Private of IPSec VPN-private network between ASA and router

Similar Questions

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• LAN to lan vpn between ASA and router 7200

  Hi friends,

  I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

  <7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

  I will have the following configuration:

  7200 router:

  crypto ISAKMP policy 80

  the enc

  AUTH pre-shared

  Group 1

  life 3600

  ISAKMP crypto key cisco123 address 192.168.12.2

  Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

  map VPNTunnel 80 ipsec-isakmp crypto

  defined by peer 192.168.12.2

  game of transformation-VPNtrans

  match address 110

  int fa0/0

  IP add 10.10.5.2 255.255.255.192

  IP virtual-reassembly

  no ip route cache

  Speed 100

  full duplex

  card crypto VPNTunnel

  access-list 110 permit ip any 192.135.5.0 0.0.0.255

  ASA:

  int e0/0

  nameif inside

  security-level 100

  192.135.5.254 Add IP 255.255.255.0

  int e0/1

  nameif outside

  security-level 0

  IP add 192.168.12.2 255.255.255.240

  access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

  Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

  "pre-shared key auth" ISAKMP policy 10

  ISAKMP policy 10-enc

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP duration strategy of life 10-3600

  Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

  card crypto VPN 10 matches the ACL address

  card crypto VPN 10 set peer 10.10.5.2

  card crypto VPN 10 the transform-set VPNtran value

  tunnel-group 10.10.5.2 type ipsec-l2l

  IPSec-attributes of type tunnel-group 10.10.5.2

  cisco123 pre-shared key

  card crypto VPN outside interface

  ISAKMP allows outside

  dhcpd address 192.135.5.1 - 192.135.5.250 inside

  dhcpd dns 172.15.4.5 172.15.4.6

  dhcpd wins 172.15.76.5 172.15.74.5

  dhcpd lease 14400

  dhcpd ping_timeout 500

  dhcpd allow inside

  Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

  Please advise...

  Thank you very much...

  Where it fails at the present time?

  Can you share out of after trying to establish the VPN tunnel:

  See the isa scream his

  See the ipsec scream his

  Please also run the following debug to see where it is a failure:

  debugging cry isa

  debugging ipsec cry

• VPN between ASA and router

  Hi all

  First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

  The devices can ping external IP address on the other.

  The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

  Configurations for both devices are attached.

  No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

  Thanks in advance,

  Patty

  1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
  2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
  3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
  4. Yes, the forum is perfectly fine! ;-)

• Build a private network between two physical hosts in ESXi 4.0 for VM guests

  Hi all

  I am a newbie in the use of VMWare ESXi for my company testings and I have a question on networks

  in ESXi. In fact, I always do my tests in my VMware Workstation, and it's pretty easy to build a virtual

  private network between two guests of computer virtual and it needed to do more real testings on ESXi environment.

  But now I have two Dell servers mounted and with two ESXi 4.1 installed on these servers.

  Each server has two network cards connected to the same network switch.

  In this essay, I have to install a RAC Oracle 11 g as guests of virtual computer on two separate server Dell for

  two RAC nodes.

  The installation Guide for the PAP, I need to build a network between two nodes.

  My superficial knowledge network, the private network address is not the same as

  the public network address, in this case, the IP address provided by the network switch is

  10.1.10.X and it should be public network address.

  In this case, how can I do the private network of ESXi settings?

  I do the settings of the network switch? I'm not the guy of networking and really

  want your expertise in this area.

  If you have an idea or experience to share, please kindly help.

  Thank you very much

  Ray

  SonyRaymond wrote:

  Then private network can be established between NIC (N1) and NIC (N2) with address 192.168.1.X

  range?

  Yes, that's correct. It would have made you have a private network layer 3 between the two guests in the 192.168.1.x address range.

  In general, you also want to isolate a layer 2 (ethernet) with the VLANS on the physical switch, but if this is not possible at this time then it could be implemented now and you could later add VLAN in the switch.

  It is also the reason why I think you should create a new portgroup on the same vSwitch as other existing exchanges. If you later configure VLAN to the physical switch, it will be very easy to activate this on the "private" portgroup

• Microsoft l2tp IPSec VPN site to site ASA on top

  I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

  In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

  name 192.168.100.0 TexasSubnet

  name 192.168.200.0 RenoSubnet

  IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

  Hello

  Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

  However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

  See you soon,.

