Packet-trace for vpn l2l
If anyone can help with control of packet - trace to migrate to l2l ipsec vpn
on ASA (one)
ciscoasa # packet - trace entry outside tcp 10.10.1.2 12345 192.168.1.2 80
ASA (one)
Ip address inside - 192.168.1.2
Destination port 80
ASA (b)
Inside - 10.10.1.2 ip address
Port source 12345
Hello
So if your host 'inside' is 192.168.1.2 and the 'outside' host is 10.10.1.2 then you could just what follows
Packet-trace entry inside tcp 192.168.1.2 12345 10.10.1.2 80
If the goal is just to test the VPN negotiation then the ports are not really important, but naturally tested traffic with "packet - tracer" must be authorized by your interface "inside" ACL. The essential is that the source address and destination match the VPN L2L (Crypto ACL) configurations
Generally you would use NAT0 for these networks the and remote so NAT should not be a problem to test from that direction. I suppose there might be rare situations where using the command in this sense is not possible
-Jouni
Tags: Cisco Security
Similar Questions
-
Summary:
We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.
Here is the config:
# #List of OUR guests
the OURHosts object-group network
network-host 192.168.x.y object
# Hosts PARTNER #List
the PARTNERHosts object-group network
network-host 10.2.a.b object
###ACL for NAT
# Many - to - many outgoing
access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts
# One - to - many incoming
VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group
# #NAT
NAT (INSIDE) 2-list of access NAT2
NAT (OUTSIDE) 2 172.20.n.0
NAT (INSIDE) 3 access-list VIH3
NAT (OUTSIDE) 3 172.20.n.1
# #ACL for VPN
access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group
access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list
# #Tunnel
tunnel-group
type ipsec-l2l card
<#>crypto is the VPN address card crypto
<#>the value transform-set VPN #>card
<#>crypto defined peer #> #>I realize that the ACL for the VPN should read:
access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list
access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list
.. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.
What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1 nat 0-list of access (free from nat)
2. match the existing xlates
3. match the static controls
a. static NAT with no access list
b. static PAT with no access list
4. match orders nat
a. nat [id] access-list (first match)
b. nat [id] [address] [mask] (best match)
i. If the ID is 0, create an xlate identity
II. use global pool for dynamic NAT
III. use global dynamic pool for PAT
If you can try
(1) a static NAT with an access list that will have priority on instruction of dynamic NAT
(2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.
I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.
Jon
-
What type of certifcates I should issueing bee in my ASA.
Now I'm issueing IPSEC (offline) and I don't know if it's the right kind.
I have ICP work for mobile users. simply not L2L
Yes,
Which can cause failure.
Put command
"ignore-ipsec-keyusage" under the CompanyTrustPoint
That should solve.
-
ASA 8.4. (1) VPN L2L can only be established through default gateway
Hi all!
We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.
On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.
We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.
It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.
Any advice?
Thank you!
Well well, (any, any) certainly does not help.
You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.
In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.
More precise best for NAT statement.
NAT (, PublicTESAVPNBackup) source static static destination
-
Cisco ASA (8.3) - Packet trace / Multi context Classification
Hello
I use packet - trace for a while on and outside, with mixed results.
I am running a firewall context multi with more than 10 of the same shared contexts outside the interface / network.
All interfaces have obviously valid and unique IPs and also the unique MAC addresses as automatic address mac is enabled in the system context.
It is an ASA 5550 running 8.3 (2.10) Provisional includes therefore the fix for the bug failed packet classification - draw well known.
So in theory, with firewall settings on a shared interface ASA must use the firewall MAC address to classify incoming traffic on the correct firewall and as far as I know, only retreating to use TAR to classify if the Mac of the interface are the same. Actually on my platform, appears not to be the case and the classifier uses NAT to determine the context of destination. I see this with live traffic (that is not generated by packet - trace) in newspapers and can prove it by disabling some NAT rules (there is some overlap with the IP address behind each firewall).
My question about packet trace is - in the scenario above with an external interface shared, tracer package uses not ALWAYS NAT to determine the context of destination? Or tracer packet search address MAC interface penetration depending on what context you run packet tracer of? It seems that packet - trace uses NAT in my case which could be just symptomatic of the potential bug I described above, rather than by design.
I searched the forums for an answer to this and have not found one - don't know if it will be a question for developers TAC?
