problem setting up vpn site-to-site between asa and 1811 router
I get the following error.
3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP
6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024
5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop
4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).
5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.
3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED
6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address
4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes
I do not think that because of the incompatibility of encryption. Any help is appreciated.
Thank you
Nilesh
You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.
If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.
Kind regards
Arul
Tags: Cisco Security
Similar Questions
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with IPSEC VPN between ASA and cisco router
I think that there is a problem in the phase 2
Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified belowLooking forward for your help
Phase 1 is like that
Cisco_router #sh crypto isakmp his
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVEand ASA
ASA # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEPhase 2 on SAA
ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393ABSAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: YPhase 2 on cisco router
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
VPN configuration is less in cisco router
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectaccess-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectsheep allowed 10 route map
corresponds to the IP 105Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset
mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.
You currently have:
Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIt should be:
Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)
To remove it and add it to the bottom:
105 extended IP access list
not 5
IP 172.19.194.0 allow 60 0.0.0.255 any
Then ' delete ip nat trans. "
and it should work now.
-
VPN site to Site btw Pix535 and 2811 router, can't get to work
Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: config PIX:
: Saved
: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012
!
8.0 (4) version PIX
!
hostname pix535
!
interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
address IP X.X.138.132 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
outside_access_in of access allowed any ip an extended list
access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0
inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248
outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248
access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0
Global interface 10 (external)
15 1.2.4.5 (outside) global
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 15 10.1.0.0 255.255.0.0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds
Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000
Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60
Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds
Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map 1 match address outside_1_cryptomap
outside_map game 1 card crypto peer X.X.21.29
card crypto outside_map 1 set of transformation-ESP-DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 1
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
internal GroupPolicy1 group strategy
cnf-vpn-cls group policy internal
attributes of cnf-vpn-cls-group policy
value of 10.1.1.7 WINS server
value of 10.1.1.7 DNS server 10.1.1.205
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value x.com
sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key secret1
RADIUS-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group cnf-vpn-cls type remote access
tunnel-group global cnf-vpn-cls-attributes
cnf-8-ip address pool
Group Policy - by default-cnf-vpn-cls
tunnel-group cnf-CC-vpn-ipsec-attributes
pre-shared-key secret2
ISAKMP ikev1-user authentication no
tunnel-group cnf-vpn-cls ppp-attributes
ms-chap-v2 authentication
tunnel-group X.X.21.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.21.29
Pre-shared key SECRET
!
class-map inspection_default
match default-inspection-traffic
!
!
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: 2811 router config:
!
! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla
! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname THE-2800
!
!
Crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1411740556
revocation checking no
rsakeypair TP-self-signed-1411740556
!
!
TP-self-signed-1411740556 crypto pki certificate chain
certificate self-signed 01
308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435
30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D
34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203
1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003
81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452
E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C
quit smoking
!
!
!
crypto ISAKMP policy 1
preshared authentication
ISAKMP crypto key address SECRET X.X.138.132 No.-xauth
!
!
Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac
!
map 1 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
the transform-set the-2800-trans-set value
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
Description WAN side
address IP X.X.216.29 255.255.255.248
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
No cdp enable
No mop enabled
card crypto 2800-ipsec-policy
!
interface FastEthernet0/1
Description side LAN
IP 10.20.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
full duplex
automatic speed
No mop enabled
!
IP nat inside source map route sheep interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 allow 64.236.96.53
access-list 99 allow 98.82.1.202
access list 101 remark vpn tunnerl acl
Note access-list 101 category SDM_ACL = 4
policy of access list 101 remark tunnel
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
public RO SNMP-server community
!
!
!
sheep allowed 10 route map
corresponds to the IP 110
!
!
!
!
WebVPN gateway gateway_1
IP address X.X.216.29 port 443
SSL trustpoint TP-self-signed-1411740556
development
!
WebVPN install svc flash:/webvpn/svc.pkg
!
WebVPN gateway-1 context
title 'b '.
secondary-color white
color of the title #CCCC66
text-color black
SSL authentication check all
!
!
policy_1 political group
functions compatible svc
SVC-pool of addresses "WebVPN-Pool."
SVC Dungeon-client-installed
SVC split include 10.20.0.0 255.255.0.0
Group Policy - by default-policy_1
Gateway gateway_1
development
!
