LAN-to-LAN IPsec VPN with overlapping networks problem

I am trying to connect two overlapping networks via IPsec. I have already googled and read

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Details:

Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses the inside networks 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed.

Site_B uses a Linux box and the networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (mainly 10.100.x.0/24). I did not implement this ASA; we took over this infrastructure without any documentation whatsoever.

According to the link above I should use double NAT. Site_B will see Site_A as the 10.26.0.0/22 network, and Site_A will see the networks in Site_B as 10.25.0.0/24. Site_A is only allowed to access 10.100.1.0/24 in Site_B, and Site_B is allowed to access all of Site_A's networks 10.100.x.0/24, hence the /22 mask (10.26.0.0/22). I would like, for example, to ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I am looking for something like `ip nat ... type match-host` on Cisco routers: I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link above everything is fine until the command:

static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound

which results in:

WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.128/3389 to outside:x.x.x.178/50000 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.26/3389 to outside:x.x.x.181/2001 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.27/3389 to outside:x.x.x.181/2002 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP companyname:10.100.0.28/3389 to outside:x.x.x.178/2003 netmask 255.255.255.255

Those are port redirects to Site_A hosts used for mail, webmail, etc. What should I do to keep the redirects from the Internet to the companyname VLAN and at the same time have a working L2L IPsec tunnel linking the overlapping networks?

Thank you in advance for any help or advice.

The ASA config snippet is below:

!
ASA Version 8.0(4)32
!
no names
name 10.25.0.0 siteB-fake-network description fake NAT network to avoid IP overlap
name 10.26.0.0 siteA-fake-network description fake NAT network to avoid IP overlap
!
interface Ethernet0/0
 shutdown
 nameif inside
 security-level 100
 ip address 10.200.32.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 nameif companyname
 security-level 100
 ip address 10.100.0.254 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif wifi
 security-level 100
 ip address 10.0.0.1 255.255.255.240
!
interface Ethernet0/2.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.0.30.1 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.100.100.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network inside-network
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 2221
 port-object eq 2222
 port-object eq 2223
 port-object eq 2224
 port-object eq 2846
object-group network DM_INLINE_NETWORK_1
 network-object 10.100.0.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
access-list securevpn_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.178 eq 50000
access-list outside_access_in extended permit tcp any host x.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.178 eq https
access-list outside_access_in extended permit tcp any host x.x.x.179 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp
access-list outside_access_in extended permit tcp any host x.x.x.181 eq ftp-data
access-list outside_access_in extended permit tcp host 205.158.110.63 host x.x.x.180 eq ssh inactive
access-list inside_access_in extended permit ip 10.100.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_access_in extended permit ip object-group inside-network 10.100.99.0 255.255.255.0
access-list inside_access_in extended permit ip object-group inside-network 10.0.30.0 255.255.255.248
access-list inside_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list inside_access_in extended permit tcp object-group inside-network any eq www
access-list inside_access_in extended permit tcp object-group inside-network any eq https
access-list inside_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp-data
access-list inside_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp
access-list inside_access_in extended permit object-group TCPUDP object-group inside-network any eq 9999
access-list inside_access_in extended permit object-group TCPUDP object-group inside-network any eq 3389
access-list inside_access_in extended permit udp object-group inside-network any eq domain
access-list companyname_access_in extended permit ip object-group inside-network 10.100.1.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group inside-network 10.100.99.0 255.255.255.0
access-list companyname_access_in extended permit ip object-group inside-network 10.0.30.0 255.255.255.248
access-list companyname_access_in extended permit tcp host 10.100.0.6 any eq smtp
access-list companyname_access_in extended permit tcp object-group inside-network any eq www
access-list companyname_access_in extended permit tcp object-group inside-network any eq https
access-list companyname_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp-data
access-list companyname_access_in extended permit tcp object-group inside-network gt 1023 any eq ftp
access-list companyname_access_in extended permit object-group TCPUDP object-group inside-network any eq 9999
access-list companyname_access_in extended permit object-group TCPUDP object-group inside-network any eq 3389
access-list companyname_access_in extended permit udp object-group inside-network any eq domain
access-list wifi_access_in extended permit tcp 10.0.0.0 255.255.255.240 host 10.100.0.40 eq 2001
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.0.30.0 255.255.255.248
access-list companyname_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list companyname_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.100.99.0 255.255.255.0
access-list wifi_nat0_outbound extended permit ip 10.0.0.0 255.255.255.240 10.100.0.0 255.255.255.0
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 any object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit tcp 10.0.30.0 255.255.255.248 host 10.100.0.2 object-group DM_INLINE_TCP_6
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.30.0 255.255.255.248 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended deny ip 10.0.30.0 255.255.255.248 any
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.99.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.0.30.0 255.255.255.248 10.100.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.26.0.0 255.255.252.0 10.25.0.0 255.255.255.0
access-list fake_nat_outbound extended permit ip 10.100.0.0 255.255.252.0 10.25.0.0 255.255.255.0
ip local pool clientVPNpool 10.100.99.101-10.100.99.199 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name IPS-attack attack action alarm drop reset
ip audit name IPS-inf info action alarm
ip audit interface outside IPS-inf
ip audit interface outside IPS-attack
nat-control
global (inside) 91 10.100.0.2
global (inside) 92 10.100.0.4
global (inside) 90 10.100.0.3 netmask 255.255.255.0
global (outside) 10 interface
global (outside) 91 x.x.x.179
global (outside) 92 x.x.x.181
global (outside) 90 x.x.x.180 netmask 255.0.0.0
global (companyname) 10 interface
global (dmz) 20 interface
nat (outside) 10 10.100.99.0 255.255.255.0
nat (companyname) 0 access-list companyname_nat0_outbound
nat (companyname) 10 10.100.0.0 255.255.255.0
nat (companyname) 10 10.100.1.0 255.255.255.0
nat (companyname) 10 10.100.2.0 255.255.255.0
nat (wifi) 0 access-list wifi_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 10.0.30.0 255.255.255.248
static (companyname,outside) tcp interface https 10.100.0.6 https netmask 255.255.255.255
static (companyname,outside) tcp interface smtp 10.100.0.20 smtp netmask 255.255.255.255
static (companyname,outside) tcp interface 50000 10.100.0.128 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2001 10.100.0.26 3389 netmask 255.255.255.255
static (companyname,outside) tcp x.x.x.181 2002 10.100.0.27 3389 netmask 255.255.255.255
static (companyname,outside) tcp interface 2003 10.100.0.28 3389 netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.181 ftp 10.0.30.2 ftp netmask 255.255.255.255
static (companyname,companyname) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
static (companyname,companyname) 10.100.2.0 10.100.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group companyname_access_in in interface companyname
access-group wifi_access_in in interface wifi
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
route companyname 10.0.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.1.0 255.255.255.0 10.100.0.1 1
route companyname 10.100.2.0 255.255.255.0 10.100.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer a.b.c.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.100.0.3
 dns-server value 10.100.0.3
 default-domain value nom_societe.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 10.100.0.3
 vpn-tunnel-protocol l2tp-ipsec
group-policy securevpn internal
group-policy securevpn attributes
 wins-server value 10.100.0.3 10.100.0.2
 dns-server value 10.100.0.3 10.100.0.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 default-domain value nom_societe.com
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group securevpn type remote-access
tunnel-group securevpn general-attributes
 address-pool clientVPNpool
 authentication-server-group COMPANYNAME_AD
 default-group-policy securevpn
tunnel-group securevpn ipsec-attributes
 pre-shared-key *
tunnel-group securevpn ppp-attributes
 authentication ms-chap-v2
tunnel-group a.b.c.1 type ipsec-l2l
tunnel-group a.b.c.1 ipsec-attributes
 pre-shared-key *

Are you sure that the static does not make it into the running configuration?

By applying this "big static" you are essentially trying to redirect ports that are already forwarded by rules in your existing configuration. That explains the warning: what you are trying to do overlaps with the existing statics.

(Sorry for using the word "forwarding", but this behaviour makes more sense if you look at it like that, even though "port forwarding" is not Cisco terminology.)

But... whenever I stumbled over this, the warning was exactly that: a WARNING, not an ERROR. And everything worked the way I wanted it to: the specific statics in the existing config simply take priority over the big static.

If you try it the other way round (the big static first, then the more specific ones) you get an error and the config is not applied.

So could you tell us whether the config is really not accepted?
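As an added illustration of the thread above (this is not code from the post, the answer or Cisco): a small Python model of the Site_A side of the double NAT. The real and fake prefixes, the crypto ACL and the six existing port statics are taken from the posted config; the ordering rule (specific statics first gives warnings, the reverse gives an error) is the behaviour the answer describes; the class and function names, and the use of the post's `x.x.x.N` placeholders as literal strings for the outside addresses, are my own assumptions.

```python
"""Model of the Site_A ASA double NAT from the thread (added example).
Prefixes, crypto ACL and port statics come from the posted config; the
ordering rule is the one the answer describes. Names are my own."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

SITE_A_REAL = Net("10.100.0.0/22")       # real side of fake_nat_outbound
SITE_A_FAKE = Net("10.26.0.0/22")        # what Site_B sees Site_A as
SITE_B_FAKE = Net("10.25.0.0/24")        # what Site_A sees Site_B's 10.100.1.0/24 as
CRYPTO_ACL = (SITE_A_FAKE, SITE_B_FAKE)  # outside_1_cryptomap: post-NAT addresses


def rewrite_prefix(addr: str, src: Net, dst: Net) -> str:
    """Swap the network part of addr from src to dst, keeping the host bits
    (the 'match-host' behaviour the question asks for)."""
    a = ipaddress.IPv4Address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {src}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths differ, host bits would not survive")
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))


@dataclass(frozen=True)
class Static:
    """One static (companyname,outside) entry. A port static carries proto and
    ports; a network/policy static leaves them at None."""
    real_net: Net
    mapped: str                       # outside address, post's x.x.x.N placeholder kept
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def covers(self, real_ip: str, proto: Optional[str], port: Optional[int]) -> bool:
        if ipaddress.IPv4Address(real_ip) not in self.real_net:
            return False
        return self.real_port is None or (proto == self.proto and port == self.real_port)


# The six port redirects already in the running config.
EXISTING = [
    Static(Net("10.100.0.6/32"), "x.x.x.178", "tcp", 443, 443),
    Static(Net("10.100.0.20/32"), "x.x.x.178", "tcp", 25, 25),
    Static(Net("10.100.0.128/32"), "x.x.x.178", "tcp", 3389, 50000),
    Static(Net("10.100.0.26/32"), "x.x.x.181", "tcp", 3389, 2001),
    Static(Net("10.100.0.27/32"), "x.x.x.181", "tcp", 3389, 2002),
    Static(Net("10.100.0.28/32"), "x.x.x.178", "tcp", 3389, 2003),
]
# static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
BIG_STATIC = Static(SITE_A_REAL, "10.26.0.0")


def real_address_conflicts(new: Static, config: List[Static]) -> List[Static]:
    """Entries whose real address lies inside the new static's real network:
    the ASA prints one 'real-address conflict' warning per such entry."""
    return [s for s in config if s.real_net.subnet_of(new.real_net)]


def add_static(config: List[Static], new: Static) -> Tuple[str, List[Static]]:
    """Ordering rule as the answer describes it: a broad static added after
    more specific ones is accepted with warnings; a specific static added
    after a broad one that already covers it is rejected."""
    shadowed_by = [s for s in config
                   if s.real_port is None and new.real_net.subnet_of(s.real_net)]
    if shadowed_by:
        return "ERROR", shadowed_by
    conflicts = real_address_conflicts(new, config)
    config.append(new)
    return ("WARNING" if conflicts else "OK"), conflicts


def lookup_real(config: List[Static], real_ip: str, proto: str, port: int) -> Optional[Static]:
    """First entry in config order covering the real host/port: with the port
    statics configured first, the Internet-facing redirects keep their mapping."""
    return next((s for s in config if s.covers(real_ip, proto, port)), None)


def site_a_outbound(src_real: str, dst: str) -> dict:
    """Packet leaving companyname: policy NAT first, then the crypto ACL is
    matched against the translated source. Internet-bound traffic is left
    untouched here (the dynamic PAT for it is not modelled)."""
    if ipaddress.IPv4Address(dst) in SITE_B_FAKE:
        src = rewrite_prefix(src_real, SITE_A_REAL, SITE_A_FAKE)
    else:
        src = src_real
    encrypt = (ipaddress.IPv4Address(src) in CRYPTO_ACL[0]
               and ipaddress.IPv4Address(dst) in CRYPTO_ACL[1])
    return {"src": src, "dst": dst, "encrypt": encrypt}


def site_a_inbound_from_tunnel(src: str, dst_fake: str) -> str:
    """Packet arriving from Site_B (e.g. ssh to 10.26.1.222): the fake
    destination is untranslated to the real host (10.100.1.222)."""
    if ipaddress.IPv4Address(src) not in SITE_B_FAKE:
        raise ValueError("source must be Site_B's fake network")
    return rewrite_prefix(dst_fake, SITE_A_FAKE, SITE_A_REAL)


if __name__ == "__main__":
    cfg = list(EXISTING)
    status, conflicts = add_static(cfg, BIG_STATIC)
    print(status, len(conflicts), "conflicts")  # WARNING 6 conflicts
    print(site_a_outbound("10.100.1.222", "10.25.0.50"))
    print(site_a_inbound_from_tunnel("10.25.0.50", "10.26.1.222"))
```

Running it with the six port statics first reproduces the six warnings and still resolves 10.100.0.6:443 to the specific redirect, while 10.100.1.222 falls through to the big static; putting the big static first turns the next specific static into the error the answer mentions.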

Tags: Cisco Security

Similar Questions

  • IOS IPSEC VPN with NAT - translation problem

    I'm having a problem with IOS IPSEC VPN configuration.

    /*
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key TEST123 address 205.xx.1.4
    !
    !
    crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
    !
    !
    crypto map CRYPTO-MAP 10 ipsec-isakmp
     set peer 205.xx.1.4
     set transform-set CHAIN
     match address 115
    !
    interface FastEthernet0/0
     description TO THE EDGE ROUTER
     ip address 208.xx.xx.33 255.255.255.252
     ip nat outside
     crypto map CRYPTO-MAP
    !
    interface FastEthernet0/1
     description INTERNAL NETWORK
     ip address 10.15.2.4 255.255.255.0
     ip nat inside

    access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
    */

    (This configuration is incomplete / the NAT configuration is needed)

    Here is the solution I'm looking for:

    When a session is initiated from the "internal network" to the "remote IPSEC network 172.xx.1.0/30", I want NAT to translate the "10.15.0.0/16" address scheme to "192.xx.xx.128/30" before forwarding it through the IPSEC VPN tunnel.

    For more information, see the attached diagram.

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the NAT + route-map approach (method 2 in this link):

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • IPSec VPN with DynDNS host problems after change of address

    Hi guys,

    I have a weird problem on an IOS router.

    I need to implement an L2L IPsec VPN.

    Because of security requirements each site needs its own pre-shared key. The sites have dynamic IPs, and that is why I use dyndns.

    crypto isakmp key KEY hostname XXXXXXXXXXX.dyndns.org

    crypto map CMAP_1 1 ipsec-isakmp
     set peer XXXXXXXXX.dyndns.org dynamic

    At first it works fine, but after the IP address changes it no longer works.

    Debugging, I discovered that it resolves the new IP address but IPsec attempts to connect to the old one.

    I tried this on two other IOS versions, 15.0 and 12.4.

    This is the debug output:

    *Mar 1 01:02:39.735: IPSEC: Peer addr of Link70 (70.1.1.3) is out of date, triggering DNS
    *Mar 1 01:02:39.735: IPSEC: Peer has address 70.1.1.3 (DNS cache).                 <-- NEW IP address
    *Mar 1 01:02:41.731: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 1.1.1.2, remote= 70.1.1.200,                     <-- OLD IP
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 10.254.70.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
        lifedur= 240s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *Mar 1 01:02:41.739: ISAKMP:(0): SA request profile is (NULL)
    *Mar 1 01:02:41.739: ISAKMP: Created a peer struct for 70.1.1.200, peer port 500
    *Mar 1 01:02:41.739: ISAKMP: New peer created peer = 0x673FB268 peer_handle = 0x80000008
    *Mar 1 01:02:41.739: ISAKMP: Locking peer struct 0x673FB268, refcount 1 for isakmp_initiator
    *Mar 1 01:02:41.743: ISAKMP: local port 500, remote port 500
    *Mar 1 01:02:41.743: ISAKMP: set new node 0 to QM_IDLE
    *Mar 1 01:02:41.743: insert sa successfully sa = 650AE400
    *Mar 1 01:02:41.747: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Mar 1 01:02:41.747: ISAKMP:(0):No pre-shared key with 70.1.1.200!                 <-- PROBLEM!
    *Mar 1 01:02:41.747: ISAKMP:(0): No Cert or pre-shared address key.                <-- PROBLEM!
    *Mar 1 01:02:41.747: ISAKMP:(0): construct_initial_message: Can not start Main mode
    *Mar 1 01:02:41.751: ISAKMP: Unlocking peer struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
    *Mar 1 01:02:41.751: ISAKMP: Deleting peer node by peer_reap for 70.1.1.200: 673FB268
    *Mar 1 01:02:41.751: ISAKMP:(0):purging SA., sa=650AE400, delme=650AE400
    *Mar 1 01:02:41.755: ISAKMP:(0):purging node -267512777
    *Mar 1 01:02:41.755: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Mar 1 01:02:41.755: ISAKMP: Error while processing KMI message 0, error 2.
    *Mar 1 01:02:41.759: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    Success rate is 0 percent (0/5)

    I'm building a lab to find a solution for this.

    The other side is a Linksys VPN router; I tried with an IOS router on both sides as well, but I got the same results.

    I tried DPD, ISAKMP profiles... no help.

    Hi Smailmilak83,

    Configuring a static crypto map with a specific peer creates an SA for the peer. The DNS lookup is done only the first time it tries to connect; after that it just rekeys the SA, and it will use the peer value in the SA rather than the config or a DNS lookup. So it makes sense to use a dynamic crypto map.

    Please try using a dynamic crypto map instead of a static map. Although there are some limitations, including the crypto being initiated only from the other end, we can work around that by keeping the tunnel up.

    Hope that helps.

    Sent from Cisco Technical Support iPhone App

    - Please rate helpful posts.

  • Several tunnels to Datacenter VPN with overlapping networks

    Hello guys,

    We are starting to host applications for customers who need Windows trusts (maybe?) and full access to a class C subnet in our data center IP space.

    My problem is that most of our customers are small mom-and-pop shops IPed as 192.168.1.x. I intend to install my own Cisco ASA at each of these sites and create a VPN to the data center to access the application. For the last 2 sites I've done, I re-IPed the network to my own scheme. I am starting to run into many customers for whom we simply host the app, and I can't really make them re-IP their network if they don't want to.

    My question is, what are my options here? I guess some kind of NAT, but I don't really know how it works. With a Windows trust the communication must be two-way. If we did not need a trust, I could see this working without problem with a simple NAT, right? Firewall guys, where would you NAT? The remote end or the data center?

    Any help and advice is appreciated.

    I'm a complete Cisco network: ASAs, Catalysts, routers, etc...

    Hi Billy,

    Basically, for overlapping networks, you will run NAT on both sites for the interesting traffic.
    If you have overlapping networks, you can follow this link if you use a Cisco ASA and this link for Cisco routers as the VPN endpoint devices.

    Kind regards,
    Dinesh Moudgil

    PS Please rate helpful posts.

  • IPSEC VPN with Dynamics to dynamic IP

    Hello

    I have been trying IPsec VPN with dynamic-to-dynamic IP (router to router) for some time. But I still cannot auto-establish the tunnel.

    Can someone please tell me if it is possible to do?

    If so, please share the secret to making it work with me.

    Thank you!

    Best regards

    Rather than a crypto map, I would use a crypto profile. Then you establish an IPsec tunnel. The beauty of the profile is that you can run routing protocols through it, and you do not have to constantly change the maps whenever you change the network topology. The "* * * * *" in the timer event is "minute hour day week month", so "* * * * *" is updated every minute. The tunnel destination stores an IP address, not a hostname, but when you set it you can put in a hostname and it converts it to an IP address at the moment you configure it.

    So, if you type:

    config t

    interface tunnel100
     tunnel destination remote.dyndns.com

    exit

    show run int tunnel100

    it shows:

    interface Tunnel100
     tunnel destination 75.67.43.79

    That's why the event handler goes and sets the tunnel destination every minute to whatever the DDNS says the new IP address is.

    I have seen that both of your routers are running DDNS. They will have to do this.

    Local router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description remote.dyndns.org
     ip address 10.254.220.10 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 75.67.43.79
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.2.0 255.255.255.0 10.254.220.9

    event manager applet Change-tunnel-dest
     event timer cron name "CRON" cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination remote.dyndns.org"
    !

    --------

    Remote router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description local.dyndns.org
     ip address 10.254.220.9 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 93.219.58.191
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.1.0 255.255.255.0 10.254.220.10

    event manager applet Change-tunnel-dest
     event timer cron name "CRON" cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination local.dyndns.org"

    Thank you

    Bert

  • IPSec VPN with private WAN address... Help!

    I am trying to establish an IPsec site-to-site VPN to my company network. I use a Cisco 2811. If I plug into a public IP WAN connection my tunnel passes traffic without problem, but if I put a router in the middle, where the 2811 pulls a private IP address from the home router, I no longer get a tunnel up successfully. Any suggestions?

    I have the following statements.

    interface FastEthernet0/0
     ip address dhcp
     crypto map AESMAP

    interface Vlan1
     ip address XX.XX.XX.XX 255.255.255.240 (public IP)

    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

    If this helps clarify, the "router" is a CradlePoint (CRT500) that takes the 3G mobile connection and sends it out an Ethernet port to the WAN port on my router. The installation stays mobile and I rarely get the chance to have a public IP address on my WAN. Currently I use a SonicWall TX 100 router that lets me VPN into my company network. We hope to move all of our mobile kits to the Cisco product, but need to find a solution before the change can happen.

    If I do "show crypto isakmp sa" it shows: XX.XX.XX.XX (PUBLIC) <-> 192.168.0.1 ACTIVE.

    My thoughts are that my TCP 500 traffic goes to the VPN router, and when the VPN router sends traffic back to the address it has the SA with, it does not work because it is a private IP address. With my limited knowledge of how the VPN works, I think that in Phase 1 the two addresses must "bind" and NAT cannot be used with VPN? But I keep hoping that this might be a somewhat common question and there is a procedure in place to get around it, or maybe I just have a bad configuration or IP route...

    When I disable the crypto map on FA 0/0, add NAT to FA 0/0 and VLAN 1, and change my IP route to "0.0.0.0 0.0.0.0 192.168.0.1", I get non-VPN connectivity. Also, I put the address that my FA 0/0 gets in the DMZ of the CradlePoint.

    Thanks for any help anyone can provide!

    Brandon,

    NAT-T is designed to overcome the NAT/PAT problems known in the IPv4 world.

    The big problem is that if you have a public IPv4 address, you will need to run PAT. ESP/AH packets do not have a port number, so they cannot be PATed. To get around this, we encapsulate the IPsec payload inside UDP/4500 packets.

    That being said, some vendors overcome this problem differently, but it is not THE standard way.

    Your headend should see you as the public IP of the Internet-facing device.

    I agree that both SonicWall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.

    I would say that if possible, open a TAC case; the guys will be able to view your configs and solve the problem when it is there. These types of discussions on the forums can go on for a very long time ;-)

    Marcin
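    To make the ESP-versus-PAT point above concrete, here is an added example (not from the thread, and not Cisco code): a toy port-overloading NAT in Python with constructed addresses. It shows that two inside IPsec peers cannot both be multiplexed through one public address on bare ESP, because there is no port field for the NAT to rewrite, while the same ESP wrapped in UDP 4500 (what NAT-T does) gets a distinct mapped port per host. Class and function names, the addresses and the SPIs are mine.

```python
"""Toy NAPT showing why bare ESP cannot be PATed and NAT-T can (added example,
constructed packets and addresses; this is not Cisco or any vendor's code)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50
NAT_T_PORT = 4500  # RFC 3948 UDP encapsulation of ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only
    spi: Optional[int] = None     # ESP only (also carried inside the UDP 4500 payload)


class Napt:
    """Port-overloading NAT on one public address. A flow is identified by
    (private ip, private port). Bare ESP has no port, so the only thing that
    distinguishes two inside peers is the SPI, which the NAT did not allocate
    and which changes on every rekey; this model lets one ESP peer through
    unchanged (the 'IPsec passthrough' some devices offer) and drops a second."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.out: Dict[Tuple[str, int], int] = {}    # (private ip, port) -> public port
        self.back: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, port)
        self.esp_owner: Optional[str] = None

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            key = (p.src, p.sport)
            if key not in self.out:
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return replace(p, src=self.public_ip, sport=self.out[key])
        if p.proto == ESP:
            if self.esp_owner is None:
                self.esp_owner = p.src
            if self.esp_owner != p.src:
                return None                      # second ESP peer: nothing to rewrite
            return replace(p, src=self.public_ip)
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            key = self.back.get(p.dport)
            return None if key is None else replace(p, dst=key[0], dport=key[1])
        if p.proto == ESP and self.esp_owner is not None:
            return replace(p, dst=self.esp_owner)
        return None


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap an ESP packet in UDP 4500 -> 4500 so the NAT has a port to rewrite."""
    return Packet(UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT, spi=esp.spi)


def two_peers_behind_one_nat(use_nat_t: bool) -> dict:
    """Two inside hosts (constructed addresses) each run IPsec to the same
    headend through one NAT. Returns, per host, where the headend's reply
    ends up: the host itself, 'dropped', or 'reply lost'."""
    nat = Napt("203.0.113.10")
    headend = "198.51.100.1"
    results = {}
    for host, spi in (("192.168.0.50", 0x1111), ("192.168.0.51", 0x2222)):
        pkt = Packet(ESP, host, headend, spi=spi)
        if use_nat_t:
            pkt = nat_t_encapsulate(pkt)
        on_wire = nat.outbound(pkt)
        if on_wire is None:
            results[host] = "dropped"
            continue
        # the headend answers by swapping addresses and ports as it saw them
        reply = Packet(on_wire.proto, on_wire.dst, on_wire.src,
                       on_wire.dport, on_wire.sport, spi)
        delivered = nat.inbound(reply)
        results[host] = delivered.dst if delivered else "reply lost"
    return results


if __name__ == "__main__":
    print("bare ESP :", two_peers_behind_one_nat(False))
    print("NAT-T    :", two_peers_behind_one_nat(True))
```

    The bare-ESP run delivers only the first host's traffic and drops the second; with NAT-T both hosts get their own public port (40000 and 40001 here) and both replies are delivered, which is the case Brandon's 2811 is in once it sits behind the CradlePoint's private address.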

  • ISA500 site by site ipsec VPN with Cisco IGR

    Hello

    I have tried to get a site-to-site VPN working with Openswan and a Cisco 2821 router, and to configure an IPsec site-to-site tunnel between the Cisco 2821 and an ISA550.

    But without success.

    My openswan config, just FYI, maybe not important for this problem:

    config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$RIGHT_SUBNET
        nhelpers=0

    conn rz1
        ikev2=no
        type=tunnel
        left=%any
        leftsubnet=192.168.5.0/24
        right=
        rightsourceip=192.168.1.2
        rightsubnet=192.168.1.0/24
        keylife=28800s
        ikelifetime=28800s
        keyingtries=3
        auth=esp
        esp=aes128-sha1
        keyexchange=ike
        authby=secret
        auto=start
        ike=aes128-sha1;modp1536
        dpdaction=restart
        dpddelay=30
        dpdtimeout=60
        pfs=no
        aggrmode=no

    Cisco 2821 config for dynamic dial-in:

    crypto isakmp policy 1
     encr aes
     hash sha
     authentication pre-share
     group 5
     lifetime 28800
    !
    crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    !
    crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
    crypto dynamic-map DYNMAP_1 1
     set transform-set ESP-AES-SHA1
     match address 102
    !
    crypto isakmp key address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 30 periodic
    !
    crypto ipsec security-association lifetime seconds 28800
    !
    interface GigabitEthernet0/0.4002
     crypto map CMAP_1
    !

    I tried a config on the ISA550 with the same constellation, but without success.

    Does anyone have the same problem?

    And does anyone have a tip for me, or does someone have experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?

    I can successfully establish a tunnel between the openswan Linux server and the ISA550.

    Patrick,

    as you can see on newspapers, the software behind ISA is also OpenSWAN

    I have a facility with a 892 SRI running which should be the same as your 29erxx.

    Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

    Here is my setup, with roardwarrior AND 2, site 2 site.

    crypto logging session
    crypto logging ezvpn
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 2
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 4
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
     lifetime 7200
    crypto isakmp key XXXX address XXXXX no-xauth
    crypto isakmp key XXXX address XXXX no-xauth
    !
    crypto isakmp client configuration group default
     key XXXX
     dns XXXX
     pool default
     acl easyvpn_client_routes
     pfs
    !
    !
    crypto ipsec transform-set FEAT esp-3des esp-sha-hmac
    !
    crypto dynamic-map VPN 20
     set transform-set FEAT
     reverse-route
    !
    !
    crypto map VPN client authentication list default
    crypto map VPN isakmp authorization list default
    crypto map VPN client configuration address respond
    crypto map VPN 10 ipsec-isakmp
     description VPN-1
     set peer XXX
     set transform-set FEAT
     match address internal_networks_ipsec
    crypto map VPN 11 ipsec-isakmp
     description VPN-2
     set peer XXX
     set transform-set FEAT
     set pfs group2
     match address internal_networks_ipsec2
    crypto map VPN 20 ipsec-isakmp dynamic VPN
    !
    !

    Michael

    Please rate all useful posts

  • GRE IPsec VPN with mapped IP question

    Hello

    I am trying to configure two Cisco routers (1801 & 837) for a GRE IPsec VPN. One of them has a static IP and the other is a DSL connection, so a dynamic IP address. We have a few additional static IPs assigned to us through the DSL connection, so I am trying to use a static NAT to get the VPN connection up. Unfortunately, the VPN connection does not come up. Can anyone help...? The configuration of the two routers is attached here.

    R1

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 5
     lifetime 3600
    !
    crypto isakmp key XXXX address 11.22.33.44
    !
    crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
    !
    crypto ipsec profile myprof
     set transform-set 10
    !
    interface Tunnel10
     ip address 192.168.100.1 255.255.255.0
     tunnel source 22.33.44.55
     tunnel destination 11.22.33.44
     tunnel protection ipsec profile myprof

    ip nat inside source static 192.168.3.1 22.33.44.55

    R2

    crypto isakmp policy 11
     encr 3des
     authentication pre-share
     group 5
     lifetime 3600
    !
    crypto isakmp key XXXX address 22.33.44.55
    !
    crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
    !
    crypto ipsec profile myprof
     set transform-set 10
    !
    interface Tunnel10
     ip address 192.168.100.2 255.255.255.0
     tunnel source 11.22.33.44
     tunnel destination 22.33.44.55
     tunnel protection ipsec profile myprof

    FYI: I tried the same config with a loopback, also without success. But if I just change the source IP address on R1 to be the dynamic IP address, it works fine. But since it is a dynamic IP, I can't implement this.

    Thank you in advance to you all...

    Nimal

    Hi Chris,

    If the public IP address 22.33.44.55 is routable from R2, you can use p2p GRE + IPsec VPN. You can test it by creating a loopback address on R1:

    interface Loopback10
     ip address 22.33.44.55 255.255.255.255

    and ping 22.33.44.55 from R2 sourced from 11.22.33.44.

    If this public IP address is routable, you can use your configuration.

    HTH,

    Lei Tian

  • ASA IPsec VPN with dynamic public IP

    Hey,

    I have never deployed an IPsec VPN tunnel in production with an ASA on both sides where one side uses a dynamic public IP. I normally deploy VPN tunnels with both sides using static public IP addresses (not always a public IP address on the ASA directly, however).

    So I wonder how stable it works with a static public IP on one side and a dynamic public IP on the other?

    Thank you

    Shuai

    If you use certificates or PSK, and main mode or aggressive mode, it will work very well. I have a number of production sites using this method.

    Sent from Cisco Technical Support iPad App

  • Remote-access IPsec VPN with L2L

    Hello.

    I am working on setting up a site-to-site VPN, but I'm running into a problem when I apply the crypto map to the outside interface.

    I already have a remote-access IPsec VPN up with this crypto map applied to the outside interface. When I apply the map that I created for the L2L, it drops the RA VPN when applied to this interface. I was wondering how I can make this work with both IPsec VPNs.

    crypto ipsec ikev1 transform-set IPSec esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2lvpn esp-3des esp-sha-hmac
    crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 1 set reverse-route
    crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM
    crypto map IPSecVPNCM interface outside
    crypto map IPSecL2L 1 match address CSM_IPSEC_ACL_1
    crypto map IPSecL2L 1 set peer x.x.x.x
    crypto map IPSecL2L 1 set ikev1 transform-set l2lvpn
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     fqdn none
     subject-name CN=IPSec-SMU-5505
     crl configure
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200

    Thank you

    Hello

    I guess that you may need to remove these as well:

    crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 1 set reverse-route
    crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM

    And add them again with sequence number 65535, for example, instead of 1:

    crypto dynamic-map IPSecVPNDM 65535 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 65535 set reverse-route
    crypto map IPSecVPNCM 65535 ipsec-isakmp dynamic IPSecVPNDM

    Then use a different sequence number for the L2L VPN. The sequence number indicates the order in which the ASA tries to find a match for a VPN connection. It probably gives this error message because you already have the dynamic configuration with this sequence number and are trying to use the same one for the L2L VPN configuration.

    Again, if you configure a second L2L VPN at some point, you would use yet another sequence number for that connection.

    -Jouni
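    The fix Jouni describes, written out as an added example (it is not Jouni's or the original poster's configuration): both VPN types go into the one crypto map that the outside interface carries, the L2L entries at low sequence numbers and the dynamic entry at 65535. The names IPSecVPNCM, IPSecVPNDM, CSM_IPSEC_ACL_1, the transform-set names and the peer x.x.x.x are the thread's; the tunnel-group lines, the PSK placeholders and the dynamic-IP peer at the end are assumptions added here. That last part also answers the earlier question on this page about an ASA L2L peer with a dynamic public IP: such a peer cannot be named by address, so with IKEv1 PSK it is caught by the same dynamic entry and authenticated against DefaultL2LGroup.

```cisco
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set l2lvpn esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set IPSec esp-3des esp-sha-hmac
!
! Static L2L entries first. The ASA walks the map in ascending sequence order and
! the first entry whose match ACL fits the traffic decides the peer.
crypto map IPSecVPNCM 10 match address CSM_IPSEC_ACL_1
crypto map IPSecVPNCM 10 set peer x.x.x.x
crypto map IPSecVPNCM 10 set ikev1 transform-set l2lvpn
! A second L2L tunnel added later gets its own number below 65535 (20, 30, ...).
!
! Dynamic entry last. It has no peer and no match ACL, so it accepts whatever
! reaches it: remote-access clients, or an L2L peer whose address is not known.
! At sequence 1 it would be evaluated before every L2L entry.
crypto dynamic-map IPSecVPNDM 65535 set ikev1 transform-set IPSec
crypto dynamic-map IPSecVPNDM 65535 set reverse-route
crypto map IPSecVPNCM 65535 ipsec-isakmp dynamic IPSecVPNDM
!
! Only one crypto map can be bound to an interface, so a second map name
! (IPSecL2L) applied here would replace IPSecVPNCM and drop the RA VPN.
crypto map IPSecVPNCM interface outside
!
! Static L2L peer: the tunnel-group is named after its IP (placeholder PSK).
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key <l2l-psk>
!
! Assumed dynamic-IP L2L peer: no tunnel-group can be found by address, so the
! ASA uses the built-in DefaultL2LGroup for the PSK. That peer must initiate,
! because this side has no address to dial. The existing remote-access
! tunnel-group is unchanged and not shown.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <dynamic-peer-psk>
```

    Check with "show run crypto map" that every entry sits under the single name IPSecVPNCM in ascending order, and after a test connection with "show crypto ikev1 sa" and "show crypto ipsec sa peer x.x.x.x" that the L2L peer landed on sequence 10 rather than on the dynamic entry.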

  • IPsec VPN with compression

    Hi all

    I found that the 2600XM supports IPPCP compression for IPsec VPN. It seems that it is supported only with a VPN module, is that right?

    What about if I don't have the VPN module, but configure IPsec VPN and compression for a low-speed connection?

    BTW, can IPsec VPN and "compress stac" co-exist?

    Also, what kind of compression is supported on the 28xx with IPsec VPN?

    Thank you very much.

    MAK

    MAK,

    It depends on the installed VPN module. The earlier ones support compression, but the compression is performed in software, not on the card, which offers only encryption. For this to work, you must run IOS 12.2(13)T or later.

    If you are running an earlier IOS, you cannot use compression alongside encryption on the AIM cards at all.

    The latest AIM-VPN/?P II cards support IPPCP in hardware.

    More information is here:

    http://www.Cisco.com/en/us/products/HW/routers/ps259/products_data_sheet09186a0080088750.html

    This link shows information related to the release of the software compression functionality in 12.2(13)T:

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110c00.html#1027177

    So the options you have depend on the IOS and the AIM card you have:

    Early IOS and early card: no compression

    12.2(13)T IOS and early card: hardware encryption, software compression

    Latest card and supporting IOS: hardware encryption and hardware compression

    I'm unsure of the 2800 series; I would expect that they support the latest hardware compression and encryption.

    Andy
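    The command form the question asks about, as an added example (not from the thread): IPPCP compression is one more element of the IPsec transform set, so it is negotiated per SA and applies only to traffic the crypto map encrypts. The map, ACL and transform-set names and the peer are placeholders. Whether it runs on the AIM card or in software is decided by the module and the IOS as Andy describes; the configuration is the same either way. Interface-level "compress stac", by contrast, works on the frame after encryption, and ciphertext does not compress.

```cisco
! comp-lzs (IPPCP with LZS) is the last element of the transform set. The peer
! must propose the same set, otherwise the SA comes up without compression.
crypto ipsec transform-set ESP-3DES-SHA-LZS esp-3des esp-sha-hmac comp-lzs
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer <peer-ip>
 set transform-set ESP-3DES-SHA-LZS
 match address VPN_TRAFFIC
!
! Verify after the tunnel is up: the transform line of each SA lists comp-lzs
! when compression was negotiated, and separate pcp SAs appear beside the esp SAs.
show crypto ipsec sa
```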

  • Cisco router configuration for IPsec VPN with the Windows 7 built-in VPN client

    Where can I find an example config for an IPsec VPN where the Windows 7 native client connects to a Cisco router? I use a Cisco 881W in this case.

    Thomas McLeod

    The Windows native client supports only L2TP over IPsec. The example at the end of this doc may be enough for you:

    http://www.Cisco.com/en/us/docs/security/vpn_modules/6342/configuration/guide/6342vpn4.html#wp1036111

    I've not personally configured L2TP/IPsec on IOS, only on ASA, so I cannot be 100% sure that the config in the link works, but the general idea should be OK.
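    An added example (not the linked document's configuration and not from either poster): a minimal IOS configuration for the Windows 7 built-in client in L2TP/IPsec mode on an 881W, with the WAN on FastEthernet4 and the LAN on Vlan1 as on that platform. The PSK, address pool, user name and password are placeholders; the 3DES/SHA1/group 2 choice matches what the Windows 7 client proposes by default.

```cisco
! IKEv1 phase 1 as the Windows 7 client proposes it by default.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK: client addresses are not known. no-xauth because the user is
! authenticated by PPP inside the L2TP tunnel, not by IKE extended auth.
crypto isakmp key <psk> address 0.0.0.0 0.0.0.0 no-xauth
! Transport mode: ESP protects UDP 1701 between client and router; there is no
! outer IP header as in a site-to-site tunnel.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
crypto map L2TP-CM 10 ipsec-isakmp dynamic L2TP-DYN
!
! L2TP server side. Windows does not do L2TP tunnel authentication.
vpdn enable
vpdn-group L2TP-WIN
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
ip local pool L2TP-POOL 192.168.200.10 192.168.200.50
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
!
! MS-CHAPv2 needs a reversible local password (not "secret"). Assumed test user.
username vpnuser password 0 <password>
!
interface FastEthernet4
 crypto map L2TP-CM
```

    On the client, select "L2TP/IPsec with pre-shared key" and enter the PSK under the connection's advanced settings. If the router itself sits behind a NAT device, Windows 7 will not complete IKE over UDP 4500 until the AssumeUDPEncapsulationContextOnSendRule registry value is set on the client; "show crypto isakmp sa" and "show vpdn session" on the router show which of the two layers is stuck.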

  • Outbound IPsec VPN connection problem behind a PIX 535: narrowed down to NAT-related

    Hello world

    Previously I saw a similar thread and posted my troubles with outbound VPN connections in that thread:

    https://supportforums.Cisco.com/message/3688980#3688980

    I got great help, but unfortunately my problem is a little different and still a connection problem. Here I summarize our configuration once again:

    hostname pix535, version 8.0(4)

    All PCs here use private IPs such as 10.1.0.0/16 behind dynamic NAT; we cannot initiate an OUTBOUND IPsec VPN (for example QuickVPN) from our office, but the reverse (inbound) works very well (we have had an IPsec/PPTP server working for a long time). I did a few new tests yesterday which showed that if the PC has a static NAT (mapped to a real public IP), the outgoing VPN connection is fine; if the same PC has no static NAT (it hides behind the firewall's dynamic NAT), outgoing VPN is a no-go (same IP on the same PC). So roughly, I have narrowed our VPN connection problem down to being NAT-related. Here are a few NAT commands from our PIX:

    interface GigabitEthernet0
     description to cable-modem
     nameif outside
     security-level 0
     ip address 70.169.X.X 255.255.255.0
     ospf cost 10
    !
    interface GigabitEthernet1
     description inside 10/16
     nameif inside
     security-level 100
     ip address 10.1.1.254 255.255.0.0
     ospf cost 10
    !
    !
    interface Ethernet2
     description Vlan30
     nameif dmz2
     security-level 50
     ip address 30.30.30.30 255.255.255.0
     ospf cost 10
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    ......

    global (outside) 10 interface
    global (dmz2) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 inside8 255.255.255.0
    nat (inside) 10 Vlan10 255.255.255.0
    nat (inside) 10 vlan50 255.255.255.0
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.1.0 255.255.255.0
    nat (inside) 10 192.168.10.0 255.255.255.0
    nat (inside) 10 pix-inside 255.255.0.0

    crypto isakmp nat-traversal 3600

    -------

    Packet capture results are listed here for the same PC and the same traffic to the branch VPN server; the main difference is UDP 4500 (the PC with static NAT has proper UDP 4500 traffic, the same PC with dynamic NAT does not):

    #1: when the PC uses static NAT, outgoing VPN is fine:

    54 packets captured
    1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
    5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
    6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
    7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
    8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
    9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
    10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
    11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
    12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
    13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
    14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
    15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
    16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
    17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: F 2323207075:2323207075 (0) ack 2904547576 win 7504
    18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140

    19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
    20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: F 2904547613:2904547613 (0) ack 2323207076 win 63140
    21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
    22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
    24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
    25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
    26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: udp 64
    28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
    29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
    30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
    32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
    34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
    35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
    37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
    38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
    39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
    40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
    41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
    42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
    43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
    44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
    45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
    46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
    47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
    48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
    49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
    50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: F 1440821934:1440821934 (0) ack 938189002 win 7504
    51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
    52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
    53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: F 938189039:938189039 (0) ack 1440821935 win 63252
    54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

    #2: same PC with dynamic NAT, VPN connection fails:

    70 packets captured
    1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
    5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
    6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
    7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
    8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
    9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
    10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
    11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
    12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432

    13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
    14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
    15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
    16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
    17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: F 1715578882:1715578882 (0) ack 3309127643 win 7504
    18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
    19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
    20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: F 3309127680:3309127680 (0) ack 1715578883 win 63140
    21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
    22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
    24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
    25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
    26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
    27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
    28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
    30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
    31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
    34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
    35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
    36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
    37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
    38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
    39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
    40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
    41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
    42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
    43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
    44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
    45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
    46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: F 248910579:248910579 (0) ack 3856216293 win 7504
    47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
    48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
    49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: F 3856216330:3856216330 (0) ack 248910580 win 63518
    50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
    51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
    52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
    53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
    54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
    55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
    56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
    57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
    58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
    59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432

    60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
    61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
    62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
    63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: F 908774740:908774740 (0) ack 3657182254 win 7504
    65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
    69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: F 3657182291:3657182291 (0) ack 908774741 win 63252
    70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
    70 packets shown

    We have had this IPsec VPN connection problem for years (I first thought it was an access restriction problem, but it does not work even if I disable all access lists; yesterday's experiment with the same access-list restriction on the same PC shows that this is not the cause). All suggestions and tips are greatly appreciated.

    Sean

    Hi Sean, please remove the highlighted lines from your PIX, try again and let me know. These lines are not the default configuration of the PIX.

    class-map vpn-udp-class
     match access-list vpn-udp-acl

    policy-map vpn-udp-policy
     class vpn-udp-class
      inspect ipsec-pass-thru

    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 768

    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
      inspect ipsec-pass-thru

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    ip verify reverse-path interface outside

    Thank you

    Rizwan James
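    The captures in the post were taken on the inside interface, so they show what the PC sends and what comes back, but not what the PIX emits on the outside after PAT; in the failing case the PC's UDP 500 packets get 40-byte replies and never move to UDP 4500. An added check (not part of the thread) that separates the two possibilities: capture the same flow on both interfaces and run packet-tracer for UDP 500 and UDP 4500, which prints the NAT, ACL and inspection phases and the reason for any drop. Addresses are the thread's; the ACL and capture names are assumed.

```cisco
! Inside view: the PC's own addresses and ports.
access-list CAP_IKE extended permit udp host 10.1.1.82 host 76.196.10.57 eq 500
access-list CAP_IKE extended permit udp host 76.196.10.57 host 10.1.1.82 eq 500
access-list CAP_IKE extended permit udp host 10.1.1.82 host 76.196.10.57 eq 4500
access-list CAP_IKE extended permit udp host 76.196.10.57 host 10.1.1.82 eq 4500
capture IKE_IN interface inside access-list CAP_IKE
!
! Outside view: after PAT the source is the interface address and the source
! port is whatever the PIX picked, so match only the peer and the service ports.
access-list CAP_IKE_OUT extended permit udp any host 76.196.10.57 eq 500
access-list CAP_IKE_OUT extended permit udp host 76.196.10.57 any eq 500
access-list CAP_IKE_OUT extended permit udp any host 76.196.10.57 eq 4500
access-list CAP_IKE_OUT extended permit udp host 76.196.10.57 any eq 4500
capture IKE_OUT interface outside access-list CAP_IKE_OUT
!
! Simulate one packet of each flow through the firewall's own pipeline. The
! output names the nat/global rule used, the translated address and port, and
! any ACL or inspect phase that drops the packet.
packet-tracer input inside udp 10.1.1.82 500 76.196.10.57 500
packet-tracer input inside udp 10.1.1.82 4500 76.196.10.57 4500
!
! After reproducing the failure from the PC, compare both sides and the xlate.
! A UDP 500 packet whose translated source port is not 500 is what the peer
! sees when the PC is behind PAT; with static NAT the port is preserved.
show capture IKE_IN
show capture IKE_OUT detail
show xlate | include 10.1.1.82
```

    Repeat the two captures once with the static NAT in place and once without; the outside capture and the xlate line are the only places where the two cases should differ, and that difference is what the remote VPN server reacts to.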

  • Site-to-site VPN problem with overlapping networks

    We currently have a PIX 515E firewall as a head-end with many site-to-site tunnels configured to it with PIX 506 endpoints. Our internal LAN addressing scheme is 172.18.0.0 255.255.0.0. The local network addresses at two of the remote networks with site-to-site VPN configured are 172.18.107.0 255.255.255.224 and 172.18.107.32 255.255.255.0. The remote networks access all services on our internal network very well. We have 20 other network segments configured the same way. The 172.18.107.32 network needs to communicate with the 172.18.107.0 network for file services on the other remote PIX. Since the head-end PIX will not allow traffic to leave the same interface it came in on, we thought we would just set up a site-to-site tunnel between the two remote LANs. After configuring the site-to-site, the remote firewalls do not appear to try to establish tunnels when sending interesting traffic. I turned on debug for ISAKMP and nothing is either sent or received on either remote firewall with regard to these tunnels. It's almost as if, since we already have a tunnel set to our 172.18.0.0 internal LAN, the remote PIX will not build a tunnel specifically to 172.18.107.0. I am able to ping each remote peer from the other and see the protection rules, but nothing is ever established.

    Is what we are trying to do possible? Sorry for the long post, but it's kind of a strange scenario. Thanks in advance for any help.

    In what order are the crypto map sequence numbers for the VPN configuration on the remote PIX units? It could be that the one you are trying to install has a higher number and is checked after the head-end PIX entry. If this is the case, then yes, the 172.18/16 route would prevail over 172.18.107/24. Try rebuilding the crypto map entry with a lower number so that traffic to 172.18.107/24 comes first.

    Let me know how it works.
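    An added example for one of the remote PIX 506 units (not from the thread): both tunnels in one crypto map, with the sister-site entry at the lower sequence number so that its narrower ACL is evaluated before the head-end ACL, which also covers 172.18.107.0/27 because it matches all of 172.18/16. Addresses are the thread's; this assumes both remote LANs are /27s (the post gives 172.18.107.32 with a /24 mask, which would overlap 172.18.107.0/27 and make the two sites indistinguishable). The map, ACL and transform-set names and the peer placeholders are made up here; the isakmp key and nat 0 lines are unchanged from the existing head-end tunnel and not shown.

```cisco
! Remote PIX at the 172.18.107.32/27 site. The PIX checks crypto map entries in
! ascending sequence order and the first ACL that matches the packet decides the
! peer, so the more specific ACL must come first.
access-list TO_REMOTE107 permit ip 172.18.107.32 255.255.255.224 172.18.107.0 255.255.255.224
access-list TO_HEADEND permit ip 172.18.107.32 255.255.255.224 172.18.0.0 255.255.0.0
!
! Seq 10: tunnel to the other remote site, evaluated first.
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address TO_REMOTE107
crypto map VPNMAP 10 set peer <remote-pix-public-ip>
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
! Seq 20: existing tunnel to the head-end. With the numbers swapped, seq 20's
! /16 ACL would claim the 172.18.107.0/27 traffic and seq 10 would never fire.
crypto map VPNMAP 20 ipsec-isakmp
crypto map VPNMAP 20 match address TO_HEADEND
crypto map VPNMAP 20 set peer <head-end-public-ip>
crypto map VPNMAP 20 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
!
! Verify: the entries in the order the PIX uses, then, after a ping from a host
! in 172.18.107.32/27 to one in 172.18.107.0/27, an SA whose local/remote ident
! is the /27 pair and whose peer is the other remote PIX, not the head-end.
show crypto map interface outside
show crypto ipsec sa
```

    The same ordering is needed on the other remote PIX, with the two /27s swapped, and the head-end ACL there must also be the later entry.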

  • LAN-to-LAN IPsec VPN

    Hi all

    I need to change my current LAN-to-LAN VPN configuration to host-to-LAN, and I have a few questions. Maybe someone here can help me.

    Current configuration:

    SITE A:

    -Cisco 892

    -subnet: 192.168.1.0/24

    SITE B:

    -Cisco 3000 concentrator

    -subnet 192.168.2.0/24

    I have access to only the SITE A router.

    Currently, all clients in site A can reach site B and vice versa.

    Here are my ACLs on the SITE A router:

    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    Now I need to change the VPN config to:

    -the IPsec VPN must be configured between 192.168.2.0/24 (SITE B) and 10.1.1.1/32 (the IP address used to NAT all clients from SITE A to SITE B)

    The SITE A router ACL should become:

    permit ip host 10.1.1.1 192.168.2.0 0.0.0.255

    All SITE A clients who want to reach SITE B are NATed to 10.1.1.1. SITE B cannot reach the SITE A subnet, only 10.1.1.1.

    Now the questions:

    Should the IP address 10.1.1.1 be configured on a loopback interface?

    How should the NAT be configured?

    Thank you very much.

    Hello Richard,

    10.1.1.1 will be configured on a loopback interface. Here's the basic config:

    interface Loopback0
     ip address 10.1.1.1 255.255.255.255
     ip nat outside
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/1
     ip address 23.0.0.2 255.255.255.0
     ip nat outside
     crypto map WCPA
    !
    ip nat inside source list VPN_NAT_ACL interface Loopback0 overload
    !
    ip access-list extended VPN_NAT_ACL
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended VPN_TRAFFIC_ENCRYPT
     permit ip host 10.1.1.1 192.168.2.0 0.0.0.255

    Best regards

    Please rate all useful messages and close resolved issues
