Manage the 5512 ASA with SSH via VPN
Hello
We are facing problems with ssh access on our ASA5512 on a Site-2-Site VPN tunnel.
SSH seems to be implemented properly, because we can login from inside and outside on both Interfaces.
But when we try to connect the ASA from a remote location with SSH Putty reports a timeout.
We set up a lot of these configurations with ASA5510 and ASA Image 8.x without any problem, so I guess it must have something to do with the new version of the ASA.
The value by defect-rsa-key was generated successfully.
VPN is ok and log viewer shows:
6 | March 21, 2016 | 10:21:44 | 302013 | 192.168.0.100 | 51682 | 192.168.1.1 | 22 |
Built of TCP connections incoming 597903 for outside:192.168.0.100/51682 (192.168.0.100/51682) at inside:192.168.1.1/22 (192.168.1.1/22) |
That's how we set up the configuration:
the ssh LOCAL console AAA authentication
SSH 192.168.0.0 255.255.255.0 inside (192.168.0.0 is the remote VPN network)
management-access inside
username privilege 15 PASSWORD USER password
We missed something?
Thank you
Best regards
Dennis
Hi Dennis,
The config looks very good.
Are you able to ping inside the interface through the tunnel.
If not can check you the nat for traffic and adds the route search key word.
If you use not all certificates on the SAA you can use the command for related on the SAA rsa keys:
encryption key tied rsa or try to be specific: related encryption rsa label key<>
Try to remove the SSH configuration and reapply.
I would like to know if it works or not. If this isn't the case, then take debug ssh 255 and part.
Kind regards
Aditya
Please evaluate the useful messages.
Tags: Cisco Security
Similar Questions
-
Check sensor SFR with FireSight via VPN - does not work
Hello security experts.
I have an ASA5515-X with SFR installed 5.4.0 and manage with 5.4 FireSight installed on the virtual machine on LAN and I record the sensor without any problem but when I try to register the sensor to FireSight via VPN I can't do. The interface on the ASA management has no intellectual property nor nameif configured and the interface is connected to the switch, SFR has the IP even configured as LAN addressing. I can see traffic being exchanged between the sensor and the FireSight but I can't save the sensor.
Has anyone managed to register the sensor via VPN? Is there something else to be configured in order to save the sensor with the MC via the VPN?
The delay between the Firesight and the sensor (on WAN and VPN) I get between 80 and 100 ms, what could be the problem?
Thank you very much!
Remi
Hello
If you are unable to telnet from DC to the sensor on the port 8305 delivers connectivity then.
Can try you to ping from sensor to DC:
ping -M do -c 20 -s 1572
By default, the MTU is 1500 on eth0, if the ping does not work I will suggest to lower the MTU on the interface and see if it works. See also: / var/log/messages | grep sftunnel and see the error messages on DC and sensor and send it to me everywhere. Best regards, Aastha Bhardwaj rate if this is useful! -
Make the remote web server accessible via VPN Site to website
We have two test sites that are connected by a tunnel IPSEC VPN site-to-site (hosted on a SAA each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Two web servers are running on the Site of Test 1. We don't have the same public IP available at each site.
To address the public site 1 unique IP address restriction, we try to install ACL and NAT rules to have 2 Site accept traffic from the internet and send it on the site to the other tunnel. So 1 Web server would accept the ASA 1 internet traffic and Web Server 2 accept traffic from ASA 2 to the other site. Here's a network diagram:
We have difficulties to get this configuration works correctly. Please note that the network 192.168.3.0/24 clients are able to access the servers Web1 and Web2. This question seems to be due to our NAT configuration. This is the type of error, we see on the two firewalls:
Asymmetrical NAT rules matched for flows forward and backward; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 refused due to path failure reverse that of NAT
Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230
Any help would be appreciated.
Hello
What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have done no such features in a real-life network environment and have always used additional public IP addresses on the local site when a server is hosted.
If you want to continue to move forward with this so here's a few points to consider and the configurations that you need.
First off it seems to me that the other server will be organized by the local Site 1 so a simple static PAT (Port Forward) must manage the Site 1.
network of the WEB-HTTP object
host 192.168.1.10
NAT (inside, outside) interface static tcp 443 443 service
And if you need TCP/80 also then you will need
network of the HTTPS WEB object
host 192.168.1.10
NAT (inside, outside) interface static service tcp 80 80
Now, 2 Site will naturally a little different that the server is hosted on the Site 1 and Site 2 is the public IP address used to publish the server on the external network.
