Problem of peripheral access NAS via the VPN Site to Site

Hi all

I am facing a strange problem with a client. I use a VPN from Site to Site between two ASA 5505 to connect its network to ours to replikate between a NAS on his side and a NAS on our side. I use the same configuration with other guests and it works fine.

With this client, while I am able to ping the remote NAS and I have problems using SMB to connect via ssh (it works _sometimes_ but most of the time to access files via eplorer results in a timeout) and join the NAS Web portal (http and https, with https I can see the remote certificate of the SIN but the page does not load). These problems occur on both sides (our network-> NAS, customer network-> our NAS client)

I can access the NAS even without any problems other customers. ASA newspaper I see no connection blocked or whatever it is when this happens and the tunnel seems to work fine otherwise.

Any ideas how to refine the problem here?

Thanks in advance

Tobias

It looks like you can run into problems with packets that are too big for your tunnel. Try to limit the size of TCP segment by putting the following on your ASA units:

 sysopt connection tcpmss 1360

Most VPN tunnels are not going to have an MTU (Maximum Transmission Unit) less than 1400 bytes, so the above should clean things up.

Tags: Cisco Security

Similar Questions

I have an iPhone and a MacBook Air 11 '' 6. iPhone 6 syncs and backup icloud. I can access iCloud via the net on MacBook. The problem is that I can't get the MacBook to sync with iCloud. How can I do this? Help, please. Thank you.

I have an iPhone and a MacBook Air 11 '' 6. iPhone 6 syncs and backup icloud. I can access iCloud via the net on MacBook. The problem is, I can't get the MacBook to sync with iCloud. How can I do this? Help, please. Thank you.

What, in particular, looking to sync with the Mac iCloud? If you mean things like Contacts, calendars, Notes, etc., then you want to go in under the  system preferences, click the iCloud and connect to iCloud there with your iCloud ID. Then select which items you want to sync'd via iCloud.

What - what are you trying to do?

See you soon,.

GB

Windows 7 unable to access XP via the snap-snap-in mmc

Hello gentlemen,

The question that I have met is "Insufficient permissions" which tent to access remotely via the MMC, the Task Scheduler. I came to the conclusion that there is a compatibility issue of cross that I am under Win 7 and tries to access an XP machine. I can access the Task Scheduler on Windows 7 machines without any problem, but the XP machines give me an insufficient permissions error. I have the possible right plu admin for my domain, I excluded insufficient permissions and concluded with cross incompatibility.

Someone has encountered this same problem and/or found a fix for this. Thank you in advance!

Hi Alex,

I would have you post your query in the TechNet forums because it caters to an audience of it professionals. Your question would be more out there.

Check out the link-

http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

Back to us for any issues related to Windows in the future. We will be happy to help you.

Windows XP pro, can not see desktop (just a blank screen) at startup. can access only via the Task Manager. How can I fix? __

Windows XP pro, can not see desktop (just a blank screen) at startup. can access only via the Task Manager. How can I fix?

In the Task Manager, click on "File" and select "new task (run).

Type explorer.exe, and then press the ENTER key.

If you are able to connect successfully to the windows, scan the entire computer using updated anti-virus software and check the virus.

Routing between two remote sites connected over the VPN site to site

I have a problem ping between remote sites. Now the Cryptography and no nat ACL's for different sites just to affect traffic between the remote site and main site. I tried to add roads, adding other subnets to the crypto and no. ACL Nat at the remote sites... nothing worked. Any ideas?

Main site:

192.168.100.0 - call manager / phone VLAN

192.168.1.0/24 - data VLAN

Site 1:

192.168.70.0/24 - phone VLAN

192.168.4.0/24 - data VLAN

Site 2:

192.168.80.0/24 - phone VLAN

192.168.3.0/24 - data VLAN

Main router

Expand the IP ACL5 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.70.0 0.0.0.255)
50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Expand the IP ACL6 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.80.0 0.0.0.255

Expand the No. - NAT IP access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
320 ip 192.168.1.0 allow 0.0.0.255 any
IP 192.168.100.0 allow 330 0.0.0.255 any

Site 1:

ACL5 extended IP access list

IP 192.168.70.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 10.255.255.0 0.0.0.255

No. - NAT extended IP access list

deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.100.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 any

ip licensing 192.168.4.0 0.0.0.255 any

Site 2:

ACL6 extended IP access list
IP 192.168.80.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
No. - NAT extended IP access list
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 any
ip licensing 192.168.3.0 0.0.0.255 any

What should I do for these two sites can ping each other? I looked through the forums but can't seem to find someone with a similar problem, which has received a definitive answer.

