L2l vpn with Firewall Palo Alto

I'm setting up a tunnel of l2l with a firewall of palo alto and evil.  It is a fairly simple installation, we are traffic encryption public to the public for download of the side sftp asa.  Here are the parts relevant to the config and various outputs...  Remote admin side asserts that the phase 1 pass and we have a timeout of waiting for phase 2.  Any help would be appreciated.

1.1.1.1 (customer2 destination address)
1.1.1.2 (customer2 vpn gateway)
2.2.2.0 (space local public ip)

description of CustomerVPN2 name 1.1.1.1 customer VPN2

Inside_nat0_outbound to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2
Outside_4_cryptomap to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2

card crypto Outside_map 4 corresponds to the address Outside_4_cryptomap
crypto map Outside_map 4 set type of connection are created only
card crypto Outside_map 4 set peer 1.1.1.2
card crypto Outside_map 4 the value transform-set ESP-AES-256-SHA

crypto ISAKMP policy 50
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.

SH crypto isakmp (reviews listed as type: user)

8 peer IKE: 1.1.1.2
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2

Debug crypto ipsec (looks like he's trying all cryptographic cards except one)

IPSec (crypto_map_check): crypto Outside_map 1 hole card no match for ACL Outside_1_cryptomap.

IPSec (crypto_map_check): card crypto Outside_map 2 do not match for ACL Outside_2_cryptomap hole.

IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL Outside_3_cryptomap.

IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL OO_temp_Outside_map3.

and finally.

03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, removing counterpart peer table faile
d, no match!
03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, error: cannot delete PeerTblEntr

Hey Evo,

You asa public interface is the same as the public ip address that you are trying to encrypt?

I think you need to create a Nat policy that can be a private ip address as well and then use it as your side of interesting traffic, because the Admin in Palo Alto is right about the vpn route accordingly.

Here are some links for policy based Nat & paloalto side vpn screenshots and explanations.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

http://www.danielelonghi.com/wp-content/uploads/2011/05/Howto-create-VPN-connection-between-JUNOS-and-paloalto.PDF

http://netsecinfo.blogspot.com/2008/02/route-based-VPNs-explained.html

Manish

Tags: Cisco Security

Similar Questions

  • L2l VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.

    Thank you!

    Hello

    You can definitely set up an IPSec tunnel between two devices in the translation of your subnet in a single public IP address. You just create the translation and as you mentioned define interesting traffic using the public IP address.

    This is exactly what we call political NAT, I don't understand why you say that NAT policy is not an option. Perhapps you misunderstood concept NAT policy or I misunderstood your question.

    For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0

    Global (outside) 6 200.200.200.200

    NAT (inside) 6 access-L199

    Which would be NAT traffic to the public IP address only when the traffic matches the ACL.

    Your ACL crypto should then be something like

    cryptomap list of allowed access host ip 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your address real and all they see is the public IP address you give them. Note that since the NAT takes place on your side your side will be able to raise the tunnel.

    I hope this helps.

    Raga

  • L2l VPN with public ip of the router and firewall with private IP

    Dear all,

    I have a requiremnt for site to site VPN configuration but the firewall on the remote end is not obtained public ip, public ip address is termintaed on the router. Please find the attached diagram

    LAN--> Firewall - privateip--> router-publicip - ISP

    How can I set up the site to site VPN tunnel, enjoy emergency assistance

    Thanks in advance...

    Mikael

    You can configure static NAT for 1:1 for the SAA outside interface with a spare public ip address of the router address.

    If you don't have spare public ip address, then you must configure static UDP/500 and UDP/4500 PAT on the router and enable NAT - T on the SAA.

  • L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR

    I configured a VPN L2L on a Cisco 1841 ISR.  I'm statically from some of my internal hosts to IPS that are included in encrypted traffic.  Please note that not all internal hosts are underway using a NAT.  I am doing this for hidden some of the actual IP addresses on the inside network.  I confirmed that the VPN works as well as natives of VPN traffic.  I configured VPN L2L traditionally on the Cisco ASA 5500 Series devices, and this is my first attempt with HIA of 1841.  I want just the other to take a glance to see if I missed something, or could I effectively part of the configuration.  All comments are welcome.

    VPN-RTR-01 #show run
    Building configuration...

