Multiple IPSec Tunnels, even peer
Hi all
I need to know if it's possible with Cisco technology to create several PKI IPsec tunnels with the same peer and the same subnet of destination in phase2.
Thank you
Brigitta
The server reports that, or the firewall?
If this is the firewall, make sure that you have a nat rule saying not NAT traffic firewall 'interesting' via the VPN.
Tags: Cisco Security
Similar Questions
-
Multiple IPSec tunnels between two international research reports
Hello, I have a no. 2851 to HQ and 2821 2nd site. Using IPSec VPN to connect two LANs and it works very well. Now, I want to connect another local network on each site through the same VPN. I want to separate the traffic between the LANs. Is this possible?
You cannot use another crypto card if you must use the same IP for the peers you.
If you have other addresses ip at each end to close the tunnel, you can use another crypto card.
If the answer is no, then you can manipulate you acl of the traffic of interest to decide which lan can reach for witch lan.
-
Resolution in real-time for IPSec Tunnel peer
Hello
There is a document on Cisco's Web site
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gtrlres.html
explaining that when setting up a card encryption static and peer instead of the IP address peer, we can specify following domain COMPLETE with "dynamic" command name I tried this option and no luck. My VPN end point (routers 2611XM and 831) solve another name with a DNS server, but when it starts to lap crypto maps to interfaces I get the following error message:
ISAKMP: reminder: no SA is for 0.0.0.0/0.0.0.0 [vrf 0]
Virtually no SAs are set up and malfunctioning coming IPSec tunnel.
Everyone tried and had the same problem? I would appreciate your help on this.
Thank you
Remi
What authentication method you use? If you use "pre-shared" you can't always use not "cry isa key... name...". "even if the DNS resolves this IP. It is a feature of the IKE Messrs. use so, CERT.
-
force the IPSec tunnel to stay in place even if no traffic
Hello
We had exactly the same problem, as already described here;
https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...
We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.
Concerning
Nothing new was built in the SAA to take account of this requirement.
I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.
-
IPSEC tunnels does not connect
Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.
IKE Phase 1 even not connect.
I'm debugging, but I don't know what could be the error.
-----------------------------------------------------------------------------
= ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958), : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
qHello
It seems that the tunnel is blocked to MSG_2.
You can check if the UDP 500 traffic is not blocked between peers?
Please check with your provider.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers
Hello world
I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).
I created a tunnel interfaces on both routers as follows.
2620XM
interface Tunnel0
IP 10.1.5.2 255.255.255.252
tunnel source x.x.x.x
tunnel destination y.y.y.y
end
836
interface Tunnel0
IP 10.1.5.1 255.255.255.252
tunnel source y.y.y.y
tunnel destination x.x.x.x
end
and configuration of isakmp/ipsec as follows,
2620XM
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto key {keys} address y.y.y.y no.-xauth
!
!
Crypto ipsec transform-set esp - esp-md5-hmac to_melissia
!
myvpn 9 ipsec-isakmp crypto map
defined peer y.y.y.y
Set transform-set to_melissia
match address 101
2620XM-router #sh ip access list 101
Expand the access IP 101 list
10 permit host x.x.x.x y.y.y.y host will
836
crypto ISAKMP policy 10
md5 hash
preshared authentication
ISAKMP crypto key {keys} address x.x.x.x No.-xauth
!
!
Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi
!
myvpn 10 ipsec-isakmp crypto map
defined peer x.x.x.x
Set transform-set to_metamorfosi
match address 101
836-router #sh access list 101
Expand the access IP 101 list
10 licences will host host x.x.x.x y.y.y.y
Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.
CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.
Any ideas why I get this result? Any help will be a great help
Thank you!!!
I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.
As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:
card crypto-address
so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.
HTH
Rick
-
Using Loopback Interface as Source GRE/IPSec tunnel
Hi all:
I need one to spend a working router to router VPN tunnel using an IP WAN IP interface loopback as a source. I am able to ping the loopback from the other router. As soon as I change the source of tunnel to use the loopback IP address, change the encryption ACL map, and move the cryptographic card of the WAN interface to the loopback interface, the tunnel will not come to the top. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the message that says that's not encrypting the traffic below.
