Multiple site-to-site vpn configuration
I am able to successfully create two different ipsec tunnels and I need them to be operational at the same time. However, when I "crypto map" (physical) external interface of my PIX 515, one of them is operational both. The tunnels go to two different places, different peers and different pre-shared keys. I have to install a logical interface and one card for each or what? Any help is appreciated. I apologize if I didn't spend enough time looking for the forum for an answer, but I tried :-). If you could point me to an example configuration for this, would be great. Thanks in advance for your help.
Mike
use different sequence numbers for different VPN.
card crypto outside_map 10 correspondence address outside_10_cryptomap
card crypto outside_map 10 peer set 192.168.10.10
outside_map crypto 10 card value transform-set ESP-3DES-SHA
card crypto outside_map 20 match address outside_20_cryptomap
peer set card crypto outside_map 20 192.168.20.20
outside_map crypto 20 card value transform-set ESP-3DES-SHA
outside_map interface card crypto outside
Tags: Cisco Security
Similar Questions
-
site to site vpn configuration
I have windows server with two sites in different locations and that you want to configure a site to site vpn, how to configure
Here is the Vista Forums.
http://TechNet.Microsoft.com/en-us/WindowsServer/default.aspx
Try server communities.
See you soon.
Mick Murphy - Microsoft partner
-
Site to Site VPN configuration does not
Hello
I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.
My VPN on ASA1 and ASA2 configs are below:
ASA1
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 11.11.11.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideASA2
Note to outside_cryptomap_1 to access list VPN traffic to encrypt
permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
Cisco pre-shared key IKEv1Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 12.12.12.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outsideI can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.
I tried a few commands show and they came out absolutely empty... as I have not configured:
SH in detail its crypto isakmp
There are no SAs IKEv1
There are no SAs IKEv2
SH crypto ipsec his
There is no ipsec security associations
Anyone have any ideas?
Hi martin,
Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
What I mentioned in the previous note follow this.--------------------
ASA1
ASA1 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.2 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 11.11.11.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA1 (config) #.
---------------------ASA2 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA2
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 12.12.12.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA2 (config) #.-------------------------
OUTPUTS:*********************
ASA1 (config) # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 11.11.11.2
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE---------------------
ASA1 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 11.11.11.2#pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2
------------------------
ASA2 (config) # sh crypto isakmp hisITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 12.12.12.2
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE------------------------
ASA2 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 12.12.12.2#pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
------------------------- -
Site to site VPN configuration... Please it is urgent
I WANT to CREATE THE SITE to SITE VPN... Then my friend send me to configure this setting, and I did not now how to set it up for CLI... Please someone can help me how to set up
Thank you allllllll
MODEM ROUTER VPN PEER IS 155.155.155.X
IKE parameters
Encryption Key Exchange = 3DES
The integrity of the data / MD5 hash algorithm of ==
Diffie-Hellman Group 1 phase is group 2
IPSec life (seconds) is 86400
IKE SA Lifetime (seconds = 86400
-----------------------------------------------------------------------------------------------------------------------
IPSEC settings
UDP encapsulation = YES
PROTOCOL IS ESP
IPSEC = 3DES
DATA INTEGRITITY = MD5
PROTECT THE NETWORK = 192.168.80.0
Here are two examples-
http://packetlife.net/blog/2011/Jul/11/LAN-LAN-VPN-ASA-5505/
http://www.networking-forum.com/wiki/ASA_VPNs
Thank you
Ajay
-
questions from site to site vpn configuration
I am trying to connect to our offices with our remote data center, and I don't know exactly where to look for information.
Our Setup looks like:
[Office LAN: 192.168.0.0/22 (GE0/1)]-> [Cisco 2821 (GE0/0)]-> Internet <- [cisco="" 2911="" (ge0/0)]-="">[LAN DC: 10.10.10.0/26 (GE0/1)]
Can someone point me in the right direction to set up a VPN connection that routes traffic Office dedicated to the 10.10.10.0/26 network reach the data center?
Thank you!