    Current configuration: 9316 bytes
    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname VPN-RTR-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! type map necessary for vwic/slot-slot 0/0 control
    logging buffered 51200 warnings
    no console logging
    enable secret 5 xxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxxxx
    !
    No aaa new-model
    IP cef
    !
    !
    !
    !
    no ip domain search
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    !
    !
    Crypto pki trustpoint TP-self-signed-2010810276
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2010810276
    revocation checking no
    rsakeypair TP-self-signed-2010810276
    !
    !
    TP-self-signed-2010810276 crypto pki certificate chain
    certificate self-signed 01
    30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
    30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
    31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
    7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
    B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
    749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
    52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
    551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
    3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
    1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
    010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
    C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
    66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
    37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
    DD29E815 E9F90877 4 D 68
    quit smoking
    username privilege 15 password 7 xxxxxxxxxxxxxxx lhocin
    username privilege 15 password 7 xxxxxxxxxxxxxxx jsmith
    !
    !
    !
    !
    crypto ISAKMP policy 5
    BA aes 256
    preshared authentication
    Group 2
    lifetime 28800
    xxxxxxxxxxxxxxx key address 172.21.0.1 crypto ISAKMP xauth No.
    !
    !
    Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
    !
    card crypto SITES REMOTE VPN-ipsec-isakmp 1
    defined by peer 172.21.0.1
    game of transformation-ESP-AES256-SHA
    match address VPN-REMOTE-SITE
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    automatic speed
    full-duplex
    No mop enabled
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 1 native
    !
    interface FastEthernet0/0.2
    Description $FW_INSIDE$
    encapsulation dot1Q 61
    IP 10.1.0.34 255.255.255.224
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly
    !
    interface FastEthernet0/0.3
    Description $FW_OUTSIDE$
    encapsulation dot1Q 111
    IP 172.20.32.17 255.255.255.224
    IP access-group 101 in
    Check IP unicast reverse path
    NAT outside IP
    IP virtual-reassembly
    crypto VPN-REMOTE-SITE map
    !
    interface FastEthernet0/1
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 172.20.32.1
    IP route 10.16.0.0 255.255.0.0 10.1.0.33
    IP route 10.19.0.0 255.255.0.0 10.1.0.33
    IP route 10.191.0.0 255.255.0.0 10.1.0.33
    IP route 10.192.0.0 255.255.0.0 10.1.0.33
    IP route 192.168.20.48 255.255.255.240 10.1.0.33
    !
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP http timeout policy inactive 600 life 86400 request 10000
    IP nat inside source map route NO_NAT interface FastEthernet0/0.3 overload
    IP nat inside source static 10.191.0.11 192.168.20.54 STATIC_NAT_7 card expandable route
    IP nat inside source static 10.191.0.12 192.168.20.55 STATIC_NAT_8 card expandable route
    IP nat inside source static 10.192.1.1 192.168.20.56 STATIC_NAT_1 card expandable route
    IP nat inside source static 10.192.1.2 192.168.20.57 STATIC_NAT_2 card expandable route
    IP nat inside source static 10.192.1.3 192.168.20.58 STATIC_NAT_3 card expandable route
    IP nat inside source static 10.192.1.4 192.168.20.59 STATIC_NAT_4 card expandable route
    IP nat inside source static 10.192.1.5 192.168.20.61 STATIC_NAT_5 card expandable route
    IP nat inside source static 10.16.1.6 192.168.20.62 STATIC_NAT_6 card expandable route
    !
    VPN-REMOTE-SITE extended IP access list
    IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.39
    IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.40
    inside_nat_static_1 extended IP access list
    permit ip host 10.192.1.1 10.174.52.39
    permit ip host 10.192.1.1 10.174.52.40
    refuse an entire ip
    inside_nat_static_2 extended IP access list
    permit ip host 10.192.1.2 10.174.52.39
    permit ip host 10.192.1.2 10.174.52.40
    refuse an entire ip
    inside_nat_static_3 extended IP access list
    permit ip host 10.192.1.3 10.174.52.39
