Problem connecting l2l on ASA 5510

Similar Questions

• Phones AnyConnect VPN cannot connect to network ASA high-speed AT & T uverse

  Phones AnyConnect VPN are configured to connect to the ASA 5510 running 8.4 (4), and it uses the Active Directory credentials to connect. The connection is successful external ISP systems including Comcast and smaller independent service providers. However, when all of us at the AT & T uverse service take this phone 7965 even at home it networks fails to make any connection to the ASA at all. A capture of packets on the ASA shows no activity connection to the IP address of our uverse.

  What's more, is that we can successfully authenticate the VPN of the phone when using the local account credentials (e.g. username admin password * priv 15) that are entered on the SAA. AT & T said that they are not blocking the ports. It is the confusion that this works for users to access local connection, but not with A/D.

  So I guess the question is: what is the first handshake TCP/UDP composed when a Cisco IP phone links AnyConnect SSL to an ASA and negotiates the authentication of the number of A/D? For example, what are the port numbers used in this handshake?  I couldn't find all the diagrams illustrating the HRT and the RFC for DTLS do not seem to have the answer either.

  Thanks in advance.

  -Athonia

  Note: we have a TAC case open currently with subject ASA 5510 VPN Edition w / 250 annyconnect user - SSL VPN for phones. Configuration

  I too ran on this issue and here is a description of what I found.

  If you use automatic network detection first trys phone ping the TFTP server, he has learned from the DHCP server or manually set with the parameter of the alternate TFTP server.  If the TFTP server is accessible the VPN will not connect and will not allow the user to connect manually.

  ATT Uverse use DHCP option 150, the same option as Cisco UC uses to automatically set the TFTP servers, to locate the local home gateway so that the STB can join him.  For this reason, you should notice that when you have a VPN phone on the network and view network settings the IP address of the TFTP server is the IP address of your default gatewat (The ATT router).

  Because of the automatic detection of network works in ping the TFTP server that the phone will always think that it is connected to the local network.  The workaround is to manually set the TFTP server on the phone * to the IP address that the TFTP server would have been if she had leared it from the DHCP server on your corporate network.  The reason you should do this instead of just using a Bogon address, is that once the VPN is connected it tryes to register to the address that you specified.

  Please let me know if this solves your problem as it did in our case.

  * If you do not know how to set the TFTP replacement setting you must first select the "replacement" TFTP protocol and press on * #.  This will allow you to change the default no to Yes.  The below named parameter TFTP Server 1 will then allow you to manually specify the address.

• IPS in ASA 5510 killing upload speed

  I've recently updated by a circuit of ethernet metro 20 MB for a 100 Mb connection.  My ASA 5510 severely limits the my download speed.  I narrowed down it to the IPS module.  If I stop to send traffic to the IPS, I get speeds of download between 50-85 Mbps.  If I start sending through again, my download speeds are between 3-7 Mbps.  In both cases, my speeds range between 70-92 MB/s, so it's really affecting only my upload speed.  Is there anything I can do for my traffic IPS, so I can still use my modules and still take advantage of the speed upload huge we pay for?

  Here is some info from my ASA:

  I am matching all traffic:

  allow traffic_for_ips to access extensive ip list a whole

  Here is my policy and class parameters:

  class-map inspection_default
  match default-inspection-traffic
  class-map-botnet-DNS
  match eq field udp port
  class-map ips_class_map
  corresponds to the traffic_for_ips access list
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the ftp
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the preset_dns_map dns
  class ips_class_map
  IPS inline help
  botnet-policy policy-map
  botnet-DNS class
  inspect the snoop-filter-dynamic dns
  !
  global service-policy global_policy
  service-policy botnet-policy to the outside interface

  If anyone has any ideas, I'd love to hear them.  Thank you.

  Created: May 13, 2011 18:49 created by: Chevrel, customer Aastha(AACHAUDH,265429) was experiencing slow download speeds (3-7 Mbps) on in ASA 5510 IPS module. Download the range of speeds between 70-92 MB/s

  Used the workaround for the bug No. CSCsv69844 , i.e. to set the depth of Regex to 800000 (Please note that this workaround should not serve with the recommendation and approval of the ATC.)

