Migrate from tunnel vpn again ASA

Similar Questions

• Publish a server with NAT anchored through a tunnel VPN with ASA

  Hi all

  Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do.  I don't know that I'm missing something simple.

  I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation.  Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

  So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

  Let's see if I can get this

  IP public 1.1.1.1\

  > External interface of ASA

  2.2.2.2 / private ip

  My config as I know it is pertinant is as follows:

  permit same-security-traffic intra-interface

  list of allowed incoming access extended ip any host 168.215.x.x

  Access-group interface incoming outside

  public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

  I am running version 8.2.5 of the image of the SAA.

  If you could take a look and let me know what Miss me you please.

  Thank you

  Hello

  The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

  So I wonder if another type of NAT configuration would actually work.

  I would call it static political identity NAT if such a name exists yet.

  Something like that

  Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

  allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

  public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

  This should basically do what

  • When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
  • If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
  • Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
  • Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.

  Hope this helps

  Be sure to mark it as answered in the affirmative. And/or useful response rate.

  Ask more if necessary.

  EDIT: typos

  -Jouni

• Migrating from a Pix 525 ASA 5540

  I'm currently running a PixOS 7.2 (2) and is considering moving to an ASA5540 but I was wondering if the operating system/configuration is similar. Can I just copy / paste the config file?

  Hello

  If the version of the OS and the name/number of interfaces are the same, that shouldn't be a problem - with the exception of certain certificates (i.e. VPN SSL certificates). If ASA5540 7.2 (2) media using this version during the migration, once everything works well in production for about a week, upgrade the operating system to a higher version of your choice.

  Kind regards

  Dandy

• Migrate from vCenter Server again HW with Cisco 1000v in environment

  I have a cluster 13 hosts ESXi 4.1 using a cisco 1kv currently and you want to move the vcenter server to a new host.  I anticipate using the same database as the existing host and IP.  Having the 1kv cisco in the environment will prevent simply connecting me the new instance of an existing database (after powering down the first instance) or it will create no additional steps in the process?

  As long as you manage the server vCenter and db, you should be fine.  You will encounter problems if you change these, like the 1KV, is ultimately always a dvSwitch, associated with the server vcenter himself.  Thus, while you plan to move to new hardware, your vCenter is still considered to be the old vcenter, otherwise, you will encounter problems.

  Hope that makes sense.

  -KjB

• a way vpn with asa to the 800 router

  people

  I have a site to site vpn set up between a asa 5540 and a 800 router

  I want only the vpn to be initiated from the asa with the 800 remote listen incoming connections

  I know that I can define the type of connection on the asa as only come but I can find an equivalent command to answer only for the 800 remote

  can anyone point me in the right direction or is it enough to simply configure the asa as are created only for this encryption card

  Thanks to anyone who takes the time to answer

  Hello

  I recommend you configure the tunnel as a dynamic to static tunnel VPN, the ASA will be the static counterpart, so it will be the initiator and the router will never be able to establish the connection.

  The ASA will be a common L2L configuration, but the router will use a dynamic encryption card.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008051a69a.shtml

  The PIX in the example is old, then you can simply adjust the controls to your current version, the important thing is to understand the concept.

  Please let me know if that answers your question,

  Thank you.

• How to secure Tunnel VPN

  Hello

  I installed a tunnel VPN between ASA and PIX. I want to implement security on the ASA or PIX so that some remote endpoint specfic IP can access resources of tunnel. is it possible to block additional IP addresses?

  Thank you

  Amardeep

  Please read this link, you can implement VPN-filter.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

  Thank you

  Ajay

• Problem with Tunnel VPN L2L between 2 ASA´s

  Hi guys,.

  I have some problems with my VPN Site to site tunnel between 2 ASA (5520/5505).

  I watched a lot of videos on youtube, but I can't find out why the tunnel does not...

  Both devices can ping eachothers WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel is not open to everyone. When i PING from the local to the Remote LAN (which should be an interesting traffic for the tunnel...), the its IKEv1 remains empty...

  Am I missing something? I can't understand it more why same phase 1 is not engaged.

  You NAT won't. In your config file traffic is NATted initially and then does not match any more crypto ACL. You must move the rule dynamic NAT/PAT until the end of the table on two ASAs NAT:

   no nat (INSIDE,OUTSIDE) source dynamic any interface nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

• Tunnel VPN remote Internet and VPN remote VPN from Site to Site traffic?

  Hello

  We try to remote traffic from our users VPN tunnel through our ASA 5510 as well as to allow the only access for remote user VPN traffic to the other end of the all our VPN site-to-site connected to the same ASA. Basically, we who want to VPN in the network in order to access all of our networks business. We try to get away with this without using split Tunneling.

  I can currently get internal traffic from the remote user VPN to reach all other vpn site-to-site tunnels without the internet in tunnel. The problem is when I add the following statement to the NAT:

  NAT (outside) 1 10.10.19.0 255.255.255.0 * 10.10.19.0 is the address of the remote VPN Client

  Internet traffic to the remote VPN starts to get in the tunnel, but I lose the opportunity to reach one of the other tunnels from site to site by the remote VPN tunnel.