Ben
You must have a single ACL NAT, so you need a config like this:
Site 1:
192.168.0.0/22 LAN
Site 2:
LAN 10.10.10.0/26
Site 1:
NAT extended IP access list
deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63
IP 192.168.0.0 allow 0.0.3.255 all
overload of IP nat inside source list NAT concert 0/0 interface
concert int 0/1
IP nat inside
concert int 0/0
NAT outside IP
150 extended IP access list
IP 192.168.0.0 allow 0.0.3.255 10.10.10.0 0.0.0.63
Site 2:
NAT extended IP access list
refuse the 10.10.10.0 ip 0.0.0.63 192.168.0.0 0.0.3.255
IP 10.10.10.0 allow 0.0.0.63 everything
overload of IP nat inside source list NAT concert 0/0 interface
concert int 0/1
IP nat inside
concert int 0/0
NAT outside IP
150 extended IP access list
IP 192.168.0.0 allow 0.0.3.255 10.10.10.0 0.0.0.63
In addition, when you type the pre-shared key you must check if they match:
crypto ISAKMP key 6 asdf address datacenter.external.ip.address
ISAKMP crypto asdf keys address office.external.ip.address
6 in the early line shows that will follow a key encrypted according to me.
Make these changes and we will check the debug output:
debugging cry isa
debugging ipsec cry
term Lun
Federico.
-> -
887VDSL2 IPSec site to site vpn does NOT use the easy vpn
Much of community support.
as I'm looking through the config Guide about 870 router series, only to find information about the config with eazy vpn.
is there a classic way, about 870 Series site 2 site without eazy vpn IPSec configuration?
Have a classic way if a tunnel? Have the 870 is not as a vpn client?
Thank you
Of course, here's example of Site to Site VPN configuration for your reference:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080194650.shtml
Hope that helps.
-
RV180 restrict access to the Site to Site VPN
Hello
I'm trying to set up my network so that VPN traffic is routed only to a physical single on the RV180 port or to a certain subset of devices on a network.
I have a site to site vpn configuration in a Home Office and connect to the corporate network. The user has a couple of devices on the home network who need to access the corporate network.
We hope to leave his PC accessible to its home network and the corporate network, but limit other devices to access the vpn.
I think that I could do playing with the subnet, but I just can't get my head around it.
It must be something simpleish to do this, isn't there?
I'd appreciate any help you have.
Thank you
Gary
Hi boys, here's a hypothetical situation.
VLAN 1 is port 1
VLAN 2 is port 2
VLAN 1 has a switch connected to your local network of services
VLAN 2 has a switch to maintain your VPN.
The configuration of the port for each port would be the vlan respective unidentified.
You can disable the router in order to prohibit intervlan communication. But also, and especially, the vpn is a specific meaning, subnet, you specify the specific ip subnet on the config of the tunnel because the config include not a second subnet will not work it's traffic in the tunnel.
-Tom
Please mark replied messages useful -
Site to site VPN to allow sharing of files and AD domain trust.
Hello
I don't know exactly what I need to add to a current site 2 site vpn activate specifically these processes (2).
Happy Advisor.
Without knowing the current site-to-site VPN configuration, it is difficult to give you a good answer on what you add. The site of the current to the other use a card encryption with an access list that identifies the traffic is encrypted? If yes then you should probably add something to the access list. The current site to use a tunnel and encrypt everything that goes through the tunnel. If Yes, then you should probably add the routing logic that ensures that this traffic is sent through the tunnel.
HTH
Rick
-
You try to run a Site to site VPN and remote VPN from the same IP remotely
We currently have a site to site VPN configuration between our offices call center and a 3rd party that allows them to access our training to their employees to use environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; However, when we have managers come out to the call center, they are unable to use remote VPN to access our office.
Apparently the same IP peer remote that we use for our site to the other tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get treatment Information Exchange has failed. So from what I can understand when our managers are trying to connect to our firewall from the same IP address as the counterpart of site to site it automatically tries to create a tunnel, according to the information of the site to the other tunnel. If our managers are anywhere else, they can connect through remote VPN with no problems.
My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.
