life of VPN tunnel

Hello!

I have a question about the life of vpn tunnel. We have two pix 501. A pix has a public ip address on the external interface, the other pix has a dynamic assigned ip address on the external interface. The thing is that only one side can launch the tunnel initially, it's ok, but we don't want the tunnel ever to descend, so communication can be launched from both sides when the tunnel is up, it is very important. Is there any solution for this? / Best regards

Try keepavlive get in place with the command function

ISAKMP keepalive 10

Tags: Cisco Security

Similar Questions

Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

HelloW everyone.

I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

but the vpn does not come to the top. can someone tell me what can be the root cause?

Here is the configuration of twa asa: (I changed the ip address all the)

Singapore:

See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">

!
<--- more="" ---="">

interface GigabitEthernet0/3
<--- more="" ---="">

Shutdown
<--- more="" ---="">

No nameif
<--- more="" ---="">

no level of security
<--- more="" ---="">

no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">

192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">

service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">

ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server

Community trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">

IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">

inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: end

Malaysia:

:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">

!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">

Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">

tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">

host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">

Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server

No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">

tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">

inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good news, that VPN has been implemented!

According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

In addition, you can try to enable ICMP inspection:

Policy-map global_policy
class inspection_default

inspect the icmp

inspect the icmp error

VPN tunnel action

HELO all

I'm in this situation:

I have a tunnel VPN setup and running on a router 1800.
Our customer wants a tunnel of intervention similar to this (with other peer IP of course).

When the main vpn tunnel has dropped the other will take over.

My question: can I put a second peer who will take over when the first falls:

Nome-240 crypto map ipsec-isakmp crypto
VPN CLIENT description
defined by peer 201.94.151.141
defined by peer 201.94.151.142
86400 seconds, life of security association set
the value of the transform-set 3des-sha
match the address vpn_intlfcstone

or

I have to make another card encryption as follows (using the same access list)?

Nome- 240 crypto map ipsec-isakmp crypto
VPN CLIENT description
defined by peer 201.94.151.141 -(main post)
86400 seconds, life of security association set
the value of the transform-set 3des-sha
address for correspondence vpn_intlfcstone

Nome- 250 crypto map ipsec-isakmp crypto
VPN CLIENT description
defined by peer 201.94.151.142 -(second peer)
86400 seconds, life of security association set
the value of the transform-set 3des-sha
address for correspondence vpn_intlfcstone

The two Tunnel VPN must be on the same router (unfortunately) (1800).

Hello edilson.silva1,

You can configure a second IP for backup VPN peer.

http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/XE-3s/asr1000/sec-VPN-availability-XE-3s-asr1000-book/sec-IPSec-pref-peer.html#GUID-527C42AE-44EC-4178-BBC3-B65189329B03

Creating a different sequence in the encryption for the same traffic map will generate a problem that overlap.

Impossible to pass traffic through the VPN tunnel

I have an ASA 5505 9.1 running. I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

Here is my config

LN-BLF-ASA5505 > en
Password: *.
ASA5505-BLF-LN # sho run
: Saved
:
: Serial number: JMX1216Z0SM
: Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
:
ASA 5,0000 Version 21
!
LN-BLF-ASA5505 hostname
domain lopeznegrete.com
activate the password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.116.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP 50.201.218.69 255.255.255.224
OSPF cost 10
!
boot system Disk0: / asa915-21 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain lopeznegrete.com
network obj_any object
subnet 0.0.0.0 0.0.0.0
the LNC_Local_TX_Nets object-group network
Description of internal networks Negrete Lopez (Texas)
object-network 192.168.1.0 255.255.255.0
object-network 192.168.2.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
object-network 192.168.4.0 255.255.255.0
object-network 192.168.5.0 255.255.255.0
object-network 192.168.51.0 255.255.255.0
object-network 192.168.55.0 255.255.255.0
object-network 192.168.52.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.56.0 255.255.255.0
object-network 192.168.59.0 255.255.255.0
object-network 10.111.14.0 255.255.255.0
object-network 10.111.19.0 255.255.255.0
the LNC_Blueleaf_Nets object-group network
object-network 192.168.116.0 255.255.255.0
access outside the permitted scope icmp any4 any4 list
extended outdoor access allowed icmp a whole list
outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
outside access-group in external interface
!
router ospf 1
255.255.255.255 network 192.168.116.254 area 0
Journal-adj-changes
default-information originate always
!
Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.2.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 50.201.218.93
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
no use of validation
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto isakmp identity address
Crypto isakmp nat-traversal 1500
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access inside

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
username
username
tunnel-group 50.201.218.93 type ipsec-l2l
IPSec-attributes tunnel-group 50.201.218.93
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home service
anonymous reporting remote call
call-home
contact-email-addr [email protected] / * /
Profile of CiscoTAC-1
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e519f212867755f697101394f40d9ed7
: end
LN-BLF-ASA5505 #.

Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:
```
 packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail
```
(simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

VPN Tunnel access to several subnets ASA 5505

Greetings,

We spent a little time trying to configure our ASA 5505 in order to TUNNEL into several different subnets. Subnets include 192.168.1.0 / 192.168.2.0 / 192.168.10.0

Someone is about to review this setup running and indicate where we have gone wrong. When I connect via the VPN Client, I can access the 192.168.1.0 network, no problem. But fail to reach the other two. Thank you very much.

Output from the command: 'show running-config '.

: Saved

:

ASA Version 8.2 (5)

!

hostname BakerLofts

activate kn7RHw13Elw2W2eU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 12

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 74.204.54.4 255.255.255.248

!

interface Vlan12

nameif Inside2

security-level 100

IP address 192.168.10.254 255.255.255.0

!

passive FTP mode

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

outside_access_in of access allowed any ip an extended list

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.3.0 255.255.255.0

Inside2_access_in of access allowed any ip an extended list

permit Inside2_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 Inside2

IP local pool vpn 192.168.3.1 - 192.168.3.254 mask 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside) 0 192.168.3.0 255.255.255.0 outside

NAT (Inside2) 0-list of access Inside2_nat0_outbound

NAT (Inside2) 1 0.0.0.0 0.0.0.0

Access-group outside_access_in in interface outside

Access-group Inside2_access_in in the interface Inside2

Route outside 0.0.0.0 0.0.0.0 74.204.54.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

AAA authentication LOCAL telnet console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130

010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a

30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504

0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269

65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332

68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329

302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f

63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d

010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201

082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101

ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff

45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a

1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1

6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603

445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04

1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d

2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.1.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal vpn group policy

attributes of vpn group policy

value of server DNS 8.8.8.8

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpn_splitTunnelAcl

username, password samn aXJbUl92B77AGcc. encrypted privilege 0

samn attributes username

Strategy-Group-VPN vpn

username password encrypted QUe2MihLFbj2.Iw0 privilege 0 jmulwa

username jmulwa attributes

Strategy-Group-VPN vpn

jangus Uixpk4uuyEDOu9eu username encrypted password

username jangus attributes

Strategy-Group-VPN vpn

vpn tunnel-group type remote access

VPN tunnel-group general attributes

vpn address pool

Group Policy - by default-vpn

Tunnel vpn ipsec-attributes group

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

anonymous reporting remote call

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

I see two problems:

1. your ASA has not an interior road to the Incas inside networks. You must add:

Route inside 192.168.2.0 255.255.255.0

Route inside 192.168.10.0 255.255.255.0

.. .specifying your gateway address of these networks.

2. the statement "access-list standard vpn_splitTunnelAcl permit 192.168.1.0 255.255.255.0" sends only a route for 192.168.1.0/24 to your customer. You need to add entries for the other two networks.

ASA base S2S VPN, Tunnel establishes only when interesting traffic hits to end distance

Dear all,

I need your help to solve the problem mentioned below.

VPN tunnel established between the unit two ASA. A DEVICE and device B

(1) if interesting traffic initiates a LAN device. traffic ACL hits. TUNEL is not coming

(2) if interesting traffic initiates B LAN device. Tunnel will establish all the works of serivces

(3) after the Tunnel device establishmnet B. We forced to tunnel down at both ends. Interesting again traffic initiates device a surpringly tunnel

will go up. After 2 or 3 days (after life expire 86400 seconds) initiated traffic of device A, tunnel will not esatblish.

(it comes to rescue link: interesting won't be there all the time.)

checked all parametrs, everthing seems fine. Here are the logs of attached but not more informative debugging on the balls. Please suggest.

February 2, 2010 13:23:17: % ASA-7-713236: IP = 81.145.x.x, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 496

February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:18: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:23: % ASA-6-713219: IP = 81.x.x.x, KEY-ACQUIRE Queuing messages are treated when SA P1 is finished.

February 2, 2010 13:23:25: % ASA-7-715065: IP = 81.x.x.x, history of mistake IKE MM Initiator WSF (struct & 0x1abb1e10) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

February 2, 2010 13:23:25: % ASA-7-713906: IP = 81.x.x.x, sending clear/delete with the message of reason

February 2, 2010 13:23:25: % ASA-3-713902: IP = 81.x.x.x, counterpart of drop table counterpart, didn't match!

