ms-chap VPN question
Hello
I was just curious. Given an ASA configured with the typical parameters of phases 1 and 2 ike, if I understand ppp-attribute with ms-chap authentication, when the xp client connects what it means that ms-chap uses the pre-shared key configured on the xp client and that 3des which was originally set on the policy of isakmp on the SAA is not used? Or not the phases of set 1 and 2 complete ike, and then in the tunnel, the xp client sends the name of user and password with ms-chap?
Sorry me doing a little confused here comes the phase name of user and password.
Thanks in advance.
Since you speak of PPP with ms-chap as the authentication, I assume that you speak about L2TP over IPSec.
With the phase 1 and phase 2 that speaks to you, is that the IPSec part.
The PPP with ms-chap as the authentication is the part of L2TP.
So first, you will create a VPN IPSec tunnel, and once you have the established tunnel, the L2TP will be encrypted in the IPSec tunnel.
So, the part of ms-chap belongs to the L2TP authentication.
3DES is the method of encryption IPSec and pre-shared key is used by the IPSec as a method of authentication for the authentication of the peer.
Finally, user name and password is extended to the IPSec authentication and is part of the phase 1.
I hope this helps.
Tags: Cisco Security
Similar Questions
-
Hi, I use the windows Server 2003 and. When I access my server at home I connect the VPN but I not have access to the shared private folder when I try to open the system crashes but the other file I can open without blocking. Please help me solve this problem...
Hi Patchamuthu,
Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for support on Windows server. Please post your question in the below link:http://social.technet.microsoft.com/Forums/en/itproxpsp/threads
With regard to:
Samhrutha G S - Microsoft technical support.
Visit our Microsoft answers feedback Forum and let us know what you think.
-
I have two questions that regarding ACL is used in the instructions on the Card Crypto:
1. the two devices VPN should have the same ACE in the ACL? I know that without the second ACE site B below will not see as interesting udp traffic, but the will of the vpn tunnel fails because the ACL is not the same ACE?
That is to say...
Site has
Access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Site B
Access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
2. once a tunnel is established it will send ANY/ALL traffic destined to the remote network through this tunnel. If the first ACE in the ACL 110 to Site A list is used to bring up the tunnel, only tcp from to 10.0.2.0/24 10.0.1.0/24 traffic will use the tunnel or all traffic from 10.0.1.0/24 intended for the remote network to cross the tunnel?
I guess my thought is this. The ACL is only used to determine valuable traffic and once the tunnel is up it is a free for all. Or the ACL only allows traffic that meets the criteria specified in the ACL list to flow once the tunnel is established?
Thank you
Brian
Brian,
Your statement
'Or the ACL allows only traffic that meets the criteria specified in the ACL list to flow after the tunnel is established'
Is correct, only the traffic that meets the ACL crypto will go through the vpn tunnel and all other traffic will be denied. If you need UDP traffic to travel through the tunnel, you need crypto ACL on both sides and not only on one side, that is, SITE A.
Hope this helps,
Jay
-
I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.
Following configuration:
: Saved
:
ASA Version 8.2 (5)
!
asa5505 hostname
domain BLA
activate the password * encrypted
passwd * encrypted
no names!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 150
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.7.30.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP EXTERNAL IP 255.255.255.128
!
interface Vlan150
nameif WLAN_GUESTS
security-level 50
IP 10.7.150.1 255.255.255.0
!
boot system Disk0: / asa825 - k8.bin
config to boot Disk0: / running-config
passive FTP mode
clock timezone STD - 7
DNS server-group DefaultDNS
domain BLA
permit same-security-traffic intra-interface
object-group service tcp Webaccess
port-object eq www
EQ object of the https port
object-group network McAfee
network-object 208.65.144.0 255.255.248.0
network-object 208.81.64.0 255.255.248.0
access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
outside_access_in list extended access permit ip host 159.87.64.30 all
standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
IPS_TRAFFIC of access allowed any ip an extended list
access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside the 10.7.30.37
Debugging trace record
Within 1500 MTU
Outside 1500 MTU
MTU 1500 WLAN_GUESTS
local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-645 - 206.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access outside_nat0_outbound
NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
Access-group inside_access_in in interface inside the control plan
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server ADWM-FPS-02 nt Protocol
AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
Timeout 5
auth-domain NT ADWM-FPS-02 controller
AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
auth-DC NT ADWM-DC02
AAA authentication http LOCAL console
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 206.169.55.66 255.255.255.255 outside
http 206.169.50.171 255.255.255.255 outside
http 10.7.30.0 255.255.255.0 inside
http 206.169.51.32 255.255.255.240 outside
http 159.87.35.84 255.255.255.255 outside
SNMP-server host within the 10.7.30.37 community * version 2 c
location of the SNMP server *.
contact SNMP Server
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 206.169.55.66
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_cryptomap
peer set card crypto outside_map 2 159.87.64.30
card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ca trustpoint *.