• ASA 5510 IPSEC VPN connection problem

  Hello

  We have an ASA 5510 (ASA version 8.0) of remote access VPN configured and works most of the time, but there is a problem when you have more than one client that connects to the same office remotely.  When the first VPN client is connected to the remote desktop, everything works fine, but when the second client connects to the VPN, it connects fine but do not get any traffice return to customer.  I can see under monitor-> statistical VPN-> Sessions-> remote access-> Rx Bytes is 0. Both connections are from the same public IP address of the remote desktop.  I changed some settings on NAT - T and a few other things, but without success.

  Could someone help me please how to fix this?

  Thank you very much.

  Make sure that customers use because that probably her you're not. (default value is NAT - T).

  Federico.

• ASA 5510 L2L VPN static gateway of azure and branches and

  Hello

  I am trying to configure an ASA to operate as a hub between two site-to-site VPN, at our office and the other on Azure.

  i.e.

  Office <-- internet="" --="">ASA <-- internet="" --="">Azure

  On the two sites I can establish a VPN for the hosts of the ASA and access on our data center network, but I can't seem to get the connectivity from end to end of Azure at our office or vice versa.

  Any ideas on what I can try as I have been hitting my head against a wall with this one.

  Hello

  If traffic also came from the blue to office network so it would seem that there is a problem with configuring VPN L2L between ASA and Azure, very probably on the Côte d'Azur.

  -Jouni

• Refuse the TCP (no relation) dan disassembly TCP connection ON ASA 5510, HELP Please

  IM currently implemented with AIP-SSM-10 ASA 5510 IPS and I have problem with ASA, with IPS feature currently disabled, I keep received complain blocked/idle the connection to the oracle server, using port 8000 host remote-office, I traced with syslog and message received from large number associated with the oracle server IP address.

  the network diagram is a bit like this:

  ________ ________ _____________

  | Oracle | switch | ASA 5510 |

  | Server | | ___ |---| transparent |

  -------- -------------

  192.168.10.206 |

  |

  |

  -------------

  | ROUTER |

  |___________|

  |

  ________ -------------

  | DISTANCE | ------ | Router |

  | THE USER | -------------

  ----------

  192.168.5.x

  and the syslog message looks like:

  302013: built inbound connection TCP 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) inside:192.168.10.206/8000 (192.168.10.206/8000)

  302014: disassembly of the TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 for inside:192.168.10.206/8000 duration 0: 00:00 542 bytes TCP fins

  302013: built inbound connection TCP 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) inside:192.168.10.206/8000 (192.168.10.206/8000)

  302014: disassembly of the TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 for inside:192.168.10.206/8000 duration 0: 00:00 539 bytes TCP fins

  302013: built inbound connection TCP 1662343 for OUTSIDE:192.168.5.52/1309 (192.168.5.52/1309) inside:192.168.10.206/8000 (192.168.10.206/8000)

  106015: deny TCP 192.168.5.52/1302 to 192.168.10.206/8000 flags ACK END on the OUTSIDE interface (no link)

  302014: disassembly of the TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 for inside:192.168.10.206/8000 duration 0: 00:00 538 bytes TCP fins

  106015: deny TCP 192.168.5.52/1301 to 192.168.10.206/8000 flags ACK END on the OUTSIDE interface (no link)

  106015: deny TCP 192.168.5.52/1298 to 192.168.10.206/8000 flags ACK END on the OUTSIDE interface (no link)

  106015: deny TCP 192.168.5.52/1303 to 192.168.10.206/8000 flags ACK END on the OUTSIDE interface (no link)

  can someone help me, I'm completely stuck on this problem to cause...

  Thank you.

  7.1 (2), which contains the fix for it, is already posted at http://www.cisco.com/cgi-bin/tablebuild.pl/pix.

  If the workaround works for you, however, and you don't touch any other problems, then I would probably recommend you just stay on this version, but I'll leave it up to you.

• Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

  Hello

  I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

  Config

  ciscoasa # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  ciscoasa hostname

  activate the 5QB4svsHoIHxXpF password / encrypted

  names of

  xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

  xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

  xxx.xxx.xxx.xxx name Mail_Server

  xxx.xxx.xxx.xxx IncomingIP name

  xxx.xxx.xxx.xxx SAP name

  xxx.xxx.xxx.xxx Web server name

  xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

  isa_server_outside name 192.168.2.2

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  address IP IncomingIP 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.253 255.255.255.0

  management only

  !