See you soon
Paul
Hi Paul,.
The packet - trace has no way to specify the MAC address of the simulated package, so it will always return a check of the NAT. It is currently a limiation of the feature of packet - trace in multiple context mode.
In addition, if your NAT rules contains the 'none' keyword of the pair of the interface, you should be aware of this bug:
CSCts07069 - ASA: packet classifier fails with "any" in the rule being NAT (fixed in 8.3.2.28)
Hope that helps.
-Mike
-
S2S vpn pings go but watch drop packet tracer
Hi guys,.
Thanks for a great forum!
I have a vpn tunnel of work implemented between 2 ASAs, that I use the tunnel daily for management purposes. When I simulate the traffic entering the tunnel at tracers package one end shows a drop of water...
The flow rate is gcoutside inside the shared_vpn_inside interface.
Packet-trace entry tcp gcoutside 192.168.77.109 10000 192.168.70.10 80 retail
It gives the following:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DECLINE
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x744b44f0, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 32062, user_data = 0xb2f965c, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
Hide ip src/id =192.168.77.0, = 255.255.255.0, port = 0, = 0 tag
IP/ID=192.168.70.0 DST, mask is 255.255.255.0, port = 0, tag = dscp 0 = 0 x 0
input_ifc = gcoutside, output_ifc = any
And just to point out, all through the tunnel works... I can't find any errors anywhere... Not in the newspapers, nowhere.
Why is it when everything seems to work?
See you soon
Hello
I guess I could have remembered as bad. I tend not to use the "packet-tracer" to test the management VPN remote connections to the Local level. I tend to use to begin the negotiation of VPN when I don't have access to equipment that can use the VPN L2L connection.
So it would be nice if you can not just simply test connectivity to the subject of connection that are supposed to be coming through a VPN connection. Even if this VPN connection is currently on the rise.
I actually tested with earlier with a couple of different units of the SAA, and it has not worked for the connection which were rising and negotiated SAs.
-Jouni
-
Dynamic routing for VPN Failover L2L
Hello
Can someone offer me some advice on this please?
I have attached a simple diagram of our EXTENSIVE referral network.
Overview
- The firewall is ASA 5510 running 8.4 (9)
- Basic to the Headquarters network uses OSPF
- On ASA static routes are redistributed into OSPF
- On ASA for VPN static routes are redistributed into OSPF with 130 metric so redistributed BGP routes are preferred
- Basic network has a static route to 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
- Branch Office WAN uses BGP - routes are redistributed into OSPF
- The branch routers using VRRP for redundancy of the IP for the default gateway of local customers.
- Branch router main past off VRRP IP to router backup when the WAN interface is down
- BO backup router (. 253) contains only a default route to the internet
- In normal operation, the traffic to and from BO uses Local Branch Office WAN
- If local BO WAN link fails, traffic to and from the BO uses IPSec VPN via public Internet
I try to configure dynamic routing on our network for when a branch switches to the IPsec VPN. What I want to happen (not sure if it is possible) is for the ASA announce the subnet to the remote end of the VPN in OSPF to Headquarters.
I managed to get this working using IPP, but for some reason any VPN stay up all the time when we are not in a failover scenario. This causes the ASA added the table as a static route is the remote subnet in it and do not use the announced route of OSPF from the core network. This prevents the BO customers access to the Internet. If I remove the IPP on the VPN setting, ASA learns the route to the subnet via the WAN BO - resumes normal operation.
I have configured the metric of the static routes that get redistributed into OSPF by ASA superior to 110. This is so that the routes redistributed by the WAN BO OSPF BGP, are preferred. The idea being that when the WAN link is again available, the routing changes automatically and the site fails to WAN BO.
I guess what I need to know is; This design is feasible, and if so where I'm going wrong?
Thank you
Paul
Hi Paul,.
your ASA maintains the tunnel alive only because this path exists on ASA. This is why you must use IP - SLA on ASA to push network taffic "10.10.10.0/24" based on the echo response, using the ALS-intellectual property
Please look at the example below, in the example below shows that the traffic flows through the tunnel, only if the ASA cannot reach the 10.10.10.0/24 network via the internal network of HQ.
This configuration illuminate ASA.