Terminal registration
full domain name *.
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint A1
Terminal registration
fqdn ***************
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint INTERMEDIARY
Terminal registration
no client-type
Configure CRL
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
Configure CRL
ca encryption certificate chain *.
certificate ca 0301
BUNCH OF STUFF
quit smoking
A1 crypto ca certificate chain
OTHER LOTS of certificate
quit smoking
encryption ca INTERMEDIATE certificate chain
YET ANOTHER certificate
quit smoking
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca LAST BOUQUET
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.7.30.0 255.255.255.0 inside
Telnet timeout 30
SSH 206.169.55.66 255.255.255.255 outsideSSH timeout 5
Console timeout 0
management-access inside
dhcpd 4.2.2.2 dns 8.8.8.8
!
dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
enable WLAN_GUESTS dhcpd
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4 - md5 of sha1
SSL-trust A1 out point
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal VPNUsers group strategy
Group Policy VPNUsers attributes
value of server DNS 10.7.30.20
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_users_splitTunnelAcl
dwm2000.WM.State.AZ.us value by default-field
Split-dns value dwm2000.wm.state.az.us
username HCadmin password * encrypted privilege 15
attributes global-tunnel-group DefaultWEBVPNGroup
address VPN_POOL pool
authentication-server-group ADWM-FPS-02
strategy - by default-VPNUsers group
tunnel-group 206.169.55.66 type ipsec-l2l
IPSec-attributes tunnel-group 206.169.55.66
pre-shared key *.
tunnel-group 159.87.64.30 type ipsec-l2l
IPSec-attributes tunnel-group 159.87.64.30
pre-shared key *.
!
class-map IPS_TRAFFIC
corresponds to the IPS_TRAFFIC access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
Review the ip options
class IPS_TRAFFIC
IPS inline help
!
global service-policy global_policy
field of context fast hostname
anonymous reporting remote call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e70de424cf976e0a62b5668dc2284587
: end
ASDM image disk0: / asdm-645 - 206.bin
ASDM location 159.87.70.66 255.255.255.255 inside
ASDM location 208.65.144.0 255.255.248.0 inside
ASDM location 208.81.64.0 255.255.248.0 inside
ASDM location 172.16.10.0 255.255.255.0 inside
ASDM location 159.87.64.30 255.255.255.255 inside
don't allow no asdm historyAnyone have any ideas?
Hello
Please, add this line in your configuration and let me know if it works:
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0
I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.
Let me know if it helps.
Thank you
Vishnu
-
VPN question: ISP assigned a private ip address
Hi all
Internet-online-online headquarters VPN 3015 concentrator
Users remote VPN Client connected to the internet using a private ip address provided by the ISP (cable) is to establish a VPN tunnel, but they can not ping our private network.
The only way to get the VPN works is when remote users use a public ip.
It is a question of Cisco VPN Client? Or it has a solution...
Thanks in advance,
Kind regards
Carlos Welhous
Network engineer
Hi Carlos,
If your ISP gave you a private address, they must use NAT - in which case you will have to enable NAT - T on the VPN concentrator.
To configure the NAT - T in the world, go to Configuration | System | Tunnelling protocols. IPSec | Screen of transparent NAT and check on NAT - T IPSec case.
-
VPN - question of General design for a ut of a router tunnel more
Hello
We have a router that has VPN connections with different partners of our company. VPN remote access were used on computers that are connecting to the different partners of our company.
There has been problems of this kind, that is to say put on both a watchdog and a customer vpn cisco router led to blue-screens on the PC.
The current idea is to put different tunnels from site to site on the router (default gateway of PC clients that connect to the partners). My question is... How our PC to get DHCP addresses on networks of visitors, once the tunnels are up? I guess I'm alittle confused about the address for the PC on our side how will work.
Thanks for your help.
Divide the pool of ip from the internal network, you're going to visit. for example the document below will be exaplain the same configuration in user mode.
-
Try to find what happened. I had the remote end raise the tunnel, as they can ping resources on my side. I am unable to ping 10.90.238.148 through this tunnel. I used to be able to until the interface of K_Inc has been added. The network behind this interface is 10/8.