February 2, 2010 13:23:25: % ASA-4-713903: IP = 81.x.x.x, error: cannot delete PeerTblEntry

Hi, I have a similar problem a long time ago. You can choose which set up the tunnel in your crypto card:

card crypto bidirectional IPsec_map 1 set-type of connection

I hope that it might help to solve your problem. Kind regards.

FAILURE OF VPN TUNNEL

Hello guys,.

I have an ASA 5505 firewall tries to create a VPN tunnel from site to site with a router of 2621 running Advanced IP services. The tunnel keeps do not and I don't know why. Below is the config.

!
hostname SeCuReWaLL
domain default.domain.invalid
activate 2KFQnbNIdI.2KYOU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 192.168.2.0 outside
name 192.168.3.0 inside
!
interface Vlan1
Description of network links extended to outside of the
nameif outside
security-level 0
192.168.2.101 IP address 255.255.255.0
!
interface Vlan2
Description within a private network
nameif inside
security-level 100
address 192.168.3.1 IP 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain default.domain.invalid
allow inside_access_in to access extended list ip inside outside 255.255.255.0 255.255.255.0
outside_access_in list extended access permit icmp any any echo response
site_router to access extended list ip inside 255.255.255.0 allow 192.168.5.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 625.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access site_router
NAT (inside) 1 inside 255.255.255.0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
Outdoor 192.168.5.0 255.255.255.0 192.168.2.107 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
HTTP inside 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
peer set card crypto ipsec_map 10 192.168.2.107
card crypto ipsec_map 10 transform-set secure_set
ipsec_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 5
lifetime 28800
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd dns 192.168.2.1
!
dhcpd address 192.168.3.10 - 192.168.3.40 inside
dhcpd allow inside
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 192.168.2.107 type ipsec-l2l
IPSec-attributes tunnel-group 192.168.2.107
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a6ffc4e9572dbee8e526c3013a96a510
: end

!
InternetRouter hostname
!
boot-start-marker
boot-end-marker
!
!
No aaa new-model
no location network-clock-participate 1
No network-clock-participate wic 0
IP cef
!
!
!
!
no ip domain search
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 5
lifetime 28800
key cisco address 192.168.2.101 crypto ISAKMP xauth No.
!
!
Crypto ipsec transform-set esp-3des secure_set
!
ipsec_map 10 ipsec-isakmp crypto map
defined peer 192.168.2.101
Set transform-set secure_set
match the address router_site
!
!
!
!
interface Loopback0
192.168.5.1 IP address 255.255.255.0
!
interface FastEthernet0/0
IP 192.168.2.107 255.255.255.0
automatic duplex
automatic speed
ipsec_map card crypto
!
interface Serial0/0
no ip address
Shutdown
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
interface Serial0/1
no ip address
Shutdown
!
IP route 192.168.3.0 255.255.255.0 192.168.2.101
!
!
IP http server
no ip http secure server
!
router_site extended IP access list
ip licensing 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
control plan
!
!
!
Voice-port 1/0/0
!
Voice-port 1/0/1
!
Voice-port 1/1/0
!
Voice-port 1/1/1
!
!
!
!
!
!
!
!
Line con 0
exec-timeout 0 0
Synchronous recording
line to 0
line vty 0 4
opening of session
!
!
end

InternetRouter #debug isakmp crypto
Crypto ISAKMP debug is on
InternetRouter #ping
Protocol [ip]:
Target IP address: 192.168.3.10
Number of repetitions [5]:
Size of datagram [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Address source or interface: 192.168.5.1
Type of service [0]:
Set the DF bit in the IP header? [None]:
Validate the response data? [None]:
Data model [0xABCD]:
In bulk, Strict, Record, Timestamp, Verbose [no]:
Scan the range of sizes [n]:
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.10, time-out is 2 seconds:
Packet sent with the address source 192.168.5.1

* 01:49:47.699 Mar 1: ISAKMP: ke received message (1/1)
* 01:49:47.699 Mar 1: ISAKMP: (0:0:N / A:0): THE application profile is (NULL)
* 01:49:47.699 Mar 1: ISAKMP: created a struct peer 192.168.2.101, peer port 500
* 01:49:47.699 Mar 1: ISAKMP: new created position = 0x8553C778 peer_handle = 0 x 80000013
* 01:49:47.699 Mar 1: ISAKMP: lock struct 0x8553C778, refcount IKE peer 1 for isakmp_initiator
* 01:49:47.699 Mar 1: ISAKMP: 500 local port, remote port 500
* 01:49:47.699 Mar 1: ISAKMP: set new node 0 to QM_IDLE
* 01:49:47.703 Mar 1: insert his with his 84074CC8 = success
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): cannot start aggressive mode, try the main mode.
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-07 ID NAT - t
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built of NAT - T of the seller-03 ID
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-02 ID NAT - t
* 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
* 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_READY = IKE_I_MM1