  passwd 123

  passive FTP mode

  clock timezone IS 2

  clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

  TCP_8081 tcp service object-group

  EQ port 8081 object

  DM_INLINE_TCP_1 tcp service object-group

  EQ port 3389 object

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  EQ smtp port object

  EQ Port pop3 object

  port-object eq 3200

  port-object eq 3300

  port-object eq 3600

  port-object eq 3299

  port-object eq 3390

  EQ port 50000 object

  port-object eq 3396

  port-object eq 3397

  port-object eq 3398

  port-object eq imap4

  EQ port 587 object

  port-object eq 993

  port-object eq 8000

  EQ port 8443 object

  port-object eq telnet

  port-object eq 3901

  purpose of group TCP_8081

  EQ port 1433 object

  port-object eq 3391

  port-object eq 3399

  EQ object of port 8080

  EQ port 3128 object

  port-object eq 3900

  port-object eq 3902

  port-object eq 7777

  port-object eq 3392

  port-object eq 3393

  port-object eq 3394

  Equalizer object port 3395

  port-object eq 92

  port-object eq 91

  port-object eq 3206

  port-object eq 8001

  EQ port 8181 object

  object-port 7778 eq

  port-object eq 8180

  port-object 22222 eq

  port-object eq 11001

  port-object eq 11002

  port-object eq 1555

  port-object eq 2223

  port-object eq 2224

  object-group service RDP - tcp

  EQ port 3389 object

  3901 tcp service object-group

  3901 description

  port-object eq 3901

  object-group service tcp 50000

  50000 description

  EQ port 50000 object

  Enable_Transparent_Tunneling_UDP udp service object-group

  port-object eq 4500

  access-list connection to SAP Note inside_access_in

  inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

  access-list inside_access_in note outgoing VPN - PPTP

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

  access-list inside_access_in note outgoing VPN - GRE

  inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

  Comment from inside_access_in-list of access VPN - GRE

  inside_access_in list extended access will permit a full

  access-list inside_access_in note outgoing VPN - Client IKE

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

  Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access udp allowed any any eq field

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access permit tcp any any eq field

  Note to inside_access_in to access list carried forward Ports

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

  access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in of access allowed any ip an extended list

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access will permit a full

  outside_access_in list extended access allowed grateful if any host Mail_Server

  outside_access_in list extended access permit tcp any host Mail_Server eq pptp

  outside_access_in list extended access allow esp a whole

  outside_access_in ah allowed extended access list a whole

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

  list of access allowed standard VPN 192.168.2.0 255.255.255.0

  corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 603.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global (outside) 2 Mail_Server netmask 255.0.0.0

  Global 1 interface (outside)

  Global interface (2 inside)

  NAT (inside) 0-list of access corp_vpn

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

  public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

  static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

  static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

  static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

  static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

  static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

  public static 192.168.2.0 (inside, outside) - corp_vpn access list

  Access-group outside_access_in in interface outside

  inside_access_in access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.2.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp - esp-md5-hmac transet

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic dynmap 10 set pfs

  Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

  cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

  cryptomap interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  Telnet 192.168.2.0 255.255.255.0 inside

  Telnet 192.168.1.0 255.255.255.0 management

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

  dhcpd domain.local domain inside interface

  !

  a basic threat threat detection

  host of statistical threat detection

  Statistics-list of access threat detection

  Management Server TFTP 192.168.1.123.

  internal group mypolicy strategy

  mypolicy group policy attributes

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value VPN

  Pseudo vpdn password 123

  vpdn username attributes

  VPN-group-policy mypolicy

  type of remote access service

  type mypolicy tunnel-group remote access

  tunnel-group mypolicy General attributes

  address-pool

  strategy-group-by default mypolicy

  tunnel-group mypolicy ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

  : end

  Thank you very much.

  Hello

  You probably need

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  inspect the icmp error

  Your Tunnel of Split and NAT0 configurations seem to.

  -Jouni

• Server connection error:-1 there is a problem connecting to the server... hp photosmart 5510

  HP photosmart 5510 e - while a printer B111a

  Windows vista 32-bit

  connection error message-Server error:-1 there was a problem connecting to the server, press Retry or ok to continue

  No changes have been made to my operating system

  Try to add new applications with eprint center of my Compaq Presario CQ60 laptop to my HP printer. Computer tells me that the new applications are there and ready to use, but printer says 'server connection error "? I followed all the instructions to connect to the wireless router, but I'm not sure how to connect to the "Server"?

  The steps below a usually resolve the problem you are experiencing:

  1. unplug the power cord at the back of the printer.