  I also begin to receive the following errors in the journal of the ASA

  3 July 1, 2009 12:34:18 305005 10.10.19.255 137 no group of translation not found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137

  Any help with how NAT statements must be defined for this work would be appreciated.

  Thank you

  Will be

  Will,

  the link of this post for your scenario of vpn hub & speak reference, you problem may be on exempt nat rules.

  Have a second look at your sheep rules.

  Be sure to eliminate tunnel rules related to rheumatoid arthritis, as appropriate, to not let him get in the way of splitting.

  http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=firewalling&TopicId=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

  If always emits discribe topology for l2ls and info logic RA and sanatized hub config asa... but I think if you look at the thread above, you should be able to solve.

  Concerning

• Tunnel from site to site ASA with U turn to config

  Hello

  I have a VPN tunnel site race between ASA 5510 (8.2) and Cisco PIX506 (remote site). I need allow remote users to surf the net. I was looking for in the documentation here and circulation activated to enter/exit the same interface on the ASA (same-security-traffic intra-interface permit), however it still something lack. I don't know how to fix this...

  ASA is configured for NAT inside customers to a single public IP address (VPN tunnel ends also at this interface)

  ASA:

  Global 1 208.x.x.x (outside)
  NAT (inside) - 0 no.-Nat-VPN access list
  NAT (inside) 1 0.0.0.0 0.0.0.0

  So when packets Internet comes through the tunnel, there need be sent on the same interface and NATted (but for the tunnel at work I had to exempt intrested NAT traffic). What is the cause of a problem?

  Hello

  NAT rules should be like this:

  Global 1 208.x.x.x (outside)
  NAT (outside) 1 mask x.x.x.x--> pool VPN

  With the foregoing, you are from the VPN clients out to the Internet.

  You can always leave the SHEEP ACL for the VPN itself traffic.

  Federico.

• automatic start of Tunnel VPN ASA.

  I was wondering if anyone had ideas for a problem I'm having.

  I had previously configured a router IOS which had a dynamic IP address from the ISP vpn to PIX headquarters. I got the PIX configured to address generic isakmp/crypto peer so he did not care what peer IP address attempted vpn handshake with him. But, in order to show the VPN, to be launched on the side IOS router because of the dynamics to static vpn LAN is configured.

  The problem I had initially was behind the IOS router on its side LAN I had cameras that has not generated any traffic by themselves, so the VPN is not never come to the top and how I had the time that was on the IOS router I set an IP address of the fake NTP server that was in the subnet through the VPN on the side of PIX and then source the The IOS NTP ethernet router so it would automatically take place of the tunnel by himself.

  Now we are trying to implement and ASA instead of and router IOS and the NTP commands are there including the source option that can be 'inside' or 'outside' but it does not work as did the IOS router. I also tried to create a kind of SNMP or SLA with some source options but who did not bring to the top of the tunnel either. It's as if he's not he sourcing from an IP address or interface that looks like to the interesting traffic.

  I wonder if it's something to with the fact that the ASA, we set up we did put the IP addresses on the local VIRTUAL network interfaces and then put the Ethernet Interfaces in the vlan access switchport special instead of putting on the Interfaces Ethernet IP addresses themselves.

  Someone has any ideas in order to automatically initialize the vpn tunnel to the ASA configuration?

  You may need to add outside of ASA interface as interesting traffic. That is usually when you want a remote ASA/pix syslog to a local syslog server. I know you do ntp, but should be the same. Looks like the same problem here. In any case it is worth it.

  Here is the doc for pix but it is similar to the ASA.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

• Tunnel of Split VPN Setup ASA to force inside the tunnel for single address

  Hi all

  We have an ASA with IPSec VPN facility to addresses Internet of Tunnel from Split.  We have an Internet address that must come from the external interface of the ASA.  I have added this address to the list of split tunnel and confirmed on the client that is the road to the tunnel, but I'm not able to get to this address via the VPN.

  How the ASA to allow this unique Internet address to come via the VPN and route back on the same interface to the Internet and the return traffic to back up in the client VPN tunnel.

  I need to get to the address is 213.92.42.118. Here's the config relavent (let me know if I left anything):

  interface GigabitEthernet0/0
  nameif outside
  IP 1.1.1.1 255.255.255.0
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  name 10.80.177.0 VPN_Pool
  Outbound_Ports tcp service object-group
  port-object eq www
  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  access-list extended users allow icmp a whole
  access-list extended users enable a tcp
  access-list extended users allow udp a whole
  users_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
  standard access list users_splitTunnelAcl allow 192.168.43.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed 192.168.40.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed host 213.92.42.118

  FWOB list extended access permit tcp any any Outbound_Ports object-group

  Global (LUXCVGASA01e) 2 1.1.1.1

  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0
  NAT 0 access-list sheep (LUXCVGASA01i)

  Any help is appreciated.

