PIX VPN Basics - what the traffic is encrypted.

Similar Questions

• VPN gateway with the traffic filtering

  I work in his laboratory on a configuration on a small scale in which client PC establishes an IPSEC VPN with Cisco 1921 router, I have two questions in this regard.

  (1) for wireless PC clients, uses an IPSEC VPN Client the best option or should I prefer other options. wireless clients also use Radius Server for authentication.

  (2) I want to make sure no other traffic can reach or pass the interface of local network other than the VPN Client traffic, I need to set up on the router to make sure that no other traffic cannot pass other than traffic APV.

  First: The real IPsec VPN client is the AnyConnect. The VPN-config for AnyConnect (especially for IPsec) gateway on the router IOS is much more difficult, so it's on the SAA. If you still have the possibility of changing the front doors, then go for a SAA. It is also much cheaper from a perspective of license given that no license of AnyConnect Essentials for the router. The Cisco VPN Client to the traditional address is EOL and should not begin a new deployment on this basis.

  Your questions:

  (1) all VPN - users should be authenticated in some way. Send the request to a central directory authentication is a best practice and usually done with RADIUS. In addition to authentication, you can also perform an authorization to control what rights Gets a VPN user.

  (2) If you only want to allow IPsec traffic, you must configure an access list, a permit for UDP/500, UDP/4500 and IP/50 of your router IP. With this config, all other traffic will be dropped.

• On Pix VPN tunnel to the same subnet

  I have a customer who want to set up a the PIX VPN tunnel located on each site. For some reason, each side has the same subnet number, for example. 10.10.10.x/32. I'm sure we must run NAT, but is it possible.

  This can help

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

• Site to Site VPN, endpoint of the traffic on the loopback and ping down alternative packages

  Hi team,

  This is my first discussion. Today, I came across a new senario where in I was able to establish the tunnel vpn site-to-site between two sites. To my amazement, I am able to successfully ping to the router (Site A) to the server without drops keeping source as fa 0/1 (172.25.170.1) However, LAN segment (host) alternate packages are declining while reaching the server. Please find the picture below:

  

  R2 - is ISP

  We are required to use private segment WAN ip addresses so we have no choice other than to keep the public ip address on the loopback. To create the site to site, I asked the card encryption on the fa outside interface 0/0 with ip 1.1.1.1. Then I used the command cypto card loopback 1 mount the tunnel and work address local VPN. I then set a route on the Site1 for fa of government local traffic 0/0 to insert the interesting traffice enter the map encryption.

  Now everything works well to router server however I get replacement ping drops (50% success). I am not able to solve this problem. The result above is both real and gns.

  Help, please

  Think it's a bug in IOS, disable IP CEF, hen now this works, but it is only a workaround to make it work for real IOS update.

• Simple PIX PIX VPN issues

  I'm trying to implement a simple PIX PIX VPN using the simple PIX - PIX VPN documentation for the sample config page. I have a lot of VPN tunnels with other very happy other PIX devices so it's quite annoying. Anyway, on the source PIX config is as follows:-

  access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

  access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

  NAT (phoenix_private) 0-access list 101

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac chevelle

  ntlink 1 ipsec-isakmp crypto map

  1 ipsec-isakmp crypto map TransAm

  correspondence address 1 card crypto transam 101

  card crypto transam 1 set peer 172.18.126.233

  card crypto transam 1 transform-set chevelle

  interface inside crypto map transam

  ISAKMP allows inside

  ISAKMP key * address 172.18.126.233 netmask 255.255.255.255

  ISAKMP identity address

  part of pre authentication ISAKMP policy 1

  of ISAKMP policy 1 encryption

  ISAKMP policy 1 md5 hash

  1 1 ISAKMP policy group

  ISAKMP policy 1 lifetime 1000

  and if I generate the traffic logs show this: -.

  9 August 18:40:15 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:17 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:18 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

  9 August 18:40:18 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:19 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

  No isakmp and ipsec debugging message appears, but you who wait that the PIX does not even link the traffic with the access list or a NAT.

  I do something obviously stupid, can someone tell me what it is, thank you.

  Jon.

  Hello

  1. you create a second access as list:

  outside_cryptomap ip 172.18.138.0 access list allow 255.255.255.0 172.18.133.0 255.255.255.0

  and

  2. instead of

  correspondence address 1 card crypto transam 101

  You must configure

  card crypto transam 1 match address outside_cryptomap

  the problem is that you configure an ACL for nat and crypto - that does not work

  concerning

  Alex

• A PIX-to-PIX VPN can allow traffic in only one direction?