  Daniel

• VPN between ASA and cisco router [phase2 question]

  Hi all

  I have a problem with IPSEC VPN between ASA and cisco router

  I think that there is a problem in the phase 2

  Can you please guide me where could be the problem.
  I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

  Looking forward for your help

  Phase 1 is like that

  Cisco_router #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

  and ASA

  ASA # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 78.x.x.41
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  Phase 2 on SAA

  ASA # sh crypto ipsec his
  Interface: Outside
  Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

  Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
  19.194.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer: 78.x.x.41

  #pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: C96393AB

  SAS of the esp on arrival:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4275000/3025)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4274994/3023)
  Size IV: 8 bytes
  support for replay detection: Y

  Phase 2 on cisco router

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x3E9D820B (1050509835)

  SAS of the esp on arrival:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4393981/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4394007/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  VPN configuration is less in cisco router

  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  sheep allowed 10 route map
  corresponds to the IP 105

  Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

  mycryptomap 100 ipsec-isakmp crypto map
  the value of 87.x.x.4 peer
  Set transform-set mytransformset
  match address 101

  crypto ISAKMP policy 100
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key xxx2011 address 87.x.x.4

  Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

  You currently have:

  Extend the 105 IP access list
  5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  It should be:

  Extend the 105 IP access list
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

  To remove it and add it to the bottom:

  105 extended IP access list

  not 5

  IP 172.19.194.0 allow 60 0.0.0.255 any

  Then ' delete ip nat trans. "

  and it should work now.

• network between XP and Vista problems

  I have 2 computers on the private network, an XP and a Vista.

  XP is connected with the ethernet cable to the internet router, Vista with wireless adapter.

  I installed the fix on the XP computer as it appears on the network of map.private Vista network, sharing files on both computers.

  On Vista, I can see and access the shared files on the XP computer. No problem in that direction.

  On XP, I see an old Vista computer network configuration (with an extra disk and other than common shared files) that I can't seem to update.
  XP does not see or update the new configuration on Vista computer and I cannot delete the old configuration (shows "open" or "explore" option only).

  Microsoft no longer supports Live OneCare, the XP computer had Norton and MS security essentials Vista instead.

  Previously, the networking was thin between 2 computers.

  I tried repeatedly to share files on the computer to Vista, but since the changes, sharing does not seem to take.
  Records are marked as shared, but when I check the details, shows only the user account from the vista computer.

  Previously, he showed "everyone" as well.

  Since this is the most obvious difference, I guess the problem is with the settings on the computer Vista, has perhaps to do with the switch to Ms security essentials.

  Any suggestions?

  Hello

  (1) what exactly happens when you try to delete the old configuration? Do you receive an error message?

  I suggest you to try the steps below and check if it helps.

  Method 1: Try the steps from the link below.

  Network connection issues: http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-network-connection-problems

  Method 2: If the problem persists, then try to adjust your Windows vista computer in a clean boot state, and check to see if the same problem happens.

  By setting your boot system minimum state helps determine if third-party applications or startup items are causing the problem.

  How to troubleshoot a problem by performing a clean boot in Windows Vista or Windows 7:
  http://support.Microsoft.com/kb/929135

  Note: After the boot minimum troubleshooting step, follow step 7 in the link provided to return the computer to a Normal startup mode.

  Hope this information is useful.

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Private network between hosts in different regions

  Dear guys,

  I have just asked me if it would be possible that 2 hosts in different regions (EU-NA) can communicate on a virtual private network over the Wan.

  How to perform I thought to arrive at:

  -import the host NA in a cluster in the EU vcenter

  -create a tmp DVS and attach 2 guests to the DVS

  -create a private VLAN GP and configure 2 virtual machines with this PG = > they just have to communicate with each other, this is just a test

  The question I have is this: given that the 2 hosts are in different regions, traffic of 2 VMs would go across the WAN using the DVS even?

  Thanks in advance.

  Daniele

  I thought on it and it is not possible, DVS and a dummy network, we have L2 and we have no tools for the encapsulation of L2 to L3, I have no NSX.

  I will give points me

  Daniele

• What is the most safe, efficient, better and without or beside free VPN (Virtual Private Network), to download and what source on Windows 7 Home Premium 32-bit?

  Due to some problems, I need start using a VPN and I went to CNET research here, but I find many that are 'free' and a trial are only a purchase while others I think might also have additional files which includes the constant advertising and there's enough of this everywhere as it is and I don't want that. I searched elsewhere, too, but then I don't want to not also learn that I had also allowed some keylogger or other files hidden, unwanted and dangerous, too. So, I just need a free or almost free (by means as the purchase of any service or an object like many do now in Exchange for a service/membership number) VPN that is as safe and effective where it can be turned on or off with a simple mouse click which is low in memory consumption and easy to use.

  Not exactly what you want or what you need to do, but if you want a secure via a third party VPN tunnel, then you probably won't find much free, the old adage "you get what you pay for" would certainly apply.  I don't expect everyone to implement VPN reliable good free servers to provide free encrypted tunnels between computers of end users and to host servers all over the internet!  Perhaps a proxy server would do... or do you really need VPN?