Route inside 10.10.10.0 255.255.2550 10.0.0.2 track 10
(assuming 10.0.0.2 ip peering from inside the ip address of the router to HO)
Route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
(value of 254 is a more expensive route to go via IPSec tunnel and x = the bridge by default-ISP)
ALS 99 monitor
type echo protocol ipIcmpEcho 10.10.10.254 inside interface
NUM-package of 3
frequency 10
Annex monitor SLA 99 life never start-time now
track 10 rtr 99 accessibility
Let me know, if this can help.
Thank you
Rizwan James
-
VPN l2l failed inside on ASA 5520 (8.02)
VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.
vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xc92087c8, priority = 12, area = capture, deny = false
hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false
hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0000.0000.0000
Phase: 3
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 4
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.0.0.0 255.0.0.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DECLINE
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xc87f3670, priority = 111, domain = allowed, deny = true
hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
the output interface: inside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule
= ACCESS-LIST + Config =.
the object-group L2LVPN-blah_local network
network-object 10.97.29.73 255.255.255.255
the object-group L2LVPN-blah_remote network
network-object [10.0.0.240] 255.255.255.240INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object
L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote
access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240
Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1
address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
peer set card crypto VPN-exterior 46 [10.0.0.243]
outside-VPN 46 transform-set esp-sha-aes-256 crypto card
outside-VPN interface card crypto outsideIPSec-l2l type tunnel-group [10.0.0.243]
IPSec-attributes of tunnel-group [10.0.0.243]
pre-shared-key *.[10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28
===========================================
Thanks in advance.
Michael Garcia
Profit Systems, Inc..
Hi Michael,
-Is the IP peer really part of the network that make up the field of encryption?
-Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.
-You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption
Someone else may have a few ideas, but these are questions I have for the moment.
James
-
I have a client with an ASA 5505 who has several networks, he tries to communicate via a VPN tunnel with a desktop remotely. One of the networks does not work because it is also used on the other side of the tunnel management interface, and none of both sides seem ready to re - IP their interior space.
Their proposed solution is to NAT the contradictory network on this side to a different subnet firewall before passing through the tunnel. How to implement a NAT which only uses the VPN tunnel while the rest of the traffic that comes through this device of the United-NATted Nations?
The network in question is 192.168.0.0/24. Their target you want the NAT is 172.16.0.0/24. Config of the SAA is attached.
Hello
Basically, the political dynamic configuration PAT should work to connect VPN L2L because the PAT political dynamics is processed before PAT/NAT dynamic configurations.
Only NAT configurations that can replace this dynamic NAT of the policy are
- NAT0 / exempt NAT configuration
- Strategy static NAT/PAT
- Public static NAT/PAT
And because we have determined that the only problem is with the network 192.168.0.0/24 and since there is no static configuration NAT/PAT or static policy NAT/PAT, then PAT political dynamics should be applied. Unless some configurations NAT0 continues to cause problems.
The best way to determine what rules are hit for specific traffic is to use the command "packet - trace" on the SAA
Packet-trace entry inside tcp 192.168.0.100 12345 10.1.7.100 80
For example to simulate an HTTP connection at random on the remote site
This should tell us for example
- Where the package would be sent
- He would pass the ACL interface
- What NAT would be applied
- It would correspond to any configuration VPN L2L
- and many others
Then can you take a sample output from the command mentioned twice and copy/paste the second result here. I ask get exit twice because that where the actual VPN L2L negotiations would go through the first time that this command would only raise the L2L VPN while the second command could show already all the info of what actually passed to the package simulated.
In addition, judging by the NAT format you chose (political dynamics PAT), I assume that only your site connects to the remote site? Given that the political dynamics PAT (or dynamic PAT) normal does not allow creating a two-way connection. Connections can be opened that from your site to the remote site (naturally return traffic through automatically because existing connections and translations)
-Jouni
-
Direct specific ports down a VPN L2L
I have a client who is trying to use an ISP hosted web filtering and content management a gateway, the ISP wants to use and L2L ISPEC VPN on site at their front door to control the traffic. Today we have the tunnel with an ACL test for peripheral test side customer down the tunnel, but that it blocks all traffic that is not being analyzed. The problem is that they are on an ASA 5510 with 8.2.2. You cannot add ports tcp in the ACL sheep, it error when you try to apply the nat 0 access-list statement sheep (inside). We can define the ports to go down the VPN traffic interesting ACL with number, but there is no way to send just the web ports down the VPN and allow the other ports on regular overflow interface NAT I was look in 8.4 and see if it allows a policy NAT (twice the NAT for virtual private networks) to set a port to a range of IPS (IE (: nat static destination WEBINSPECT-WEBINSPECT (indoor, outdoor) static source a whole) but who only define as web ports.