  Here is the configuration of the PIX 501 that accepts incoming VPN tunnels of the other PIX dynamic-ip.  Everything works very well, allowing traffic to flow both ways after that the tunnel rises.  But then I somehow limit or prevent the traffic that originates on the PIX (192.168.27.2) to go to other networks of PIX?  In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow network traffic to access the network 27.0 3.0, and I want to anyone on the network 27.0 access network 3.0.

  Thanks for any comments.

  pixfirewall # sh conf
  : Saved
  : Written by enable_15 at 13:29:50.396 UTC Saturday, July 3, 2010
  6.3 (4) version PIX
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate the encrypted password
  encrypted passwd
  pixfirewall hostname
  .com domain name
  fixup protocol dns-maximum length 4096
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol they 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
  pager lines 24
  ICMP deny everything outside
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside xxx.xxx.xxx.248 255.255.255.255
  IP address inside 192.168.27.2 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  IP local pool ippool 10.10.10.1 - 10.10.10.254
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  NAT (inside) - 0 102 access list
  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp - esp-md5-hmac gvnset
  Crypto-map dynamic dynmap 10 transform-set gvnset
  gvnmap 10 card crypto ipsec-isakmp dynamic dynmap
  gvnmap interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
  ISAKMP identity address
  ISAKMP keepalive 60
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 9
  encryption of ISAKMP policy 9
  ISAKMP policy 9 md5 hash
  9 2 ISAKMP policy group
  ISAKMP policy 9 life 86400
  vpngroup address ippool pool gvnclient
  vpngroup dns 192.168.27.1 Server gvnclient
  vpngroup gvnclient wins server - 192.168.27.1
  vpngroup gvnclient by default-domain '.com'
  vpngroup split tunnel 101 gvnclient
  vpngroup idle 1800 gvnclient-time
  vpngroup password gvnclient *.
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet timeout 30
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 30
  management-access inside
  Console timeout 0
  Terminal width 80
  Cryptochecksum:
  pixfirewall #.

  Of course, without a doubt capable.

  You can configure the inside interface access list to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then allow anything else.

  Example:

  access list for the Interior-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

  the Interior-acl ip access list allow a whole

  group-access Interior-acl in the interface inside

  Hope that helps.

• Problem with VPN client connecting the PIX of IPSec.

  PIX # 17 Sep 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

  Sep 17 14:58:51 [IKEv1]: IP = Y, landed on tunnel_group connection

  Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA proposal # 1, transform # 13 entry overall IKE acceptable matches # 1

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the authenticated user (X).

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, mode of transaction attribute not supported received: 5

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, Type of customer: Client Windows NT Version of the Application: 5.0.06.0160

  Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, assigned private IP 10.0.1.7 remote user address

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

  Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P1: 6840 seconds.

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, data received in payload ID remote Proxy Host: address 10.0.1.7, protocol 0, Port 0

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, his old QM IsRekeyed not found addr

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, remote peer IKE configured crypto card: outside_dyn_map

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec processing SA payload

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec SA proposal # 14, turn # 1 entry overall SA IPSec acceptable matches # 20

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: asking SPI!

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, IPSec initiator of the substitution of regeneration of the key duration to 2147483 to 7200 seconds

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, passing the Id of the Proxy:

  Remote host: 10.0.1.7 Protocol Port 0 0

  Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol Port 0 0

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = notification sending answering MACHINE service LIFE of the initiator

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the security negotiation is complete for the user (slalanne) answering machine, Inbound SPI = 0 x 6

  044adb5, outbound SPI = 0xcd82f95e

  Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P2: 6840 seconds.

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, adding static route to the customer's address: 10.0.1.7

  Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid = c4d80320)

  PIX # 17 Sep 14:59:40 [IKEv1]: Group = X, Username = X, Y = IP, Connection over for homologous X.  Reason: Peer terminate remote Proxy 10.0.1.7, 0.0.0.0Sep Proxy Local 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE removing SA: 10.0.1.7 Remote Proxy, Proxy Local 0.0.0.0

  Sep 17 14:59:40 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

  Then debugging IPSec are also normal.

