the access lists (applied on the outside interface to get an idea of what will happen; no ESP traffic happens, it never gets hits):
access-list 106 permit esp host host log
access-list 106 permit ip any any
access-list 107 permit esp host host log
access-list 107 permit ip host host log
access-list 107 permit ip host host log
access-list 107 permit ip any any
sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
QM_IDLE 1010 0 ACTIVE
crypto map mymap 1 ipsec-isakmp
Peer = .
Extended IP access list 116
access-list 116 permit ip host host (which is a public IP address)
Current peer:
Security association lifetime: 4608000 kilobytes/2800 seconds
PFS (Y/N): N
Transform sets={ mytrans, }
OK - so I have messed around in the lab for 20 minutes and came up with the below (IPs are test IPs :-)
(4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix-length 30 <> this is the new NAT address
!
(1) ip nat inside source list 102 interface FastEthernet0/0 overload <> this is the default interface NAT
ip nat inside source route-map crypto-nat pool crypto-nat overload <> this is the policy NAT function
(6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the source and destination IP traffic
!
(2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication
(3) access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> does not re-NAT the already NAT'd traffic
(1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the interface IP address for NAT
!
(5) route-map crypto-nat permit 5 <> condition for the specific NAT required
match ip address 101 <> matches the source and destination IP of traffic that must be NAT'd
(7) access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> crypto ACL
So, how the above works: when a packet with a source IP in 172.16.1.0/24 wants to leave the router to connect to Google, say, the source will be changed to the interface IP (1). When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2). When the remote-end traffic matches the next NAT clause, the already NAT'd IP will not be affected again (3). When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24, a specific NAT pool is required (4). We must define a method for the specific traffic to apply the NAT with a route-map (5), which applies only to the specific traffic (6); then simply define the interesting traffic for the VPN to initiate and enable comms (7).
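Added worked example (editor's addition, not from either thread): a small model of the IOS inside-to-outside path that makes the two NAT fixes above concrete, the NAT-exemption ACL 150 from the "VPN tunnel up, but no traffic?" reply and the route-map policy NAT from the lab config just above. NAT is applied before the crypto map is consulted, so a translated source no longer matches the crypto ACL and the packet leaves in the clear. The parser handles the numbered IOS ACL syntax used in both posts. The outside address 203.0.113.1 is a constructed stand-in for the posts' "LOCAL ROUTER OUTSIDE" placeholder, and evaluating the route-map rule before the list rule is this model's assumption, chosen to match the lab reply's "does not re-NAT" reasoning.

```python
from ipaddress import ip_address, ip_network


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bit = must match) -> ip_network; e.g. 0.0.0.255 -> /24."""
    mask = str(ip_address(0xFFFFFFFF ^ int(ip_address(wildcard))))
    return ip_network((addr, mask), strict=False)


def take_net(tokens):
    """Consume one address spec ('any', 'host X', or 'X wildcard') from a token list."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Parse numbered IOS ACL lines (standard entries, or extended 'ip' entries) into
    {number: [(action, src_net, dst_net), ...]}, keeping entry order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, rest = tok[1], tok[2], tok[3:]
        if rest[0] == "ip":                      # extended: protocol, source, destination
            src, rest = take_net(rest[1:])
            dst, _ = take_net(rest)
        else:                                    # standard: source only
            src, _ = take_net(rest)
            dst = ip_network("0.0.0.0/0")
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def acl_permits(entries, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


class Router:
    """Inside->outside path: NAT rules are applied in the listed order to the current
    source address (a 'deny' entry is what exempts traffic from that rule), and only
    then is the crypto ACL checked against the possibly translated packet."""

    def __init__(self, acls, outside_ip, nat_rules, crypto_acl):
        self.acls, self.outside_ip = acls, ip_address(outside_ip)
        self.nat_rules, self.crypto_acl = nat_rules, crypto_acl

    def forward(self, src, dst):
        """Return (source address on the wire, encrypted?)."""
        cur, dst = ip_address(src), ip_address(dst)
        for rule in self.nat_rules:              # ("interface", acl) or ("pool", acl, pool_ip)
            kind, acl_num = rule[0], rule[1]
            if acl_permits(self.acls[acl_num], cur, dst):
                cur = self.outside_ip if kind == "interface" else ip_address(rule[2])
        return str(cur), acl_permits(self.acls[self.crypto_acl], cur, dst)


OUTSIDE = "203.0.113.1"  # constructed stand-in for "LOCAL ROUTER OUTSIDE"

# ACLs from the L2L post and its reply (ACL 1 as posted, ACL 150 as recommended).
L2L_ACLS = parse_acls("""
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.11.0 0.0.0.255 any
""")
as_posted = Router(L2L_ACLS, OUTSIDE, [("interface", "1")], "101")
as_fixed = Router(L2L_ACLS, OUTSIDE, [("interface", "150")], "101")

# ACLs from the lab policy-NAT reply; the pool rule models the route-map NAT.
POLICY_NAT_ACLS = parse_acls("""
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255
""")
policy_nat = Router(POLICY_NAT_ACLS, OUTSIDE,
                    [("pool", "101", "10.1.1.1"), ("interface", "102")], "103")

if __name__ == "__main__":
    print("as posted, VPN traffic :", as_posted.forward("192.168.11.10", "192.168.1.10"))
    print("with ACL 150, VPN traffic:", as_fixed.forward("192.168.11.10", "192.168.1.10"))
    print("with ACL 150, Internet  :", as_fixed.forward("192.168.11.10", "198.51.100.5"))
    print("policy NAT, VPN traffic :", policy_nat.forward("172.16.1.10", "172.16.2.20"))
```

With ACL 1, the 192.168.11.10 -> 192.168.1.10 packet is overloaded onto the outside address before the crypto map sees it, fails the ACL 101 match and leaves unencrypted; the deny line in ACL 150 keeps the source intact so the crypto ACL matches. In the policy-NAT case the crypto ACL is deliberately written for the translated 10.1.1.1 source.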
-
VPN client and Cisco ASA 5505: tunnel works but no traffic
Hi all
I am new to this forum and don't have a lot of experience with Cisco, so I hope I can get help from specialists.
I have the following problem:
I installed and configured an ASA 5505 for use with the VPN client. I would like to access the local network from outside through the VPN.
To test, I installed the ASA 5505 with ADSL (PPPoE) and tried to give access to the internal network.
Of course I receive a different IP address from the provider every time, but it isn't a problem to reconfigure that in the VPN client.
After the connection is established (the VPN tunnel works) I can see my external network packets. But I don't have any connection to the internal network.
I erased my setup yesterday and tried to reconfigure the ASA again. I didn't test yesterday, because it was too late. And I know that I don't have the permit rule in the ACL at present. But I think I'm having the same problem again (tunnel but no traffic).
What did I do wrong? Could someone let me know what I have to do today.
Hoping for your help, Dimitri.
ASA configuration after reset and basic configuration (access to the Internet from inside works, of course):
: Saved
: Written by enable_15 at 20:29:18.909 CEDT Sun Aug 29 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group home
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.25.0.60
name-server 194.25.0.68
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain log debugging
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log debugging
access-list inside_access_in extended deny ip any any log debugging
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list homegroup_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool homepool 192.168.10.1-192.168.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm location 192.168.0.0 255.255.0.0 inside
asdm location 192.168.10.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group home request dialout pppoe
vpdn group home localname 04152886790
vpdn group home ppp authentication pap
vpdn username 04152886790 password 1
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.5 c:/tftp-root
webvpn
group-policy homegroup internal
group-policy homegroup attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value homegroup_splitTunnelAcl
username user01 password v5P40l1UGvtJa7Nn encrypted privilege 0
username user01 attributes
vpn-group-policy homegroup
tunnel-group homegroup type remote-access
tunnel-group homegroup general-attributes
address-pool homepool
default-group-policy homegroup
tunnel-group homegroup ipsec-attributes
pre-shared-key ciscotest
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
: end
Hello
Normally, you want a static public IP address on the ASA so that it can receive connections from VPN clients (to avoid changing the IP address all the time).
If you connect via VPN, check the following:
1. The tunnel is established:
sh cry isa sa
Must say QM_IDLE or MM_ACTIVE.
2. Traffic is flowing (encrypted/decrypted):
sh cry ips sa
3. Enter the command:
management-access inside
and check whether you can ping the ASA's inside IP from the VPN client.
4. Check that the default gateway for the internal LAN is the ASA's inside IP (or that there is a route to the ASA to send traffic to the VPN clients).
Federico.
-
Remote VPN on a 2801 is up but no traffic
I decided to set up a remote VPN on a 2801 router. So after some time I got my VPN tunnel up and in state QM_IDLE, but all traffic on the VPN client gets worked around or ignored, so I can't access my internal network via the VPN tunnel. Can you please help?
Ahhhhhhhhhhhhhhhhhhh, now I know. First of all, if it is the mobile broadband card, it is not supported by the VPN client.
Now we have a workaround: set up your 3G as a modem connection and boom, it should start working.
Kind regards
Rebecca
-
VPN client connected but no ping nor access to the private network
Hello
I have an 1802W installed, with a VPN client that can connect to the router and an L2L connection, which works very well.
On the router, I see that the client is connected, but no traffic passes. In sh crypto ipsec sa, I see that traffic is decrypted, but no packets are encrypted.
Can someone point me in the right direction? I have the confs and debugs attached. Thanks for the help in advance.
Erich
Erich,
Looking at your configuration, two things:
1. In the current running configuration, I see your L2L tunnel is configured with match address 101, but I don't see an ACL 101 defined on the router.
2. Your split tunnel must be reconfigured, meaning the source and destination must be swapped:
ip access-list extended SplitList
permit ip 192.168.2.0 0.0.0.255 192.168.111.0 0.0.0.255
Split Tunneling
http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800a393b.shtml#Con4
Also, ensure that the IP address pool you assign to clients is not part of a LAN on your side. If it is, you can run into routing problems.
Kind regards
Arul
* Please rate all useful posts *
-
Site2Site VPN ASA 5505 - allow established traffic
Hello
I have an IKEv1/IPsec tunnel between two ASAs.
One network with local 10.31.0.0/16.
The other network with local 172.21.0.0/24.
But I would like only traffic that is initiated from 10.31.0.0/16 to be allowed; is it possible to restrict 172.21.0.0/24 to 10.31.0.0/16 that way?
(Replies to 10.31.0.0/16 are allowed from the remote network 172.21.0.0/24.)
Best regards, Steffen.
Hello
If I didn't misunderstand the above question, then I think you might be able to do the following on the ASA with the local network 10.31.0.0/16.
The ASA has the following global configuration, which is the default if you have not changed it:
sysopt connection permit-vpn
This doesn't normally show in the CLI configuration given above, since it is the default setting.
You can check this with the command
show run all sysopt
This will list even the default settings.
Now what this configuration essentially means is: allow ALL traffic that comes through a VPN connection to bypass the ASA interface ACL. So in your case, at the site where the ASA has the network 10.31.0.0/16, the ASA would allow connections coming through from the other site's network 172.21.0.0/24 (as long as they were allowed on the other site's ASA LAN interface ACL).
What you could do is insert the following configuration:
no sysopt connection permit-vpn
What this would do is require you to ALLOW ALL traffic coming through the VPN connection in the 'outside' interface ACL of the ASA (which I assume is the name of your current interface that handles VPN connections). In other words, the VPN traffic would not receive a "pass" through the 'outside' interface ACL; instead you must allow it like all other traffic from the Internet.
If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN or VPN Client connections, THEN you must first allow their traffic in your 'outside' interface ACL towards the LAN. If you do this and insert the configuration above, you will notice that the traffic will start to get blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security-level' will naturally block traffic in the same way an ACL would).
So if we assume that the L2L VPN is the only link you had configured on the ASA with 10.31.0.0/16, then the following changes would happen:
- Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL allows this traffic.
- Return traffic for these connections would of course be allowed by the ASA like all other traffic.
- IF there are incoming connection attempts to the ASA with the 10.31.0.0/16 network from the 172.21.0.0/24 network, they would be dropped UNLESS you ALLOW them in the 'outside' interface ACL.
Hope this made sense and helped.
Consider marking the reply as the answer if it answered your question.
Naturally, ask more if necessary.
-Jouni
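Added worked example (editor's addition, not from the thread): a toy model of the behaviour the answer above describes, so the effect of removing `sysopt connection permit-vpn` can be traced for each direction. Connection state is reduced to (initiator, responder) address pairs; the real ASA tracks full 5-tuples and TCP state, and the class and function names here are chosen for the example, not ASA terminology.

```python
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("10.31.0.0/16")    # network behind the ASA being configured
REMOTE_LAN = ip_network("172.21.0.0/24")  # network behind the peer ASA


class AsaVpnPath:
    """How decrypted L2L traffic meets the 'outside' interface ACL.
    Existing connections are always allowed (stateful); a new inbound flow is
    allowed either by the permit-vpn bypass or by an explicit outside ACL entry."""

    def __init__(self, permit_vpn=True, outside_acl=()):
        self.permit_vpn = permit_vpn          # True: 'sysopt connection permit-vpn' (the default)
        self.outside_acl = list(outside_acl)  # [(action, src_net, dst_net)] inbound on 'outside'
        self.conns = set()                    # (initiator, responder) pairs

    def from_inside(self, src, dst):
        """Host on LOCAL_LAN opens a connection into the tunnel (inside ACL assumed to permit)."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in LOCAL_LAN or dst not in REMOTE_LAN:
            return (False, "not tunnel traffic")
        self.conns.add((src, dst))
        return (True, "encrypted; connection recorded")

    def from_tunnel(self, src, dst):
        """Decrypted packet from REMOTE_LAN arriving on 'outside'."""
        src, dst = ip_address(src), ip_address(dst)
        if (dst, src) in self.conns:
            return (True, "return traffic of an existing connection")
        if self.permit_vpn:
            return (True, "sysopt connection permit-vpn bypasses the outside ACL")
        for action, s, d in self.outside_acl:
            if src in s and dst in d:
                return (action == "permit", f"outside ACL {action}")
        return (False, "outside ACL implicit deny")


if __name__ == "__main__":
    default = AsaVpnPath()
    print("default, remote initiates:", default.from_tunnel("172.21.0.5", "10.31.1.10"))
    strict = AsaVpnPath(permit_vpn=False)
    strict.from_inside("10.31.1.10", "172.21.0.5")
    print("strict, reply to our flow :", strict.from_tunnel("172.21.0.5", "10.31.1.10"))
    print("strict, remote initiates  :", strict.from_tunnel("172.21.0.7", "10.31.1.10"))
```

With the default in place the remote side can open connections towards 10.31.0.0/16; after `no sysopt connection permit-vpn` only replies to connections opened from the 10.31.0.0/16 side get through, unless an outside ACL entry explicitly permits the inbound flow, which is the one-directional policy the question asks for.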
-
Hello Experts from Cisco,
I've run into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and a 5520 running version 8.2.2.
Our existing L2L VPNs connect fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.
What is failing is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, even when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table, but the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.
Useful info:
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list sheep extended permit ip 10.100.8.0 255.255.248.0 object-group sheep-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside
SITE B
object-group network sheep-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.21.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.100.8.0 255.255.248.0
access-list sheep extended permit ip 10.20.0.0 255.255.0.0 object-group sheep-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer xx.xx.xx.xx
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside
I've been struggling with this for days. Any help is very much appreciated!
Thank you!!
Follow these steps:
no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public
Try again and attach the same outputs.
Let me know.
Thank you.
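Added worked example (editor's addition, not from the thread): why the reply moves the dynamic crypto map entry from sequence 10 to 65535. Crypto map entries are evaluated in ascending sequence order, and a dynamic entry matches any peer, so a dynamic entry with a lower sequence number than a static entry captures negotiations from the very peer the static entry names, and that entry's crypto ACL and reverse-route setting are never applied. The model below checks for that shadowing and also that the two sites' crypto ACLs are mirror images. The peer addresses 198.51.100.20 and 198.51.100.30 are constructed stand-ins for the post's x.x.x.x placeholders; which ASA carried the sequence-10 dynamic entry is not stated on the page, so this models it on SITE C.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str]               # None = dynamic entry ('ipsec-isakmp dynamic ...')
    local_net: Optional[str] = None   # crypto ACL source (our side)
    remote_net: Optional[str] = None  # crypto ACL destination (their side)


def select_entry(crypto_map, remote_peer):
    """First entry, in ascending sequence order, whose peer matches the negotiating
    peer. A dynamic entry matches every peer, so its position decides whether the
    static entries after it are ever reached."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.peer is None or ip_address(entry.peer) == ip_address(remote_peer):
            return entry
    return None


def shadowed_static_entries(crypto_map):
    """Sequence numbers of static entries that sit above a dynamic entry: the peers
    they name would be matched by the dynamic entry instead."""
    dyn_seqs = [e.seq for e in crypto_map if e.peer is None]
    if not dyn_seqs:
        return []
    lowest_dyn = min(dyn_seqs)
    return sorted(e.seq for e in crypto_map if e.peer is not None and e.seq > lowest_dyn)


def mirrors(local_entry, remote_entry):
    """Crypto ACLs of two static peers must be exact mirror images of each other."""
    return (ip_network(local_entry.local_net) == ip_network(remote_entry.remote_net)
            and ip_network(local_entry.remote_net) == ip_network(remote_entry.local_net))


SITE_B_PUBLIC = "198.51.100.20"   # constructed stand-in for SITE_B_Public
SITE_C_PUBLIC = "198.51.100.30"   # constructed stand-in for SITE C's peer address

# SITE C as modelled before the fix: dynamic outside_dyn_map at sequence 10.
SITE_C_BEFORE = [
    CryptoMapEntry(10, None),
    CryptoMapEntry(30, SITE_B_PUBLIC, "10.100.8.0/21", "10.20.0.0/16"),
]
# After the reply's change: dynamic entry moved to the highest sequence number.
SITE_C_AFTER = [
    CryptoMapEntry(30, SITE_B_PUBLIC, "10.100.8.0/21", "10.20.0.0/16"),
    CryptoMapEntry(65535, None),
]
SITE_B_ENTRY = CryptoMapEntry(50, SITE_C_PUBLIC, "10.20.0.0/16", "10.100.8.0/21")

if __name__ == "__main__":
    print("before: SITE B lands on seq", select_entry(SITE_C_BEFORE, SITE_B_PUBLIC).seq,
          "shadowed:", shadowed_static_entries(SITE_C_BEFORE))
    print("after : SITE B lands on seq", select_entry(SITE_C_AFTER, SITE_B_PUBLIC).seq,
          "shadowed:", shadowed_static_entries(SITE_C_AFTER))
    print("crypto ACLs mirror each other:", mirrors(SITE_C_AFTER[0], SITE_B_ENTRY))
```

`shadowed_static_entries` is the check worth running over any multi-peer crypto map: the dynamic entry should always be the last one evaluated, and the `clear crypto ipsec sa peer` step in the reply is needed because SAs already built under the wrong entry are not re-evaluated until they are torn down.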
-
Hello world
For a WLC I need to configure strict ACLs for the traffic flow.
Do I have to configure the ACL in both directions?
As on the ASA return traffic is allowed because it is stateful, must I also add ACL entries for return traffic from outside to inside?
Regards
Mahesh
Hello
It depends, but in general, you need to configure in both directions.
Have a look here:
http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN...
Regards
-
Cisco site-to-site VPN - is interesting traffic required to bring up a VPN or not?
A really quick and easy one for the VPN gurus out there...
Essentially, I am setting up a VPN for backup, but unfortunately there is NO interesting traffic and we need the VPN up.
So... is this possible?
Thanks in advance
Arnoult
I would also like to add to David's response. Depending on which firewall and configuration you use, keepalives are either phase 1 keepalives or full end-to-end phase 2 keepalives.
I do not know the Cisco equivalent or whether they even have one. An example of this with Juniper: dead-peer-detection (DPD) only sends IKEv1/2 keepalives, while VPN monitoring sends ICMP echo requests to track the VPN and/or declare it dead.
With DPD, it isn't exactly interesting traffic; it's just the IKE "hello, are you there" messages. After a while, the VPN can go down due to lack of interesting traffic or having to renegotiate phase 2. However, to create interesting traffic, you can set up an IP SLA for end-to-end ICMP.
You may have noticed in the past that the VPN will just go down after a while (if you have this configuration).
There are three modes for how the ASA actually starts the negotiations:
Answer only: Specifies that this peer only responds to incoming IKE connections during the initial proprietary exchange to determine the appropriate peer to connect to.
Bidirectional (default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for site-to-site connections. [Only if interesting traffic is matched]
Originate only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.
For the ASA experts out there, please correct me if I'm wrong.
Hope this helps
Bilal
-
Hi all
My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.
I encountered a problem trying to set up a temporary L2L VPN from a subscriber with a CISCO2911 sitting behind the ISP's router to an ASA. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco for some reason, so I'm stuck with it. The setup is:
company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN
where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.
I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...
! ^^^ ISAKMP (Phase 1) ^^^ !
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
! pre-shared key for the ASA peer; xauth disabled for this L2L peer
crypto isakmp key * address y.y.y.y no-xauth
! ^^^ IPSEC (Phase 2) ^^^ !
! crypto ACL: local LAN 10.1.15.0/24 to the corporate 10.0.0.0/8
ip access-list extended crymap
 permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN_TUNNEL 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address crymap
! crypto map applied to the interface facing the ISP router
interface GigabitEthernet0/2
 crypto map VPN_TUNNEL
Hello
From the debug output, it seems the ISAKMP SA for the tunnel does end up in the QM_IDLE state.
What I noticed in your ASA configuration is that you are using PFS, but not on the 2911 router.
So I suggest:
no crypto map OUTSIDE_map 4 set pfs   <-- this will disable PFS on the ASA
Then try to initiate the tunnel.
Kind regards,
Jan
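An added example, not part of Jan's reply: the PFS mismatch can be resolved in either direction. Dropping PFS on the ASA makes the two Phase 2 policies agree, but enabling it on the 2911 instead keeps forward secrecy for the IPsec keys, which is the option to prefer when both devices support it. The map name OUTSIDE_map, sequence 4, VPN_TUNNEL and peer y.y.y.y are the ones from the thread; group2 is an assumption and must be whatever DH group the ASA entry is actually configured with.

```cisco
! Option A (what Jan suggests): remove PFS on the ASA so both sides agree on "no PFS"
no crypto map OUTSIDE_map 4 set pfs

! Option B (keeps forward secrecy): add PFS to the router's crypto map entry instead,
! using the same DH group as the ASA entry (group2 here is an assumption)
crypto map VPN_TUNNEL 1 ipsec-isakmp
 set pfs group2

! Verification after the next Phase 2 negotiation. On the router, the PFS line of the
! SA must read the same on both sides, e.g. "PFS (Y/N): Y, DH group: group2":
!   show crypto ipsec sa peer y.y.y.y
! On the ASA, confirm what the crypto map entry actually carries:
!   show running-config crypto map | include pfs
```

Whichever option is chosen, clear the existing Phase 2 SA (`clear crypto sa peer y.y.y.y` on the router) before re-testing, otherwise the old SA masks the change until the next rekey.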
-
ASA with several dynamic L2L VPNs
I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.
I also need some L2L VPNs with dynamic remote peers.
While the configuration for a single dynamic VPN is quite simple (as described in several examples), how can I configure the ASA for many dynamic VPNs?
Basically, all the dynamic VPNs must use the same PSK (the DefaultL2LGroup).
But using aggressive mode on the remote peer, I could use a different PSK for every dynamic VPN:
tunnel-group ABCD ipsec-attributes
 pre-shared-key *
Is this configuration correct?
Best regards
Claudio
Hello
Maybe the solutions provided in the following document could also be an option for configuring multiple dynamic L2L VPN connections on the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
-Jouni
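As an added example (neither Claudio's configuration nor text from the linked tech note), this is the pattern in current ASA syntax: a single dynamic crypto map entry, plus one tunnel-group per remote site, named after the identity that site sends in IKEv1 aggressive mode, each with its own pre-shared key. Below it is the matching IOS configuration that makes a branch router initiate in aggressive mode with that identity. The ASA outside address 203.0.113.1, the branch hostnames, the PSK placeholders, the object names and the ASA 8.4+ `ikev1` keywords are all assumptions.

```cisco
! ===== ASA (hub, responder for dynamic peers) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! One dynamic entry catches every peer whose address is not statically configured.
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE_map interface outside

! One tunnel-group per site. The name must equal the FQDN identity the router sends in
! aggressive mode; that is how the ASA picks the right key instead of DefaultL2LGroup.
tunnel-group branch-a.example.com type ipsec-l2l
tunnel-group branch-a.example.com ipsec-attributes
 ikev1 pre-shared-key <long-random-psk-for-branch-a>
tunnel-group branch-b.example.com type ipsec-l2l
tunnel-group branch-b.example.com ipsec-attributes
 ikev1 pre-shared-key <long-random-psk-for-branch-b>

! ===== IOS router at branch A (dynamic address, initiator) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Per-peer aggressive-mode settings: the FQDN sent as IKE identity and the PSK for it.
crypto isakmp peer address 203.0.113.1
 set aggressive-mode client-endpoint fqdn branch-a.example.com
 set aggressive-mode password <long-random-psk-for-branch-a>
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
ip access-list extended VPN-ACL
 permit ip 10.20.0.0 0.0.255.255 10.0.0.0 0.255.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 match address VPN-ACL
```

Two caveats before using this in production. First, the ASA also needs the usual NAT exemption and a crypto ACL on each branch that the dynamic entry will accept; those are omitted here. Second, IKEv1 aggressive mode sends the identity in the clear and lets a passive observer capture a hash that can be brute-forced offline against the PSK, so each key must be long and random, and an IKEv2 L2L (where the ASA matches the peer's ID to a tunnel-group with `ikev2 remote-authentication pre-shared-key`) removes the need for aggressive mode altogether.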
-
L2L VPN tunnel is reset during IPsec rekey
I have an L2L VPN tunnel that resets completely, starting with Phase 1, when the IPsec Security Association timer expires. Although there are several SAs, it always resets the whole tunnel.
I see the following in the log when this happens:
03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713050: Group = ipRemoved, IP = ipRemoved, Connection terminated for peer ipRemoved. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-5-713259: Group = ipRemoved, IP = ipRemoved, Session is being torn down. Reason: User Requested
03/06/2013 12:54:41 Local7.Warning ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01 : %ASA-4-113019: Group = ipRemoved, Username = ipRemoved, IP = ipRemoved, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested
03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713041: IP = ipRemoved, IKE Initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713119: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED
03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved) Initiator, Inbound SPI = 0x9213bdc9, Outbound SPI = 0x1799a099
03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=b8a47603)
03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713041: Group = ipRemoved, IP = ipRemoved, IKE Initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved) Initiator, Inbound SPI = 0x93f9be6c, Outbound SPI = 0x1799a16d
03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01 : %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=1f6c9acd)
Any thoughts on why it would do that?
Thank you.
Jason
Hello
Both log messages seem to suggest that the remote end is closing/clearing the connection.
Is this a new connection that suffers from this problem, or did it start on an existing connection?
The Cisco documentation associated with the syslog messages doesn't really give any useful information about these log messages.
I guess your problem is that TCP connections through the L2L VPN suffer from the complete renegotiations of the L2L VPN.
I wonder if the following configuration could help, even if the situation itself persists:
sysopt connection preserve-vpn-flows
Here is a link to the ASA command reference (8.4-8.6 software) with a better explanation of this command.
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395
It is not enabled by default on the ASA.
Hope this helps
-Jouni
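An added example, not from Jouni's reply, of what to check on the ASA for this kind of full reset. The 4h:00m:06s duration in the 113019 message is 14400 s plus a few seconds, so comparing the Phase 1 (IKE) and Phase 2 (IPsec) lifetimes on both peers is a sensible first step: the side with the shorter lifetime rekeys first, and "Reason: User Requested" on an L2L session normally accompanies an IKE delete received from the peer or an administrative clear, not a local timer. The values, the map name OUTSIDE_map, sequence 4 and the peer 203.0.113.10 are assumptions.

```cisco
! --- ASA: what is negotiated right now; compare the lifetimes with the far end ---
show crypto ikev1 sa detail
show crypto ipsec sa peer 203.0.113.10 | include lifetime|SPI
show vpn-sessiondb detail l2l

! --- ASA: pin the lifetimes explicitly so both sides agree (values are assumptions) ---
crypto ikev1 policy 10
 lifetime 86400
crypto map OUTSIDE_map 4 set security-association lifetime seconds 3600

! --- IOS router at the other end: the equivalent settings ---
crypto isakmp policy 10
 lifetime 86400
crypto ipsec security-association lifetime seconds 3600

! --- ASA: keep established TCP flows across a rekey/renegotiation instead of dropping them ---
sysopt connection preserve-vpn-flows
```

Mismatched lifetimes alone do not fail a negotiation (the shorter value is generally what ends up in use), but they decide which peer initiates the rekey, and a Phase 1 lifetime exactly four hours long on one side would line up with the session duration in the log. Confirm on the far end with its own show commands (`show crypto isakmp sa detail` and `show crypto ipsec sa` on IOS) rather than trusting one side's configuration.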