MS CA for VPN L2L ASA

What type of certificates should I be issuing for my ASA?

Right now I'm issuing IPSEC (offline) and I don't know if it's the right kind.

I have PKI working for mobile users, just not for L2L.

Yes,

Which can cause failure.

Put the command "ignore-ipsec-keyusage" under the CompanyTrustPoint.

That should solve it.

Tags: Cisco Security

Similar Questions

  • Packet-trace for vpn l2l

    Can anyone help with the packet-tracer command for an L2L IPsec VPN?

    On ASA (a):

    ciscoasa# packet-tracer input outside tcp 10.10.1.2 12345 192.168.1.2 80

    ASA (a)

    Inside IP address - 192.168.1.2

    Destination port 80

    ASA (b)

    Inside IP address - 10.10.1.2

    Source port 12345

    Hello

    So if your 'inside' host is 192.168.1.2 and the 'outside' host is 10.10.1.2, then you could just use the following:

    packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

    If the goal is just to test the VPN negotiation then the ports are not really important, but naturally the traffic tested with "packet-tracer" must be permitted by your "inside" interface ACL. The essential thing is that the source and destination addresses match the L2L VPN (crypto ACL) configuration.

    Generally you would use NAT0 for the local and remote networks, so NAT should not be a problem when testing from that direction. I suppose there might be rare situations where using the command in this direction is not possible.

    -Jouni

  • Policy NAT for VPN L2L

    Summary:

    We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one towards us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use a separate NAT with two private host addresses, one for each direction of the tunnel.

    With my initial configuration, the tunnel on my side came up for Phase 1, but not IPSec. The partner ran a debug which revealed that my host address was not being NAT'd by the policy NAT. We use an ASA5520, ver 7.0.

    Here is the config:

    ## List of OUR hosts
    object-group network OURHosts
    network-object host 192.168.x.y

    ## List of PARTNER hosts
    object-group network PARTNERHosts
    network-object host 10.2.a.b

    ### ACL for NAT
    # Many-to-many outgoing
    access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
    # One-to-many incoming
    access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## NAT
    nat (INSIDE) 2 access-list NAT2
    nat (OUTSIDE) 2 172.20.n.0
    nat (INSIDE) 3 access-list VIH3
    nat (OUTSIDE) 3 172.20.n.1

    ## ACL for VPN
    access-list VPN extended permit ip object-group PARTNERHosts object-group OURHosts
    access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## Tunnel
    tunnel-group type ipsec-l2l
    crypto map <#> match address VPN
    crypto map <#> set transform-set VPN
    crypto map <#> set peer

    I realize that the ACL for the VPN should read:

    access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
    access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

    ...if the NAT was working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translating.

    What am I missing to NAT the hosts to the 172.20 host addresses when trying to access their internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1. nat 0 access-list (NAT exempt)
    2. match the existing xlates
    3. match the static commands
       a. static NAT with no access list
       b. static PAT with no access list
    4. match the nat commands
       a. nat [id] access-list (first match)
       b. nat [id] [address] [mask] (best match)
          i. if the ID is 0, create an identity xlate
          ii. use global pool for dynamic NAT
          iii. use global pool for dynamic PAT

    So you can try:

    (1) a static NAT with an access list, which will take priority over the dynamic NAT statement

    (2) as you can see in 4a, it uses first match for NAT with an access list, so theoretically swapping them around should do the trick.

    Do I see any negative consequences? Well yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so definitely do this after hours.

    Jon

  • Design of VPN L2L ASA question

    We expect to have more than 10,000 remote VPN L2L clients.

    I see that each crypto map needs a 'set peer' statement, where the IP address is the address of the remote L2L VPN peer.

    EX:

    crypto map UNI-POP 3 set peer 172.23.0.3
    . . .
    crypto map UNI-POP 10000 set peer 172.26.0.250

    I already feel that this will be a VERY long config, maybe too big to save to or read from memory.

    Would anyone have a better approach?

    Thank you

    Frank

    Frank,

    If the remote end will run only from time to time, you should not have set peer statements, and normally it would suffice to have a dynamic crypto map.

    If the remote ends do not support certificates, it is possible to land on the default L2L tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group

    tunnel-group DefaultL2LGroup type ipsec-l2l

    tunnel-group DefaultL2LGroup general-attributes

    (...)

    You need to test yourself to see if it will work.

    I also agree in terms of more than one firewall. Two devices in load balancing or, if possible, 2 pairs of devices in failover could be a great way to have a decent load per box and equipment redundancy (ideal circumstances ;]). I suggest you ping your system engineer for any deployment involving 5585; those guys can usually give good advice (and discounts ;]).

    Marcin

  • Dynamic IP address of the remote VPN L2L ASA sites

    Hello

    I have a client who is changing their backup links from ADSL to 4G LTE using Cisco 819s.

    Unfortunately, the ISP's 4G access will have dynamic IP addressing. Online, I see configurations for a single remote site with a dynamic IP address talking to an ASA, but I can't find anything on several L2L sites connecting to the ASA with dynamic addressing.

    Can anyone help with configuration examples?

    Regards

    Richard

    Hi Richard,

    In the next few days I will also write a blog post about triple WAN recovery using this configuration.

    Michael

  • VPN L2L ASA with NAT

    Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "not nat", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.

    http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

    Thank you.

    Mike

    It's not very complicated, just keep in mind that NAT is done before the encryption.

    So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:

    static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0

    You can use the translated address in your crypto ACL:

    access-list REMOTE-VPN permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0

    I suppose that you run ASA v8.3 + that you referred to an older document. If you have a more recent software, the logic is the same but the NAT commands differ.


  • Migrating VPN 3000 Concentrator L2L VPNs to ASA

    Hello

    We are migrating 450 LAN-to-LAN VPNs from a VPN concentrator to an ASA5500. Is there a reasonable way to do it? If I remember correctly, the configuration file for the VPN concentrator is in XML and it is not trivial even to read the config for each VPN. If it took, say, 15 minutes per VPN, that is estimated at about three weeks of one man's work!

    Patrick,

    I hope the post below helps.

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=security&TopicId=.ee6b2b8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

    Kind regards

    Arul

    * Please rate all useful posts *

  • ASA 8.4. (1) VPN L2L can only be established through default gateway

    Hi all!

    We have an ASA 5510 with two internet connections: one dedicated to L2L VPN and the other for general user internet access.

    On ASA 8.04, I configured the crypto map on the interface "VPNAccess" and a static route to the remote L2L peer via the VPN internet access; the default route pointed to the general internet router.

    We bought a new firewall with 8.4.1, and now the ASA only tries to bring up the tunnel if the remote peer's traffic goes via the default gateway.

    It does not take more specific routes (I mean longer masks) into account and always tries to use the default gateway, but only for VPN; if I do a traceroute to that peer, it uses the routing table correctly.

    Any advice?

    Thank you!

    Well well, (any, any) certainly does not help.

    You need to be more specific; otherwise, once again, as suggested earlier, it does not know which interface to use because you haven't specified it.

    In addition, you must also be precise with the source and destination networks. Otherwise, the firewall will not know which interface the subnet should be connected to.

    The more specific the NAT statement, the better.

    NAT (, PublicTESAVPNBackup) source static static destination

  • VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

    Hello

    I'm a little confused as to what the problem is. This is the background to the problem I'm facing.

    One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year, we configured a LAN-to-LAN VPN to a 3rd party site (a Checkpoint device on their end). It worked until early this week, when connection problems suddenly started.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configurations are correct (and from the information they sent me, they seem to be correct).

    So essentially the encryption domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network to the remote site 10.82.0.200/30 worked. All other connections do not work.

    There has been no change made on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been up for the same time (about a year).

    The main problem is that users on the 10.231.191.0/24 network can't access the remote network. However, the remote users can initiate and bring up the VPN from their side, but they don't get any return traffic. I've also checked that the routes are configured correctly on the core routers, so return traffic for their connections should go back to the firewall.

    I also used "packet-tracer" to try bringing up the VPN tunnel (and it passes the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should activate the VPN connection (even though it does not generate any actual traffic to the tunnel).

    This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
    match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    NAT exempt
    translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT of the problem network to another interface. Don't know why it shows in the output.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
    match ip inside 10.231.0.0 255.255.0.0 interface3 any
    static translation to 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT configuration for the local network when traffic is headed to the Internet.

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
    match ip inside 10.231.191.0 255.255.255.0 outside any
    dynamic translation to pool 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So, basically, the connection should properly go to the L2L VPN connection, but it does not. I tried generating basic client traffic (with the source IP address from the client network) and I can see the connection on the firewall, but there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the external interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any return traffic to their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see the connections coming from the core router to the firewall; they just don't get passed on to the VPN connection.

    Could this be due to a bug in the ASA software? Could this be something with the Checkpoint VPN device? (I have absolutely no experience with Checkpoint devices)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin

  • ASA 8.4(1) L2L vpn-filter problem when specifying the protocol and port

    Hi all - I've spent many hours trying to diagnose this and have read several discussions and the Cisco docs, unsuccessfully...

    Situation: two sites running Cisco ASA 5520 on 8.4(1) with L2L IPsec over the public internet between them. The IPsec configuration and associated routing work as they should, and we are able to pass traffic between the private networks behind each device as expected. The problem occurs when we try to restrict sessions using a vpn-filter group policy configuration.

    Each site has 3 private subnets that are able to communicate correctly without the vpn-filter configuration. We want to restrict access to specific protocols, hosts, and ports between each network.

    SITE A: 10.10.0.0/18, 10.10.64.0/18, 10.10.128.0/18

    SITE B: 10.20.0.0/18, 10.20.64.0/18, 10.20.128.0/18

    When we apply a vpn-filter configuration which restricts access to only two hosts, as follows...

    SITE A: access-list vpn_acl_x_x_x_x extended permit ip host 10.20.0.1 host 10.10.0.1

    SITE B: access-list vpn_acl_x_x_x_x extended permit ip host 10.10.0.1 host 10.20.0.1

    ... the configuration works correctly. However, when we try to lock the configuration down further and specify the protocols and ports, as follows...

    SITE A: access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

    SITE B: access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    ... and then try to establish an SSH connection between 10.10.0.1 and 10.20.0.1 or vice versa, the packet is dropped on the SOURCE side...

    Mar 22 11:58:01 x.x.x.x Mar 22 2011 14:34:56: %ASA-4-106103: access-list vpn_acl_x_x_x_x denied tcp for user "" inside-data/10.10.0.1(59112) -> outside-iptrans/10.20.0.1(22) hit-cnt 1 first hit [0xd8d1c1b4, 0x0]

    I would really appreciate it if someone could shed some light on what is wrong with this Setup.

    SOLUTION

    The ACE must be implemented on both the source and the destination end of the tunnel to facilitate this configuration.

    EXAMPLE 1: allow SSH two-way communication between hosts on each network (SITE A can connect to SITE B, SITE B can connect to SITE A)...

    SITE A:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1

    SITE B:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1

    EXAMPLE 2: allow one-way SSH communication between hosts on each network (SITE A can connect to SITE B, SITE B is unable to connect to SITE A)...

    SITE A:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1

    SITE B:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    Very good, and thank you for this post. Please kindly mark the message as answered so that others may learn from your post. I think that you have started a very good discussion on vpn-filter for L2L tunnels.

  • l2l ASA vpn issues

    Hi all

    I have two firewalls that I'm trying to set up an L2L VPN between. One of them is an old SonicWALL and the other a 5505.

    I put it all in, phase 1/2 completes and the tunnel comes up, however no traffic passes through.

    Here is my configuration

    ASA (outside 192.168.30.1) ASA internal 192.168.10.0/25

    SonicWALL (outside 192.168.30.2) SonicWALL internal 192.168.20.0/24

    I have an access list that is configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY

    However, when I watch the debugging on the console it says: "Failed to locate egress interface for UDP from XXXX:192.168.10.10/1 to 192.178.20.1/0".

    Any ideas why this is?

    Do I just need a static route to say all traffic on the ASA with source 192... 10.0 should go through 192.168.30.2?

    I guess that's the job of the crypto map

    Am I wrong?

    Hello

    It begins to seem to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same thing, which means you use a single ACL for both.

    Why I think so is the fact that you say your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN-USER phase. That points to a VPN filter ACL being configured.

    Given the above, I also know that the filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In the L2L VPN filter ACL you ALWAYS mention the remote network as the source and your local network as the destination.

    If you add an ACL rule with the networks in switched order, it seems this would fix the VPN filter ACL problem and finally allow the traffic. Naturally I can only guess, as I haven't seen actual configurations at this point (which, usually along with "packet-tracer" output, help to solve a problem faster than just guessing).

    If you indeed have a VPN filter, you may be able to track it down with the following commands

    show run tunnel-group

    Check if a "group-policy" is defined, then use the command

    show run group-policy

    This output should list the name of the VPN filter ACL if it's set

    Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.

    The ASA tracks TCP and UDP connections by default. ICMP is inspected only if it is enabled. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni
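The vpn-filter rule described in this reply and in the vpn-filter thread above (the first address of each ACE is always the remote side, the second always the local side, whichever way the packet travels), as an added Python sketch that is not code from the original posts or from Cisco. It models only the first packet of a TCP session with `host` endpoints; `Ace`, `parse_ace`, `filter_permits` and `session_allowed` are hypothetical names, and the ACE strings are the ones posted in the vpn-filter thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port) as seen on the wire


@dataclass(frozen=True)
class Ace:
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    remote_ip: str              # first address in the ACE: always the REMOTE side
    remote_port: Optional[int]  # None means any port
    local_ip: str               # second address in the ACE: always the LOCAL side
    local_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit PROTO host A [eq P] host B [eq P]'."""
    tok = line.split()
    i = tok.index("permit") + 1
    proto = tok[i]
    i += 1
    ends = []
    for _ in range(2):
        if tok[i] != "host":
            raise ValueError("only 'host A.B.C.D' endpoints are modelled here")
        ip, port = tok[i + 1], None
        i += 2
        if i < len(tok) and tok[i] == "eq":
            port = int(tok[i + 1])
            i += 2
        ends.append((ip, port))
    (r_ip, r_port), (l_ip, l_port) = ends
    return Ace(proto, r_ip, r_port, l_ip, l_port)


def filter_permits(acl: List[Ace], proto: str, src: Endpoint, dst: Endpoint,
                   outbound: bool) -> bool:
    """Check the first packet of a session against a vpn-filter ACL.

    For a packet leaving the local site (outbound=True) the wire destination
    is the remote side, so it is compared with the FIRST address of the ACE.
    """
    remote, local = (dst, src) if outbound else (src, dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if (ace.remote_ip == remote[0] and ace.remote_port in (None, remote[1])
                and ace.local_ip == local[0] and ace.local_port in (None, local[1])):
            return True
    return False  # implicit deny at the end of the ACL


def session_allowed(initiator_acl: List[Ace], responder_acl: List[Ace],
                    proto: str, src: Endpoint, dst: Endpoint) -> bool:
    """The initiator's ASA filters the packet outbound, the responder's inbound."""
    return (filter_permits(initiator_acl, proto, src, dst, outbound=True)
            and filter_permits(responder_acl, proto, src, dst, outbound=False))


def acl(*lines: str) -> List[Ace]:
    return [parse_ace(l) for l in lines]


# ACEs as posted in the vpn-filter thread.
FAILING_A = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22")
FAILING_B = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22")
EX1_A = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22",
            "access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1")
EX1_B = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22",
            "access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1")
EX2_A = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1")
EX2_B = acl("access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22")

# Constructed sample sessions; 59112 is the source port from the posted syslog
# line, 40000 is an arbitrary ephemeral port.
A_TO_B = (("10.10.0.1", 59112), ("10.20.0.1", 22))
B_TO_A = (("10.20.0.1", 40000), ("10.10.0.1", 22))

if __name__ == "__main__":
    print("failing config, A->B:", session_allowed(FAILING_A, FAILING_B, "tcp", *A_TO_B))
    print("example 1, A->B:", session_allowed(EX1_A, EX1_B, "tcp", *A_TO_B))
    print("example 1, B->A:", session_allowed(EX1_B, EX1_A, "tcp", *B_TO_A))
    print("example 2, A->B:", session_allowed(EX2_A, EX2_B, "tcp", *A_TO_B))
    print("example 2, B->A:", session_allowed(EX2_B, EX2_A, "tcp", *B_TO_A))
```

With the failing configuration the outbound check at SITE A is the one that denies the packet, which matches the 106103 message logged on the source side.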

  • ASA - several IPs for VPN

    I'm setting up AnyConnect to replace our Cisco IPsec VPN clients, since it is end of life. Part of the process is to get an SSL certificate and an FQDN to use for this. I've got that and it is applied to the ASA just fine. Now we don't get those warnings about it not being secure and such.

    The problem is that we use a non-standard port for the SSL VPN, since 443 is already forwarded to an internal device. I have unused public addresses on the external interface of the ASA, but I don't know how I could use them. I would like to have a different IP address for SSL VPN, so I don't have to mess with the port forward that is currently in place. I read about proxy ARP, but that looks like it could be a problem. I could have someone connect another cable to a different interface on the ASA (5512-X) and assign that interface the static IP I want for the VPN, but I'm not sure it will work well. We have site-to-site VPN connections in place as well. Can I have the ASA listening on two different interfaces at the same time?

    Recap:

    IP 1 - primary NAT address; site-to-site tunnels terminate here, some Cisco IPsec VPN clients terminate here

    IP 2 - want to have all AnyConnect clients connect here, to migrate all legacy Cisco IPsec clients until they are all on AnyConnect.

    The key is that I cannot stop listening on IP 1 for site-to-site connections.

    Thoughts?

    Thank you!

    On the ASA, you cannot use additional IPs for VPN.

    If tcp/443 is already used for an external server, then I would reconfigure the DNS entry for it to use the second IP address, which is then forwarded to the internal server. You can then use the interface IP of the ASA for AnyConnect.

  • Certificates for IPSEC vpn in ASA 8.0 clients

    Hello!

    I have configured an MS CA, and I have set up the VPN client and ASA 7.0 to build the tunnel with certificates.

    The same configuration does not work with ASA 8.0. I get the error

    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
    b8 74 97 f3 bf 25 1c e5 2e e5 21 3e d1 93 15 d6 | .t...%....!>....
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: Found a suitable authenticated trustpoint A1.
    CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
    (40)
    CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
    ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=XX
    CRYPTO_PKI: Certificate not validated

    Why is the key usage invalid? Which certificate template must be used on the MS CA in order to get a valid key usage?

    The CA enrollment is via terminal.

    Thank you!

    The cert needs to have the Digital Signature key usage defined.

    Don't know what templates are available on MS, but it should be something like "User Ipsec" I guess.

    To make ASA 8 behave like ASA 7 (i.e. disable the check on the cert's key usage), configure:

    crypto ca trustpoint
    ignore-ipsec-keyusage

  • Cannot ping ASA inside IP from the remote site over L2L VPN

    The L2L VPN is established OK between ASA-1/ASA-2:

    ASA-2# show crypto isakmp sa

    IKEv1 SAs:
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 207.140.28.102
    Type: L2L Role: responder
    Rekey: no State: MM_ACTIVE

    There are no IKEv2 SAs

    QUESTION: From 3750-2, pinging 3750-1 (10.10.2.253) is OK, but pinging the ASA-1 inside port (10.10.2.254) is not.

    ASA-1 debug icmp data:

    ASA-1# debug icmp trace
    debug icmp trace enabled at level 1
    ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=0 len=72
    ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72
    ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=1 len=72
    ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72
    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72
    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72
    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72

    Make sure you have "management-access inside" configured.

    Let me know if this helps.

  • VPN l2l failed inside on ASA 5520 (8.02)

    The L2L VPN is dropping packets at Phase 5 because of a configured rule. I have an isakmp sa, but the client cannot connect to the destination here in my network. I'll post my access-list config below the packet-tracer output.

    vpnASA01# packet-tracer input inside icmp [10.0.0.243] 0 8 10.97.29.73 det

    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xc92087c8, priority=12, domain=capture, deny=false
    hits=85188209121, user_data=0xc916a478, cs_id=0x0, l3_type=0x0
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xc87f1f98, priority=1, domain=permit, deny=false
    hits=85193048387, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 3
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.0.0.0 255.0.0.0 inside

    Phase: 5
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0xc87f3670, priority=111, domain=permit, deny=true
    hits=67416, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    = ACCESS-LIST + Config =

    object-group network L2LVPN-blah_local
    network-object 10.97.29.73 255.255.255.255
    object-group network L2LVPN-blah_remote
    network-object [10.0.0.240] 255.255.255.240

    access-list INBOUND_OUTSIDE extended permit ip object-group L2LVPN-blah_remote object-group L2LVPN-blah_local

    access-list L2LVPN-blah_obj extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote

    access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240

    route outside [10.0.0.240] 255.255.255.240 [10.97.29.1] 1

    crypto map outside-VPN 46 match address L2LVPN-blah_obj
    crypto map outside-VPN 46 set peer [10.0.0.243]
    crypto map outside-VPN 46 set transform-set esp-sha-aes-256
    crypto map outside-VPN interface outside

    tunnel-group [10.0.0.243] type ipsec-l2l
    tunnel-group [10.0.0.243] ipsec-attributes
    pre-shared-key *

    [10.0.0.1] is used to protect the clients' global addresses. Assume that these are used in place of the actual IP range. 10.0.0.240/28

    ===========================================

    Thanks in advance.

    Michael Garcia

    Profit Systems, Inc.

    Hi Michael,

    - Is the peer IP really part of the network that makes up the encryption domain?

    - Is the ACL INBOUND_OUTSIDE applied inbound on the inside or the outside interface? In its current form, it would need to be on the outside interface.

    - You specify only the peer IP in the ACL SHEEP, so all other traffic would be NATed and eventually denied because it does not match the encryption domain.

    Someone else may have a few ideas, but these are questions I have for the moment.

    James