  Now this user is a disconnect and other clients to connect normally. the former user is trying to connect to the site and here is the difference in debugging:

  Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, Y = IP, tunnel IPSec rejecting: no entry card crypto for remote proxy proxy 10.0.1.8/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
  Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, error QM WSF (P2 struct & 0x2a5fd68, mess id 0x16b59315).
  Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = O, case of mistaken IKE responder QM WSF (struct & 0x2a5fd68) , :
  QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BL
  D_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_
  BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
  Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, peer table correlator withdrawal failed, no match!
  Sep 17 14:25:22 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

  Here is the config VPN... and I don't see what the problem is:

  Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value
  life together - the association of security crypto dynamic-map outside_dyn_map 20 seconds 7200
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  ISAKMP crypto identity hostname
  crypto ISAKMP allow outside
  crypto ISAKMP policy 20
  preshared authentication
  the Encryption
  md5 hash
  Group 2
  life 7200
  crypto ISAKMP policy 65535
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400

  outside_cryptomap_dyn_20 list of allowed ip extended access any 10.0.1.0 255.255.255.248

  attributes global-tunnel-group DefaultRAGroup
  authentication-server-group (outside LOCAL)
  Type-X group tunnel ipsec-ra
  tunnel-group X general attributes
  address pool addresses
  authentication-server-group (outside LOCAL)
  Group Policy - by default-X
  tunnel-group X ipsec-attributes
  pre-shared-key *.
  context of prompt hostname

  mask of 10.0.1.6 - 10.0.1.40 IP local pool 255.255.255.0

  Please remove the acl of the dynamic encryption card crypto, it causes odd behavior

  try to use split instead of the acl acl in dynamic crypto map, and let me know how it goes

• Request for delivery of the traffic/VPN

  We have 5 sites in the United Kingdom, connected to internet configured as a fully meshed IPSec VPN. Each site also has an IPSec peering with a sister in France. We are moving UK connections to another WAN service provider and they will not be connected to the internet. We do not want to lose the link to the France, so what I want to do is to configure all traffic through the hub in Manchester, then to the France site until we roll over the WAN again. That is to say, I want to delete the counterpart in France of each site and configure the traffic that would normally go to France to be delivered in Manchester, then to the France. It will work, i.e. traffic will come in a tunnel, and then again on a different tunnel (same interface) on the hub site, Manchester and vice versa for return traffic?

  Thanks in advance.

  It depends on the device that is forming the hub. A Pix Firewall as hub will not forward a packet to the same interface it comes. Router Cisco however will redirect a return package via the same interface.

• Add PIX VPN to the already established network of MPLS

  I have a client who operates the site three on a MPLS cloud. Now they want to add more security between these different places. A place internet offers to the United Nations. However, all sites can communicate securely with each other.

  Each location has its own 10... subnet.

  They believe as a PIX at every place on every 10. / subnet and VPN tunnels between each PIX, it's what it takes.

  Is there a third party place connections between these PIX on their MPLS VPN cloud?

  Thanks cowtan. Please mark as resolved post, which might be useful for others. response rate (s) If you found useful responses...

• VPN tunnel using the public as IP being the preserve of LAN to LAN encryption

  I have a question who responded to variations throughout the forum, and I feel that my beginner status will be clear. Here is my installation problem... I use a Cisco ASA 5506 and I connect to a provider. I just need the configuration on the local side that they manipulate to their side.

  Internal IP range
  192.168.1.1 255.255.255.0

  Public IP address from ISP

  97.X.X.22

  174.X.X.194

  Config required by the seller.

  All Http Https traffic must come from the 97.X.X.22

  local peer 97.X.X.22

  remote peer 144.X.X.25

  Our local encryption field must be a public IP address: 174.X.X.194/32

  Areas of remote encryption:

  207.X.X.0 255.255.255.0

  144.X.X.90 255.255.255.255
  144.X.X.91 255.255.255.255
  144.X.X.22 255.255.255.255
  144.X.X.25 255.255.255.255

  currently I have the external value 97.X.X.22
  

  I know now that I need to NAT all inside the traffic destined for the remote areas of encryption to 174.X.X.194/32 and then move the valuable traffic to the VPN.

  I use the ASA Version 9.5 (2) can someone help me so that I can avoid interruptions of service, it will be very appreciated. ?

  You will need to modify the ACL Crypto to be the public IP address you use

  outside_cryptomap_1 list extended access permit ip host 174.X.X.194 object-group SP

  --

  Please do not forget to select a correct answer and rate useful posts

• How to pass the traffic of a site VPN S2S by ASA to another S2S VPN site?