I do not have an ASA test to use, but I guess that vpn l2l will be only by IP and I can not define a port tunnel.
In any case, it is a strange, but the ideas are welcome. I don't think it's possible, but I thought I'd see if anyone encountered at the front.
Hello
Well to give you a simple example where we use the double NAT / manual transmission NAT to handle traffic
For example a configuration example I just did on my 8.4 (5) ASA
The following configuration will
- Set the 'object' that contains the source network for NAT
- Set the 'object' that contains the service for NAT
- Define the real NAT
The real NAT is going to make any connection from the network under 'Wireless' network object to the destination port TCP/80 will be sent 'WAN' interface without NAT
Of course it is the next step with VPN L2L network under 'network wireless of the object' would correspond to the ACL of VPN L2L. But that seemed straight forward for you already
the subject wireless network
10.0.255.0 subnet 255.255.255.0
service object WWW
Service tcp destination eq www
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
The following configuration will
- Define the "object-group", that defines networks of the source of the rule by default PAT for Internet traffic
- Set the 'object' for the PAT address (could just use 'interface' instead of the 'object')
- Define the real NAT
The NAT configuration will just make a rule by default PAT for the wireless network. The key thing to note here is that we use the setting "auto after." This basically inserts the NAT rule to the priority of the very bottom of the ASA.
object-group, network WIRELESS-network
object-network 10.0.255.0 255.255.255.0
network of the PAT object - 1.1.1.1
host 1.1.1.1
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Now we can use the command "packet - trace" to confirm that the NAT works as expected.
WWW TEST-TRAFFIC
ASA (config) # packet - trace 12355 1.2.3.4 entry WLAN tcp 10.0.255.100 80
Phase: 1
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
NAT divert on the output WAN interface
Untranslate 1.2.3.4/80 to 1.2.3.4/80
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
Definition of static 10.0.255.100/12355 to 10.0.255.100/12355
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (WLAN, WAN) static source without WIRE WIRELESS WWW WWW service
Additional information:
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1727146 id, package sent to the next module
Result:
input interface: WLAN
entry status: to the top
entry-line-status: to the top
the output interface: WAN
the status of the output: to the top
output-line-status: to the top
Action: allow
TEST FTP - TRAFFIC
ASA (config) # packet - trace entry tcp 10.0.255.100 WLAN 12355 1.2.3.4 21
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
Policy-map global_policy
class inspection_default
inspect the ftp
global service-policy global_policy
Additional information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Additional information:
Definition of dynamic 10.0.255.100/12355 to 1.1.1.1/12355
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 6
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (WLAN, WAN) after the automatic termination of wireless - NETWORK PAT dynamic source - 1.1.1.1
Additional information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional information:
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1727154 id, package sent to the next module
Result:
input interface: WLAN
entry status: to the top
entry-line-status: to the top
the output interface: WAN
the status of the output: to the top
output-line-status: to the top
Action: allow
As you can see traffic TCP/80 corresponds to rule on the other. And the FTP used for example corresponds to rule by default PAT as expected.
If you want to know a little more about the new NAT 8.3 format + you can check a document I created
https://supportforums.Cisco.com/docs/doc-31116
Hope this helps you, please mark it as answered in the affirmative or rate of answer.
Naturally ask more if necessary
-Jouni
-
Problem VPN l2l * No. Tx and Rx *.