Thanks in advance!

Hi, I assume that you need site 1 and 2 to communicate with each other via the main site right? If this is the case, then you need to set add the following lines to your ACL crypto:

Main router

Expand the IP ACL5 access list

IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

Expand the IP ACL6 access list

IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

Make sure you add these lines before the last permit

Expand the No. - NAT IP access list

deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

Site 1:

ACL5 extended IP access list

IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

Make sure that these lines are added before the last permit

No. - NAT extended IP access list

deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

Site 2:

ACL6 extended IP access list

IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

So make sure that these lines are added before the last permit

No. - NAT extended IP access list

deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

So you're saying good enough your routers with these definitions which will be reached via one main remote sites (sites 1 and 2).

I would like to know if this is what you need.

Next hop for the static route on the VPN site to site ASA?

Hi all

I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

Concerning

Ahh, ok, makes sense.

The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

Example of topology:

Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

The static route must tell:

outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

I hope this helps.

Cannot access remote network by VPN Site to Site ASA

Hello everyone

First of all I must say that I have configured the VPN site-to site a million times before. Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

ASA local:
hostname gyd - asa
domain bct.az
activate the encrypted password of XeY1QWHKPK75Y48j
XeY1QWHKPK75Y48j encrypted passwd
names of
DNS-guard
!
interface GigabitEthernet0/0
Shutdown
nameif vpnswc
security-level 0
IP 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
Vpn-turan-Baku description
nameif outside Baku
security-level 0
IP 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
Vpn-ganja description
nameif outside-Ganja
security-level 0
IP 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. * 255.255.255.0
!
interface GigabitEthernet0/3
Description BCT_Inside
nameif inside-Bct
security-level 100
IP 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
IP 192.168.251.1 255.255.255.0
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
name-server 192.168.1.3
domain bct.az
permit same-security-traffic intra-interface
object-group network obj - 192.168.121.0
object-group network obj - 10.40.60.0
object-group network obj - 10.40.50.0
object-group network obj - 192.168.0.0
object-group network obj - 172.26.0.0
object-group network obj - 10.254.17.0
object-group network obj - 192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj - 10.254.17.18
object-group network obj - 10.254.17.10
object-group network obj - 10.254.17.26
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
icmp_inside list extended access permit icmp any one
icmp_inside of access allowed any ip an extended list
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
RDP list extended access permit tcp any host 192.168.45.3 eq 3389
rdp extended permitted any one ip access list
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
Enable logging
emblem of logging
recording of debug console
recording of debug trap
asdm of logging of information
Interior-Bct 192.168.1.27 host connection
flow-export destination inside-Bct 192.168.1.27 9996
vpnswc MTU 1500
outside Baku MTU 1500
outside-Ganja MTU 1500
MTU 1500 remote access
Interior-Bct MTU 1500
management of MTU 1500
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any outside Baku
ICMP allow access remotely
ICMP allow any interior-Bct
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
3 overall (RAS) interface
azans access-list NAT 3 (outside-Ganja)
NAT (remote access) 0 access-list sheep-vpn-city
NAT 3 list nat-vpn-internet access (remote access)
NAT (inside-Bct) 0-list of access inside_nat0_outbound
NAT (inside-Bct) 2-nat-ganja access list
NAT (inside-Bct) 1 access list nat
Access-group rdp on interface outside-Ganja
!
Router eigrp 2008
No Auto-resume
neighbor 10.254.17.10 interface outside Baku
neighbor 10.40.50.66 Interior-Bct interface
Network 10.40.50.64 255.255.255.252
Network 10.250.25.0 255.255.255.0
Network 10.254.17.8 255.255.255.248
Network 10.254.17.16 255.255.255.248
redistribute static
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol Ganymede GANYMEDE +.
AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
key *.
AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
key *.
RADIUS protocol AAA-server TACACS1
AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
key *.
AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
key *.
authentication AAA ssh console LOCAL GANYMEDE
Console to enable AAA authentication RADIUS LOCAL
Console Telnet AAA authentication RADIUS LOCAL
AAA accounting ssh console GANYMEDE
Console Telnet accounting AAA GANYMEDE
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Interior-Bct
http 192.168.139.0 255.255.255.0 Interior-Bct
http 192.168.0.0 255.255.255.0 Interior-Bct
Survey community SNMP-server host inside-Bct 192.168.1.27
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.10
card crypto mymap 10 transform-set RIGHT
correspondence address card crypto mymap 20 110
card crypto mymap 20 peers set 10.254.17.11
mymap 20 transform-set myset2 crypto card
card crypto mymap interface outside Baku
correspondence address card crypto ganja 10 110
10 ganja crypto map peer set 10.254.17.18
card crypto ganja 10 transform-set RIGHT
card crypto interface outside-Ganja ganja
correspondence address card crypto vpntest 20 110
peer set card crypto vpntest 20 10.250.25.1
newset vpntest 20 transform-set card crypto
card crypto vpntest interface vpnswc
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = gyd - asa .az .bct
sslvpnkeypair key pair
Configure CRL
map of crypto DefaultCertificateMap 10 ca certificate