* 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): early changes of Main Mode
* 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): send package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_NO_STATE
* 01:49:47.711 Mar 1: ISAKMP (0:0): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_NO_STATE
* 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_I_MM1 = IKE_I_MM2

* 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): treatment ITS payload. Message ID = 0
* 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
* 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibilite.123
* 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): provider ID is NAT - T v2
* 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
* 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 194
* 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
* 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): pre-shared key local found
* 01:49:47.719 Mar 1: ISAKMP: analysis of the profiles for xauth...
* 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): audit ISAKMP transform 1 against the policy of priority 10
* 01:49:47.719 Mar 1: ISAKMP: 3DES-CBC encryption
* 01:49:47.719 Mar 1: ISAKMP: MD5 hash
* 01:49:47.719 Mar 1: ISAKMP: group by default 5
* 01:49:47.719 Mar 1: ISAKMP: pre-shared key auth
* 01:49:47.723 Mar 1: ISAKMP: type of life in seconds
* 01:49:47.723 Mar 1: ISAKMP: life (basic) of 28800
* 01:49:47.723 Mar 1: ISAKMP: (0:0:N / A:0): atts are acceptable. Next payload is 0
* 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 123
* 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID is NAT - T v2
* 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 194
* 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM2

* 1 Mar 01:49:48.127: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_SA_SETUP
* 01:49:48.127 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 01:49:.48.131 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM3

* 01:49:48.383 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_SA_SETUP
* 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM3 = IKE_I_MM4

* 1 Mar 01:49:48.387: ISAKMP:(0:1:SW:1): processing KE payload. Message ID = 0
* 1 Mar 01:49:48.887: ISAKMP:(0:1:SW:1): processing NONCE payload. Message ID = 0
* 01:49:48.887 Mar 1: ISAKMP: (0:1:SW:1): found peer pre-shared key matching 192.168.2.101
* 01:49:48.891 Mar 1: ISAKMP: (0:1:SW:1): SKEYID generated State
* 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is the unit
* 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 145
* 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
* 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): speaking to another box of IOS!
* 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): supplier code seems the unit/DPD but hash mismatch
* 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
* 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
* 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM4

* 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): send initial contact
* 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): ITS been pr.e using id ID_IPV4_ADDR type shared-key authentication
* 01:49:48.899 Mar 1: ISAKMP (0:134217729): payload ID
next payload: 8
type: 1
address: 192.168.2.107
Protocol: 17
Port: 500
Length: 12
* 01:49:48.903 Mar 1: ISAKMP: (0:1:SW:1): the total payload length: 12
* 1 Mar 01:49:48.903: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_KEY_EXCH
* 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM5

* 01:49:48.907 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_KEY_EXCH
* 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): payload ID for treatment. Message ID = 0
* 01:49:48.911 Mar 1: ISAKMP (0:134217729): payload ID
next payload: 8
type: 1
address: 192.168.2.101
Protocol: 17
Port: 0
Length: 12
* 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): peer games * no * profiles
* 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 0
* 01:49:48.915 Mar 1: ISAKMP: received payload type 17
* 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
* 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): vendor ID is DPD
* 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA authentication status:
authenticated
* 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA has been authenticated with 192.168.2.101
* 01:49:48.915 Mar 1: ISAKMP: attempts to insert a 192.168.2.107/192.168.2.101/500/ peer and inserted 8553 778 successfully.
* 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1.): O State of LD = new State IKE_I_MM5 = IKE_I_MM6

* 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_I_MM6

* 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

* 01:49:48.927 Mar 1: ISAKMP: (0:1:SW:1): start Quick Mode Exchange, M - ID of 590019425
* 1 Mar 01:49:48.931: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
* 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entrance, node-590019425 = IKE_MESG_INTERNAL, IKE_INIT_QM
* 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_I_QM1
* 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 01:49:48.935 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 01:49:48.939 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
* 01:49:48.939 Mar 1: ISAKMP: node set 330122531 to QM_IDLE
* 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 330122531
* 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): treatment protocol NOTIFIER INVALID_ID_INFO 1
0, message ID SPI = 330122531, a = 84074CC8
* 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): the peer is not paranoid KeepAlive.