    permit ip host 10.192.1.3 10.174.52.40
    refuse an entire ip
    inside_nat_static_4 extended IP access list
    permit ip host 10.192.1.4 10.174.52.39
    permit ip host 10.192.1.4 10.174.52.40
    refuse an entire ip
    inside_nat_static_5 extended IP access list
    permit ip host 10.192.1.5 10.174.52.39
    permit ip host 10.192.1.5 10.174.52.40
    refuse an entire ip
    inside_nat_static_6 extended IP access list
    permit ip host 10.16.1.6 10.174.52.39
    permit ip host 10.16.1.6 10.174.52.40
    refuse an entire ip
    inside_nat_static_7 extended IP access list
    permit ip host 10.191.0.11 10.174.52.39
    permit ip host 10.191.0.11 10.174.52.40
    refuse an entire ip
    inside_nat_static_8 extended IP access list
    permit ip host 10.191.0.12 10.174.52.39
    permit ip host 10.191.0.12 10.174.52.40
    refuse an entire ip
    !
    access-list 100 remark self-generated by the configuration of the firewall SDM
    Access-list 100 = 1 SDM_ACL category note
    access-list 100 deny ip 172.20.32.0 0.0.0.31 all
    access-list 100 deny ip 255.255.255.255 host everything
    access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
    access ip-list 100 permit a whole
    Remark SDM_ACL category of access list 101 = 17
    access-list 101 permit udp any host 192.168.20.62
    access-list 101 permit tcp any host 192.168.20.62
    access-list 101 permit udp any host 192.168.20.61
    access-list 101 permit tcp any host 192.168.20.61
    access-list 101 permit udp any host 192.168.20.59
    access-list 101 permit tcp any host 192.168.20.59
    access-list 101 permit udp any host 192.168.20.58
    access-list 101 permit tcp any host 192.168.20.58
    access-list 101 permit udp any host 192.168.20.57
    access-list 101 permit tcp any host 192.168.20.57
    access-list 101 permit udp any host 192.168.20.56
    access-list 101 permit tcp any host 192.168.20.56
    access-list 101 permit udp any host 192.168.20.55
    access-list 101 permit tcp any host 192.168.20.55
    access-list 101 permit udp any host 192.168.20.54
    access-list 101 permit tcp any host 192.168.20.54
    access-list 101 permit ip 10.174.52.40 host 192.168.20.48 0.0.0.15
    access-list 101 permit ip 10.174.52.39 host 192.168.20.48 0.0.0.15
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
    access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
    access-list 101 permit esp 172.21.0.1 host 172.20.32.17
    access-list 101 permit ahp host 172.21.0.1 172.20.32.17
    access-list 101 permit icmp any host 172.20.32.17 - response
    access-list 101 permit icmp any host 172.20.32.17 time limit
    access-list 101 permit icmp any unreachable host 172.20.32.17
    access-list 101 permit udp any host isakmp 172.20.32.17 newspaper eq
    access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
    access-list 101 permit tcp any host 172.20.32.17 eq 443
    access-list 101 permit tcp any host 172.20.32.17 eq 22
    access-list 101 permit tcp any host 172.20.32.17 eq cmd
    access-list 101 deny ip 10.1.0.32 0.0.0.31 all
    access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
    access-list 101 deny ip 172.16.0.0 0.15.255.255 all
    access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
    access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
    access-list 101 deny ip 255.255.255.255 host everything
    access-list 101 deny host ip 0.0.0.0 everything
    access-list 101 deny ip any any newspaper
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
    access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
    access-list 102 permit ip 10.1.0.32 0.0.0.31 all
    !
    allowed NO_NAT 1 route map
    corresponds to the IP 102
    !
    STATIC_NAT_8 allowed 10 route map
    inside_nat_static_8 match ip address
    !
    STATIC_NAT_5 allowed 10 route map
    inside_nat_static_5 match ip address
    !
    STATIC_NAT_4 allowed 10 route map
    inside_nat_static_4 match ip address
    !
    STATIC_NAT_7 allowed 10 route map
    inside_nat_static_7 match ip address
    !
    STATIC_NAT_6 allowed 10 route map
    inside_nat_static_6 match ip address
    !
    STATIC_NAT_1 allowed 10 route map
    inside_nat_static_1 match ip address
    !
    STATIC_NAT_3 allowed 10 route map
    inside_nat_static_3 match ip address
    !
    STATIC_NAT_2 allowed 10 route map
    inside_nat_static_2 match ip address
    !
    !
    !
    control plan
    !
    !
    !
    Line con 0
    exec-timeout 30 0
    line to 0
    line vty 0 4
    privilege level 15
    local connection
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    local connection
    transport input telnet ssh
    !
    Scheduler allocate 20000 1000
    end