crypto isakmp identity address
ISAKMP crypto enable vpnswc
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.0.0 255.255.255.0 Interior-Bct
SSH timeout 35
Console timeout 0
priority queue outside Baku
queue-limit 2046
TX-ring-limit 254
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.168.1.3
SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
SSL-trust ASDM_TrustPoint0 remote access point
WebVPN
turn on remote access
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal group ssl policy
attributes of group ssl policy
banner welcome to SW value
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
group-lock value SSL
WebVPN
value of the SPS URL-list
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the PFS
BCT.AZ value by default-field
ssl VPN-group-strategy
WebVPN
value of the SPS URL-list
IPSec-attributes tunnel-group DefaultL2LGroup
ISAKMP retry threshold 20 keepalive 5
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
IPSec-attributes tunnel-group DefaultWEBVPNGroup
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.10 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.10
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type SSL tunnel-group remote access
attributes global-group-tunnel SSL
ssl address pool
Authentication (remote access) LOCAL servers group
Group Policy - by default-ssl
certificate-use-set-name username
Group-tunnel SSL webvpn-attributes
enable SSL group-alias
Group-url https://85. *. *. * / activate
tunnel-group 10.254.17.18 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.18
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.11 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.11
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type tunnel-group DefaultSWITGroup remote access
attributes global-tunnel-group DefaultSWITGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultSWITGroup
pre-shared key *.
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
class flow_export_cl
flow-export-type of event all the destination 192.168.1.27
class class by default
flow-export-type of event all the destination 192.168.1.27
Policy-map Voicepolicy
class voice
priority
The class data
police release 80000000
!
global service-policy global_policy
service-policy interface outside Baku Voicepolicy
context of prompt hostname

Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
GYD - asa #.

ASA remote:
ASA Version 8.2 (3)
!
ciscoasa hostname
activate the encrypted password of XeY1QWHKPK75Y48j
2KFQnbNIdI.2KYOU encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif inside
security-level 100
IP 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
IP 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
access-list 110 scope ip allow a whole
192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
management of MTU 1500
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside) 0 access-list sheep
Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.9
mymap 10 transform-set myset2 crypto card
mymap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN

tunnel-group 10.254.17.9 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.9
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname

Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa # $

Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

Would appreciate any help. Thank you in advance...

If the tunnel is up (phase 1), but no traffic passing the best test is the following:

Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

Test on both directions.

Please post the results.

Federico.

ASA 5505 VPN works great but can't access internet via the tunnel to customers

We have an ASA 5505 ASA 8.2.1 running and using IPSec for Remote access clients in the main office. Remote access is a lot of work, with full access to network resources in the main office and the only thing I can't get to work is access to internet through the tunnel. I don't want to use split tunneling. I use ASDM 6.2.1 for configuration. Any help is appreciated. I'm probably missing something simple and it looked so much, I'm probably looking at right beyond the error. Thanks in advance for your time and help! Jim

Add a statement of nat for your segment of customer on the external interface

NAT (outside) - access list

then allow traffic routing back on the same interface, it is entered in the

permit same-security-traffic intra-interface

*

*

* more than information can be found here:

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

On Wednesday, 27 January 2010, at 23:12, jimcanova

Internet via the VPN tunnel

Hi I have a question.

I hope one of you can help me.

My problem is that I want to the internet using VPN tunnenl.

I have a VPN connection with my ASA 5505 at home.

I am able to access the entire inside of the devices. But I'm unable to access the internet.

is it possible the internet using the internet connection I have at home.

i'f played a bit with the following commands:

same-security-traffic permits intera-interface &
```
 same-security-traffic permit intera-interface & split-tunnel-policy tunnelall
```
ASA version: 9.1 2

ASDM version: 7.1 (3)

Greetings

Palermo

the client that is connected via VPN you are able to ping 4.2.2.2?