* 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (ext. 192.168.2.101)
* 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove error node 330122531 FALSE reason 'informational (en) st.
Success rate is 0% (0/5)
InternetRouter #ate 1 "
* 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
* 01:49:48.947 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 01:49:48.947 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
* 01:49:48.951 Mar 1: ISAKMP: node set-412204705 to QM_IDLE
* 1 Mar 01:49:48.951: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
* 01:49:48.951 Mar 1: ISAKMP: (0:1:SW:1): purge the node-412204705
* 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

* 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): removal of HIS State "No reason" why (I) QM_IDLE (ext. 192.168.2.101)
* 01:49:48.955 Mar 1: ISAKMP: Unlocking IKE struct 0x8553C778 for isadb_mark_sa_deleted(), count 0
* 01:49:48.959 Mar 1: ISAKMP: delete peer node by peer_reap for 192.168.2.101: 8553 778
* 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): error in node-590019425 FALSE reason for deletion "deleted IKE."
* 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): node error 330122531 FALSE reason for deletion "removed IKE."
* 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_DEST_SA = IKE_DEST_SA

Hello

I gave a quick scan here for the configuration on both devices, found two or three commands are missing from the configuration of the ASA

ASA
---

card crypto ipsec_map 10 correspondence address site_router

outside_access_in list extended access udp allowed any any eq 500
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access allow esp a whole

I'm assuming pre shared key defined on ASA cisco is the same on router

On router
---------

Try running the following commands: -.

No crypto ipsec transform-set esp-3des secure_set
Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set

At the time of the opening of the tunnel, please gather at the debug crypto isa 127 output and debug crypto ipsec 127 of ASA

You can also check the configuration below document link

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

Ignore the map route on router configuration contained in the above document *.

HTH...

Kind regards
Mohit

Help with a VPN tunnel between ASA 5510 and Juniper SSG20

Hello

We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

Main branch
1.1.1.2                                 1.1.1.1
-----                                               -----------
192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
-----                                               -----------
192.168.8.254 192.168.1.254

According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

Help is very appreciated.

Thank you

1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

management-private access

To initiate the ping of the private interface ASA:

ping 192.168.1.254 private

2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

Hope that helps.

ASA to 1841 VPN Tunnel

Hello

I am trying to establish a VPN tunnel from site to site between 2 offices. An agency has a Cisco 1841 and the other a pair of ASA 5510. I get the tunnel to establish without problem. The problem is that traffic will the intended to the ASA 1841 will not encrypt to this particular tunnel. I get decaps on the session, but no program. I've reconfigured the tunnel several times but keep getting the same result:

Interface: FastEthernet0/1
The session state: UP-ACTIVE
Peer: 202.41.148.5 port fvrf 500: (none) ivrf: (none)
Phase1_id: 202.41.148.5
DESC: (none)
IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
Capabilities: (None) connid:98 life time: 23:45:02
FLOW IPSEC: allowed ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
Active sAs: 2, origin: card crypto
On arrival: dec #pkts'ed 17 drop 0 life (KB/s) 4569995/2704
Outbound: #pkts enc'ed drop 0 0 life (KB/s) 4569996/2704

Any suggestions would be greatly appreciated.

Andy

Your ACL 100 is not exempt traffic 192.168.5.0-> 10.0.96.0 of the NAT process. Please add the line below above the permit statement and test again.

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

IPSEC VPN tunnel on issue of Zonebased Firewall

Help, please!

I'm trying to configure a router lab ISR1921 to build the VPN tunnel with vmware vshield edge. The configuration of the 1921 is pasted below. There is not a lot of adjustment on the side of vshield really and I'm sure both sides are adapting to phase 1 & 2.

The question I have: the tunnel can be built correctly and I also see from show crypto ipsec release encap and decap counters. However the devices on each side can communicate. That said, I can ping from 1921 to the IP of the internal interface of the vshield with IP source specified. But just no communication part and other...

I did debugs and only "error" messages are:

01:58:03.193 20 February: ISAKMP: (1001): error suppression node 1656104565 FALSE reason 'informational (in) State d1.

...

01:58:03.193 20 February: ISAKMP: (1001): purge the node-1657220080

I hope that I did a stupid thing to configure error, but I spent too much time on it. It is supposed to be a really simple installation... Please help!

!

version 15.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

Lab-1900 host name

!

boot-start-marker

boot system flash: c1900-universalk9-mz. Spa. 154 - 1.T1.bin

boot system flash: c1900-universalk9-mz. Spa. 151 - 4.M7.bin

boot system flash: c1900-universalk9-mz. Spa. 150 - 1.M4.bin

boot-end-marker

!

AAA new-model

!

AAA authentication login default local

authorization AAA console

AAA authorization exec default local

!

AAA - the id of the joint session

clock timezone AST - 4 0

clock to summer time recurring ADT 3 Sun Mar 2 Sun Nov 02:00 02:00

!

DHCP excluded-address IP 192.168.100.1 192.168.100.40

!

dhcp DHCPPOOL IP pool

import all

network 192.168.100.0 255.255.255.0

LAB domain name

DNS 8.8.8.8 Server 4.2.2.2

default router 192.168.100.1

4 rental

!