    VPN-RTR-01 #.

    Hello

    Configuration looks ok to me.

    yet you can cross-reference with the following link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • L2l VPN with nat

    Hi all

    I'm quite inexperienced in this subject and would appreciate advice on this

    I need to create a VPN tunnel between our site and a remote site.

    On our site, we are a network 192.168.0.X our external ip address is 12.53.150.100

    We need to connect to the site is 69.144.38.48

    We need to move from host to host meaning 192.168.0.97--> 69.144.38.50 and they want our ip to translate to 10.9.250.1

    Thanks in advance

    Jason

    Are you familiar with the establishment of a regular L2L tunnel? In addition to this, you just create a nat policy:

    access-list extended 100 permit ip host 192.168.0.97 69.144.38.50

    public static 10.9.250.1 (inside, outside) - access list 100

    When you define your ACL crypto, you specify 10.9.250.1 as the source instead of 192.168.0.97.

    Let me know if you need help most.

  • L2l - VPN with NAT incoming

    Cisco ASA (site A) with 2 L2L-VLNs (call the Site B and Site C)

    I need "inbound nat' Site-C network.

    Let me explain better:

    -Site-B (10.14.63.0/24) accepts only traffic between the local network of the site-A (10.1.6.0/24), and I can't change the VPN.

    -Now, I've logged on the Site-A site-C, and this must also communicate with site-B

    -So I thought I have nat, the network of Site-C (10.168.3.0/24) in order to present with an IP of A Site.

    Possible?

    And how to configure the ASA at the Site-A?

    Thank you

    Claudio

    Hello

    What is the level of software on the Site to ASA?

    -Jouni

  • Unable to connect to the site Web SSL VPN with firewall zone configured

    I recently updated my 2911 company and set up a firewall area.  This is my first experience with this and I used Cisco Configuration Professional to build the configuration of the firewall first and then edited the names to make it readable by humans.  The only problem I can't solve is to learn site Web SSL VPN from outside.  I can navigate the website and connect without problem from the inside, and even if it was useful to verify that the Routing and the site work properly it is really not what I.  I don't get anything on the syslog for drops because of the firewall server, or for any other reason but packet capture show that no response is received when you try to navigate to the outside Web site.  I am currently using a customer VPN IPSEC solution until I can get this to work and have no problem with it.  I have attached a sanitized with the included relevant lines configuration (deleted ~ 400 lines including logging, many inspections on the movement of the area to the area and the ipsec vpn, which I already mentioned).  I searched anything about this problem and no one has no problem connecting to their Web site, just to get other features to work correctly.  All thoughts are welcome.

    See the security box

    area to area

    Members of Interfaces:

    GigabitEthernet0/0.15

    GigabitEthernet0/0.30

    GigabitEthernet0/0.35

    GigabitEthernet0/0.45

    area outside zone

    Members of Interfaces:

    GigabitEthernet0/1

    sslvpn area area

    Members of Interfaces:

    Virtual-Template1

    SSLVPN-VIF0

    I tried to change the composition of the area on the interface virtual-Template1 to the outside the area nothing helps.

    See the pair area security

    Name of the pair area SSLVPN - AUX-in

    Source-Zone sslvpn-area-zone of Destination in the area

    Service-SSLVPN-AUX-IN-POLICY

    Name of the pair area IN SSLVPN

    Source-Zone in the Destination zone sslvpn-zone

    service-policy IN SSLVPN-POLICY

    Name of the pair area SELF SSLVPN

    Source-Zone sslvpn-area free-zone Destination schedule

    Service-SELF-to-SSLVPN-POLICY

    Zone-pair name IN-> AUTO

    Source-Zone in the Destination zone auto

    Service-IN-to-SELF-POLICY policy

    Name of the pair IN-> IN box

    In the Destination area source-Zone in the area

    service-policy IN IN-POLICY

    Zone-pair name SELF-> OUT

    Source-Zone auto zone of Destination outside the area

    Service-SELF-AUX-OUT-POLICY

    Name of the pair OUT zone-> AUTO

    Source-Zone out-area Destination-area auto

    Service-OUT-to-SELF-POLICY

    Zone-pair name IN-> OUT

    Source-Zone in the Destination area outside zone

    service-strategy ALLOW-ALL

    The pair OUT zone name-> IN

    Source-out-zone-time zone time Zone of Destination in the area

    Service-OUT-to-IN-POLICY

    Name of the pair area SSLVPN-to-SELF

    Source-Zone-Zone of sslvpn-area auto

    Service-SSLVPN-FOR-SELF-POLICY

    I also tried to add a pair of area for the outside zone sslvpn-zone passing all traffic and it doesn't change anything.