  John

• VPN between ASA and 871

  Hello

  I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

  Thank you all,.

  Jérôme

  Hello

  It seems that you are missing some required configuration. See the link below...

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  HTH

  MS

  * Rate of useful messages *.

• problem setting up vpn site-to-site between asa and 1811 router

  I get the following error.

  3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

  6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP

  6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024

  5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop

  4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!

  3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).

  5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.

  3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED

  6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address

  4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes

  I do not think that because of the incompatibility of encryption. Any help is appreciated.

  Thank you

  Nilesh

  You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

  If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.

  Kind regards

  Arul

• EZVPN between ASA and Cisco 2801

  Hi Experts,

  Need help with establishing ezvpn. I have a Cisco 2801 with the following configuration:

  router version 124 - 24.T3 (advanceipservicesk9)

  Crypto ipsec client ezvpn BOS-BACKUP
  connect auto
  Group bosnsw keys clar3nc3
  client mode
  peer 202.47.85.1
  xauth userid interactive mode

  interface FastEthernet0/0
  IP 10.80.3.85 255.255.255.0
  automatic duplex
  automatic speed
  Crypto ipsec client ezvpn BOS-BACKUP inside

  the Cellular0/1/0 interface
  the negotiated IP address
  encapsulation ppp
  load-interval 60
  Broadband Dialer
  GSM Transmitter station
  Dialer-Group 2
  interactive asynchronous mode
  no fair queue
  a model of PPP chap hostname
  PPP chap 0 dummy password
  PPP ipcp dns request
  Crypto ipsec client ezvpn BOS-BACKUP
  !
  IP route 0.0.0.0 0.0.0.0 Cellular0/1/0
  !
  Dialer-list 2 ip protocol allow

  Celuular interface is up and the router is able to ping the exchange of vpn:

  Router # ping 202.47.85.1

  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 202.47.85.1, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 396/473/780 ms

  The ASA configuration:

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto OUTSIDE_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  OUTSIDE_map interface card crypto OUTSIDE

  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  username password encrypted UaV1j04bjTagjYnj privilege 0 bosnsw
  username bosnsw attributes
  VPN-group-policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec
  No vpn-framed-ip-address

  type tunnel-group bosnsw remote access
  tunnel-group bosnsw General-attributes
  address BOS_CORPORATE pool
  No ipv6 address pool
  authentication-server-group LOCAL ACS_AUTH
  secondary-authentication-server-group no
  no accounting server group
  Group Policy - by default-BOS_CORPORATE
  No dhcp server
  No band Kingdom
  no password-management
  No substitution-disabling the account
  No band group
  gap required
  certificate-CN user name OR
  secondary username-certificate CN OR
  authentication-attr-of primary server
  authenticated-session-user principal name
  tunnel-group bosnsw webvpn-attributes
  catch-fail-group policy DfltGrpPolicy
  personalization DfltCustomization
  the aaa authentication
  No substitution-svc-download
  No message of rejection-RADIUS-
  no proxy-auth sdi
  no pre-fill-username-ssl client
  no pre-fill-username without client
  No school-pre-fill-name user-customer ssl
  No school-pre-fill-user without customer name
  DNS-Group DefaultDNS
  not without CSD
  bosnsw group of tunnel ipsec-attributes
  pre-shared-key *.
  by the peer-id-validate req
  no chain
  no point of trust
  ISAKMP retry threshold 300 keepalive 2
  no RADIUS-sdi-xauth
  ISAKMP xauth user ikev1-authentication

  BOS-NRD-IT-FW1 # sh cry isa his

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: 112.213.172.108
  Type: user role: answering machine
  Generate a new key: no State: AM_TM_INIT_XAUTH_V6H

  I've attached the output of debugging of router and firewall. Hope someone can shed some light on this issue. Thanks in advance.

  Thats is correct! You must configure the network extension mode if you want to change the IP address

  Here is the guide to configure the router and ASA in network extension mode. Hope you find it useful.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080809222.shtml#TS1

  Thank you

  Françoise

• Tunnel PPPOE ACL between Pix515 and router

  Coporate site have Pix515 and remote site router a. I have a configuration of tunnel from a remote location to the office. I am looking for information on ACLs of is to apply to the interface of Dialer to allow ipsec / isakmp and all traffic from Headquarters to the remote site. Would you allow the public address of remote router access with ipsec PIX / traffic isakmp and company's private network address pop3 / smtp and udp.

  The PIX with the dynamic address will look like the config of the Tiger and the other PIX will be

  resemble the config of Lion.

  http://www.Cisco.com/warp/public/110/38.html