Essentially, you will need to configure NAT that both makes dynamic PAT for the addresses of the source of the connection to your server Web 2, but also makes the static PAT (Port Forward) for the IP address of the Web Server 2. Additionally, you have to set the area of encryption on the Site 1 and Site 2 to match this new addition to the L2L VPN connection.
Unless of course you use an existing IP address on the field of encryption in the dynamic translation of PAT for the source address. In this case, it would take no change VPN L2L. I'll use that in the example below.
The NAT configuration might look like this
service object WWW
destination eq 80 tcp service
service object HTTPS
destination eq 443 tcp service
the object SOURCE-PAT-IP network
host 192.168.3.254
network of the WEB-SERVER-2-SITE1 object
host 192.168.1.11
NAT (outside, outside) 1 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service WWW WWW
NAT (outdoors, outdoor), 2 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service HTTPS HTTPS
So, essentially, NAT configurations above should ake 'all' traffic coming from behind 'outside' interface intended to "outside" "interface" IP address and translate the source to ' SOURCE-PAT-IP ' address and untranslate destination to "WEB-SERVER-2-SITE1".
Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If she is then replace it with something that is not currently used in the network. Otherwise, configure an IP address of some other subnet and include in the L2L VPN configurations on both sites.
Unless you already have it, you also have this configuration command to activate the traffic to make a U-turn/pin on the ' outside ' of the Site 2 ASA interface
permit same-security-traffic intra-interface
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
-
ASA with several L2L VPN Dynamics
I have an ASA 5510 such as VPN, used for about 30 L2L - VPN concentrator.
I need also some VPN L2L with dynamic peer remote.
While the configuration for a single dyn - VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn - VPN?
Basically, all the VPN - dyn must use the same PSK (the DefaultL2LGroup).
But using the "aggressive" on the remote peer mode, I could use a different PSK for every dyn - VPN:
tunnel-group ipsec-attributes ABCD
pre-shared-key *.
This configuration is correct?
Best regards
Claudio
Hello
Maybe the solutions provided in the following document may also be an option to configure multiple dynamic VPN L2L connections on the SAA
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
-Jouni
-
Hi people,
Unable to access the PIX inside interface using ssh.
The VPN works well and can access other devices more far in the network without problem.
local IP NETWORK-SUPPORT-POOL pool 192.168.31.241 - 192.168.31.254
vpngroup-grip LOAD NETWORK address NETWORK-SUPPORT-POOL pool
vpngroup-grip LOAD NETWORK Server dns adc01-Interior
vpngroup split of NETWORK-SUPPORT NETWORK-SUPPORT_splitTunnelAcl tunnel
vpngroup NETWORK-SUPPORT-idle time 3600
NETWORK-SUPPORT vpngroup password of some
list of access NETWORK-SUPPORT_splitTunnelAcl allowed ip 192.168.0.0 255.255.0.0 any
See you soon
Tony
Tony,
What you need to do is this...
(config mode you PIX)
SSH 192.168.31.0 255.255.255.0 inside
When you connect through your VPN client, the Interior of interface type IP address of your PIX on your SSH Client (I use Putty SSH). Additionally, make sure that you have found for ssh rsa keys to work!
If you're still having problems, then (again in mode config) add: management-access to the Interior.
Hope this helps and please rate messages! :)
Jay
-
Access to the DMZ to remote sites via VPN S2S
We have an ASA 5520 and two remote site ASA 5505 that connect to each other through tunnels VPN S2S. They are doing tunneling split, while local traffic passes over the tunnel. We are local LAN (10.0.0.0/16) and our network to the DMZ (10.3.0.0/24) on the main site. The DMZ hosts our external sharepoint, but we access it internally
The problem is site A (10.1.0.0/24) and B (10.2.0.0/24) have no idea of it, and when you try to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you're an intern.
That I'm stuck on is even when we had all sent traffic from Site A to our Senior Center, would find it yet. I do a separate vpn purely tunnel that traffic to DMZ?
Yes. So if you do this in ASDM under Edit Site profile connection Site, it will look like this.