    The area of networks

    G0/0.15

    172.16.0.1 26

    G0/0.30

    172.16.0.65/26

    G0/0.35

    172.16.0.129/25

    G0/0.45

    172.18.0.1 28

    Pool of SSL VPN

    172.20.0.1 - 172.20.0.14

    Latest Version of IOS:

    Cisco IOS software, software C2900 (C2900-UNIVERSALK9-M), Version 15.0 (1) M10, RELEASE SOFTWARE (fc1)

    Glad works now. Weird question, no doubt.

    I guess that on the deployment guide said that the firewall will not support inspection of TCP to the free zone, however, class nested maps are used to accomplish this, to be completely honest, I think it's a mess and the best thing to do is action past to auto for the protocols that you want and then drop the rest.

    Let us know if you have any other problems.

    Mike

  • Palo Alto Global protect VPN is not compatible with Windows RT

    I'm not able to use this VPN product with my Tablet Surface RT.  Any ideas?

    DH

    Contact Palo Alto Global Connect.  They know their best products.

  • L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

    ! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
    crypto ISAKMP policy 5
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    lifetime 28800
    isakmp encryption key * address no.-xauth y.y.y.y

    ! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
    crymap extended IP access list
    IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
    card crypto 1 TUNNEL VPN ipsec-isakmp
    defined peer y.y.y.y
    game of transformation-ESP-3DES-SHA
    match the address crymap

    Gi0/2 interface
    card crypto VPN TUNNEL

    Hello

    debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

    What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

    So I suggest:

    no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

    Then try tunnel initiate.

    Kind regards

    Jan

  • ASA with several L2L VPN Dynamics

    I have an ASA 5510 such as VPN, used for about 30 L2L - VPN concentrator.

    I need also some VPN L2L with dynamic peer remote.

    While the configuration for a single dyn - VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn - VPN?

    Basically, all the VPN - dyn must use the same PSK (the DefaultL2LGroup).

    But using the "aggressive" on the remote peer mode, I could use a different PSK for every dyn - VPN:

    tunnel-group ipsec-attributes ABCD

    pre-shared-key *.

    This configuration is correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document may also be an option to configure multiple dynamic VPN L2L connections on the SAA

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

    Hi Experts,

    We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

    Here's the warning we get then tried to configure the easy VPN Client.

    NOCMEFW1 (config) # vpnclient enable

    * Delete "nat (inside) 0 S2S - VPN"

    * Detach crypto card attached to the outside interface

    * Remove the tunnel groups defined by the user

    * Remove the manual configuration of ISA policies

    CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

    you

    operation was detected and listed above. Please solve the

    above a configuration and re - activate.

    Thanks and greetings

    ANUP sisi

    "Dynamic crypto map must be installed on the server device.

    Yes, dynamic crypto is configured on the EasyVPN server.

    Thank you

  • Configuration of the L3 Switch to send the traffic to Palo Alto

    Please forgive my ignorance when it comes to Palo Alto. This is the first time that I do business with them. We need to ensure one VLAN located behind the Palo Alto. I am including a diagram to show a simulation of what we seek to do. We have by default VLAN1 which is our default data VLAN. We have 19 VLAN is VLAN we want it secure. The VLAN1 SVI IP is 10.1.1.1 and VLAN19 SVI IP is 10.1.2.1. On the Palo Alto, we have an IP interface was like 10.1.1.2 for default data VLAN and 10.1.2.2 for the VLAN secure. There are also a pair of HA with IPS 10.1.1.3 and 10.1.2.3 respectively. We have EIGRP that announces the network default VLAN1. Here's what we want to do. Anything from the 10.1.1.x network, go to the 10.1.2.x network, must pass through the Palo Alto. Whatever either from the 10.1.2.x network, must go through the Palo Alto as well. Nothing to any other network 10.1.1.x, takes the route by default (and), and anything from 10.1.2.x to anything else on 10.1.2.x should stay local to the LAN (not pass through Palo Alto. Need just for the MAC address arp). My question is, how do I tell my L3 switch to send all traffic created in the 10.1.2.x, through the Palestinian Authority? I can't do an IP route because from the local network VIRTUAL lives on these L3 switches and is a directly connected route. Really, I can't do the ACB on the switch, because that is really meant to routers. I can put a long match, for everything on the 10.1.2.x network (i.e. the route ip 10.1.2.7 255.255.255.255 10.1.1.2), but for some reason when do whatsoever of 10.1.2.x another thing goes on 10.1.2.x through the palo alto so. Anyone have any suggestions on what would be the best practice, from a network perspective, on how to do this? Thanks for any help!

    Looks like you want all traffic to and from the secure virtual local network to pass through the firewall of your description?