* 00:10:33.515 Mar 1: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet. (ip) vrf/adr_dest = 192.168.0.1, src_addr = 192.168.1.2, prot = 47
What Miss me? Is there something else that needs to be done to use the closure of a GRE/IPSec tunnel?
I have install below config in the laboratory to see if I can get it even work in a non-production environment.
R1 WAN IP: 192.168.0.1
R2 WAN IP: 192.168.0.2
R2 Closure: 192.168.1.2
hostname R2
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key abc123 address 192.168.0.1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac T1
transport mode
!
crypto map 1 VPN ipsec-isakmp
Description remote control
defined peer 192.168.0.1
game of transformation-T1
match address VPN1
!
interface Loopback0
IP 192.168.1.2 255.255.255.255
VPN crypto card
!
Tunnel1 interface
IP 172.30.240.2 255.255.255.252
IP mtu 1440
KeepAlive 10 3
tunnel source 192.168.1.2
tunnel destination 192.168.0.1
VPN crypto card
!
interface FastEthernet0
IP 192.168.0.2 255.255.255.0
!
VPN1 extended IP access list
allow ACCORD 192.168.1.2 host 192.168.0.1
you have tried to add "card crypto VPN 1 - address Loopback0".
-
Cisco's ASA IPsec tunnel disconnects after a while
Hi all
I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.
I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.
But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.
This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.
SonicWALL publicip 1.1.1.2 192.168.10.0 subnet
Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0
ciscoasa # sh run
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain default.domain.invalid
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
Speed 100
full duplex
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.5.1 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
Server name 66.28.0.45
Server name 66.28.0.61
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group service rdp tcp
EQ port 3389 object
object-group service tcp OpenVPN
port-object eq 1194
access list outside extended permit icmp any any echo response
access list outside extended permit tcp any host # eq pptp
outside allowed extended access will list any host #.
list of extended outside access permit udp any any eq 1701
extended outdoor access allowed icmp a whole list
access list outside extended permit tcp any host # eq ftp
access list outside extended permit tcp any host # eq ssh
list of extended outside access permit tcp any host # object - group rdp
turn off journal
access list outside extended permit tcp any host 1.1.1.1 object - group Open
VPN
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
. 255.255.0
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
. 255.255.0
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
55.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.10.0 255.255.255.0
NAT (outside) 1 192.168.5.0 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.5.0 255.255.255.0
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 5 the value reverse-road
Crypto easyvpn dynamic-map 10 transform-set RIGHT
Crypto-map dynamic easyvpn 10 reverse-drive value
card crypto mymap 10 correspondence address l2l
card crypto mymap 10 set peer 1.1.1.2
card crypto mymap 10 transform-set RIGHT
map mymap 30000-isakmp ipsec crypto dynamic easyvpn
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
Telnet 192.168.5.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
Hello to tunnel L2TP 10
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value cisco.com
attributes of Group Policy DfltGrpPolicy
internal band easyvpn strategy
attributes of the strategy of band easyvpn
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelall
the address value ippool pools
VPN-group-policy DefaultRAGroup
attributes global-tunnel-group DefaultRAGroup
address l2tppool pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.
tunnel-group easyvpn type remote access
tunnel-group easyvpn General attributes
Group Policy - by default-easyvpn
easyvpn group tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: endI guess you have typo in the configuration of the ASA?
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0Can you confirm that you have configured instead the following:
access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0
Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2
In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):
NAT (outside) 1 192.168.10.0 255.255.255.0
Finally, pls turn off keepalive to SonicWall.
If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.
-
Strange problem in IPSec Tunnel - 8.4 NAT (2)
Helloo all,.
This must be the strangest question I've seen since the year last on my ASA.
