Problem with tunnel IPSEC with NAT

Hello

I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.

The Setup is

192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x

The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see

The config I have is

network of the NAT_TO_Remote1 object
192.168.50.0 subnet 255.255.255.0
network of the Remote1 object
subnet 10.10.10.0 255.255.252.0

NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1

IKEv1 crypto policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400

Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1

card crypto Outside_map 10 corresponds to the address Qualcom_VPN
card crypto Outside_map 10 set peer 159.x.x.x
card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
card crypto Outside_map 10 set pfs Group1
Outside_map interface card crypto outside

RemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0

tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x General-attributes
Group Policy - by default-RemoteSites
159.x.x.x group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.

I was wondering if I'm missing something obvious here.

Hello

You must check the IPSEC transform set and see if they have enabled PFS group or not?

card crypto Outside_map 10 set pfs Group1

Try using group2, or turn it off.

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

Tags: Cisco Security

Similar Questions

  • Problems with NAT? Can't access internet from inside the network?

    I was intrigued with this problem for a few days now. I'm stuck on what could be the issue. The problem is that I can ping my router, G0/0 and G0/1, to the internet. However, since the switch and my PC, I can not ping Internet. I'm sure that everything is configured correctly, but here is my setup for the switch and the router:

    Router 1:

    version 15.1
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname LAN_Router_1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret 5 *.
    !
    No aaa new-model
    !
    no location network-clock-participate 3
    !
    dot11 syslog
    no ip source route
    !
    IP cef
    !
    !
    !
    !
    domain IP MyTestLab.com
    8.8.8.8 IP name-server
    IP-server names 8.8.4.4
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    !
    !
    voice-card 0
    !
    !
    !
    !
    !
    !
    !
    Crypto pki token removal timeout default 0
    !
    !
    !
    !
    license udi pid CISCO3845-MB sn FOC105013BA
    username * secret privilege 15 5 *.
    !
    redundancy
    !
    !
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    property intellectual ssh event logging
    property intellectual ssh version 2
    !
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    192.168.254.1 IP 255.255.255.255
    !
    interface GigabitEthernet0/0
    DHCP IP address
    penetration of the IP stream
    stream IP output
    NAT outside IP
    IP virtual-reassembly in
    automatic duplex
    automatic speed
    media type rj45
    !
    interface GigabitEthernet0/1
    the IP 192.168.0.1 255.255.255.248
    penetration of the IP stream
    stream IP output
    IP nat inside
    IP virtual-reassembly in
    GLBP 100 ip 192.168.0.4
    priority GLBP 100 115
    GLBP 100 preempt
    automatic duplex
    automatic speed
    media type rj45
    !
    ospf Router 5
    router ID - 192.168.254.1
    network 192.168.0.1 0.0.0.0 area 1
    192.168.254.1 network 0.0.0.0 area 0
    !
    IP forward-Protocol ND
    no ip address of the http server
    no ip http secure server
    !
    !
    IP nat inside source list 10 interface GigabitEthernet0/0 overload
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    access-list 10 permit 192.168.94.32 0.0.0.15 connect
    access-list 10 permit 192.168.17.0 connect 0.0.0.7
    access-list 10 permit 192.168.52.0 connect 0.0.0.7


    access-list 10 permit 192.168.0.0 0.0.0.7 connect
    access-list 10 deny any newspaper
    !
    !
    !
    !
    !
    !
    control plan
    !
    !
    !
    !

    profile MGCP default
    !
    !
    !
    !
    !
    connection of the banner ^ C
    W A R N I N G

    THIS IS A PRIVATE COMPUTER SYSTEM.

    This computer system, including all related equipment, network devices
    (specifically including Internet access), are provided only for
    authorized used.

    All computer systems may be monitored for all lawful, including purpose
    to ensure that their use is authorized, for management of the system, to
    facilitate protection against unauthorized access, and to verify security
    survival and operational security procedures.

    Monitoring includes active attacks by authorized personnel and their
    entities to test or verify the security of the system. During the surveillance,.
    information may be examined, recorded, copied and used for authorized
    purposes.

    All information, including personal information, placed on or sent over
    This system may be monitored. Uses of this system, authorized or
    unauthorized, constitutes consent to monitoring of this system.