Hi friends,
I have a problem with the version 2 of ASA´s 5540 and 5510 8.4.3 and 8.2.5 respectively, TOPOLOGY: LAN - ASA-* WAN *-ASA - LAN
I have no side 5540 TX
# sh vpn-sessiondb detail l2l
Session type: LAN-to-LAN detailed
Link: 189.213.94.5
Index: 107 IP Addr: 189.213.94.5
Protocol: IPsec IKEv1
Encryption: hashing 3DES 3DES 3DES: SHA1 SHA1 SHA1
TX Bytes: 0 bytes Rx: 19104
Opening time: 09:30:57 CST Friday, February 8, 2013
Duration: 0: 00: 14:00
IKEv1 Tunnels: 1
IPsec Tunnels: 2
IKEv1:
Tunnel ID: 107.1
The UDP Src Port: 500 UDP Dst Port: 500
IKE Neg Mode: Hand Auth Mode: preSharedKeys
Encryption: 3DES hash: SHA1
Generate a new key Int (T): 86400 seconds given to the key Left (T): 85549 seconds
Group D/H: 2
Name of the filter: OUTSIDE_cryptomap_1
IPv6 filter:
IPsec:
Tunnel ID: 107,2
Local addr: 10.10.0.0/255.255.255.0/0/0
Remote addr: 192.168.2.0/255.255.255.0/0/0
Encryption: 3DES hash: SHA1
Encapsulation: Tunnel PFS Group: 2
Generate a new key Int (T): 28800 seconds given to the key Left (T): 27949 seconds
Generate a new key Int (D): 4608000 K-bytes given to the key Left (D): 4607991 K-bytes
Idle Time Out: 0 Minutes idling left: 0 Minutes
TX Bytes: 0 bytes Rx: 10200
TX pkts: 0 Rx Pkts: 170
IPsec:
Tunnel ID: 107.3
Local addr: 10.5.0.0/255.255.0.0/0/0
Remote addr: 192.168.2.0/255.255.255.0/0/0
Encryption: 3DES hash: SHA1
Encapsulation: Tunnel PFS Group: 2
Generate a new key Int (T): 28800 seconds given to the key Left (T): 27952 seconds
Generate a new key Int (D): 4608000 K-bytes given to the key Left (D): 4607992 K-bytes
Idle Time Out: 0 Minutes idling left: 0 Minutes
TX Bytes: 0 bytes Rx: 8904
TX pkts: 0 Rx Pkts: 84
NAC:
Reval Int (T): 0 seconds Left (T) Reval: 0 seconds
SQ (T) Int: 0 seconds EoU Age (T): 852 seconds
Chock on the left (T): 0 second Posture token:
Redirect URL:
And I have no side 5510 Rx
# sh vpn-sessiondb detail l2l
Session type: LAN-to-LAN detailed
Link: 201.140.121.82
Index: 695 IP Addr: 201.140.121.82
Protocol: IPsec IKE
Encryption: 3DES hash: SHA1
TX Bytes: 22480 Rx bytes: 0
Connect time: 17:33:15 CST Friday, February 8, 2013
Duration: 0: 00: 16:00
IKE tunnels: 1
IPsec Tunnels: 2
IKE:
Tunnel ID: 695.1
The UDP Src Port: 500 UDP Dst Port: 500
IKE Neg Mode: Hand Auth Mode: preSharedKeys
Encryption: 3DES hash: SHA1
Generate a new key Int (T): 86400 seconds given to the key Left (T): 85407 seconds
Group D/H: 2
Name of the filter:
IPsec:
Tunnel ID: 695.2
Local addr: 192.168.2.0/255.255.255.0/0/0
Remote addr: 10.10.0.0/255.255.255.0/0/0
Encryption: 3DES hash: SHA1
Encapsulation: Tunnel PFS Group: 2
Generate a new key Int (T): 28800 seconds given to the key Left (T): 27808 seconds
Generate a new key Int (D): 4608000 K-bytes given to the key Left (D): 0 K-bytes
Idle Time Out: 0 Minutes idling left: 0 Minutes
TX Bytes: 11880 Rx bytes: 0
TX pkts: Rx 198 Pkts: 0
IPsec:
Tunnel ID: 695.3
Local addr: 192.168.2.0/255.255.255.0/0/0
Remote addr: 10.5.0.0/255.255.0.0/0/0
Encryption: 3DES hash: SHA1
Encapsulation: Tunnel PFS Group: 2
Generate a new key Int (T): 28800 seconds given to the key Left (T): 27811 seconds
Generate a new key Int (D): 4608000 K-bytes given to the key Left (D): 0 K-bytes
Idle Time Out: 0 Minutes idling left: 0 Minutes
TX Bytes: 10600 Rx bytes: 0
TX pkts: Rx 100 Pkts: 0
NAC:
Reval Int (T): 0 seconds Left (T) Reval: 0 seconds
SQ (T) Int: 0 seconds EoU Age (T): 994 seconds
Chock on the left (T): 0 second Posture token:
Redirect URL:
Hope you guys could help me understand the issue correctly.