If Yes, if you issue a nslookup google.com is the resolved name?

If this isn't the case, then I think that the following command highlighted is the problem:

Group Policy home-attributes VPNSSL
WINS server no
DNS server no
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client

Try setting your DNS here server and test.

--

Please do not forget to select a correct answer and rate useful posts

local host to access the vpn site to site with nat static configured

I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

allowed SDM_RMAP_1 1 route map
corresponds to the IP 100

access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 100 permit ip 192.168.150.0 0.0.0.255 any

You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

The local PIX ip access to hosts on the VPN site

I have a vpn connection from site to site with ASA 5510 PIX 515 which works very well. There is no problem for hosts on any side of the tunnel access to a cross. However the IP local (192.168.20.1) on the interface client of my PIX is not allowed access to guests across the tunnel.

Packet-trace entry client tcp 192.168.20.1 12345 192.168.13.13 80 detailed

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DECLINE

Config:

Implicit rule

Additional information:

Direct flow from returns search rule:

ID = 0x3ec5bc8, priority = 500, area = allowed, deny = true

hits = 8, user_data = 0 x 6, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 192.168.20.1, mask is 255.255.255.255, port = 0

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

There must be a setting that I missed. All otherip on 192.168.20.0 don't get the same error with packet - trace. Can someone help me please?

interface Ethernet0

nameif outside

security-level 0

IP address dhcp setroute

interface Ethernet1

customer nameif

security-level 90

address 192.168.20.1 255.255.255.0

interface Ethernet1.21

VLAN 21

nameif Server

security-level 100

IP 192.168.21.1 255.255.255.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.11.0 255.255.255.0

object-network 192.168.13.0 255.255.255.0

access-list extended 100 permit customer ip 255.255.255.0 DM_INLINE_NETWORK_1 object-group

Global 1 interface (outside)

(Client) NAT 0-list of access 100

NAT (client) 1 0.0.0.0 0.0.0.0

NAT (server) 0-access list 100

NAT (server) 1 0.0.0.0 0.0.0.0

static (client, server) Server server netmask 255.255.255.0

static (client, server) client client netmask 255.255.255.0

client_access_in access to the customer of the interface group

Route outside 0.0.0.0 0.0.0.0 95.129.13.1 1

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set sveden-aes256 esp-aes-256 esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

correspondence address card crypto myvpnmap 10 100

card crypto myvpnmap pfs set 10 group5

peer set card crypto myvpnmap 10 12.218.14.129

card crypto myvpnmap 10 transform-set sveden-aes256

life safety association set card crypto myvpnmap 10 28800 seconds

card crypto myvpnmap 10 set security-association life kilobytes 4608000

myvpnmap crypto 10 card value reverse-road

myvpnmap interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

aes-256 encryption

sha hash

Group 5

life 86400

IPSec-attributes tunnel-group DefaultRAGroup

ISAKMP retry threshold 10 keepalive 2

tunnel-group 12.218.14.129 type ipsec-l2l

tunnel-group 12.218.14.129 General-attributes

IPSec-attributes tunnel-group 12.218.14.129

pre-shared-key *.

Cordially Mikael

Hello

You plan to connect to the firewall with address 192.168.20.1 for management purposes or why the IP should be able to generate connections to connect VPN L2L?

By default, the 'packet - trace' will fail if you are using a firewall interface IP address as the source address of the command. This result is always the same. (Although I have not tried the packet - trace with the below mentioned command enabled)

If you want to access the IP 192.168.20.1 interface via the L2L VPN on the other side, then you will have to configure

customer management-access

Here is more information on the above command

http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/m.html#wp2027985

-Jouni

Client VPN cannot access anything at the main Site

I am sure that this problem has been resolved in a million times more, but I can't get this to work. Can someone take a look at this quick config and tell me what is the problem?

The Cisco VPN client connects without problems but I can't access anything whatsoever.