  2. unplug the power cord at the back of your router (and the modem, if they are separated from the router).

  3. wait 20 seconds, then plug the router (and the modem, if necessary) in.

  4. wait for 30 seconds, then plug the printer back and power.

  5. press the button on the front of the printer ePrint, and it should try to connect to Web Services again.

  These steps usually fix the problem, but if it persists, you can try definition of network information static for the printer (which is sometimes useful to stabilize the ability of the printer to get outside of your network to the internet):

  1. tap the wireless at the top of the screen of the printer and note the IP address.
   
  2. Enter the IP address in the address bar of a web browser on a computer and press on enter or click the go button browser.
   
  3. the printer status page must be open.  Click network in the upper part.
   
  4. click on networking on the left.
   
  5. Select the Proxy settings.
  Note: If you are prompted for a redirect, click OK.  If you receive a certificate warning, select the option that allows you to continue anyway.
  If you receive an internal system error, refresh the page until it loads the proxy settings.
   
  6. check that all fields are empty.  If they are not, make them disappear and make sure that the Proxy Server requires authentication is unchecked and click on apply.  You should get a success message.
   
  7. click on the network address (IP) on the left.
  Note: If you only configuring IP address and DNS address with a yellow note Configuration, refresh the page until it loads completely.
   
  8. leave automatic IP IP address Configuration.
   
  9 change the DNS address to the manual DNS Server Configuration.
   
  10. enter manual for the manual preferred DNS Server 8.8.8.8 and 8.8.4.4 for auxiliary DNS.
   
  11. click Apply and you should get a success message.
   
  12. turn off the printer for 30 seconds and then turn it on again to force the new settings take effect.

  Let me know if you have any additional questions. Thank you!

• Unable to connect to server vpn behind ASA 5510 with windows clients

  Hi all

  I've seen a number of posts on this and followed by a few documents of support on this issue, but I'm totally stuck now, nothing seems to work for me.

  This is the usual scenario, I have a VPN windows 2003 Server sat on the lan deprived of our ASA 5510 firewall, and I try to get my Windows XP / 7 laptop computers to connect to it.

  Within the ASDM:

  (1) Server Public created for Protocol 1723

  (2) Public created for the GRE protocol Server

  3) created two public servers have the same public and private addresses

  (4) the foregoing has created config Public Private static route in the section NAT firewall

  (5) rules to Firewall 2 also created above on the external interface for both 1723 and GRE

  When you try to connect, I get the following entry in the debug log.

  6 August 6, 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal built ride connection TCP 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to the inside: ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)

  but nothing else.

  The server shows not attempting a connection so I think I'm missing something on the firewall now.

  Also inside interface there is a temporary rule:

  Source: no

  Destination: any

  Service: IP

  Action: enabled

  This should allow all outbound traffic only as far as I know...

  Any help would be greatly appreciated.

  Chris

  Hi Chris,

  ASA newspaper indicates that the connection is interrupted because of "syn timeout. This means that asa receives no response from the Windows Server. Right now, we need to clarify some points.

  1 - your vpn server committed a correct default gateway error or the path that lies in your fw interface asa.

  is 2 - possible to start capturing packets on Windows Server. Hereby, we can get data flow information beetween client and server. And we can be sure that Windows Server wonders vpn.

  Ufuk Güler

• Cisco ASA 5510 multiple dynamic config VPN L2L necessary

  Hello

  We have a Cisco asa 5510 with static IP address. Also, we have a remote office with a dynamic IP address. We now have a dynamic to static VPN configured L2L. And now, we must add new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have an example of woking, or manual?

  Oleg Kobelev

  The config only you need in the ASA is: -.

  (1) set of crypto processing

  (2) political ISAKMP

  (3) dynamic Crypto map

  (4) default group L2L & PSK

  (5) Config RRI (reverse Route Injection)

  HTH >

• Cisco ASA 5510 L2L VPN on the backup interface

  OK, here is what I have and I even if I knew how to do this, but it has not worked for me.  I hope someone out there can help you.

  I have an ASA 5510 running 8.4 with double configuration of ISPs on 2 different interfaces: outside (primary), backup (backup).  I also have a site to site VPN ASA another in another city.  The VPN is now configured on the external interface and works very well.  What I wanted to do, is to make the VPN running on backup interface only.