    I'm not familiar with Palo Alto firewall is so I don't know how they work in HA, IE. with other devices do you want to simply talk to a VIP which is responsible for two firewalls?

    In your example the two firewalls have an IP address per vlan, but always just use you one IP addresses for the end-end connectivity. I'll assume that you do, you may need to change, but when I say that I mean the one that reminds you of the devices for routing etc..

    So for all the traffic to and from the network 10.1.2.0/24 to go through the firewall, you must-

    (1) remove the battery switch the IVR for vlan 19. You need the firewall to be routing vlan not secure the 3750 s. You leave vlan 19 in the database for vlan.

    (2) point them vlan 19 customers as default gateway

    (3) addition of a route on the stack of 3750 for the network 10.1.2.0/24-

    IP route 10.1.2.0 255.255.255.0

    (4) if the 10.1.2.0/24 network needs to talk to other that 10.1.1.0/24 remote subnets, then for each of these networks the firewall should be a route. The syntax will not be IOS, but this should give you an idea-

    IP 10.1.1.1 road

    etc... for each remote network

    That means foregoing is all the traffic going and coming from 10.1.2.x customers to other subnets must go through the firewall. The customer traffic in the vlan secured to other clients in the vlan safe doesn't have to go the firewalls.

    Jon

  • Select Cisco ASA to replace Palo Alto PA 500

    Hello world

    Pls suggest a Cisco ASA (equivalent or superior) 5500 series to replace the PA500. Thank you

    Palo Alto PA500

    • Firewall of 250 Mbit/s throughput (App - ID1active)
    • 100 Mbps threat prevention throughput
    • 50 VPN IPSec Mbps throughput
    • 64 000 max sessions
    • 7 500 new sessions per second
    • Tunnels/tunnel VPN IPSec 250 interfaces
    • 100 users, SSL VPN
    • 3 virtual routers
    • Virtual systems (basic/max) N/A
    • 20 security zones
    • 1 000 maximum policies

    Hi you can opt for the Asa 5510 or Asa 5520 two of them correspond to your needs. Here is a link to their characteristics http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-serie... Aditya cordially

  • Is site to site VPN with sufficiently secure router?

    Hello

    I have a question about the site to site VPN with router.

    Internet <> router <> LAN

    If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

    Thank you

    Hi Amanda,.

    Assuming your L2L looks like this:

    LAN - router - INTERNET - Router_Remote - LAN

    |-------------------------------------------------------------------------------|

    L2L

    Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

    On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

    If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

    Design of the area Guide of Application and firewall policies

    If you consider that this is not enough, check the ASA5500 series.

    HTH.

    Portu.

    Please note all useful posts

  • L2l VPN tunnel is reset during the generate a new IPSec key

    I have a tunnel VPN L2L that resets completely, start with Phase 1, at the expiration of the timer of the IPSec Security Association.  Although there are several SAs, it always resets all of the tunnel.

    I see the following in the log errors when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713050-5-ASA: Group = ipRemoved, IP = ipRemoved, completed for the ipRemoved peer connection.  Reason: Peer terminate Proxy remote n/a, Proxy Local n/a

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713259-5-ASA: Group = ipRemoved, IP = ipRemoved, Session is be demolished. Reason: The user has requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % ASA-4-113019: Group = ipRemoved username = ipRemoved, IP = ipRemoved, disconnected Session. Session type: IKE, duration: 4 h: 00 m: 06 s, xmt bytes: 260129, RRs bytes: 223018, reason: the user has requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713041-5-ASA: IP = ipRemoved, IKE initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.24 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713119-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-12:55:33 12:55:33 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x9213bdc9, outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713041-5-ASA: Group = ipRemoved, IP = ipRemoved, IKE initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.71 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-13:02:11 13:02:11 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x93f9be6c, outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = 1f6c9acd)

    Any thoughts on why she would do that?

    Thank you.

    Jason

    Hello

    Both the log messages seems to suggest that the remote end is closed/compensation connection.

    Is this a new connection that suffer from this problem or has it started on an existing connection?

    The Cisco documentation associated with the Syslog messages does really not all useful information about these log messages.

    I guess that your problem is that TCP by L2L VPN connections suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration can help even if this situation persists

    Sysopt preserve-vpn-flow of connection

    Here is a link to the order of the ASA reference (8, 4-8, 6 software) with a better explanation of this configuration.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the SAA.

    Hope this helps

    -Jouni

Maybe you are looking for