Hi John,.
Basically, in older versions, when you hit a static encryption card and you does not match this static encryption completely map the connection continues until the dynamic encryption card. For this reason, you can connect your IPSec clients before. A bug has been opened on this vulnerability.
CSCuc75090 Details of bug
The crypto IPSec Security Association are created by dynamic crypto map to static peers
Symptom:
When a static VPN peer adds all traffic to the ACL crypto, a surveillance society is based even if the pair IP is not allowed in the acl to the main façade encryption. Are these SA finally put in correspondence and commissioning the dynamic crypto map instance.
Conditions:
It was a planned design since the first day that allowed customers to fall through in the case of static crypto map did not provide a necessary cryptographic services.
The SA must be made from a peer configured statically and a dynamic crypto map instance must be configured on the receiving end.
Workaround solution:
N/A
Some possible workarounds are:
Configure a static nat device when you try to use the remote VPN if the firewall remotely will be hit with a different public IP address. It would be a good solution, but it will depend on how many ip addresses public you have available, if you really want one of these ip addresses for that access.
Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 licenses SSL available that you could use. Because Anyconnect uses the SSL protocol, it won't have a problem on your environment.
Below some information:
Hope this helps,
Luis.
-
Hello
I am facing a problem in my site to site VPN configuration, router management site gets the address public IP of the DHCP server as I have built a dynamic crypto map on the router HQ
First phase ISAKMP is operational running, I am trying to ping the LAN 192.168.85.0 for the HQ 172.16.12.0 LAN but it won't go through and when I check the ipsec security associations I can see that packets are encrypted on the side of the branch and decrypted on the side of HQ but the HQ router no PING response at all and he saw not encrypted packets
I have attached my configurations, I had to hide some information just for safety
Help, please!
Mostafa
Hello Mustafa,
Havinf a glance at your config, it seems you have not correctly configured on your HQ NAT exemption.
ip access-list extended NAT deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255 permit ip 172.16.12.0 0.0.0.255 any deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
In this interesting ACL traffic is refused in the last. So it is not exempted from NAT, as ACL are processed in top-down, your valuable traffic is already matching permit statement in NAT ACL therefore subject to NAT on HQ. Refuse the declaration of exemption, interesting traffic NAT should precede the statement of license.
HTH
"Please note useful posts.
-
Problems with site-to-site vpn
Hello world
I recently received the mission assigned to the site to site vpn configuration and this is my first time. I'm trying to set up a vpn with pix 501 but short questions site. I managed to get that below, but I'm stuck now and do not know what could be the problem. Here's the debug output.
Any help is greatly appreciated on what could be the potential problem.
-AK
ISAKMP (0:0): sending of NAT - T vendor ID - rev 2 & 3
ISAKMP (0): early changes of Main Mode
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
Exchange OAK_MM
ISAKMP (0): treatment ITS payload. Message ID = 0ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy
ISAKMP: 3DES-CBC encryption
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: duration of life (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): load useful treatment vendor idISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
Exchange OAK_MM
ISAKMP (0): processing KE payload. Message ID = 0ISAKMP (0): processing NONCE payload. Message ID = 0
ISAKMP (0): load useful treatment vendor id
ISAKMP (0): load useful treatment vendor id
ISAKMP (0): provider v6 code received xauth
ISAKMP (0): load useful treatment vendor id
ISAKMP (0): addressing another box of IOS!
ISAKMP (0): load useful treatment vendor id
ISAKMP (0): addressing a VPN3000 concentrator
ISAKMP (0): ID payload
next payload: 8
type: 1
Protocol: 17
Port: 0
Length: 8
ISAKMP (0): the total payload length: 12
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
Exchange OAK_MM
ISAKMP (0): processing ID payload. Message ID = 0
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): keep treatment alive: proposal = 32767/32767 sec., real = 3276/2 sec.ISAKMP (0): load useful treatment vendor id
ISAKMP (0): Peer Remote supports dead peer detection
ISAKMP (0): SA has been authenticated.