Local network: 10.0.0/16, 10.3.0.0/24
Distance: 10.1.0.0/24
-
Cannot access the internal network with Cisco easy vpn client RV320
I have a cisco RV320 (firmware v1.1.1.06) and created a tunnel easy vpn (= split tunnel tunnel mode), then I installed the cisco client vpn v5.0.07.0290 in Windows 7 64 bit, I can connect to the vpn, but I do not see the other pc ping nor them, no idea?
Thank you
Hello
1. is the firewall on the active Windows 7 computer? If so, please disable it
2. can you check that you get a correct IP address in the range of the POOL of IP configured?
3. When you perform the tracert command to access an internal server, it crosses the VPN¨?
4. is the tunnel of split giving you access to internal IP subnets defined?
5. on the RV320 you see the user connected and sending and receiving bytes?
Don t forget to rate and score as correct the helpful post!
David Castro,
Kind regards
-
How to manage the current line with radio button selection?
Hello world
I have an ADF page with a table and a search"" button.
I created a new attribute with VARCHAR2 (1) in the VO and dragged this attribute as the first column of the table. And changed this first column of the option button to select only a single line at a time.
By clicking on the "Search" button, I need to get the current selected row values.
How can I get the values of selected line?
What code should I write to get the values of the selected line in the method of binding the button 'search '?
All suggestions will be really useful.
Thank you.Hello Kumar,
I have a few comments on your case.
>
I created a new attribute with VARCHAR2 (1) in the t
>
1. you should create this attribute in the object of the entity, and then add it to the view object.
2-do you need this radio that a button is defined for all lines? If yes then you need handle the case where the user set several lines and clear the value of the attribute for all other lines.>
How can I get all the values of the current row in backing bean, binding of the Find method (method)?
can u please give me the code for this?
>
If you mean by the current row is the row for which the value of the selected attribute is defined (the radio button is set to the rank), then you can write a method in the viewObjectImpl class and expose it to the customer interface and call it from your bean.
Here is a sample Department table in the HR schema.//This method is written in DepartmentsViewImpl public Row getSelectedRadioRow(){ //create a second row set to not impact the row set used in ADF RowSet duplicateRowSet = this.createRowSet("duplicateRowSet"); //get the current row of the table to set it back after re-executing the VO DepartmentsViewRowImpl currentRow = (DepartmentsViewRowImpl)this.getCurrentRow(); Row[] filteredRows = duplicateRowSet.getFilteredRows("IsSelected", "1"); DepartmentsViewRowImpl row=null; if(filteredRows.length>0){ row = (DepartmentsViewRowImpl)filteredRows[0]; System.out.println("Department Name " + row.getDepartmentName()); } this.setCurrentRow(currentRow); duplicateRowSet.closeRowSet(); return row; }
-
Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.
We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups. It works, but it works too well.
We have a group called XXX we need to have access to the Cisco AnyConnect Client. We have selected this group of our Active Directory and added to our ACS configuration. We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.
We added XXX movies for the elements of the policy of access to the network-> authorization profiles. We also have a profile of YYY.
She continues to knock on our default Service rule that says allow all.
We have also created a default network access rule. for this.
I am at a loss. I'm sure I missed a checkbox or something.
Any help would be really appreciated.
Dwane
We use Protocol Management GANYMEDE ASA and Ray for VPN access?
For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.
On the SAA, you must configure Ganymede and Ray both as a server group.
For the administration, you can set Ganymede as an external authentication under orders aaa Server
AAA-server protocol Ganymede GANYMEDE +.
Console HTTP authentication AAA GANYMEDE
Console Telnet AAA authentication RADIUS LOCAL
authentication AAA ssh console LOCAL GANYMEDE
Console to enable AAA authentication RADIUS LOCAL
For VPN, you must set the authentication radius under the tunnel-group.
I hope this helps.
Kind regards
Jousset
The rate of useful messages-
-
Is VLAN via VPN possible with any of the Small Business routers?
A tagged VLAN (for voice) will be routed through a VPN gateway to gateway on any of the Small Business routers, such as the SA520? This router is equipped
Parameters of VLAN Trunking.
No, it is not possible to send traffic to vlan via VPN on a series of SA500, but you can create a tunnel for each subnet, you need to pass traffic.
hope this helps,
Jasbryan
-
Situation: we have a few portable computers test Ubuntu running DHCP servers. We need get the updates and other changes in corporate network sometimes. Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.
Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.
Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?
Thanks for reading.
N ° DHCP uses layer 2 broadcasts to disseminate IP addresses. Because your clients are connected via VPN, there is no contiguity of layer 2. The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.
-
ASA5505 management via VPN/Anyconnect without group
I have 2 questions about the configuration of the SAA.
The first is related to the SSL VPN configuration. Just one group of users to which you connect to our main office via remote access. Is there a way to configure SSL VPN to not display a group selection?
I have the omission of the list of the groups-tunnel-enable command and configuration group on user accounts locking, but neither work.
Secondly, I am at a loss on how to configure ssh to allow users connected via VPN connections. I guess:
SSH 172.16.1.0 255.255.255.0 inside
with 172.16.1.0 24 is the ip pool assigned to remote access vpn users would do so, however, it's a no go. How can users of remote access (which are for the most part, all technicians) granted the possibility to connect to the device?
Thanks for your help.
To be able to manage the ASA via SSH via a VPN tunnel, you will need to enter the configuration command "in man".
-
Customer remote cannot access the server LAN via VPN
Hi friends,
I'm a new palyer in ASA.
My business is small. We need to the LAN via VPN remote client access server.
I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.
Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.
Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.
Who can help me?
Thank you very much.
The following configuration:
ASA Version 7.0(7)
!
hostname VPNhost
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 221.122.96.51 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.42.199 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns domain-lookup inside
access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
access-list allow_PING extended permit icmp any any inactive
access-list Internet extended permit ip host 221.122.96.51 any inactive
access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.43.10-192.168.43.20arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 access-list PAT_acl
route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
username testuser password 123
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3no sysopt connection permit-ipsec
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 3600
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet timeout 5ssh timeout 10
console timeout 0: end
Topology as follows:
Hello
Configure the split for the VPN tunneling.
Create the access list that defines the network behind the ASA.
ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
Mode of configuration of group policy for the policy you want to change.
ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#
Specify the policy to split tunnel. In this case, the policy is tunnelspecified.
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.
ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List
Type this command:
ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes
Associate the group with the tunnel group policy
ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn
Leave the two configuration modes.
ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#
Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.
Kind regards
Abhishek Purohit
CCIE-S-35269 -
Need help - Cisco ASA with the power of fire
Hello
Currently, we use asa 5510 without function of firepower. Our goal is to publish web servers and microsoft lync with reverse proxy method. control internet traffic, apply extensions individual file not to download, management of bandwidth etc.
Is it possible if we add firepower on asa 5510... Please guide me... Thank you
Power of fire must be installed on the new series X of the SAA. 5512 x, x 5515, 5525 x, etc.
If you have a 5510, you probably want a 5512 x with an SSD. Cisco has beams of firepower include the ASAx with SSD and the license of firepower.
Adds that you must also Firesight management software, and there is a license bundle of 2 camera for under $ 500 that you can install on VMWare.
Firepower is not reverse proxy, it's transparent online packages, analysis and filtering by URL / Application / and threat mitigation.
If you want a reverse proxy, you should look into Microsoft ISA server or a Proxy Server reverse dedicated Web. Cisco gave its product Web Director, who has done this function.
You can host Web sites behind a firewall of ASA without proxy reverse. And the ASA has an inspection of the request for HTTP traffic, responsible for watching HTTP requests. The firepower to the ASA system also has specific signatures that monitor traffic to the web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the Reverse Proxy for, then the power of fire module would probably cover your needs.
Don't forget that until the next quarter firepower system has no decryption on the box, and you might want to wait that the feature is released and put in place, so that you know what size firewall you need protect your network with the SSL decryption. I believe that the ASA5512x is testing at 75 Mbps stream decrypted via the fire power module, which is about half of what was before CX, then you could use the sizing numbers CX and extrapolate until Cisco releases official decryption numbers.
-
Problem with remote access VPN on ASA 5505
I currently have a problem of an ASA 5505 configuration to connect via VPN remote access by using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x 64. The VPN client will prompt you for the user name and password during the connection process, but fails soon after.