!
end
#3: test Pix to the router:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: X.X.21.29
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2
> DEBUG:
12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry#4: test the router to pix:LA - 2800 #sh crypto isakmp hisIPv4 Crypto ISAKMP Security Associationstatus of DST CBC State conn-id slotX.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0> debugLA - 2800 #ping 10.1.1.7 source 10.20.1.1Type to abort escape sequence.Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:Packet sent with a source address of 10.20.1.1Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 50022 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 8000001322 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 50022 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - tOct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode ExchangeOct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.13222 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 122 Oct 16:24:34.053: ISAKMP: DES-CBC encryption22 Oct 16:24:34.053: ISAKMP: SHA hash22 Oct 16:24:34.053: ISAKMP: default group 122 Oct 16:24:34.053: ISAKMP: pre-shared key auth22 Oct 16:24:34.053: ISAKMP: type of life in seconds22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x8022 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 022 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 022 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:422 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:8640022 Oct 16:24:34.053: ISAKMP: (0): return real life: 8640022 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM322 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.13222 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 022 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unitOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTHOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS!Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch22 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM422 Oct 16:24:34.221: ISAKMP: (1018): send initial contact22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication22 Oct 16:24:34.221: ISAKMP (0:1018): payload IDnext payload: 8type: 1address: X.X.216.29Protocol: 17Port: 500Length: 1222 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5...22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 19855474022 Oct 16:24:38.849: ISAKMP: (1017): purge the node 81238000222 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...Success rate is 0% (0/5)# THE-2800Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD6022 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmissionOct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.13222 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE....22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.......22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615
22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0
The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work
I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.
All suggestions and tips are greatly appreciated.
Sean
Recommended action:
On the PIX:
no card crypto outside_map 1
!
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
card crypto outside_map 10 correspondence address outside_1_cryptomap
crypto outside_map 10 peer X.X.216.29 card game
outside_map crypto 10 card value transform-set ESP-3DES-SHA
life safety association set card crypto outside_map 10 28800 seconds
card crypto outside_map 10 set security-association life kilobytes 4608000
!
tunnel-group X.X.216.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.216.29
Pre-shared key SECRET
!
On the router:
crypto ISAKMP policy 10
preshared authentication
Group 2
3des encryption
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
output
!
card 10 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
game of transformation-ESP-3DES-SHA
match address 101
!
No crypto card-2800-ipsec-policy 1
Let me know how it goes.
Portu.
Please note all useful posts
Post edited by: Javier Portuguez
-
Impossible to establish vpn site to site between asa 5505 5510 year
Hi all experts
We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?
Hugo
Here are the links to the guides-cisco config:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/site2sit.html
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_site2site.html
In addition to VPN, you need to consider in NAT exemption:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/cfgnat.html#wp1043541
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_overview.html#wpxref25608
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_rules.html#wp1232160
And many examples:
http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
-
Private of IPSec VPN-private network between ASA and router
Hello community,
This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch
Headquarters ASA summary.
Peer IP: 111.111.111.111
Local network: 10.0.0.0
Branch
Peer IP: 123.123.123.123
LAN: 192.168.1.0/24
Please can someone help me set up the vpn.
Hello
This guide covers exactly what you need:
Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html
Tunnel VPN - ASA to the router configuration:
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM
Kind regards
Jimmy
-
Problem with VPN Site-to-Site between RV215W and ISA550
Hello
I tried to set up a site connection to site between a RV215W and an ISA550 for a whole day without success now, could someone help me with an example of configuration?
I'm new to this kind of configurations and VPN Options of two routers seem very different, with IKE an IPsec on the RV, IPsec and IKE policies, transform the policies on the ISA.
Outputs the Wizards from Site to Site are not either.
The RV215W is intended to connect a new branch via 3G and that it doesn't have a fixed IP address.
Subnet the ISA is 10.10.11.0/24 VR 192.168.100.0/24
Thanks for any help in advance!
T
Hello
I check all the screenshots and you must:
-Disable the PFS on ISA500 (screenshot of ISA500 of a second)
-Enable IPsec on ISA500 (first screenshot of ISA500)
-Activate the VPN on RV215W (first screenshot of RV215W) policy
And iniate the RV215W VPN
I hope that this step will fix the problem
Thank you
Mehdi
-
Problem with VPN Site-to-Site between RV215W and ASA5510
The RV215W is intended to connect a new branch via 3G, but fail.
But when connected to the internet via a cable modem VPN works.
I have set up with the FULL domain name and remote ip address.
Please help me soon as soon as you can.
Thaks a lot.
Henriux2412.
Dear Henry;
Thank you to the small community of Support Business.
I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.
Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support
https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport
Do not hesitate to contact me if there is anything I can help you with in the meantime.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
VPN SITE-TO-SITE BETWEEN ASA 5505 ASN 5510 DISORDERS
Hello everyone, I have a problem with my vpn between two ASAs, I will review the configuration of the two devices running, but I couldn't see anything out of the normal.
As you can see in the image, that the VPN is upward, but in the ASA 5510 I bytes of Rx (ZERO), I tried to config ASAs yet but I have the same problem, I don't know what I can do, please help me...
Hello
You should make sure that
- Remote ends of NAT configurations are correct
- NAT0 or another type of translation is not configured
- A NAT rule is the substitution of the rule that you have configured for the VPN L2L?
- Make sure that you have allowed the circulation/connection you are trying
- VPN traffic is allowed to bypass the 'external' ACL interface on the remote end or the traffic should be allowed in the 'outer' interface ACL?
- Make sure that the remote host responds to the same type of its local network connection attempt before trying the same thing from a remote location through VPN L2L
- If a tested service does not work, try another. For example ICMP is not always the best thing to test connections.