ISAKMP (0): start Quick Mode changes, 413131006:189fe0feIPSEC (key_e M - ID
(Display): had an event of the queue...
IPSec (spi_response): spi 0x3e9451fa graduation (1049907706) for SA
from 208.249.117.203 to 70.91.20.245 for prot 3to return to the State is IKMP_NO_ERROR
ISAKMP (0): send to notify INITIAL_CONTACT
ISAKMP (0): sending message 24578 NOTIFY 1 protocol
Peer VPN: ISAKMP: approved new addition: ip:208.249.117.203/500 Total VPN peer: 1
Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt is incremented to peers: 1 Total VPN
Peers: 1
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
ISAKMP (0): processing DELETE payload. Message ID = 3425658127, spi size = 16
ISAKMP (0): delete SA: src 70.91.20.245 dst 208.249.117.203
to return to the State is IKMP_NO_ERR_NO_TRANS
ISADB: Reaper checking HIS 0xac149c, id_conn = 0 DELETE IT!Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt decremented to peers: 0 Total VPN
Peers: 1
Peer VPN: ISAKMP: deleted peer: ip:208.249.117.203/500 VPN peer Total: 0IPSEC (ke
y_engine): got an event from the queue.
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 208.249.117.203
IPSec (key_engine): request timer shot: count = 2,.
local (identity) = 70.91.20.245, distance = 208.249.117.203.
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)Hello
Newspapers, I see you are using a VPN 3000 Concentrator as the remote vpn end point. Now, also of the debugs next section is interesting:
local (identity) = 70.91.20.245, distance = 208.249.117.203.
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)-Looks like our traffic interesting PIX and the hub are not mirrors of each other, and does not. Can you please paste the PIX here cryptographic access lists, so that I can analyze the entries.
-Also, please make sure that you have followed all the steps during the vpn configuration according to the following links:
If your PIX is running at version 7.x and more: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml
If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml
Once you check the config on PIX and concentrator, please provide me with the output of "sh cry isa his" and "sh cry ipsec his ' of the PIX. With this release, we can continue to troubleshoot if there is more questions.
Let me know if this can help,
See you soon,.
Christian V
-
devices to set up a site to site vpn
I have a stupid question. In a site to site vpn environment, can I do the installation program by using an asa5505 on one end and a router 1811 on the other end or do I need to have two asa5505 or two 1811 routers? Can another word, I mix and match devices and perform still a site to site vpn configuration or do I have to have the same features on the two end?
You can mix and match all you want. To him my friend. Reference the link below.
-
OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA. I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510. I have the VPN configured on the SAA and he said that the tunnel is up. I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine. If I try to ping on a local computer, I get a "Request timed out". If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer. The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted. I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:
My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:
Router (Cisco 2811)
|
Layer switch 2 (ProCurve)
| |
ASA5510 LAN computers
I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.
In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.
From the console of the ASA, I get this:
ASA5510 # ping 192.52.128.1
Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 msASA5510 # show crypto ipsec his
Interface: *.
Tag crypto map: * _map, local addr: 10.52.120.23local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
current_peer: x.x.x.204program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204
Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
current outbound SPI: C49EF75FSAS of the esp on arrival:
SPI: 0x21FDBB9D (570276765)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3529)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC49EF75F (3298752351)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3527)
Size IV: 8 bytes
support for replay detection: YFrom my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:
C:\Users\***>ping 192.52.128.1
Ping 192.52.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping statistics for 192.52.128.1:
Packets: Sent = 4, received = 0, lost = 4 (100% loss)C:\Users\***>ping 10.52.120.23
Ping 10.52.120.23 with 32 bytes of data:
Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255Ping statistics for 10.52.120.23:
Packets: Sent = 4, received = 4, lost = 0 (0% loss),
Time approximate round trip in milli-seconds:
Minimum = 1ms, Maximum = 5ms, average = 2msCount on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.