I have an ASA 5540, who runs the code of 8.4 (2) without any problem until I ran into this problem last week and I spent sleepless nights with no resolution! Then, take a deep breath and here is a brief description of my setup and the problem:
A Simple IPSEC tunnel between my 8.4 (2) ASA 5540 and a Juniper SSG 140 6.3.0r9.0 (road OS based VPN) screen
The tunnel rises without any problem but the ASA refused to encrypt the traffic but it decrypts with GLORY!
Here are a few outputs debug, see the output and a package tracer output that also has an explanation of my problem of NAT WEIRD:
my setup - (I won't get into the details of encryption tunnel as my tunnel negotiations are perfect and returns from the outset when the ASA is configured as response only)
CISCO ASA - IPSec network details
LAN - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networks details
ID OF THE PROXY:
LAN - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28
Name host # sh cry counterpart his ipsec
peer address:
Tag crypto map: outside_map, seq num: 5, local addr:
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
local ident (addr, mask, prot, port): (10.2.4.0/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (192.168.171.8/255.255.255.255/0/0)
current_peer:
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 72, #pkts decrypt: 72, #pkts check: 72
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. :
0, remote Start. crypto: 0 Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 5041C19F
current inbound SPI: 0EC13558
SAS of the esp on arrival:
SPI: 0x0EC13558 (247543128)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0x5041C19F (1346486687)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 22040576, crypto-card: outside_map
calendar of his: service life remaining key (s): 3232
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
CONTEXTS for this IPSEC VPN tunnel:
# Sh asp table det vpn context host name
VPN CTX = 0x0742E6BC
By peer IP = 192.168.171.8
Pointer = 0x78C94BF8
State = upwards
Flags = BA + ESP
ITS = 0X9C28B633
SPI = 0x5041C19D
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
VPN CTX = 0x07430D3C
By peer IP = 192.168.1.8
Pointer = 0x78F62018
State = upwards
Flags = DECR + ESP
ITS = 0X9C286E3D
SPI = 0x9B6910C5
Group = 1
Pkts = 297
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filter
outside_cryptomap_4 to access extended list ip 10.2.4.0 allow 255.255.255.240 host 192.168.171.8
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
network of the Ren - around object
subnet 10.2.4.0 255.255.255.240
network of the host object counterpart
Home 192.168.171.8
HS cry ipsec his
IKE Peer:
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7789d788, priority = 70, domain = encrypt, deny = false
Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol
IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
VPN settings corresponding to the encrytpion + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.
A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false
hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = output_ifc = any to inside,
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.171.0 255.255.255.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true
hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false
hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search
Additional information:
Definition of static 10.2.4.1/2700 to 10.2.4.1/2700
Direct flow from returns search rule:
ID = 0x77e0a878, priority = 6, area = nat, deny = false
hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc
(it's the weird NAT problem I see. I see the number of hits is increment only when I run the packet tracer understands even I have pings (traffic) the 192.168.171.8 constant welcomes the 10.2.4.1/28)-s'il please see the package I pasted after the capture section)
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false
hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto
IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0
IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0
IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true
hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 119880921 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
Hostname # sh Cap A1
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
As you can see, there is no echo response packet at all because the package may not be wrapped while he was sent to.
I'm Karen with it. In addition, he is a firewall multi-tenant live production with no problems at all outside this for a Juniper ipsec tunnel!
Also, the 192.168.10.0/24 is another remote network of IPSec tunnel to this network of 10.2.4.0/28 and this IPSEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm with no problems, but the 171 is not be encrypted by the ASA at all.
If someone could help me, that would be greatt and greatly appreciated!
Thanks heaps. !
Perfect! Now you must find something else inside for tomorrow--> forecast rain again
Please kindly marks the message as answered while others may learn from it. Thank you.
-
Traffic is failed on plain IPSec tunnel between two 892 s
Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.
Note: I replaced the Networkid real to a mentined below.
Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.
Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.
Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.
So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.
Any idea? Two routers config are below
-------
892_DC #show ru
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 1.2.3.4
ISAKMP crypto keepalive 10 periodicals
!
address of 1.2.3.4 crypto isakmp peers
Description of-COIL-892
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 1.2.3.4
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match a lists 101
market arriere-route
QoS before filing
!
interface GigabitEthernet0
IP 10,20,30,40 255.255.255.240
IP 1400 MTU
IP tcp adjust-mss 1360
automatic duplex
automatic speed
card crypto IT-IPSec-Crypto-map
!