Laboratory of IP domain name

8.8.8.8 IP name-server

IP-server names 4.2.2.2

inspect the IP log drop-pkt

IP cef

No ipv6 cef

!

type of parameter-card inspect global

Select a dropped packet newspapers

Max-incomplete 18000 low

20000 high Max-incomplete

Authenticated MultiLink bundle-name Panel

!

redundancy

!

property intellectual ssh version 2

!

type of class-card inspect entire game ESP_CMAP

match the name of group-access ESP_ACL

type of class-card inspect the correspondence SDM_GRE_CMAP

match the name of group-access GRE_ACL

type of class-card inspect entire game PAC-cls-icmp-access

match icmp Protocol

tcp protocol match

udp Protocol game

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-13

game group-access 154

class-card type check ALLOW-VPN-TRAFFIC-OUT match-all

match the ALLOW-VPN-TRAFFIC-OUT access group name

type of class-card inspect entire game PAC-cls-insp-traffic

match Protocol pptp

dns protocol game

ftp protocol game

https protocol game

match icmp Protocol

match the imap Protocol

pop3 Protocol game

netshow Protocol game

Protocol shell game

match Protocol realmedia

match rtsp Protocol

smtp Protocol game

sql-net Protocol game

streamworks Protocol game

tftp Protocol game

vdolive Protocol game

tcp protocol match

udp Protocol game

http protocol game

type of class-card inspect entire game AH_CMAP

match the name of group-access AH_ACL

inspect the class-map match ALLOW VPN TRAFFIC type

match the ALLOW-VPN-TRAFFIC-OUT access group name

type of class-card inspect correspondence ccp-invalid-src

game group-access 126

type of class-card inspect entire game PAC-insp-traffic

corresponds to the class-map PAC-cls-insp-traffic

type of class-card inspect entire game SDM_VPN_TRAFFIC

match Protocol isakmp

match Protocol ipsec-msft

corresponds to the AH_CMAP class-map

corresponds to the ESP_CMAP class-map

type of class-card inspect correspondence ccp-icmp-access

corresponds to the class-ccp-cls-icmp-access card

type of class-card inspect the correspondence SDM_VPN_PT

game group-access 137

corresponds to the SDM_VPN_TRAFFIC class-map

!

type of policy-card inspect self-out-pmap

class type inspect PCB-icmp-access

inspect

class class by default

Pass

policy-card type check out-self-pmap

class type inspect SDM_VPN_PT

Pass

class class by default

Drop newspaper

policy-card type check out-pmap

class type inspect PCB-invalid-src

Drop newspaper

class type inspect ALLOW VPN TRAFFIC OUT

inspect

class type inspect PCB-insp-traffic

inspect

class class by default

Drop newspaper

policy-card type check out in pmap

class type inspect sdm-cls-VPNOutsideToInside-13

inspect

class class by default

Drop newspaper

!

security of the area outside the area

safety zone-to-zone

safety zone-pair zp-self-out source destination outside zone auto

type of service-strategy inspect self-out-pmap

safety zone-pair zp-out-to source out-area destination in the area

type of service-strategy check out in pmap

safety zone-pair zp-in-out source in the area of destination outside the area

type of service-strategy inspect outside-pmap

source of zp-out-auto security area outside zone destination auto pair

type of service-strategy check out-self-pmap

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key iL9rY483fF address 172.24.92.103

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

tunnel mode

!

IPSEC_MAP 1 ipsec-isakmp crypto map

Tunnel Sandbox2 description

defined by peer 172.24.92.103

Set security-association second life 28800

game of transformation-ESP-3DES-SHA

PFS group2 Set

match address 150

!

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

!

interface GigabitEthernet0/0

WAN description

IP 172.24.92.18 255.255.255.0

NAT outside IP

No virtual-reassembly in ip

outside the area of security of Member's area

automatic duplex

automatic speed

No mop enabled

card crypto IPSEC_MAP

Crypto ipsec df - bit clear

!

interface GigabitEthernet0/1

LAN description

IP 192.168.100.1 address 255.255.255.0

IP nat inside

IP virtual-reassembly in

Security members in the box area

automatic duplex

automatic speed

!

IP forward-Protocol ND

!

IP http server

access-class 2 IP http

local IP http authentication

IP http secure server

!

IP nat inside source map route RMAP_4_PAT interface GigabitEthernet0/0 overload

IP route 0.0.0.0 0.0.0.0 172.24.92.254

!

