NAT and Site to site VPN

Hi all

We currently have a PIX in our local network. There is a Site to site VPN tunnel between this PIX and another network abroad.

We have several networks in our local network.

The VPN tunnel is on a single network: 192.50.175.0/24.

and the network of the other site is:

192.100.24.0/21

Part of the configuration:

access-list inside_nat0_outbound permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0

nat (inside) 0 access-list inside_nat0_outbound

As I said before, we have several networks.

In particular, we have 192.50.160.0/24 too.

And we would like that this network can use the VPN tunnel also.

But the other site does not want to carry our another network in their LAN.

They suggest we NAT 192.50.160.0/24 to an IP address on the 192.50.175.0/24 network, so that users in the 192.50.160.0/24 network can also use the VPN tunnel.

Do you know if it is possible to do it with my PIX? And how?

It's a PIX-515-DMZ, v6.3(5).

Any help would be appreciated!

Thank you

Good point. You can be good then.

Tags: Cisco Security

Similar Questions

  • NAT and VPN site-2-Site

    Hello world.

    I have question about Site 2 Site VPN and NAT.

    HQ is connected to the partner and the co-location through site to site VPN (with two different tunnels). Co-location is connected to the HQ with the site 2 site VPN.

    HQ:
    Co-location:
    Partner:

    Basically, what I want to achieve is to do the following:

    All traffic from the colo with destination partner should go through HQ, and its source IP must be changed so that the traffic appears to the partner to have originated in the HQ DMZ.

    How can I achieve that?

    HW: Cisco ASA

    Hello Roger,

    The configuration you need will be on the ASA HQ.

    First configure the ASA so that it would allow the traffic to leave through the same interface it came through:

    same-security-traffic permit intra-interface

    Then you create a NAT to an IP address of that range (it will work if the partner does not need to reach the colo, only colo to partner):

    access-list policy-based-nat1 permit ip

    nat () access-list policy-based-nat1

    global ()

    That is assuming that you already have an interesting-traffic rule (crypto map ACL) permitting your DMZ to the colo.

    For a more specific example, see below:

    Colocation network: 192.168.1.0/24

    Network DMZ HQ: 10.10.10.0/24

    Network partner: 172.16.10.0/24

    same-security-traffic permit intra-interface

    access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

    nat (outside) 100 access-list policy-based-nat1

    global (outside) 100 10.10.10.253

    access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0

    crypto map vpn 10 match address vpn10

    If the partner also needs to access the colo (two-way access) you may not be able to use the DMZ network, as there must be a one-to-one translation and you need as many addresses to translate to as you have on the colo.

    However, it would be possible if your DMZ network is larger than the colo (like the DMZ being a /16 and the colo a /24) and you can isolate a subnet just for NAT.

    Hope this helps to solve the problem.

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so going with the old NAT configuration format.

    It seems to me that you could do the following:

    • Configure ASA1 with a static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will only be made when the destination network is 10.1.0.0/16
    • If you have for example a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT Exemption normally for the 10.1.0.0/16 network
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that the access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni
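The reasoning behind the original question (policy-NAT the second subnet into the VPN subnet so that the crypto ACL matches the post-NAT packet) and Jouni's static policy NAT above, as an added example that is not code from the thread: a small Python model that parses a subset of PIX/ASA 8.2-style NAT lines and reports, for a given flow, which NAT rule fires and whether the translated packet matches the crypto ACL. The outside addresses 203.0.113.x, the mapped address 192.50.175.254 and the ACL names vpn_policy_nat and outside_cryptomap are assumptions.

```python
import ipaddress
import re

# Constructed configs (example data, not from the thread). PIX_BASE has the
# original post's NAT exemption plus an assumed crypto ACL and catch-all PAT;
# PIX_POLICY_NAT is the suggested fix: PAT 192.50.160.0/24 to one assumed
# address inside the VPN subnet, only for traffic to the remote 192.100.24.0/21.
PIX_BASE = """
access-list inside_nat0_outbound permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0
access-list outside_cryptomap permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
PIX_POLICY_NAT = """
access-list vpn_policy_nat permit ip 192.50.160.0 255.255.255.0 192.100.24.0 255.255.248.0
nat (inside) 2 access-list vpn_policy_nat
global (outside) 2 192.50.175.254
"""
# Jouni's ASA1 static policy NAT: 192.168.1.x is seen as 10.23.1.x by 10.1.0.0/16.
ASA1_CONFIG = """
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_ANY_RE = re.compile(r"^nat \((\S+)\) (\d+) 0\.0\.0\.0 0\.0\.0\.0$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class NatPolicy:
    """Minimal model of the pre-8.3 NAT order: exemption (nat 0 access-list),
    then policy static, then policy dynamic (nat/global with an ACL), then the
    regular catch-all nat/global. Only the line forms used above are parsed."""

    def __init__(self, config, outside_ip):
        self.acls, self.exempt, self.policy = {}, [], []
        self.globals, self.statics, self.catch_all = {}, [], None
        self.outside_ip = ipaddress.ip_address(outside_ip)
        for line in config.splitlines():
            line = line.strip()
            if not line:
                continue
            if m := ACL_RE.match(line):
                self.acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
            elif m := NAT_ACL_RE.match(line):
                (self.exempt if m[2] == "0" else self.policy).append((m[2], m[3]))
            elif m := NAT_ANY_RE.match(line):
                self.catch_all = m[2]
            elif m := GLOBAL_RE.match(line):
                self.globals[m[2]] = m[3]
            elif m := STATIC_RE.match(line):
                self.statics.append((ipaddress.ip_address(m[3]), m[4]))
            else:
                raise ValueError(f"unsupported line: {line}")

    def acl_matches(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def mapped(self, nat_id):
        g = self.globals[nat_id]
        return self.outside_ip if g == "interface" else ipaddress.ip_address(g)

    def translate(self, src, dst):
        """Return (source address after NAT, rule that translated it)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, name in self.exempt:
            if self.acl_matches(name, src, dst):
                return src, f"nat 0 exempt ({name})"
        for mapped_net, name in self.statics:
            if self.acl_matches(name, src, dst):
                # net-to-net static keeps the host part: 192.168.1.5 -> 10.23.1.5
                real = next(s for s, _ in self.acls[name] if src in s)
                return mapped_net + (int(src) - int(real.network_address)), f"static policy ({name})"
        for nat_id, name in self.policy:
            if self.acl_matches(name, src, dst):
                return self.mapped(nat_id), f"nat {nat_id} policy ({name})"
        if self.catch_all is not None:
            return self.mapped(self.catch_all), f"nat {self.catch_all} regular"
        return src, "untranslated"

    def goes_through_tunnel(self, crypto_acl, src, dst):
        """(encrypted?, translated source, rule): the crypto map sees the packet
        after NAT, so the crypto ACL must match the translated source."""
        xsrc, rule = self.translate(src, dst)
        return self.acl_matches(crypto_acl, xsrc, ipaddress.ip_address(dst)), str(xsrc), rule


if __name__ == "__main__":
    before = NatPolicy(PIX_BASE, "203.0.113.1")  # outside IP is a placeholder
    after = NatPolicy(PIX_BASE + PIX_POLICY_NAT, "203.0.113.1")
    for fw, label in ((before, "without policy NAT"), (after, "with policy NAT")):
        print(label, fw.goes_through_tunnel("outside_cryptomap", "192.50.160.10", "192.100.24.5"))
    asa1 = NatPolicy(ASA1_CONFIG, "203.0.113.2")
    print("ASA1", asa1.goes_through_tunnel("L2LVPN-ENCRYPTIONDOMAIN", "192.168.1.5", "10.1.0.1"))
```

Without the policy NAT the 192.50.160.0/24 host falls through to the regular PAT and leaves in the clear; with it, the host is translated to 192.50.175.254 and matches the existing crypto ACL.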

  • Site-to-Site VPN between 2 Cisco 2801 with NAT traversal

    Hi guys,.

    I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL lines have RFC1918 addresses on the LAN side, which is where the routers connect towards the internet. I can do NAT on the DSL modems.

    Do Cisco IOS 2801 routers allow configuring a site-2-site VPN with NAT traversal?

    Here is a model of the physical/IP configuration:

    LAN <-> 2801 <-Priv IP-> DSL modem <-Internet-> DSL modem <-Priv IP-> 2801 <-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go only if one or both of the sites has an IP address which is statically NATed to a private IP address. The IPSec implementation on IOS supports NAT traversal in most cases, so that shouldn't be a concern.

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easier... But it seems I was mistaken.

    I configured a Site to Site VPN as described in Document ID 110198: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).

    I ran the wizards on the ASA with ASDM, and on the 1841 (current IOS version 15.1) with CCP.

    It seems Phase 1 and 2 are coming up, although my ASA in ASDM reports (Monitoring > VPN > VPN Statistics > Sessions) a tunnel established with some Tx traffic but 0 Rx traffic.

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
        Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

          access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
          current_peer: 217.xx.yy.zz

          #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 39135054
          current inbound spi : B2E9E500

        inbound esp sas:
          spi: 0xB2E9E500 (3001672960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4374000/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x39135054 (957567060)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4373976/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

       Active SA: 4
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

    1   IKE Peer: 217.xx.yy.zz
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    On the 1841

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it up again by pinging a host on the 1841's network, but not vice versa.

    The Troubleshoot VPN report of the 1841 shows a message like "the following sources are forwarded through the crypto map interface. (1) 172.20.2.0; go to "Configure -> Routing" and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I would highly appreciate any hint!

    This is the running configuration of the 1841:

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ $FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
    !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any hint is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA does not receive any VPN packets because the IOS router does not send anything.

    Try to send packets from the 1841 LAN to the LAN of the ASA and see if the "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).

    So the problem seems to be on the router side.

    I think that it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for the VPN traffic.

    Follow these steps:

    Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are bypassing the translation and getting encrypted.

    I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.

  • Site to Site VPN Possible behind routers NAT on both ends?

    Nice day

    After extensive research I have not found an answer so I turn to the community.

    I'm trying to help a friend set up a VPN, but it's a scenario that I have not dealt with and I hope that someone has.

    Here's the basic scheme;

    Site 1 - 172.16.23.0/24

    Site 2 - 172.16.24.0/24

    (Site 1 ASA - 172.16.23.5) - Linksys router w/ static public IP - Internet - Linksys router w/ static public IP - (Site 2 ASA - 172.16.24.5)

    Is this scenario possible with port forwarding? Any caveats I need to watch out for?

    I read that I'll need a route on my ASA, say the Site 1 ASA, that says... route 172.16.24.0 255.255.255.0 1.1.1.1 (pointing to the ASA's local public IP).

    I also read I'll need one additional route in my (site 1) Linksys router that says... route 172.16.24.0 255.255.255.0 172.16.23.5 (pointing to the local interface of the ASA).

    Thanks for all comments and suggestions.

    A

    Hi Adam,.

    You are right: with port forwarding, you can create an IPSEC tunnel even if NAT is present on both ends.

    Also, NAT-T is a feature enabled by default on the ASA that automatically detects if the device is behind a NAT and passes the IPSEC traffic over UDP port 4500. Here is the command syntax:

    ASA(config)# crypto isakmp nat-traversal 20

    How NAT-T works

    Also, here is a document for your reference to build the VPN tunnel:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/119141-configure-ASA-00.html

    About routing, all traffic will go out of the ASA using the IP where the crypto map is applied; routing on the Linksys devices just needs to take care that this IP is routed to the Internet and that there is connectivity between the 2 ASAs.

    It may be useful

    -Randy-

  • Using Cisco Client to site VPN on an ASA 5520 behind a NAT

    I apologize if this has been asked and answered in the forums. I looked, and while I found a large number of entries that were dancing all around this question, I never found anything which addressed this specific issue. We currently use an ASA 5520 as the head end of a relatively large client to site IPSEC VPN (approximately 240 users, not concurrently). This ASA currently sits behind a Checkpoint firewall with a real publicly addressable IP address on its public interface. All of our clients use the legacy Cisco VPN client (not the AnyConnect one). We plan to set up a few F5 link controllers between the ISPs and the firewalls. For VPN connectivity F5 recommends that we NAT an IP address (called a wide IP) to point back to a private IP address on the ASA. My question is, will this work? I've always heard that the head end needed to have a public IP address on it because that is what will be placed in the packets for the client to respond to.

    For further information, here's what we have now and what we are asked to move to.

    Current

    ISP - router - firewall - ASA (public IP address as endpoint)

    Proposed

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - Firewall - ASA (10.X.X.X as its external interface)

    Proposed alternative

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - ASA (10.X.X.X as its external interface)

    All thoughts at this moment would be greatly appreciated.   Thank you!

    Hello

    If there is a one-to-one static NAT on the F5 to the external interface of the ASA, then I don't think there would be any problems.
    Because when the client attempts to connect with IKE to the translated public IP, the F5 will redirect the request to the ASA outside interface that is configured for the VPN.

    In addition, ensure that UDP 500, UDP 4500 and ESP are allowed, and then you should be good to go.

    HTH

    Regards
    Mohit

  • Trying to run a Site to Site VPN and remote VPN from the same remote IP

    We currently have a site to site VPN configured between our call center office and a 3rd party, which allows their employees to access our training environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; however, when we have managers go out to the call center, they are unable to use the remote VPN to access our office.

    Apparently the remote peer IP that we use for our site to site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site to site peer, it automatically tries to create a tunnel according to the site to site tunnel's information. If our managers are anywhere else, they can connect through the remote VPN with no problems.

    My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.

    Hi John,.

    Basically, in older versions, when you hit a static crypto map and you do not match this static crypto map completely, the connection continues on to the dynamic crypto map. For this reason, you could connect your IPSec clients before. A bug has been opened on this vulnerability.

    CSCuc75090  Bug details

    Crypto IPSec Security Associations are created by the dynamic crypto map for static peers

    Symptom:

    When a static VPN peer adds any traffic to the crypto ACL, an SA is built even if the peer IP is not allowed in the ACL of the main static crypto map. These SAs end up matching and being installed on the dynamic crypto map instance.

    Conditions:

    It was a planned design since day one that allowed clients to fall through in case the static crypto map did not provide the needed crypto services.

    The SA must be built from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

    Workaround:

    N/A

    Some possible workarounds are:

    Configure a static NAT on the remote device for when you want to use the remote VPN, so that the remote firewall is hit with a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available and whether you really want to use one of those IP addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from their PC at the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.

    Here is some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.

  • Remote VPN and site to site VPN: remote VPN users unable to access the local network

    As per the config below, with remote VPN and site to site VPN, remote VPN users are unable to access the local network. Please suggest the required config.

    The VPN users are not able to ping the local server IP 192.168.215.4. Remote VPN connectivity itself works fine, but the VPN users are not able to ping the local network.

    ASA Version 8.2(2)
    !
    hostname
    domain-name kunchevrolet
    enable password r8xwsBuKsSP7kABz encrypted
    passwd r8xwsBuKsSP7kABz encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group dataone
     ip address pppoe
    !
    interface Ethernet0/1
     nameif inside
     security-level 50
     ip address 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif Internet
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    clock timezone IST 5 30
    dns server-group DefaultDNS
     domain-name kunchevrolet
    same-security-traffic permit intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group network net-LAN
    access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu Internet 1500
    ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http x.x.x.x 255.255.255.252 outside
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 65500 set transform-set RIGHT
    crypto map VPN 10 ipsec-isakmp dynamic dynmap
    crypto map VPN interface outside
    crypto map ASA-01 10 set peer 221.135.138.130
    crypto map ASA-01 10 set transform-set RIGHT
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 28800
    telnet 192.168.215.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group dataone request dialout pppoe
    vpdn group dataone localname bb4027654187_scdrid
    vpdn group dataone ppp authentication chap
    vpdn username bb4027654187_scdrid password ***** store-local
    dhcp-client client-id interface Internet
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11-192.168.215.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption des-sha1
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy kun internal
    group-policy kun attributes
     vpn-simultaneous-logins 8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value kunchevrolet
    username test password P4ttSyrm33SV8TYp encrypted
    username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
    username kunauto attributes
     vpn-group-policy kun
     vpn-tunnel-protocol IPSec
    tunnel-group vpngroup type remote-access
    tunnel-group vpngroup general-attributes
     address-pool VPN_Users
     default-group-policy kun
    tunnel-group vpngroup webvpn-attributes
     group-alias vpngroup enable
    tunnel-group vpngroup ipsec-attributes
     pre-shared-key *
    tunnel-group test type remote-access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto#

    Hello,

    Looking at the configuration, there is an access list for nat exemption:

    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

    But it is not applied in the nat statements.

    Enter the following command to apply the nat exemption:

    nat (inside) 0 access-list sheep

    Kind regards,

    Dinesh Moudgil

    P.S. Please mark this post as "Answered" if you find this information useful, so that it benefits other users of the community.
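The effect of the missing nat 0 line, worked through as an added example (Python; not part of the thread and not ASA code). It models the pre-8.3 ASA rule order the answer relies on: identity NAT from the nat 0 access-list is consulted before dynamic PAT. The exemption ACL is the one quoted in the answer; the catch-all PAT rule, the outside address 203.0.113.1 and the sample hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (not in the thread): the ASA's outside interface address, used as the PAT address.
OUTSIDE_IP = ipaddress.IPv4Address("203.0.113.1")

# ACL quoted in the answer: inside LAN -> remote-access pool must leave untranslated so that it
# is matched by the VPN instead of being rewritten by the PAT rule.
SHEEP_ACL = [
    "access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0",
]


def parse_asa_ace(line):
    """'access-list NAME extended permit ip SRC MASK DST MASK' -> (name, src_net, dst_net)."""
    f = line.split()
    if f[:1] != ["access-list"] or f[2:5] != ["extended", "permit", "ip"] or len(f) != 9:
        raise ValueError(f"unsupported ACE: {line}")
    src = ipaddress.IPv4Network((f[5], f[6]), strict=False)
    dst = ipaddress.IPv4Network((f[7], f[8]), strict=False)
    return f[1], src, dst


def build_acls(lines):
    acls = {}
    for line in lines:
        name, src, dst = parse_asa_ace(line)
        acls.setdefault(name, []).append((src, dst))
    return acls


@dataclass
class NatConfig:
    """Pre-8.3 ASA NAT as relevant here: an optional 'nat (inside) 0 access-list NAME' exemption
    and an assumed catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0' + 'global (outside) 1 interface'
    dynamic PAT (the thread only shows the exemption ACL)."""
    acls: dict
    nat0_acl: str = None  # None models the posted config: ACL defined but never bound
    pat_source: ipaddress.IPv4Network = ipaddress.IPv4Network("0.0.0.0/0")


def translate(cfg, src, dst):
    """Return (source address the peer sees, rule that fired). Identity NAT from the nat 0
    access-list is evaluated before dynamic PAT; that precedence is what makes the exemption work."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for src_net, dst_net in cfg.acls.get(cfg.nat0_acl, []):
        if s in src_net and d in dst_net:
            return str(s), "nat 0 access-list exemption"
    if s in cfg.pat_source:
        return str(OUTSIDE_IP), "dynamic PAT to outside interface"
    return str(s), "no nat rule matched"


POSTED = NatConfig(acls=build_acls(SHEEP_ACL))                    # ACL exists, not applied
FIXED = NatConfig(acls=build_acls(SHEEP_ACL), nat0_acl="sheep")   # after 'nat (inside) 0 access-list sheep'

if __name__ == "__main__":
    # Constructed sample flows: LAN host -> VPN client, and LAN host -> internet.
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "LAN->VPN client:", translate(cfg, "192.168.215.20", "192.168.2.10"))
        print(label, "LAN->internet:  ", translate(cfg, "192.168.215.20", "198.51.100.7"))
```

With the posted configuration the LAN host's packets toward the client pool leave with the outside address as source, so they never match the VPN and the client cannot answer through the tunnel; once the ACL is bound with nat (inside) 0 the original source survives, while internet-bound traffic is still PATed.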

  • IPSec site-to-site VPN and Cisco VPN client routing problem

    Hello,

    I'm really stuck with the configuration of an IPsec site-to-site VPN (hub to spoke, multiple spokes) with Cisco VPN client remote access to this VPN.

    The problem is with the remote access (Cisco VPN client access): I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.

    On the spokes there is no Cisco hardware; they are DLINK routers.

    Someone told me that it is possible to use NAT to translate the remote access clients to hub LAN IPs and thus allow communication, but I'm unable to set it up and get it working.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - not Cisco devices / another vendor

    HUB Cisco 1841 HSEC:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny   ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How is the DLINK configured for the site-to-site VPN traffic between the subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you need to add the VPN Client pool subnet.

    Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and on the crypto ACL for the site-to-site VPN you need to edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, change the remote subnet on the DLINK from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.

    Hope that helps.
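The ACL rework in the answer above, worked through as an added example (Python; not part of the thread and not IOS code). It converts the Cisco wildcard ACLs to prefixes, checks that the proposed 192.168.6.0 0.0.1.255 summary is exactly the new client pool plus the hub LAN and nothing more, and classifies sample packets against the posted and the proposed ACL 180 and 190. The ACL lines are the ones quoted in the thread; the sample packet addresses are constructed.

```python
import ipaddress

# ACL lines quoted in the thread: the hub config as posted, and the answer's proposed rewrite.
POSTED_ACLS = [
    "access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255",
]
PROPOSED_ACLS = [
    "access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255",
    "access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255",
]


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask -> prefix. Only contiguous wildcards (0.0.1.255 style) can be
    expressed as a prefix; a discontiguous wildcard makes IPv4Network raise, which is what
    we want rather than a silent mis-match."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acls(lines):
    """'access-list N permit ip SRC WC DST WC' -> {N: [(action, src_net, dst_net), ...]}."""
    acls = {}
    for line in lines:
        f = line.split()
        if f[0] != "access-list" or f[3] != "ip" or len(f) != 8:
            raise ValueError(f"unsupported ACE: {line}")
        acls.setdefault(f[1], []).append(
            (f[2], wildcard_to_network(f[4], f[5]), wildcard_to_network(f[6], f[7])))
    return acls


def match(acl, src, dst):
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def summary_is_exact(summary, parts):
    """True if the summary prefix covers exactly the given prefixes (no over-matching)."""
    collapsed = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(p) for p in parts))
    return collapsed == [ipaddress.IPv4Network(summary)]


def split_tunnel_networks(acl190):
    """In an IOS split-tunnel ACL the source side is the network pushed to the client."""
    return {str(src_net) for action, src_net, _ in acl190 if action == "permit"}


POSTED, PROPOSED = parse_acls(POSTED_ACLS), parse_acls(PROPOSED_ACLS)

if __name__ == "__main__":
    # Constructed sample packets: a client from the old pool, one from the new pool, a hub LAN
    # host, and a neighbouring /24 that the /23 summary must not swallow.
    for src, dst, acls, label in [
        ("192.168.200.101", "192.168.1.10", POSTED, "old pool client, posted ACL 180"),
        ("192.168.6.101", "192.168.1.10", PROPOSED, "new pool client, proposed ACL 180"),
        ("192.168.7.5", "192.168.1.10", PROPOSED, "hub LAN host, proposed ACL 180"),
        ("192.168.8.5", "192.168.1.10", PROPOSED, "adjacent /24, proposed ACL 180"),
    ]:
        print(f"{label}: {match(acls['180'], src, dst)}")
    print("192.168.6.0/23 == pool + hub LAN:",
          summary_is_exact("192.168.6.0/23", ["192.168.6.0/24", "192.168.7.0/24"]))
    print("split-tunnel networks pushed to client:", split_tunnel_networks(PROPOSED["190"]))
```

The point of the /23 check is that the DLINK only accepts one remote subnet: the summary has to cover the pool and the hub LAN, and the adjacent-/24 packet shows it does not pull in anything else.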

  • Site to Site VPN through a NAT device

    Hi, I am having trouble getting a site-to-site VPN running between two 3725 routers running c3725-advsecurityk9-mz.124-15.T1, which I hope I can get some help with; I am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IP addresses on their WAN interfaces, but I had to move one of them inside the firewall onto a private IP address. The setup is now as below:

    VPN Router A (192.168.248.253) - internal company network - Fortigate FW - internet - (217.155.113.179) VPN Router B

    The Fortigate FW is doing some address translation:
    - traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
    - traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
    - firewall rules allow all traffic between the 2 devices, no port locking enabled.

    - The 37.205.62.5 address is not used by anything else.

    I basically have a GRE tunnel between the two routers, and I'm trying to encrypt it.

    Router A shows below

    SERVER-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
            Peer = 217.155.113.179
            Extended IP access list 101
                access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
            Current peer: 217.155.113.179
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    STRONG,
            }
            Interfaces using crypto map S2S_VPN:
                    FastEthernet0/1

    SERVER-RTR#show crypto session
    Crypto session current status

    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 217.155.113.179 port 500
      IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
            Active SAs: 0, origin: crypto map

    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 217.155.113.179 port 4500
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive

    Router B shows below

    BSU-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
            Peer = 37.205.62.5
            Extended IP access list 101
                access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
            Current peer: 37.205.62.5
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    STRONG,
            }
            Interfaces using crypto map S2S_VPN:
                    FastEthernet0/1

    BSU-RTR#show crypto session
    Crypto session current status

    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 37.205.62.5 port 500
      IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
            Active SAs: 0, origin: crypto map

    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 37.205.62.5 port 4500
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive

    I can see counters incrementing on the ACL on both routers, so I know the GRE traffic is interesting.

    Here are a few debugs too
    --------------
    Router A

    debug crypto isakmp

    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
    *Mar 2 23:07:20.794: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
    *Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
    *Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
    *Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
    *Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
    *Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avalanche tree during calling isadb_insert sa = 6464D3F0
    *Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

    *Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
    *Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
    *Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
    *Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Mar 2 23:07:20.798: ISAKMP:      encryption DES-CBC
    *Mar 2 23:07:20.798: ISAKMP:      hash SHA
    *Mar 2 23:07:20.798: ISAKMP:      default group 1
    *Mar 2 23:07:20.798: ISAKMP:      auth pre-share
    *Mar 2 23:07:20.798: ISAKMP:      life type in seconds
    *Mar 2 23:07:20.798: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
    *Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.

    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

    *Mar 2 23:07:20.802: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
    *Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

    *Mar 2 23:07:20.822: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

    *Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
    *Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP (1027): NAT found, the node inside NAT
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM3

    *Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM4

    *Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
    *Mar 2 23:07:20.902: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4  New State = IKE_R_MM5

    *Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
    *Mar 2 23:07:20.902: ISAKMP (1027): ID payload
            next-payload : 8
            type         : 1
            address      : 217.155.113.179
            protocol     : 17
            port         : 0
            length       : 12
    *Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
            authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
    *Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
    *Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
    *Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
            authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027):Process initial contact,
    bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
    *Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
    *Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.

    *Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
    *Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
    *Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_R_MM5

    *Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
    *Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    *Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar 2 23:07:20.910: ISAKMP (1027): ID payload
            next-payload : 8
            type         : 1
            address      : 192.168.248.253
            protocol     : 17
            port         : 0
            length       : 12
    *Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
    *Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
    *Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Mar 2 23:07:20.930: ISAKMP (1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
    *Mar 2 23:07:20.934: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
    *Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
    *Mar 2 23:07:20.934: ISAKMP:   attributes in transform:
    *Mar 2 23:07:20.934: ISAKMP:      encaps is 3 (Tunnel-UDP)
    *Mar 2 23:07:20.934: ISAKMP:      SA life type in seconds
    *Mar 2 23:07:20.934: ISAKMP:      SA life duration (basic) of 3600
    *Mar 2 23:07:20.934: ISAKMP:      SA life type in kilobytes
    *Mar 2 23:07:20.934: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Mar 2 23:07:20.934: ISAKMP:      key length is 128
    *Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
    *Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
    *Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
    *Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 1688526152, message ID = 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
    *Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY  New State = IKE_QM_READY
    *Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
    *Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
    *Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
    *Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
    *Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Mar 2 23:07:24.530: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 3268378219, message ID = 1318257670, sa = 6464D3F0
    *Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
    *Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720

    Router B
    ----------
    debug crypto isakmp

    1d23h: ISAKMP:(0): SA request profile is (NULL)
    1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
    1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
    1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
    1d23h: ISAKMP: local port 500, remote port 500
    1d23h: ISAKMP: set new node 0 to QM_IDLE
    1d23h: ISAKMP: Find a dup sa in the avalanche tree during calling isadb_insert sa = 652CBDC4
    1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
    1d23h: ISAKMP:(0):constructed NAT-T vendor-07 ID
    1d23h: ISAKMP:(0):constructed NAT-T vendor-03 ID
    1d23h: ISAKMP:(0):constructed NAT-T vendor-02 ID
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    1d23h: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    1d23h: ISAKMP:(0):beginning Main Mode exchange
    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP (0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    1d23h: ISAKMP:(0): processing SA payload. message ID = 0
    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0): local preshared key found
    1d23h: ISAKMP : Scanning profiles for xauth ...
    1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    1d23h: ISAKMP:      encryption DES-CBC
    1d23h: ISAKMP:      hash SHA
    1d23h: ISAKMP:      default group 1
    1d23h: ISAKMP:      auth pre-share
    1d23h: ISAKMP:      life type in seconds
    1d23h: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
    1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
    1d23h: ISAKMP:(0):Acceptable atts:life: 0
    1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
    1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
    1d23h: ISAKMP:(0)::Started lifetime timer: 86400.

    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    1d23h: ISAKMP (0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    1d23h: ISAKMP:(0): processing KE payload. message ID = 0
    1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is Unity
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is DPD
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): speaking to another IOS box!
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP (1034): NAT found, the node outside NAT
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4  New State = IKE_I_MM4

    1d23h: ISAKMP:(1034):Send initial contact
    1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    1d23h: ISAKMP (1034): ID payload
            next-payload : 8
            type         : 1
            address      : 217.155.113.179
            protocol     : 17
            port         : 0
            length       : 12
    1d23h: ISAKMP:(1034):Total payload length: 12
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4  New State = IKE_I_MM5

    1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
    1d23h: ISAKMP (1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 33481563 to QM_IDLE
    1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
    1d23h: ISAKMP:received payload type 18
    1d23h: ISAKMP:(1033): processing delete with reason payload
    1d23h: ISAKMP:(1033):delete doi = 1
    1d23h: ISAKMP:(1033):delete protocol id = 1
    1d23h: ISAKMP:(1033):delete spi_size =  16
    1d23h: ISAKMP:(1033):delete num spis = 1
    1d23h: ISAKMP:(1033):delete_reason = 11
    1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
    1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.

    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE       (peer 37.205.62.5)
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
    1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1033):purging node 1618266182
    1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
    1d23h: ISAKMP (1034): ID payload
            next-payload : 8
            type         : 1
            address      : 192.168.248.253
            protocol     : 17
            port         : 0
            length       : 12
    1d23h: ISAKMP:(0):: peer matches *none* of the profiles
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
    1d23h: ISAKMP:(1034):SA authentication status:
            authenticated
    1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
    1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing peer 643BCA10 to reuse, free 652C3B54
    1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
    1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
    1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM5  New State = IKE_I_MM6

    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE       (peer 37.205.62.5)
    1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
    1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
    1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6  New State = IKE_I_MM6

    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

    1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
    1d23h: ISAKMP:(1034):QM Initiator gets spi
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    1d23h: ISAKMP:(1034):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node -874376893 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
    1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 56853244, message ID = -874376893, sa = 652CBDC4
    1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
    1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
    1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 439453045 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
    1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
    1d23h: ISAKMP:(1034):Checking IPSec proposal 1
    1d23h: ISAKMP: transform 1, ESP_AES
    1d23h: ISAKMP:   attributes in transform:
    1d23h: ISAKMP: program is 3 (Tunnel-UDP)
    1d23h: ISAKMP: type of life in seconds
    1d23h: ISAKMP: life of HIS (basic) 3600
    1d23h: ISAKMP: type of life in kilobytes
    1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
    1d23h: ISAKMP: key length is 128
    1d23h: ISAKMP: (1034): atts are acceptable.
    1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
    1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
    1d23h: ISAKMP: node set 1494356901 to QM_IDLE
    1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 1687353736, message ID = 1494356901
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): purge the node 1494356901
    1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
    1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
    1d23h: ISAKMP: (1032): purge the node 1513722556
    1d23h: ISAKMP: (1032): purge the node-643121396
    1d23h: ISAKMP: (1032): purge the node 1350014243
    1d23h: ISAKMP: (1032): purge the node 83247347

    Hi Nav,

    I'm happy it's working now. Your interpretation is correct. IPsec transport mode encrypts only the payload, while tunnel mode encrypts the whole IP packet (original header and payload) and inserts a new IP header. Thus, tunnel mode is used for site-to-site IPsec VPN and transport mode is used for point-to-point IPsec VPN. When GRE is used with IPsec, all packets are encapsulated with a GRE header first, so essentially this is a point-to-point IPsec VPN.

    The problem you are having with tunnel mode: the router's packet is going to be wrapped with a GRE header with source 192.168.248.253 and destination 217.155.113.179. The whole packet is then encrypted and a new header is added with the same source/destination. This new header will be translated (NATed) by the FW, but the encapsulated and encrypted GRE header will not be. When the packet arrives at router B, after decrypting the packet, router B will see the GRE header, whose source/destination is different from the tunnel it uses. This breaks the GRE tunnel and the routing protocol between router A and router B.

    HTH,

    Lei Tian

  • Site to site VPN between a PIX501 and a CISCO router

    Hello Experts,

    I have a test lab at home; I set up a site to site VPN using a Cisco PIX501 and a CISCO2691 router. For the configurations I just followed a few links on the internet, because my background in VPN configuration is not too good. For the router configuration I followed this link:

    www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...

    and for configuring the PIX I just used the VPN Wizard of the PIX. All configurations are done, but ping fails. Hope you can help me with this; I don't know what to do here (troubleshooting).

    Attached here are the configuration of my router, the topology, and the PIX configuration. Hope you can help me with this. Thanks in advance.

    Hi Mark,

    I went in the Config of the ASA

    I see that the NAT exemption is still missing there

    Please add the following:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Then try it; it should work

    Thank you

    REDA

  • Order of operations NAT on Site to Site VPN Cisco ASA

    Hello

    I have a question about the NAT order of operations on a Site to Site VPN on a Cisco ASA 8.2.x. I have a scenario where internal IP addresses in the 10.17.128.x range are NATted to public IPs 31.10.10.x. Below is the config:

    The tunnel normally passes traffic to the DMZ servers 31.10.11.10 and 31.10.11.11.

    But the NATted servers (10.17.128.x <-> 31.10.10.x) do not work.

    crypto map inside_map 50 set transform-set ESP-3DES-SHA
    tunnel-group 100.1.1.1 type ipsec-l2l
    tunnel-group 100.1.1.1 general-attributes
     default-group-policy PHX_HK
    tunnel-group 100.1.1.1 ipsec-attributes
     pre-shared-key *
    group-policy PHX_HK internal
    group-policy PHX_HK attributes
     vpn-filter none
     vpn-tunnel-protocol IPSec svc webvpn
    crypto map inside_map 50 match address outside_cryptomap_50
    crypto map inside_map 50 set peer 100.1.1.1
    crypto map inside_map 50 set transform-set ESP-3DES-SHA
    crypto map inside_map 50 set reverse-route
    object-group network PHX_Local
     network-object host 31.10.11.10
     network-object host 31.10.11.11
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13
     network-object host 10.17.128.20
     network-object host 10.17.128.21
     network-object host 10.17.128.22
     network-object host 10.17.128.23
    object-group network HK_Remote
     network-object host 102.1.1.10
    access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
    access-list ACL_INSIDE extended permit ip object-group PHX_Local object-group HK_Remote
    access-list ACL_OUTSIDE extended permit ip object-group HK_Remote object-group PHX_Local
    access-list outside_cryptomap_50 extended permit ip object-group PHX_Local object-group HK_Remote
    route outside 102.1.1.10 255.255.255.255 30.1.1.1 1
    static (inside,outside) 31.10.10.10 10.17.128.20 netmask 255.255.255.255
    static (inside,outside) 31.10.10.11 10.17.128.21 netmask 255.255.255.255
    static (inside,outside) 31.10.10.12 10.17.128.22 netmask 255.255.255.255
    static (inside,outside) 31.10.10.13 10.17.128.23 netmask 255.255.255.255

    It started to work when I created another object group named PHX_Local1 and used it in the inside_nat0_outbound access list instead of the object group PHX_Local, as below:

    object-group network PHX_Local1
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13
    no access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
    access-list inside_nat0_outbound extended permit ip object-group PHX_Local1 object-group HK_Remote

    Can you please help me understand why the object group PHX_Local failed in the access-list inside_nat0_outbound, but it began to work with the object group PHX_Local1.

    Also, if you could tell me the NAT order of operations over a Site to Site VPN, it would be helpful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think the original question could have been stated in a way that was misleading. In other words, I think I understand it now.

    From what I understand now, you have DMZ servers that are configured with a public IP address on the actual servers. And for those you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the ASA.

    If this is the case, then the next question would be: should the servers with the NAT use the L2L VPN connection with their real IP address or with their NAT IP address?

    Of course, if you configure static NAT and NAT0 for the same servers, NAT0 will always win.

    You have these hosts which were not able to use the L2L VPN:

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    If you want them to go over the L2L VPN with their original IP addresses, then you must configure:

    object-group network LOCAL
     network-object host 10.17.128.20
     network-object host 10.17.128.21
     network-object host 10.17.128.22
     network-object host 10.17.128.23
    object-group network REMOTE
     network-object host 102.1.1.10
    access-list inside_nat0_outbound extended permit ip object-group LOCAL object-group REMOTE
    access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE

    If you want them to use the L2L VPN with their public IP addresses, then you must configure:

    object-group network LOCAL
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13
    object-group network REMOTE
     network-object host 102.1.1.10
    access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE

    EDIT: in this case you naturally do not configure any NAT0 for the real IP addresses, since we precisely want those hosts to be visible to the L2L VPN with their NAT IP address.

    Or you can of course keep the same "object-group" names as currently but change their content in an appropriate manner.

    Be sure to mark the question as answered if it was answered.

    Ask more if necessary

    -Jouni
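    To make the NAT0-before-static ordering concrete, here is an added Python model (not Cisco code and not part of this thread) that applies the 8.2 order of operations from the reply above to the addresses quoted in the question; the object-group contents are constructed from the post, and the remote side is assumed to accept only the DMZ and public 31.10.x addresses.

```python
"""ASA 8.2 outbound NAT order on an L2L VPN, modelled in Python.

Added illustration, not Cisco code. Order of operations assumed here:
  1. NAT exemption (nat 0 access-list) is checked against the real source;
  2. if it does not match, static (inside,outside) translation applies;
  3. the crypto ACL is evaluated against the post-NAT source address.
Addresses come from the question above; the remote side is assumed to
accept only the DMZ and public 31.10.x addresses (assumption, not stated).
"""
from ipaddress import ip_address, ip_network

# static (inside,outside) <public> <real> entries from the question.
STATIC_NAT = {
    "10.17.128.20": "31.10.10.10",
    "10.17.128.21": "31.10.10.11",
    "10.17.128.22": "31.10.10.12",
    "10.17.128.23": "31.10.10.13",
}
HK_REMOTE = ["102.1.1.10/32"]
DMZ_REAL = ["31.10.11.10/32", "31.10.11.11/32"]          # no NAT needed
PHX_LOCAL1 = [f"{p}/32" for p in STATIC_NAT.values()]     # public IPs only
PHX_LOCAL = DMZ_REAL + PHX_LOCAL1 + [f"{r}/32" for r in STATIC_NAT]

def acl_matches(acl, src, dst):
    """'permit ip object-group A object-group B' evaluated for one flow."""
    s, d = ip_address(src), ip_address(dst)
    return (any(s in ip_network(n) for n in acl["src"])
            and any(d in ip_network(n) for n in acl["dst"]))

def asa_outbound(src, dst, nat0_acl, crypto_acl):
    """Return (source address seen by the tunnel, encrypted?) for one flow."""
    if acl_matches(nat0_acl, src, dst):     # 1. exemption wins over static
        xlated = src
    else:                                   # 2. static NAT, if any
        xlated = STATIC_NAT.get(src, src)
    encrypted = acl_matches(crypto_acl, xlated, dst)   # 3. crypto ACL
    return xlated, encrypted

def remote_accepts(xlated):
    """Assumed HK policy: only DMZ and public addresses are in its crypto ACL."""
    return any(ip_address(xlated) in ip_network(n) for n in DMZ_REAL + PHX_LOCAL1)

CRYPTO_ACL = {"src": PHX_LOCAL, "dst": HK_REMOTE}
NAT0_ORIGINAL = {"src": PHX_LOCAL, "dst": HK_REMOTE}    # failed for 10.17.128.x
NAT0_FIXED = {"src": PHX_LOCAL1, "dst": HK_REMOTE}      # the PHX_Local1 variant

def verdict(src, dst, nat0_acl):
    """Summarise a flow as (tunnel source, encrypted, accepted by remote)."""
    xlated, enc = asa_outbound(src, dst, nat0_acl, CRYPTO_ACL)
    return xlated, enc, enc and remote_accepts(xlated)

if __name__ == "__main__":
    for acl, name in ((NAT0_ORIGINAL, "PHX_Local"), (NAT0_FIXED, "PHX_Local1")):
        print(name, "->", verdict("10.17.128.20", "102.1.1.10", acl))
```

    With the original PHX_Local in the exemption ACL, 10.17.128.20 enters the tunnel untranslated, which is exactly why the remote side never sees the 31.10.10.10 it expects.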

  • Site to Site VPN NAT conflicts

    I have a site to site VPN between my main office and a branch office.  Traffic between them flows correctly with the exception of some protocols.  My main router has static NAT configured for port 25 and a few others.  For each of those protocols that have a static NAT, I can't send traffic from my branch office to the IP in the static NAT,

    i.e. I can't access port 25 on 172.16.1.1 from my branch office at 172.17.1.1, but I do have remote desktop access

    It's as if my NAT list is excluding the static entries that follow.  I have posted the configs below.  Any help would be appreciated.

    Main office: 2811

    Branch: 1841

    Two routers connected to the internet.  VPN site to Site between them with the following config

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key * address *.***.**.116
    !
    !
    crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
    !
    crypto map VPN-map 10 ipsec-isakmp
     set peer *.***.**.116
     set transform-set VPN-TS
     match address VPN-TRAFFIC

    I have two IP addresses on the main router: .122 and .123

    There is a deny list set up on both routers; this is the main one:

    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 remark =[Service NAT]=
    access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
    access-list 100 permit ip 172.16.0.0 0.0.255.255 any
    access-list 100 permit ip 172.24.0.0 0.0.255.255 any

    To serve clients that have no VPN and no internet, the following NAT is configured to send e-mail to Exchange:

    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 extendable

    Try using policy NAT to exclude traffic from your servers from being NATted when it goes to the branch office network.

    Something like this:

    ip access-list extended STATIC_NAT
     remark aka nat0 for traffic from the server to the branch
     deny ip host 172.16.1.1 172.17.1.0 0.0.0.255
     permit ip host 172.16.1.1 any
    !
    route-map policy-NAT permit 10
     match ip address STATIC_NAT
    !
    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 route-map policy-NAT extendable

  • IOS Site to Site VPN - cannot route after VPN + NAT

    Hello

    I have problems with a VPN between two 8xx access routers: I am trying to set up a quick and dirty Site to Site VPN with source NAT at the VPN tunnel endpoint. This configuration is only intended to run for a single day. I managed to get the VPN working and I traced the NAT translations at the VPN tunnel endpoint, but I couldn't get these translated packets, which have to leave through the access router, to go out, because the network that is meant to receive the VPN traffic is not directly connected to the router. However, I can ping the hosts directly connected to the access router through the VPN.

    Something is keeping routing from working. I don't think it is the NATing, because I tried removing the NAT and I still couldn't trace any of the outgoing packets that should have been sent, so I suspect this feature is not included in the IOS of the Cisco 8xx router range.

    Am I stretching the VPN + NAT + routing features too far, or is there a configuration error in my setup?

    This is the configuration on the Cisco 8xx router (I have provided only this VPN endpoint, as the VPN endpoints themselves work):

    VPN endpoints: 10.20.1.2 and 10.10.1.2

    routing to 192.168.2.0 is needed, from 192.168.1.2 to 192.168.1.254

    From 172.31.0.x to 192.168.1.x

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname INSIDEVPN
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    dot11 syslog
    no ip cef
    !
    ip domain name xxxx.xxxx
    !
    multilink bundle-name authenticated
    !
    username root password 7 xxxxxxxxxxxxxx
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxx address 10.20.1.2
    !
    crypto ipsec transform-set VPN-TRANSFORMATIONS esp-3des esp-sha-hmac
    !
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer 10.20.1.2
     set transform-set VPN-TRANSFORMATIONS
     match address 100
    !
    archive
     log config
      hidekeys
    !
    controller DSL 0
     line-term cpe
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 12
     no cdp enable
     crypto map CRYPTOMAP
    !
    interface FastEthernet1
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet2
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet3
     switchport access vlan 2
     no cdp enable
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
    !
    interface Vlan12
     ip address 10.10.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     crypto map CRYPTOMAP
    !
    ip forward-protocol nd
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 10.10.1.254
    ip route 172.31.0.0 255.255.0.0 Vlan12
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 172.31.0.2 192.168.1.11
    ip nat inside source static 172.31.0.3 192.168.1.12
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
    !
    control-plane
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxx
     login
    !
    scheduler max-task-time 5000
    end

    Hi Jürgen,

    First of all, when I went through your config, I saw these lines:

    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
    !
    !
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    !

    With a 255.255.255.248 mask, 192.168.1.1 and 192.168.1.254 fall into different subnets. So I don't think you can reach the 192.168.2.0/24 subnet from the local router at this point. I think you should fix that first.

    Maybe have 192.168.1.2 255.255.255.248 on the connected router (instead of 192.168.1.254).

    Once this has been done. We will have to look at routing.

    You are NATting 172.31.0.2 -> 192.168.1.11

    Now, in order for that to work, make sure that the NAT source addresses (192.168.1.11) are outside the router-to-router subnet (if you go with the 192.168.1.0/29 subnet between the routers, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 is the subnet that your NAT sources would fall into.

    Have a static route on the connected router (192.168.1.2) for the network 192.168.1.8/29 pointing to 192.168.1.1:

    !
    ip route 192.168.1.8 255.255.255.248 192.168.1.1
    !

    So return packets will be correctly routed toward our local router.

    If you have an interface on the connected router which includes the NAT source address range, let's say 192.168.1.254/24, then even if your packets somehow reach 192.168.2.0/24, the return packets never go to the local router (192.168.1.1), because the connected router sees them as belonging to a connected subnet, so they will just time out.

    I hope I understood your scenario. Please make the changes and let me know how it went.

    Also, please don't forget to rate this post if it was useful.

    Shamal
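    The two conditions in the reply above (NAT sources outside the link subnet, and a route back on the connected router) can be checked mechanically; the following is an added Python check, not from this thread, using the addresses quoted above and constructed route tables for the connected router.

```python
"""Return-path check for NAT sources behind a router-to-router link.

Added illustration, not from the thread: for a translated packet to get a
reply, the NAT source address must be outside the link subnet between the
local router (the one doing NAT) and the connected router, and the connected
router must hold a route for it pointing back at the local router. Addresses
are those quoted above; the route tables below are constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

def next_hop(connected, routes, dst):
    """Longest-prefix lookup on the connected router.

    connected: its interface prefixes (e.g. '192.168.1.2/29'), reached by ARP;
    routes: {prefix: next-hop} static routes. Returns 'connected', the
    next-hop string, or None if nothing matches.
    """
    d = ip_address(dst)
    best = None
    candidates = [(ip_interface(c).network, "connected") for c in connected]
    candidates += [(ip_network(p), nh) for p, nh in routes.items()]
    for net, via in candidates:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def return_path_ok(link_if, nat_sources, routes, local_router):
    """True if replies to every NAT source are forwarded to the local router."""
    link = ip_interface(link_if).network
    for nat in nat_sources:
        if ip_address(nat) in link:
            # The connected router would ARP for it on the link and time out.
            return False
        if next_hop([link_if], routes, nat) != local_router:
            return False
    return True

NAT_SOURCES = ["192.168.1.11", "192.168.1.12"]   # from the thread
LOCAL_ROUTER = "192.168.1.1"

def original_design():
    """Connected router with 192.168.1.254/24 on the link: NAT sources look local."""
    return return_path_ok("192.168.1.254/24", NAT_SOURCES, {}, LOCAL_ROUTER)

def suggested_design():
    """/29 link, NAT sources in 192.168.1.8/29, static route back to .1."""
    return return_path_ok("192.168.1.2/29", NAT_SOURCES,
                          {"192.168.1.8/29": "192.168.1.1"}, LOCAL_ROUTER)

if __name__ == "__main__":
    print("original:", original_design(), "suggested:", suggested_design())
```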