ASA Version 8.4 (4)

!

ciscoasa hostname

activate 8Ry2YjIyt7RRXU24 encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 15

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.43.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address a.a.a.a 255.255.255.248

!

interface Vlan15

prior to interface Vlan1

nameif IPOffice

security-level 100

IP 192.168.42.254 255.255.255.0

!

boot system Disk0: / asa844 - k8.bin

passive FTP mode

network object obj - 192.168.43.0

192.168.43.0 subnet 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the NETWORK_OBJ_10.11.12.0_24 object

10.11.12.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.43.160_28 object

subnet 192.168.43.160 255.255.255.240

network of the IPOffice object

subnet 0.0.0.0 0.0.0.0

outside_access_in list extended access permit icmp any 192.168.42.0 255.255.255.0

Note access list ACL for VPN Tunnel from Split vpn_SplitTunnel

standard access list vpn_SplitTunnel allow 192.168.43.0 255.255.255.0

AnyConnect_Client_Local_Print deny ip extended access list a whole

AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 IPOffice

IP local pool newvpnpool 10.11.12.100 - 10.11.12.150 mask 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 649.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 non-proxy-arp-search to itinerary

NAT (inside, outside) static source any any static destination NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 non-proxy-arp-search to itinerary

NAT (IPOffice, outside) static source any any static destination NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 non-proxy-arp-search to itinerary

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

network of the IPOffice object

NAT (IPOffice, outside) dynamic interface

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 b.b.b.b 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

AAA authentication http LOCAL console

AAA authentication LOCAL telnet console

Enable http server

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outdoors

http 192.168.43.0 255.255.255.0 inside

http 192.168.42.0 255.255.255.0 IPOffice

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

IKEv1 crypto ipsec transform-set high - esp-3des esp-md5-hmac

crypto ipsec transform-set encrypt method 1 IKEv1 esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Crypto-map dynamic dynmap pfs set 30 Group1

Crypto-map dynmap 30 set transform-set ikev1 strong dynamic - a

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

map rpVPN 65535-isakmp ipsec crypto dynamic dynmap

rpVPN interface card crypto outside

crypto isakmp identity address

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 2

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

SSH group dh-Group1-sha1 key exchange

Console timeout 0

dhcpd outside auto_config

!

dhcpd address 192.168.43.5 - 192.168.43.36 inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

AnyConnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

AnyConnect enable

tunnel-group-list activate

internal RPVPN group policy

RPVPN group policy attributes

value of server DNS 8.8.8.8

Ikev1 VPN-tunnel-Protocol

username admin privilege 15 encrypted password gP3lHsTOEfvj7Z3g

username password encrypted blPoPZBKFYhjYewF privilege 0 mark

type tunnel-group RPVPN remote access

attributes global-tunnel-group RPVPN

address newvpnpool pool

Group Policy - by default-RPVPN

IPSec-attributes tunnel-group RPVPN

IKEv1 pre-shared-key *.

!

!

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2

: end

Well Yes, you are quite right on site!

Asymmetric routing is not supported on the firewall, such as trafficking and out should be via the interfaces of same, in the contrary case, it think it's an attack and drop the package.

Default gateway on the subnet devices IPOffice should be the interface IPOffice ASA (192.168.42.254), not the switch, if it is a switch shared with your home network. Similarly for devices inside subnet, default gateway must be ASA 192.168.43.254.

In regards to the switch, you can get a default gateway or the ASA inside or IP interface IPOffice ASA and the needs of return traffic to route through the same path

Security problems of Windows 7 connecting to the VPN to a ras server

We run a domain for most of our users - but not all - due to the merger of companies

We use vpn connections from Windows at the standard address to access remotely via a no domain Server 2003 running RSA

Windows name nigel.hunter@domain-name

VPN username nhunter

When runnin Windows xp users can get access to the files on the servers

When you run Windows 7, they can

have found that the system windows 7 are passing the VPN user name and credentials instead of the credentials of domain

This does not prevent access

Anyone know how I can get to pass the credentials of the doamin during access to the VPN servers

Thanks in advanced for any help

Hello

The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the TechNet Forums.

TechNet Forum

http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

Hope this information helps.

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Problem connecting to HP DJ5900 via the USB port on the router

HP DeskJet 5940, MacBook Pro, OS x 10.6.8.

I want to connect the DJ5940 through my router (Speedport W723V) via the USB port.

I see that the printer is connected to the USB port of routers and adding a printer on the MBP works.

However, when I try to print, printing dialoge sas is printing (full % increases), but nothing is displayed and the status of the printer finally chnges for "printer paused".

Is what I'm trying to do possible?

Dean,

Thanks for your help, but I went in a different direction: the Speedport router is EXTREAMELY oriented Windows, to the extent that it has nothing in the documentation to do anything with a Mac, so I've dug a former print USB/Ethernet of Axis Communications Server. At least 7 years old and no documentation, but connect to its IP address allowed me to set it up, and Macs connected to it directly.

Problem of peripheral access NAS via the VPN Site to Site

Similar Questions

Maybe you are looking for