  I have a need for hosts on separate VPN networks connected to my ASA corp to communicate among themselves.  Example: Host A site 1 a need to communicate with host B on the site 2.  Both sites 1 & 2 are connected via the VPN S2S.  I would get every site traffic to flow through the ASA at the other site.  Where should I start my configuration?  NAT? ACL?

  I can ping each host in the network Corp. but cannot ping from one site to the other.  I set up same-security-traffic permit intra-interface and addition of NAT and rules the ACL to allow/permit 1 Site to contact Site 2.  When I do a trace of package through Deputy Ministers DEPUTIES, packets are allowed to pass. I read different that tell no NAT y at - it something at the other end of the VPN to do?  should NAT and ACLs rules be mirrored? Just in case, a site is an instance of MS Azure VM and the other is a 3rd party VM instance.

  On the HubASA, can I set up a new card encryption that selects the Site1 Site2 traffic and protect the traffic and value her counterpart Site2 public IP or just add this selection of traffic to the existing encryption card for the existing tunnel between HubASA and Site2?

  Just add this traffic to the existing encryption card.

  Remember that this should be added on three routers (two hubs and there has been talk).

  Site1

  CRYPTO ip access list allow Site2 subnet >

  CRYPTO ip access list allow subnet training3 >

  CRYPTO ip access list allow subnet HUB >

  Site2

  CRYPTO ip access list allow Site1 subnet >

  CRYPTO ip access list allow subnet training3 >

  CRYPTO ip access list allow subnet HUB >

  Training3

  CRYPTO ip access list allow Site1 subnet >

  CRYPTO ip access list allow Site2 subnet >

  CRYPTO ip access list allow subnet HUB >

  HUB

  CRYPTO_1 ip access list allow Site1 subnet >

  CRYPTO_1 ip access list allow Site1 subnet >

  CRYPTO_1 ip access list allow Site1 subnet >

  CRYPTO_2 ip access list allow Site2 subnet >

  CRYPTO_2 ip access list allow Site2 subnet >

  CRYPTO_2 ip access list allow Site2 subnet >

  CRYPTO_3 ip access list allow subnet training3 >

  CRYPTO_3 ip access list allow subnet training3 >

  CRYPTO_3 ip access list allow subnet training3 >

  Each of these ACLs is attributed to their respective crypto cards.  CRYPTO_1 is assigned the site1 crypto map, CRYPTO_2 is assigned to the site2 crypto card... etc.

  I hope that's clear

  In addition to this, you need to configure identity NAT / NAT provides both the HUB and the spokes of sites.

  --

  Please do not forget to select a correct answer and rate useful posts

• the traffic in a vpn site-to-site tunnel restrictions

  Hello

  I have install a VPN site-to site between an ASA 5550 7.2 (3) and the external network of the contractor. I have set up the VPN using the wizard and it worked fine. The wizard has created the cryptomap acl see below

  outside_2_cryptomap list extended access allowed object-group ip 10.0.0.0 LOCAL_IPS 255.255.255.0

  where LOCAL_IPS is a group of objects containing our local subnets to be dug and 10.0.0.0/24 is the network of the remote end.

  I'm trying to restrict the traffic tunnel at about 6 tcp ports, so I changed the acl (using the GUI as well from the CLI) to the following:-

  outside_2_cryptomap list extended access permitted tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 PERMITTED_TRAFFIC object-group

  where PERMITTED_TRAFFIC is a group of TCP services containing the ports we'd like to tunnel.

  As soon as I apply this acl (applied at the other end also) the tunnel down and or end it can re - open.

  My question is - how do you restrict what traffic (tcp ports) that you want to send in the tunnel on the SAA?

  Thank you

  Andy

  You have 2 options.

  VPN-filter

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

  Or something like that...

  No sysopt permi-vpn connection

  list of access vpn extended permitted tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 PERMITTED_TRAFFIC object-group

  list of vpn access deny ip 10.0.0.0 LOCAL_IPS object-group 255.255.255.0

  extended vpn allowed any one ip access list

  group-access vpn in interface inside

• VPN site to Site - ASA to PIX - same subnet on the inside

  Chaps,

  I have a unusual scenario, whereby case I need a tunnel vpn site-to-site between a pix of cisco version 7 and version 8 cisco asa, which have the same subnet ip to each endpoint.  Is it possible to create such a tunnel from site to site or do I change one of the remote endpoints?