Thank you!
Looks like your problem is that you have the route to 192.168.2.X pointing inwards on your 5540, when it should be pointing to your interface OUTSIDE, or just leave the default route take care of it.
Remove the static method for 192.168.2.0 on the 5540:
no road inside 192.168.2.0 255.255.255.0 10.10.0.1 1
Then see if two-way communication that happens. Try: entry packet - trace inside the 10.10.0.1 icmp 1 1 192.168.2.1
Once again. If all checked out, see if you have two-way communication through the VPN.
-
Traffic from internal hosts will NAT address works ok, but what speaks tests it traffic never connects.
get the 10.1.12.232 NAT host would be 172.27.63.133 and past through the VPN tunnel to 10.24.4.65 without problem. However when 10.24.4.65 tries to ping or connect to 172.27.63.133 traffic does not make inside host 10.1.12.232
ASA-1 #.
!
network object obj - 172.27.73.0
172.27.73.0 subnet 255.255.255.0
network object obj - 172.27.63.0
172.27.63.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.24.4.64
subnet 10.24.4.64 255.255.255.224
network object obj - 172.27.73.0 - 172.27.73.255
range 172.27.73.0 172.27.73.255
the object of the 10.0.0.0 network
subnet 10.0.0.0 255.0.0.0
network object obj - 24.173.237.212
Home 24.173.237.212
network object obj - 10.1.12.232
Home 10.1.12.232
network object obj - 172.27.63.133
Home 172.27.63.133
the DM_INLINE_NETWORK_9 object-group network
object-network 10.0.0.0 255.255.255.0
object-network 10.0.11.0 255.255.255.0
object-network 10.0.100.0 255.255.255.0
object-network 10.0.101.0 255.255.255.0
object-network 10.0.102.0 255.255.255.0
object-network 10.0.103.0 255.255.255.0
the DM_INLINE_NETWORK_16 object-group network
object-network 10.1.11.0 255.255.255.0
object-network 10.1.12.0 255.255.255.0
object-network 10.1.13.0 255.255.255.0
object-network 10.1.3.0 255.255.255.0
!
outside_1_cryptomap list extended access permitted ip object-group DM_INLINE_NETWORK_16-group of objects DM_INLINE_NETWORK_9
access extensive list ip 172.27.73.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
access extensive list ip 172.27.63.0 outside_8_cryptomap allow 255.255.255.0 10.24.4.64 255.255.255.224
!
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
list of allowed outside access extended ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
list of allowed outside access extended ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
NAT (inside, all) source static obj - 172.27.73.0 obj - 172.27.73.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 172.27.63.0 obj - 172.27.63.0 destination static obj - 10.24.4.64 obj - 10.24.4.64 no-proxy-arp-search to itinerary
NAT (inside, outside) source dynamic obj - 10.66.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.70.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.228.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.96.229.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 192.168.5.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.75.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.11.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source static obj - 10.1.3.37 obj - 10.71.0.37 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.3.38 obj - 10.71.0.38 destination static obj - 50.84.209.140 obj - 50.84.209.140
NAT (inside, outside) source static obj - 10.1.12.232 obj - 172.27.63.133 destination static obj - 10.24.4.64 obj - 10.24.4.64
NAT (inside, outside) source dynamic obj - 10.1.0.0 obj - 172.27.73.0 - 172.27.73.255 destination static obj - 10.24.4.64 obj - 10.24.4.64
!
NAT (exterior, Interior) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232
NAT (outside, outside) source static obj - 10.24.4.64 obj - 10.24.4.64 destination static obj - 172.27.63.133 obj - 10.1.12.232the object of the 10.0.0.0 network
NAT (inside, outside) dynamic obj - 24.173.237.212
!
NAT (VendorDMZ, outside) the after-service automatic source dynamic obj - 192.168.13.0 obj - 24.173.237.212
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
Route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
Route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-DH2-esp-3des esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
!
card crypto GEMed 8 corresponds to the address outside_8_cryptomap
card crypto GEMed 8 set peer 64.245.57.4
card crypto GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
GEMed outside crypto map interface
!
: end
ASA-1 #.Hello
First of all, I would like to remove these two lines because they do nothing productive
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
Then, I was running packet - trace to see what NAT rule actually hit you.packet-tracer input inside 10.1.12.232 12345 10.24.4.65 12345
-
Add the existing network of VPN l2l
I have properly configured VPN l2l between our main site and 2 offices. Now, I would like to allow additional networks on the main site to access the branch sites. Here the doc of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do without the addition of an interface?