IP route 0.0.0.0 0.0.0.0 10.20.30.41
!
access list 101 ip allow any 100.100.100.0 0.0.0.255 connect
access list 101 ip allow any 100.100.200.0 0.0.0.255 connect
-------------------------------------------------------------------------------------
Branch_892 #sh run
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 10,20,30,40
ISAKMP crypto keepalive 10 periodicals
!
address peer isakmp crypto 10,20,30,40
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 10,20,30,40
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match address 101
market arriere-route
QoS before filing
!
FastEthernet6 interface
Description VL92
switchport access vlan 92
!
interface FastEthernet7
Description VL93
switchport access vlan 93
!
interface GigabitEthernet0
Description # to WAN #.
no ip address
automatic duplex
automatic speed
PPPoE-client dial-pool-number 1
!
interface Vlan1
Description # local to #.
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Vlan92
Description fa6-nexus e100/0/40
IP 100.100.200.1 255.255.255.0
!
interface Vlan93
Description fa7-nexus e100/0/38
IP 100.100.100.1 255.255.255.0
!
interface Dialer0
no ip address
No cdp enable
!
interface Dialer1
IP 1.2.3.4 255.255.255.248
IP mtu 1454
NAT outside IP
IP virtual-reassembly in max-pumping 256
encapsulation ppp
IP tcp adjust-mss 1414
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname ~ ~ ~
PPP chap password =.
No cdp enable
card crypto IT-IPSec-Crypto-map
!
Dialer-list 1 ip protocol allow
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
IP route 0.0.0.0 0.0.0.0 Dialer1
Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?
-
How to troubleshoot an IPSec tunnel GRE?
Hello
My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.
The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.
I does not change the mode to transport mode in the transform-set configuration.
Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
Thank you.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show hisHere are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.
For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.In addition, you can configure keepalive via the command:
Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepaliveand then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
ASA5505 - connection reset when you try to SSH IPSEC tunnel
Hello
VPN IPSEC just bought myself an ASA5505 to replace a PIX 501 and having been transferred to the bulk of the previous configuration, I managed to get the two tunnels to work as before.
Unfortunately when I try and SSH for the SAA the right connection restores instantly even when the tunnel is up. It seems as if the ASA actively refuses the connection, if the journal does not specify this. I had always assumed that the traffic on an established IPSEC tunnel has been implicitly trust and not subject to the usual rules of access list.
I can't SSH to the ASA in the 10.0.0.x range, but I can't SSH to a machine on 10.27.0.4 (I know the tunnel is up and working)
Reference attached config (less sensitive information not relevant).
Also - although I'm not sure of the relevance is given the tunnels seem to work - when I get the line "meepnet-map outside crypto map interface" in the reports of the ASA configuration mode "warning: the crypto map entry is incomplete!" even though I provided the access list, peers, and transform-set variables.
Any help gratefully received! :)
Thank you
DAZ
Hello Darren,
Please mark as answer, if your querry is resolved. Enjoy your time!
Kind regards
Ankur Thukral
Community Manager - security & VPN
-
Hi-
We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).Networks:
Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)See details below on our config:
SH run card cry
card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposaloutside_map interface card crypto outside
Note:
Getting to hit numbers below on rules/ACL...SH-access list. I have 54.0
permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671SH run | I have access-group
Access-group outside_access_out outside interfaceNOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...HS cry his ikev1
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 21 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVESH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.SH run | I have political ikev1
ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interfaceNOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 msDetermination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPSEC tunnel check - seems OK?
SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXXoutside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBBSAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...
SH cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)
SH cap A2
42 packets captured
1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request--> Package trace on 5512 does no problem... but we cannot ping from host to host?
entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc...
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statInformation for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statResult:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?
Destination - initiator:
entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).Please let us know what other details we can provide to help solve, thanks for any help in advance.