The VPN client connects is as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.2.9200
2 15:09:21.240 11/12/12 Sev = Info/4 CM / 0 x 63100002
Start the login process
3 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
4 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
5 15:09:21.287 11/12/12 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
6 15:09:21.287 11/12/12 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
7 15:09:21.303 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
8 15:09:21.365 11/12/12 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
9 15:09:21.334 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
10 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
11 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
12 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
13 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
14 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
15 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
16 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
17 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
18 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000055
Sent a keepalive on the IPSec Security Association
19 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xFBCE, Remote Port = 0 x 1194
20 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is behind a NAT device
21 15:09:21.334 11/12/12 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 15:09:21.365 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 15:09:21.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 15:09:21.365 11/12/12 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
26 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
27 15:09:27.319 11/12/12 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
28 15:09:27.319 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
29 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
30 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
31 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
32 15:09:27.365 11/12/12 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
33 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
34 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
35 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
36 15:09:27.397 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
37 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
38 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
39 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
40 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
41 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
42 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO
43 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
44 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (5) built by manufacturers on Saturday, May 20, 11 16:00
45 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
46 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194
47 15:09:27.397 11/12/12 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
48 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
49 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
50 15:09:27.444 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
51 15:09:27.444 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
52 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
53 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 6 seconds, setting expiration 86394 seconds now
54 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
55 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
56 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO *(HASH, DEL) to *. **. ***. ***
57 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000049
IPsec security association negotiation made scrapped, MsgID = CE99A8A8
58 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
60 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000058
Received an ISAKMP for a SA message no assets, I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924
61 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">
62 15:09:27.490 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
63 15:09:30.475 11/12/12 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 11/12/12 Sev = Info/4 CM / 0 x 63100012
ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system
65 15:09:30.475 11/12/12 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
66 15:09:30.475 11/12/12 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
67 15:09:30.475 11/12/12 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
68 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
69 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
70 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
71 15:09:30.475 11/12/12 Sev = Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
---------------------------------------------------------------------------------------------------------------------------------------
The running configuration is the following (there is a VPN site-to-site set up as well at an another ASA 5505, but that works perfectly):
: Saved
:
ASA Version 8.2 (5)
!
hostname NCHCO
Select hTjwXz/V8EuTw9p9 of encrypted password
hTjwXz/V8EuTw9p9 of encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
boot system Disk0: / asa825 - k8.bin
passive FTP mode
access extensive list ip NCHCO 255.255.255.0 outside_nat0_outbound allow 192.168.1.0 255.255.255.0
access extensive list ip NCHCO 255.255.255.0 inside_nat0_outbound allow 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap allow 192.168.1.0 255.255.255.0
access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap_1 allow 192.168.1.0 255.255.255.0
Standard access list LAN_Access allow NCHCO 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 645.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access outside_nat0_outbound
Route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac l2tp-transform
Crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map transform 10-set, vpn l2tp-transformation-transformation
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto vpn-card 1 set of transformation-ESP-3DES-SHA
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP ipsec-over-tcp port 10000
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
Protocol-tunnel-VPN IPSec l2tp ipsec
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHVPN group policy
NCHVPN group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Protocol-tunnel-VPN IPSec l2tp ipsec
value by default-field NCHCO
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username, encrypted NCHvpn99 QhZZtJfwbnowceB7 password
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
pre-shared key *.
type tunnel-group NCHVPN remote access
attributes global-tunnel-group NCHVPN
address pool VPN_Pool
Group Policy - by default-NCHVPN
IPSec-attributes tunnel-group NCHVPN
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
ASDM image disk0: / asdm - 645.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
Anyone have any idea why this is happening?
Thank you!
Add, crypto dynamic-map outside_dyn_map 20 value reverse-road.
With respect,
Safwan
Maybe you are looking for
-
How to uninstall Adobe 7.0.9
I cannot uninstall Adobe 7.0.9 - I've downloaded the latest Adobes, but Adobe 7.0.9 seems to hinder my a few introductory statements I get now - can anyone help - thank you very much
-
I do not use outlook express and still get msg, oe can compact the message. How to stop
I do not use outlook express and still get msg, oe can compact the message. How do I prevent this every time that I turn on computer to come.
-
fire fox works very well but the Explorer is
-
One of my users has lost something that was on his desk. It is a search for a file that has been on this issue, has achieved success on the name, but it was only a link to where the file was. Any ideas as to where this folder or files can be. She
-
My email is unable compact my mails, it starts the process and then stops.
My email is unable compact my mails, it starts the process and stops, any help