  -Jeff

  Hi Jeff,

  Just had a chance to look through the Setup and I guess that configured nat is incorrect.

  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  NAT 0 access-list sheep (LUXCVGASA01i)
  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0

  Global (LUXCVGASA01e) 2 1.1.1.1

  The access-list says sheep that ALL traffic goes to the pool of the VPN to go UN-natted. So, when you try to access the public ip address via the tunnel VPN, the traffic the ASA, ASA then performs a search destination NAT and matches the nat command "nat (LUXCVGASA01i) 0 access-list sheep." If the ASA detects a destination NAT translation, it will bypass route search and uses the destination NAT translation to determine the output interface (in this scenario, the output interface is LUXCVGASA01i.

  So, to resolve this problem, change the acl sheep from "any to VPN_Pool 255.255.255.0" inside"to the network VPN_Pool 255.255.255.0.

  clear xlate and re-initialization of the tunnel, and this should solve the problem.

  Let me know if that answers your query.

  Kind regards

  Manisha masseur

• Tunnel VPN from Site to Site dynamic

  I spent the last 2 days, try to set up a dynamic tunnel VPN site to site of a Cisco 5510 to a Cisco SA540. The 540 is a dynamic supplier that can not be changed. There a dyndns account.

  I was lucky that the other 10 sites are all static and the ADSM Assistant creates these tunnels without problems.

  What I try to do is:

  Is it possible to do it VIA ADSM?

  If this isn't the case, someone please in detail can help with orders.

  Kind regards

  PP

  Hello Paul,

  This is possible thanks to the ASDM, but you do have to use some advanced settings:

  Configuration > VPN Site to Site > advanced > Tunnel groups

  It change the group called "DefaultL2LGroup" and add the brightness button before the SA540 (Note: all of your sites with dynamic IP addresses will have the same key communicated in advance, if you have IPSec VPN clients, it will be a good idea to use a different key).

  

  Click ok and then apply.

  Then go to Configuration > VPN Site to Site > advanced > Crypto Maps and add a new entry dynamic

  

  Make sure that you match the phase 2 are on your SA540 (pictured ESP-AES-128-SHA), select a dynamic strategy and make the last sequence number (65535) then ok, apply.

  Then go to Configuration > VPN Site to Site > advanced > IKE policies and make sure you have corresponding policies of the phase 1.

  

  If no corresponding policy is found, add them.

  Through CLI:

  IKEv1 crypto policy 1

  preshared authentication

  aes encryption

  sha hash

  Group 2

  Crypto-map dynamic outside_dyn_map 65535 set transform-set ESP-AES-128-SHA ikev1

  CARD crypto ipsec-isakmp 65535 dynamic outside_dyn_map

  IPSec-attributes tunnel-group DefaultL2LGroup

  IKEv1 pre-shared-key *.

  I hope this helps.

• IPSec vpn cisco asa and acs 5.1

  We have configured authentication ipsec vpn cisco asa acs 5.1:

  Here is the config in cisco vpn 5580:

  standard access list acltest allow 10.10.30.0 255.255.255.0

  RADIUS protocol AAA-server Gserver

  AAA-server host 10.1.8.10 Gserver (inside)

  Cisco key

  AAA-server host 10.1.8.11 Gserver (inside)

  Cisco key

  internal group gpTest strategy

  gpTest group policy attributes

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list acltest

  type tunnel-group test remote access

  tunnel-group test general attributes

  address localpool pool

  Group Policy - by default-gpTest

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  accounting-server-group Gserver

  IPSec-attributes of tunnel-group test

  pre-shared-key cisco123

  GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

  When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

  error:

  22040 wrong password or invalid shared secret

  (pls see picture to attach it)

  the system still works, but I don't know why, we get the error log.

  Thanks for any help you can provide!

  Duyen

  Hello Duyen,

  I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

  Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

  Please remove the authorization under the Tunnel of Group:

  No authorization-server-group Gserver

  Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

  Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

  I hope this helps.

  Kind regards.

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• How to determine the cause of the ipsec tunnel fall on ASA 5510

  Is there an easy way to determine the cause of tunnel VPN ipsec l2l fall on one asa 5510? I have enabled logging, but the buffer is full so fast, I can't find something when it is 24 hours later. I'm working on obtaining a server/aggregator syslog configuration but... until it is complete I need a temporary measure. Suggestions?

  Hi Jessica.

  For the buffering limit, you can try:

  Increase the maximum buffer size.

  limit the newspapers to the class of vpn:

  Buffered Debug class vpn connection.

  On the other hand, you can try him debugs:

  Debug crypto peer peer_address condition

  debugging cry isa 128

  debugging ipsec 128 cry

  If you lose the ssh session debugging is disabled.  Finally for the vpn tunnels usually it goes down due to:

  Idle time-out

  the dead peer detection

  remove it from the other end.

  HTH.