Here is the running of the ASA configuration:
ASA Version 7.0 (2)
names of
!
interface Ethernet0/0
nameif InsideNetwork
security-level 100
IP 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
activate the encrypted password of XXXXXXXXXXXXXXXX
passwd encrypted XXXXXXXXXXXXXXXXXXX
ciscoasa hostname
domain default.domain.invalid
passive FTP mode
permit same-security-traffic intra-interface
Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
5.0 192.52.128.0 255.255.255.0
Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
.0 192.52.128.0 255.255.255.0
pager lines 24
asdm of logging of information
management of MTU 1500
MTU 1500 InsideNetwork
management of the interface of the monitor
the interface of the monitor InsideNetwork
ASDM image disk0: / asdm - 502.bin
don't allow no asdm history
ARP timeout 14400
NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
Enable http server
http 192.168.1.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 InsideNetwork
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
card crypto InsideNetwork_map 20 set peer x.x.x.204
InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
InsideNetwork_map InsideNetwork crypto map interface
ISAKMP enable InsideNetwork
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
Telnet 10.52.120.0 255.255.255.0 InsideNetwork
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
dhcpd lease 3600
dhcpd ping_timeout 50
enable dhcpd management
tunnel-group x.x.x.204 type ipsec-l2l
x.x.x.204 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the dns-length maximum 512
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
Cryptochecksum:7e478b60b3e406091de466675c52eaaa
: endI haven't added anything to the config except what seemed necessary to get the job of VPN tunnel. It should be fairly clean.
Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot
Strange, but good news. Thanks for the update. I'm glad everything is working.
THX
MS
-
Multiple site to site VPN connections
Hello.
I've finally set up a site to site VPN connection and now wonder how I can configure multiple connections that are accessible by different VLAN.
So that VLAN1 use a tunnel and VLAN2 another.
Best regards Tommy Svensson
Configuration up to now:
crypto ISAKMP policy 10
BA aes 256
preshared authentication
Group 5
life 3600
vpnkey crypto isakmp key address?. 206
!
!
Crypto ipsec transform-set VPN aes - esp esp-sha-hmac
!
VPNMAP 10 ipsec-isakmp crypto map
Site 2 site description
defined by peers? 206
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 100access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Hi Tommy
In order to complete their reviews of Marcin, something like this should help (obviously you need to change the IP addresses accordingly).
VPNMAP 10 ipsec-isakmp crypto map
Site 2 site description
defined by peers? 206
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 100!
VPNMAP 20 ipsec-isakmp crypto map
Description site-2-site n ° 2
defined by peers?
security-association the value of life 4000 kilobytes
game of transformation-VPN
PFS Set group5
match address 101access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255
Barry
-
Routing multiple subnets on a site to site VPN
What is the recommended solution to deliver several subnets on a site to site vpn? Each subnet requires its own policy or a policy can be used for one or more subnets if the remote site has several subnets? In addition, if the remote router has only two fastethernet interfaces, it'll work if one of the interfaces of subinterface configuration or router on a stick?
If you talk about static routing, you can simply add the routes and change the ACL for encrypted as a result traffic.
If you want to run a dynamic routing. you will then need to IPSEC VTI. Here is the link
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136
and although I did not use of subinterfaces for IPSEC VTI. but according to me, it will work.
Maybe you are looking for
-
appleid is vergrendeld. Hoe ontgrendel ik dat?
Mijn appleid is vergrendeld. Hoe komt wat doe ik er aan en dat?
-
Skype keep me disconnecting?
the title says it well the I tried to reinstall Skype & passes amended, why get signed on Skype? someone help me please.
-
Pavilion 17-g011nm: bcm43142a0
I buy HP Pavilion 17-g011nm and windows 64-bit eng SL 8.1 and have problem to install BCM43142A0. I try to install manually from the page http://support.hp.com/us-en/drivers/selfservice/HP-Pavilion-17-g000-Notebook-PC-series/7771368/model... but with
-
Memory available for the 3rd Gen X carbon 1 update?
Hi everyone, can current 3rd Gen X 1 carbon evolve beyond the max 8 G of RAM configuration? I plan to upgrade my first gen X 1, but really prefer a machine that can be configured to 16 g. thanks for any advice.
-
Add devices...
my computer does not recognize a wireless network into the USB port