-SP
Well, I think it is a NAT ordering the issue.
Basically as static and this NAT rule-
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.
To check just run a 'sh nat"and this will show you what order everthing is in.
The ASA is working its way through the sections.
You also have this-
NAT source auto after (indoor, outdoor) dynamic one interface
which does the same thing as first statement but is in section 3, it is never used.
If you do one of two things-
(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line
or
(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.
It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.
The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).
Then you can simply try to rearrange so your static NAT is above it just to see if it works.
Just in case you want to see the document here is the link-
Jon
-
IPSEC tunnel between 2 7606 PE
I am creating an IPSec tunnel between two 7606 PE routers... get this error when I ping everywhere and if I start using the path descends LDP.
12 Nov 16:32:22.801 IS: IPSEC (key_engine): request timer shot: count = 1,.
local (identity) = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)
12 Nov 16:32:22.801 IS: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
Protocol = ESP, transform = NONE (Tunnel),
lifedur = 190 s and 4608000 Ko,.
SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0
12 Nov 16:32:22.801 IS: ISAKMP: (0): profile of ITS application is test
12 Nov 16:32:22.801 IS: ISAKMP: created a struct peer 10.10.135.2, peer port 500
12 Nov 16:32:22.801 IS: ISAKMP: new position created post = 0x5326A08C peer_handle = 0x8000001A
12 Nov 16:32:22.801 IS: ISAKMP: lock struct 0x5326A08C, refcount 1 to peer isakmp_initiator
12 Nov 16:32:22.801 IS: ISAKMP: 500 local port, remote port 500
12 Nov 16:32:22.801 IS: ISAKMP: impossible to allocate IKE SA
12 Nov 16:32:22.801 IS: ISAKMP: Unlocking counterpart struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0
12 Nov 16:32:22.801 IS: ISAKMP: delete peer node by peer_reap for 10.10.135.2: 5326A08C
12 Nov 16:32:22.801 IS: ISAKMP: (0): purge SA., his = 0, delme = 532E8364
PE2 #.
12 Nov 16:32:22.801 IS: ISAKMP: error during the processing of HIS application: failed to initialize SA
12 Nov 16:32:22.801 IS: ISAKMP: error while processing message KMI 0, error 2.
12 Nov 16:32:22.801 IS: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
PE2 #.
12 Nov 16:32:52.801 IS: IPSEC (key_engine): request timer shot: count = 2,.
local (identity) = 10.10.135.1, distance = 10.10.135.2.
local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),
remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)
IPsec only is not supported on the 6500 and 7600 without module series IPsec (IPsec-SPA or VPNSM), sorry.
-
I can weight of the IPSec Tunnels between ASAs
Hello
Remote site: link internet NYC 150 MB/s
Local site: link internet Baltimore 400 MB/s
Backup site: link internet Washington 200 Mb/s
My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches. Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down. We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.
Interesting traffic would be the same for the two tunnels
I know that ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel in Baltimore as long as it works? An IPSec tunnel can be weighted?
Thank you
It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.
For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.
Maybe you are looking for
-
touchpad and mouse are active, even if the touchpad is disabled
-
I lost recovery DVDs. Can I get a copy?
Hi people, my laptop is working really bad slow. its all clogged and need formatting. I can't find my dvd data recovery so I thought of what are the options I have. pleeeeeeeeeease help... can I get a copy of it? It will be so much easier if I did...
-
Compaq Presario C751NR battery problem
My Compaq Presario C751NR with 32-bit VISTA turns off after 5 min. to the battery power but runs all day on current alternative. When I run a battery check, he says none detected the main battery. It is not on the recall list. Thank you
-
Save the text data and digital
Hello It is two part question/need help: -. 1. I want to display the same number of decimal places on the table as in the attached picture. In addition, include text on the last column of entry (as shown in the picture). 2. I also want to save the d
-
cable / broadband optical fiber connection
Can I use my modem/router WAG320N with a fiber optic broadband? If it isn't that one do I have to get / that you recommend? Thank you