AH_ACL extended IP access list

allow a whole ahp

ALLOW-VPN-TRAFFIC-OUT extended IP access list

IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

ESP_ACL extended IP access list

allow an esp

TELNET_ACL extended IP access list

permit tcp any any eq telnet

!

allowed RMAP_4_PAT 1 route map

corresponds to the IP 108

!

1snmp2use RO SNMP-server community

access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 108 allow ip 192.168.100.0 0.0.0.255 any

access-list 126 allow the ip 255.255.255.255 host everything

access-list 126 allow ip 127.0.0.0 0.255.255.255 everything

access-list 137 allow ip 172.24.92.0 0.0.0.255 any

access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 154 allow ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

!

control plan

!

Line con 0

exec-timeout 0 0

Synchronous recording

line to 0

line 2

no activation-character

No exec

preferred no transport

transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

StopBits 1

line vty 0 4

access-class TELNET_ACL in

exec-timeout 0 0

Synchronous recording

transport of entry all

line vty 5 15

access-class TELNET_ACL in

exec-timeout 0 0

Synchronous recording

transport of entry all

!

Scheduler allocate 20000 1000

0.ca.pool.ntp.org server NTP prefer

1.ca.pool.ntp.org NTP server

!

end

NAT looks fine.

Please create an ACL with bidirecctional ACEs and add it as a group of access to the interface of penetration:

IP access-list extended 180

IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255 connect

ip permit 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 connect

allow an ip

interface GigabitEthernet0/1

IP access-group 180 to

IP access-group out 180

Generer generate traffic, then run the command display 180 access lists .

Also, if possible activate debug ip icmp at the same time.

Share the results.

Thank you

Profile VPN (tunnel group) under the same IP pool

Hello

I have on my clients VPN from Cisco ASA 5510 works perfectly. The thing is that now I want to create a new profile or a tunnel in order to create the new cause of ACL I want to restrict only to certain hosts. But I don't know if I can do it under the same IP pool. If the answer is yes how could bind the new tunnel group to the correct ACL.

This is my config:

vpnxxxx list of allowed ip extended access all 192.168.125.0 255.255.255.0

IP local pool ippool 192.168.125.10 - 192.168.125.254

NAT (outside) 1 192.168.125.0 255.255.255.0

NAT (inside) 0-list of access vpnxxxx

RADIUS Protocol RADIUS AAA server

RADIUS protocol AAA-server partnerauth

AAA-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx

key xxxx

Crypto-map dynamic dynmap1 20 set transform-set Myset1

lifespan 20 set security-association crypto dynamic-map dynmap1 seconds 28800

Crypto-map dynamic dynmap1 20 kilobytes of life together - the association of safety 4608000

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

internal group RA - VPN strategy

attributes of RA-VPN-group policy

Server DNS 172.16.1.100 value

VPN-idle-timeout 30

Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

Split-tunnel-policy tunnelspecified

type tunnel-group RA - VPN remote access

General-attributes of RA - VPN Tunnel-group

ippool address pool

authentication-server-group (outside partnerauth)

Group Policy - by default-RA-VPN

tunnel-group RA - VPN ipsec-attributes

pre-shared-key *.

Thank you

The command is "vpn-filter" in the Group Policy section.

Define a group policy for each group of tunnel and select it with 'by default-group-policy' in the section of the tunnel.

ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

Hello

I have an ASA5505 that currently connects a desktop remotely for voip and data. I added a 2nd site VPN tunnel to a vendor site. It's this 2nd VPN tunnel that I have problems with. It seems that the PHASE 1 negotiates well. However, I'm not a VPN expert! So, any help would be greatly appreciated. I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today. They use an ASA5510.

My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '. It has the following as interesting traffic:

192.168.1.0/24-> 192.168.3.0/24

192.168.2.0/24-> 192.168.3.0/24

10.1.1.0/24-> 192.168.3.0/24

-> 192.168.3.0/24 10.1.2.0/24

10.1.10.0/24-> 192.168.3.0/24

10.2.10.0/24-> 192.168.3.0/24

The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:

192.168.1.25/32-> 10.10.10.83/32

192.168.1.25/32-> 10.10.10.47/32

192.168.1.26/32-> 10.10.10.83/32

192.168.1.26/32-> 10.10.10.47/32

Here's the info to other VPN (copy & pasted from the config)

permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

peer set card crypto outside_map 1 24.180.14.50

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 2 match address eInfomatics_1_cryptomap

peer set card crypto outside_map 2 66.193.183.170

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

tunnel-group 24.180.14.50 type ipsec-l2l

IPSec-attributes tunnel-group 24.180.14.50

pre-shared key *.

tunnel-group 66.193.183.170 type ipsec-l2l

IPSec-attributes tunnel-group 66.193.183.170

pre-shared key *.