  Thank you

  Nick

  Hi Nicolas,.

  To allow the traffic through the tunnel when having the same at both ends addressing scheme, you should NAT VPN traffic.

  That is to say.

  Site a 10.1.1.0/24 LAN

  Site B LAN 10.1.1.0/24

  The site config:

  NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  (in, out) static 192.168.1.0 access-list NAT

  license of crypto list to access ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  Site B config:

  NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

  (in, out) static 192.168.2.0 access-list NAT

  license of crypto list to access ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

  The idea is that Site A will to 192.168.1.0 translatefd when you go to Site B, and Site B will result to 192.168.2.0 when you go to the Site A.

  Hope that makes sense.

  Federico.

• Problems with VPN tunnels after the upgrade to PIX 7.0

  It seems that Cisco has revamped the VPN process on the new Version of PIX 7.0.

  After I've upgraded, I noticed that AH (i.e. ah-sha-hmac, ah-md5-hmac) was no longer supported and all my container transformation games OH no were not converted.

  Another question, if you have enabled on Versieon 6.3, names when you upgrade, tunnel groups will be created (formerly "identity isakmp crypto, crypto key isakmp peer ') which will include a hostname (hostname of identity) instead of IP as it was to the point 6.3. Guess what... Nothing works! Having to delete and recreate it using the IP address.

  See an example...

  tunnel-group OTHER_END type ipsec-l2l

  IPSec-attributes tunnel-group OTHER_END

  pre-shared-key *.

  The above does not work... Having to recreate using the IP address mapped to OTHER_END...

  tunnel-group 2.2.2.2 type ipsec-l2l

  2.2.2.2 tunnel-group ipsec-attributes

  pre-shared-key *.

  Furthermore, I have problems with my racoon and freeswan extranet... Did someone recently updated with success and other gateways VPN provider (i.e. checkpoint, Freeswan and Racoon) work?

  We found the solution for this problem. It appeared that the perfect forward secrecy is enabled at the other side. If a 'card crypto outside_map 10 set pfs' is necessary. With the pix 6.3 version that appears not to make the difference, the vpn works even with pfs disabled on the side of pix.

• Overlapping address space question - how to NAT inside the traffic to one address different range on SAA for comms with 3rd party VPN?

  We already have a connectivity of IPSEC VPN site to site with a 3rd party.

  They must be able to access a couple of servers on our internal network but the problem, it's the subnet these servers are hosted on clashes with the address space they already used elsewhere. Thus, they asked if we can put in place a new subnet and have our firewall (running v7.2) ASA NAT the traffic to and from our servers ' real' internal addresses.

  for example

  • 3rd party 10.10.10.0/24 subnet
  • Our subnet 10.20.20.0/24 (but this clashes with the 3rd part of the address elsewhwere space)
  • Our 'real' internal server addresses are 10.20.20.1 and 10.20.20.2

  How do we setup NAT on our ASA translating internal addresses 'real' of these servers for some other addresses that don't clash?

  that is that the 3rd party is concerned, they would simply have to communicate with this 'new' subnet, say, 192.168.20.0/24 and our ASA firewall NAT traffic accordingly to allow some comms unfold?

  (And it should affect only comms on these servers for the 3rd party - NOT for one of our other multiple VPN connections! "And should not affect the other comms from the servers themselves!).

  That's what I've tried so far, for one of the servers, without success:

  On ASA:

  !

  access-list 1 permit line 3rdpartysite extended ip host 192.168.20.1 10.10.10.0 255.255.255.0
  !
  access-list SERVER-NAT line 1 permit extended ip host 10.20.20.1 10.10.10.0 255.255.255.0
  !
  static (inside, outside) 192.168.20.1 public - access NAT SERVER list

  "sh xlate" indicates:

  192.168.20.1 global local 10.20.20.1

  Can someone help with the necessary NAT configurations on the ASA?

  Thank you!

  'Clear xlate' after you have configured NAT statements?

  When you try to ping from the 10.20.20.1, get it to the ASA? You have an ACL on this interface that would block the ping? Also, can you run capture packets on the ASA to see if the ASA receives even the traffic?

  What is the subnet mask of the 10.20.20.1 host? I guess it's 255.255.255.0?

  You don't need something specific on the ASA with regard to the delivery of the 192.168.20.1.