Here are the relevant config on the main site ASA (8,0) and one of the remote PIX (7.0):
=========================
ASA (main site)
access extensive list ip 172.16.0.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0
access extensive list ip 172.16.1.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set 24.97.x.x counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
=========================
PIX (remote site)
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.0.0 255.255.255.0
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.1.0 255.255.255.0
card crypto outside_map 20 match address outside_cryptomap_20_2
card crypto outside_map 20 peers set 204.14.x.x
outside_map card crypto 20 the transform-set ESP-3DES-MD5 value
Just add valuable traffic to your access lists. New = 172.16.2.0/24 network
ASA (main site)
outside_1_cryptomap to access extended list ip 172.16.2.0 allow 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.2.0 255.255.255.0
Don't forget your nat exemption acl as well. For example...
ASA (main site)
extended access-list allow ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
permit extended access list ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
-
Question of redundancy VPN l2l using 2811 as endpoint devices
I have a new implementation of VPN L2L passes using two 2811 s than VPN terminal devices. I'll try to use the HSRP address between the public interfaces of both routers as VPN peer address. The problem that I found during the test is that the tunnel will become active and debugs watch the HSRP address as an invalid address to form the tunnel. Have a work-around, or a better plan for redundancy on peering address using similar devices? Thanks in advance.
Take a look at this doc about IOS IPSec HA.
-
Go simple configuration of vpn L2L comply with security requirements
Hello
I have successfully install a L2L connection (5510, 7.2) and a 3rd party (SonicWall).
Security requirements are such that (contractors) to our office users to connect to various devices to the 3rd party, BUT nothing to the 3rd party must connect to what be it at our office.
I tried an outbound ACL (access-group L2L-RESTRICT the interface inside) inside the interface. But the funny thing is that I'm getting hits on the declarations of refusal on the ACL, although tests show no problems for you connect to multiple hosts to our site of the 3rd party. My ACL config looks like the following:
<..snip..>
Note to L2L-RESTRICT access-list * ATTENTION * WITH CAUTION - RESTRICTIONS ON the 3rd PARTY VPN L2L
L2L-RESTRICT access-list scope allow icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
deny access list L2L-RESTRICT the scope ip 192.168.16.0 255.255.255.0 no matter what newspaper
Note to L2L-RESTRICT access-list > NOTE< last="" line="" *must*="" be="" permit="" any="">
L2L-RESTRICT access-list scope ip allow a whole
!
L2L-RESTRICT the interface inside access-group
<..snip..>
Their network is obviously 192.168.16.x and they won't be able to use a vlan from different source as "interesting traffic" ACL won't allow it. So that sounds good in theory
I have it configured correctly? Is there a better way?
Thanks in advance,
Mike
Mike,
It seems that you might be able to assign a VPN ACL filter via a group assigned to each tunnel L2L policy. I have never done this personally before, but looks like it would work...
Maybe you are looking for
-
Airport extreme wired to my xbox, one I have 1 gig of internet but only put 120 megabits
We went right at 1 gig of internet and my xbox one connected to the router using a cable ethernet capable after the opening of teredo tunneling and change address mac my xbox we still don't receive on average 120 Mbps. Anyone have any ideas on how t
-
When my T230 running Windows 7 is told to stop, via the start menu, it happens on the screen showing the words stop with the little circle going round and round then stays there indefinitely. Even an hour later it will always get stuck there. The onl
-
23 HP - ro23a: modification of the support Wizard
I was OK with support assistant, then it has been updated to a new total package and can not access my computer identity, I'm still under warranty, am in Australia and have seen reasons to not work, would always get what I paid for, #booklj
-
no internet after switching Internet service provider
I just changed my ISP. I use a prolink WNR1006 router. Now, I can not connect to internet with my new ISP settings. What I have to reset the router, or it will automatically trace the new settings of the ISP? Thank you
-
Slow refresh rate using a D3100 connect two monitors U2311H
Hello I have a macbook pro 2016 and bought the Dell D3100 triple display USB adapter to use with it. The two monitors are connected to DVI using adapters connected to the displayport and hdmi ports. I installed the latest drivers from displaylink for