I asked a question earlier in another post and advises him to play opposite road of Cryptography. And who did it. I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.
I am at a loss to why I can't all of a sudden. A bit of history, given routes have not changed. By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route. The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0. None of the nats have changed so if adding the reverse route worked for a day, it should still work. Any thoughts?
interface GigabitEthernet0/3.10
VLAN 10
nameif K_Inc
security-level 100
IP address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
VLAN 141
cold nameif
security-level 100
IP 192.168.141.254 255.255.255.0
(Cold) NAT 0 access-list sheep
NAT (cold) 1 192.168.141.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0
Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0
IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0
static 10.40.27.0 (cold, outside) - CSVPNNAT access list
card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE
card crypto Outside_map 5 the value reverse-road
card crypto Outside_map 5 set pfs
card crypto Outside_map 5 set peer 20.x.x.3
Outside_map 5 transform-set ESP-3DES-MD5 crypto card game
card crypto Outside_map 5 defined security-association life seconds 28800
card crypto Outside_map 5 set security-association kilobytes of life 4608000
tunnel-group 20.x.x.3 type ipsec-l2l
20.x.x.3 Group of tunnel ipsec-attributes
pre-shared-key *.
Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1
Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1
Tunnel is up:
14 peer IKE: 20.x.x.243
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
EDIT:
I just noticed when tracer packet i run I don't get a phase VPN or encrypt:
Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det
Phase: 1
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.90.238.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true
hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false
hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 5
Type: FOVER
Subtype: Eve-updated
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xad090180, priority = 20, area = read, deny = false
hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
match ip host 192.168.141.10 ColdSpring outside of any
static translation at 74.x.x.50
translate_hits = 610710, untranslate_hits = 188039
Additional information:
Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255
Direct flow from returns search rule:
ID = 0xac541e50, priority = 5, area = nat, deny = false
hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all
static translation at 192.168.141.0
translate_hits = 4194, untranslate_hits = 20032
Additional information:
Direct flow from returns search rule:
ID = 0xace2c1a0, priority = 5, area = host, deny = false
hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true
hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false
hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 339487904 id, package sent to the next module
Information module for forward flow...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Information for reverse flow...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 11
Type:-ROUTE SEARCH
Subtype: output and contiguity
Result: ALLOW
Config:
Additional information:
found 7.x.x.1 of next hop using ifc of evacuation outside
contiguity Active
0007.B400.1402 address of stretch following mac typo 51982146
Result:
input interface: cold
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
What version are you running to ASA?
My guess is that your two static NAT is configured above policy nat you have configured for the VPN? If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.
--
Please note all useful posts
-
All, I have an IPhone and I'm VPN'ing in a SAA with IOS 8.2.2. I do not have vpn'ing of issues, but I have a question that is causing quite a stir here. When I try to use names rather than IP addresses (trying to access a server or an internal Web site), the client does not receive DNS answers. I can get to the servers via IP, but not by the name of the server. I can use the same PCF file for my laptop, and it works fine. Someone at - it a resolution to this scenario? Any help appreciated.
Add the domain name in the attributes of Group Policy: -.
value by default-domain MYDOMAIN.COM
Manish
-
Access remote VPN question - hairpin
Hello, I did a search before posting this question but I have not found anything specific to my situation.
We have our ASA5520 configured in our main office to allow remote access Cisco VPN client users to access our network. We have a (network 192.168.1.0/24) remote desktop we have a configured on the same ASA5520 VPN IPSec tunnel that allows the use of internal users (in the main office) to access resources on the network remote (192.168.1.0) and vice versa. The problem is that when users connect to the remote VPN access, they are not able to access the resources of the remote office network. We created the nat0 ACL and labour, and split tunnel routing is implemented for users VPN remote network access (if I make a copy of the route on my laptop after connecting to the VPN, I see the road to 192.168.0.0/24 in my routing table). Routing everything is in place to do this, since the IPSec VPN tunnel is up and working. My suspicion is that the question has something to do with the consolidation of these VPN clients.
What else needs to be configured to work? Thank you.
Hi Scott,.
I have a client with a PIX 515E which allows connections to remote VPN and VPN LAN2LAN multiple connections.
We had this problem too... so what I made in my pix was:
TEST (config) # same-security-traffic intra-interface permits (its off by default)
If you use ASDM go to:
Configuration > Interfaces >
at the bottom of this page, there is an option that says: 'enable traffic between two or more host computers connected to the same interface '.