  So, I changed the card encryption on the remote side to use the backup interface IP and created a tunnel-group for her.  Then, I created a map encryption for backup interface and activated ikev1 on it.  The default route is configured to use the external interface, so I created a static route that routes traffic destined for the external interface of the remote side to the backup interface default gateway.  I can get to establish tunnels, but no traffic passes through them.  I have however while I need a NAT device for the tunnel traffic to I created a NAT so but still no transmitted traffic.  I tried the packet - trace and he said: the traffic was allowed and show its crypto ipsec command, I see the configuration of the tunnel, but no traffic will pass through it.  Can anyone help?

  Ben,

  you use a code to version 8.4, I recommend starting by removing the config NAT statements at both ends. This version does not have the NAT and control, and if you don't need... I've seen instances with 8.4 (3) where a NAT even though apparently correct was causing not to pass through the traffic.

  Site A:

  NAT (inside, backup) source static obj-SiteALAN obj-SiteALAN static obj-SiteBLAN obj-SiteBLAN

  Site b:

  NAT (inside, outside) source static obj - 192.168.5.0 obj - 192.168.5.0 destination static obj - 192.168.3.0 obj - 192.168.3.0

  If possible, you should increase your AES encryption, but this is a personal point of view and should not stop the traffic through the links. You should be able to see the counters for the data transmitted / received are these incrementing?

  Do you have the ACLs that are from the inside to the outside and internal interface to the Interface of backup (duplicated.

  In this model, the control is the routing.

  Best regards

  Ju

  http://helpamunky.WordPress.com/

• Cisco ASA 5510, ipsec vpn. What address to connect the client to

  Hello

  It's maybe a stupid question, but I can't find the answer anywhere.

  I used the ipsec vpn configuration wizard, I activated the external interface to access ipsec and went through SCW pools of addresses etc. When I try to connect with the cisco vpn client to my address of the external interface (of a remote host) I'm unable to connect. I scanned the interface for open ports, but there is not, I have to allow traffic to ipsec at this interface?

  Best regards

  Andreas

  No, once you have configured the access remote vpn ipsec, it will be automatically activated, and you should be able to connect to the ASA outside the ip address of the interface.

  Can you please share the configuration? and also which group name you are trying to access the vpn client?

• SSL VPN ASA 5510 connect Any

  Hello

  I want to configure SSL VPN for mobile users on ASA 5510 I have following requirements

  > What are the condition of licence on ASA 5510 VPN with Anyconnect SSL?

  > VPN users have full access to the local network via ASA

  > Authentication method preferred, Local or AD (LDAP)

  > users use not laptops should be limited to the Clientless SSL VPN

  > How to add a URL is visible to users in the Web page

  > Can someone view example configuration for the above requirements

  TIA

  Hitesh Vinzoda

  > If you need both AnyConnect and WebVPN (Clientless SSL VPN), you can buy the AnyConnect Premium license (and this is a base user license). The ASA would come with default 2 SSL VPN license.

  > To have full access to the local network, you must use AnyConnect SSL VPN. Here is an example of configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  > You can authenticate to AD or Local or RADIUS, etc. By default, this would be local authentication.

  > Here's some example configuration for clientless SSL VPN:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008072462a.shtml

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml

  Hope that helps.

• IPSEC with the router and asa 5510

  Hi all

  I have problems connecting ipsec l2l. I have set up a router and asa 5510 make ipsec between them, but it seems to fail on the phase 1. I already check and I am 100% sure that is the key. You can a few shed light on the issue, I have. Here's the output debug I get the two system.

  Thank you

  Hello

  Isakmp policy match on both devices? What version of ios is running on the router and the asa5510

  Thank you

• Cisco ASA 5510 VPN Site to Site with Sonicwall

  I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

  Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

  Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

  NAT (inside) 0 access-list sheep

  ..

  IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

  access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

  ..

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set counterpart x.x.x.x

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  ..

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  lifetime 28800

  ..

  internal SiteToSitePolicy group strategy

  attributes of Group Policy SiteToSitePolicy

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec

  Split-tunnel-network-list no

  ..

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group x.x.x.x General attributes

  Group Policy - by default-SiteToSitePolicy

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  ..

  Added some excerpts from the configuration file

  Hello Manjitriat,

  Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

  Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

  Now the packet tracer must be something like this:

  entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

  Please provide us with the result of the following instructions after you run the packet tracer.

  See the crypto Isakamp SA

  See the crypto Ipsec SA

  Kind regards

  Julio