Thanks in advance

-Matt

Hello

The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

So you can probalby try adding the following

card crypto outside_map 2 pfs group2 set

I think he'll simply enter as

card crypto outside_map 2 set pfs

Given that the 'group 2' is the default

-Jouni

NAT before going on a VPN Tunnel Cisco ASA or SA520

I have a friend who asked me to try to help. We are established VPN site to site with a customer. Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there. So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN. So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel. That sounds confusing to you? Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN. Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?

Help or direction would be very useful.

Hello

I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.

Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.

Naturally, there are also a lot of the basic configuration which is not mentioned below.

For example
- Configurations management and AAA
- DHCP for LAN
- Logging
- Interface "nonstop."
- etc.
Information for parameters below
- x.x.x.x = ASA 'outside' of the public IP interface
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" IP address of the default gateway
- a.a.a.a = the address of the remote site VPN L2L network
- b.b.b.b = mask of network to the remote site VPN L2L
- c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
- PSK = The Pre Shared Key to connect VPN L2L
Interfaces - Default - Access-list Route

interface Vlan2

WAN description

nameif outside

security-level 0

Add IP x.x.x.x y.y.y.y

Route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

Description WAN access

switchport access vlan 2
- All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured
interface Vlan1

LAN description

nameif inside

security-level 100

10.10.1.0 add IP 255.255.255.0

Note to access the INSIDE-IN list allow all local network traffic

access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any

group-access INTERIOR-IN in the interface inside

Configuring NAT and VPN L2L - ASA 8.2 software and versions prior

Global 1 interface (outside)

NAT (inside) 1 10.10.1.0 255.255.255.0

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared key, PSK

NAT and VPN L2L - ASA 8.3 software configuration and after

NAT source auto after (indoor, outdoor) dynamic one interface

Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac

IKEv1 crypto policy 10

preshared authentication

aes-256 encryption

sha hash

Group 2

lifetime 28800

L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1

card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

CRYPTOMAP WAN interface card crypto outside

crypto isakmp identity address

Crypto ikev1 allow outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

IKEv1 pre-shared key, PSK

I hope that the above information was useful please note if you found it useful

If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more

-Jouni

The L2L VPN Tunnels on several external Interfaces ISP

Due to special circumstances, we have 2 links on an ASA5510 ISP. I'm trying to put an end to some VPN L2L tunnels on a link and others on the second link of Internet service provider, for example below:

LOCAL FIREWALL

card crypto outside-map_isp1 20 corresponds to the address VPN_ACL_A
set outside-map_isp1 20 crypto map peer 1.1.1.1
outside-map_isp1 20 game card crypto transform-set TS-generic

card crypto outside-map_isp2 30 corresponds to the address VPN_ACL_B
peer set card crypto outside-map_isp2 30 3.3.3.3
card crypto outside-map_isp2 30 value transform-set TS-generic

crypto map interface outside-map-isps1 ISP_1
outside-map-isp2 interface card crypto ISP_2

ISAKMP crypto enable ISP_1
ISAKMP crypto enable ISP_2

Route 0.0.0.0 ISP_1 0.0.0.0 1.1.1.254
Route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254

Establishing the VPN tunnels in both directions when using ISP_1 works very well establshing in both directions of remote access users and several tunnels L2L (only showing a for example).

On ISP_2

1. peer device 3.3.3.3 establishes a VPN tunnel, but the return traffic does NOT get back to devices 3.3.3.3 tunnel.

2. the local firewall does NOT establish a VPN tunnel to 3.3.3.3

It suggests that the problems lies with this firewall multihomed do not direct traffic properly on back down and VPN tunnel of workbenches (point1) or to trigger a tunnel if there is (point 2).

Reconfiguration of the VPN tunnel to 3.3.3.3 counterpart to be on the local firewall, all the springs in the life ISP_1! All ideas, there are enough license etc...

Another way you need is the subnet of destination on VPN_ACL_B to be routed to ISP_2 as well.

So you must send the address of peers (in your case 3.3.3.3) and the remote subnet (in your destination subnet case VPN_ACL_B) at 2.2.2.254

SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

Hi all.

I really need help on this one.

The office 1 installer running SBS2008 Office 2 running Server 2008.

Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

Each firm has its own DNS server and acts as a domain controller

How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

Is it so simple that the addition of another pool internal IP for each DNS server?

Thanks in advance for your help.

Hello

Your Question is beyond the scope of this community.

I suggest that repost you your question in the Forums of SBS.

https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

"Windows Small Business Server 2011 Essentials online help"

https://msdn.Microsoft.com/en-us/library/home-client.aspx

TechNet Server forums.

http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

See you soon.

life of VPN tunnel

Similar Questions

Maybe you are looking for