Can you also give us additional context information.
- This VPN L2L worked, or did it stop working at some point?
- I assume that you have administrator access to two ASA? Can you perhaps share some configurations
- What kind of connections you attempt by the L2L VPN?
- TCP/UDP/ICMP?
- IP source and destination?
- You monitor the newspapers of the SAA through the ASDM on the other end? The device at the remote end which does not send anything back on the L2L VPN connection.
And as a last post a very common configuration that is absent of configurations of ASA during the test with ICMP
Make sure you two ASAs have below "icmp inspect" configured
Policy-map global_policy
class inspection_default
inspect the icmp
-Jouni
- Remote ends of NAT configurations are correct
-
Problem with Telnet VPN site to site ASA - ASA
Hi techies,.
I created a site to site through ASA VPN... An ASA 5505 and other ASA 5510 East. 5510 have 3 interfaces. both of them is on the inside. No DMZ. and it is outside the interface. one of the inside interface has 100 security level and other has 90. The 5510 is client-side. We can telnet to this ASA through the interface with the security level of 100... We enabled telnet via the lowest (90) with security-level interface, even if we can not telnet to this interface. We just change the security level of 90 to 100, but it did not work... so changed to 90. the telnet configuration is also even any other interface...
but it did not work... If someone please suggest a fair solution ASAP...
Thank you & best regards
Vipin Raj
You can only manage 1 inside the ASA by the VPN interface, and it is activated by the command "access management".
Why do you need to manage the ASA via all interfaces from the inside by the VPN?
ASA cannot be managed from the interface where you connect since with the exception of the 1 cross interface when you VPN in.
Example:
If you are connected to the ASA inside the interface, you can only manage the ASA inside the interface, not the DMZ or outside the interface.
If you are connected to the ASA outside interface, you can only manage the ASA outside interface, with the exception of when you VPN, you can handle the 1 other interfaces, but you will have to enable it with the command "access management".
Hope that makes sense.
-
I'm trying to implement a VPN site link to site between the ASA5510 we use exclusively as a VPN endpoint on campus and a D-Link DIR130 router off campus, to a local company with a dynamically assigned IP address. We currently use the ASA to remote access users who use the Cisco VPN client on mobile devices, as well as a link to site-to-site unique in our telecommunications provider for the purposes of remote monitoring telecoms equipment.
We are looking for a way to deploy at a lower cost of VPN connections for local businesses to allow them to use the devices for sale which connect to systems on campus, so students can use their meal in local restaurants cards, similar to the way they use them in the cafeteria on campus.
I have experience setting up Cisco switches, routers and APs, but ASA appliance absolutely baffles me. I futzed with the AMPS 6.4 config autour gui and tried to match the configurations between the DIR130 and the ASA, but I can never get a VPN to come. Anyone who can point me to an example, or provide me with help on this would be appreciated. I have google searched and found very little, with my limited experience in setting up ASA, I ask to my script.
You must configure the static route on the 6509 for 192.168.5.0/24 to ASA inside the interface:
IP route 192.168.5.0 255.255.255.0 131.162.160.2
Assuming that 131.162.160.1 is your 6509
-
Site to Site with ASA and FortiGate
I have setup a VPN site-to site between my ASA and FortiGate customers. The tunnel rises with success, but we can not pass traffic. When I do a packet capture on my ASA, I see traffic on the port of entry as usual, but on the output port, the source address gets NAT had I checked all statements of NAT, and there is a statement NAT exempted from the entry port to the port of exit and in the VPN configuration.
Then your oder of NAT statements in probably wrong. The dynamic NAT for outgoing traffic must be at the end (I put them always in article 3), while the Exemption must be at the beginning of Section 1.
-
Hello
I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.
Thank you all,.
Jérôme
Hello
It seems that you are missing some required configuration. See the link below...
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml
HTH
MS
* Rate of useful messages *.
Maybe you are looking for
-
Firefox crashes because as his tent to update the last website I went to have uninstalled and reinstalled several times and always the case. How can I erase this site so it seems not for her? Also happens in safe mode.
-
Satellite A300 - part number for the palmrest
HI, I have a Satellite A300-1BZ which requires a new set of rest-hands/touchpad (upper part of the housing). I can find the second part of user A300/A305/A305D part no V000120350. However, the metal screen on V000120350 seems different than an A300-1
-
Hi all. Is there such a device that is a TV and a combined xbox360?
I'm in the right forum?
-
Re-apply Anytime Upgrade license after running recovery disk
4 years ago, I bought a Toshiba laptop with Windows Home Premium pre-installed, and provided with a Toshiba recovery media. As I need to join a domain but wanted to keep the media center software that I used also provided Express Upgrade disk to upgr
-
How to make a Vista 32 bit media upgrade to 64 - bit with an OEM System Builder pack.
I bought a Vista 32 bit Home Premium OEM system builder pack just now when I built my computer and I was wandering how to do media upgrade to 64 - bit.