Check and it should work... I hope
I await your comments...
Kind regards.
Joao Tendeiro
-
ASA (Active standby) site-to-Site VPN Question
Hello
I had the question as below
Site A - 1 unit of VPN Netscreen firewall
Site B - 2 units of ASA VPN firewall
I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.
Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.
but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here
Things that confuse me.
(1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)
(2) link failover and dynamic failover can be configured on the same interface?
Please help in this case, configuring VPN from Site to Site with active configuration / standby.
just to add to this,
just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th
so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected
You can read more here
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759
-
Gateway RV320 ping RV320 VPN question
Hi all
I have 3 x RV320 with the latest firmware to all configure to use VPN from gateway to gateway in a configuration of spokes and hub.
On all RV320, I can see the connected state of the VPN tunnels. However, I can't do a ping to gateway to gateway or computer connected to each RV320. Firewall has been disabled on all RV320.
Any help will be appreciated.
concerning
J
Try the ping of the diagnosis of each rv320 page. Recreational vehicles cannot ping between them? If so, your tunnel is up, but something wrong with the subnet configs.
-
How would restrict a VPN user to specific IP addresses on the local network. I want them to be able to get to specific devices on the local network, but not all of the devices. I'm leaning towards ACL but do not know if this is the best way, and if it is how to create them. I am using a concentrator 3005.
Thanks in advance
Ron...
Hi Ron
Yes you can set up filters (ACL) 3005 concentrator.
Please see the link for more information:
http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a0080094eac.shtml
Concerning
-
Dear,
I have configured anyconnect on my asa and it works fine, but I can't manage the ASA it free VPN, all ideas session
BR
Hazem
It is possible with the help of the command "access management". Please refer to the following documentation: -.
Make sure you have good split tunnel and free of nat-access list for traffic destined for the interface of the ASA.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Multi frame ASA SSL VPN Question
Hello
We have a pair of firewalls, we do multiple contexts on clients. We have recently updated their and have been using the newly Anyconnect customer support. This all works fine but I feel I'm missing something. If the customer does not have the anyconnect client already how do get? Normally, you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in context mode Multiple." which is good, but how is the customer supposed to to get the customer in the first place?
Any information would be helpful.
Chris L.
Hi Chris,
The AnyConnect WebLaunch feature is not supported in ASA running on multi-contexte mode.
There is a demand of improvement that has been opened to allow this as other characteristics while ASA in multi mode context. Here is the link, you can refer:
https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hello
I created a vpn between two routers in two different sites. The VPN works well, but I noticed something that I can ping from peer1 at peer2 however the tunnel although the ACL of the interesting traffic allows no icmp between two counterparts, it is configured as follows:
access-list 120 allow ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 allow ip 1.1.1.1 host 2.2.2.2
No icmp is allowed, but the icmp traffic is encapsulated, encrypted, and through the tunnel, why?
Hello moahmed1981,
When you configure access-list for IPs, so it includes ICMP, TCP, and UDP, therefore, it is expected that you will be able to ping across the tunnel.
If you want to change this, please configure the VPN filter to prevent the ping to the vpn tunnel.
Here's a doc for your reference:-
https://popravak.WordPress.com/2011/11/07/Cisco-IOS-VPN-filter/Kind regards
Dinesh MoudgilPS Please rate helpful messages.
Maybe you are looking for
-
Why my iMac is slowing down? I don't want to download any software that is not without danger. I am looking for a download free and safe to use, you know what? Who will help me to solve my problem. I have also a long start of closing down for the n
-
-Compaq Mini C110, cnu9300dcp, model 110 c - 1010sa
help please Compaq Mini c110, cnu9300dcp, model 110 c - 1010sa Enter the current password...
-
I got the license serial number Acrobat Professional DC2015. I enter the Adobe ID to register the product, but it says invalid. How to activate it?
-
Treo 650 Z and keys are switched
Hi all Has recently had problems with my Treo 650 for several years. Verizon has sent a replacement 650. One of the issues of the old Treo remains. It seems that the keys Z and Y on the keyboard are switched, i.e. Z type a Y and Y Z of type. How can
-
Crash 10.8.5 and 10.9.5 on Vmware fusion 7 pro, do not know what causes this!
HelloI use Vmware with jenkins/Sikuli to automate a large number of tests for our platform.I get spontaneous reboots of the operating system 10.8 and 10.9 running in Vmware.Never seen on the physical testservers.logs attached.Anyone see the guilty?