    Unauthorized use may subject you to criminal prosecution. Evidence of
    any unauthorized use collected during monitoring may be used for
    administrative, criminal or other adverse action. Use of this system
    constitutes a consent to monitoring for these purposes.
    ^ C
    !
    Line con 0
    Synchronous recording
    local connection
    line to 0
    line vty 0
    local connection
    entry ssh transport
    output transport ssh
    line vty 1 4
    opening of session
    transport of entry all
    !
    Scheduler allocate 20000 1000
    NTP 198.60.73.8 Server
    NTP 13.85.70.43 Server
    SaveRunConfig event manager applet
    cron cron-event timer entry ' 0 0 * * ".
    command action 1.0 cli 'enable '.
    cli 2.0 action command "RAM".

    Router 2:

    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname LAN_Router_2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    ! card order type necessary for slot 1
    Monitor logging warnings
    enable secret 5 *.
    !
    No aaa new-model
    !
    clock timezone CST - 5 0
    !
    dot11 syslog
    IP source-route
    !
    IP cef
    !
    !
    !
    !
    domain IP MyTestLab.com
    8.8.8.8 IP name-server
    IP-server names 8.8.4.4
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    !
    type of parameter-card inspect global
    Select a dropped packet newspapers
    !
    voice-card 0
    !
    !
    !
    !
    !


    !
    !
    Crypto pki token removal timeout default 0
    !
    !
    !
    !
    license udi pid CISCO3845-MB sn FOC1411592J
    username * secret 5 *.

    !
    redundancy
    !
    !
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    property intellectual ssh event logging
    property intellectual ssh version 2
    !
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    192.168.254.2 the IP 255.255.255.255
    !
    interface GigabitEthernet0/0
    DHCP IP address
    penetration of the IP stream
    stream IP output
    NAT outside IP
    IP virtual-reassembly in
    automatic duplex
    automatic speed
    media type rj45
    !
    interface GigabitEthernet0/1
    IP 192.168.0.2 255.255.255.248
    penetration of the IP stream
    stream IP output
    IP nat inside
    IP virtual-reassembly in
    GLBP 100 ip 192.168.0.4
    priority GLBP 100 110
    automatic duplex
    automatic speed
    media type rj45
    !
    ospf Router 5
    router ID - 192.168.254.2
    network 192.168.0.2 0.0.0.0 area 1
    0.0.0.0 network 192.168.254.2 area 0
    !
    Default IP gateway 192.168.0.1
    IP forward-Protocol ND
    no ip address of the http server
    no ip http secure server
    !
    !
    IP nat inside source list 10 interface GigabitEthernet0/0 overload
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    SSH extended IP access list
    permit tcp host 192.168.52.2 any eq 22 log
    permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
    permit tcp host 192.168.17.18 any eq 22 log
    any eq 22 host tcp 192.168.0.1 newspaper permit
    permit tcp host 192.168.0.2 any eq 22 log
    permit tcp host 192.168.0.3 any eq 22 log
    permit tcp host 192.168.0.5 any eq 22 log
    denyip a session
    !
    access-list 10 permit 192.168.94.32 0.0.0.15 connect
    access-list 10 permit 192.168.17.0 connect 0.0.0.7
    access-list 10 permit 192.168.52.0 connect 0.0.0.7
    access-list 10 permit 192.168.0.0 0.0.0.7 connect
    access-list 10 deny any newspaper
    !
    !
    !
    !
    !
    !
    control plan
    !
    !
    !
    !
    profile MGCP default
    !
    !
    !
    !
    !
    connection of the banner ^ C
    W A R N I N G

    THIS IS A PRIVATE COMPUTER SYSTEM.

    This computer system, including all related equipment, network devices
    (specifically including Internet access), are provided only for
    authorized used.

    All computer systems may be monitored for all lawful, including purpose
    to ensure that their use is authorized, for management of the system, to
    facilitate protection against unauthorized access, and to verify security
    survival and operational security procedures.

    Monitoring includes active attacks by authorized personnel and their
    entities to test or verify the security of the system. During the surveillance,.
    information may be examined, recorded, copied and used for authorized
    purposes.

    All information, including personal information, placed on or sent over
    This system may be monitored. Uses of this system, authorized or
    unauthorized, constitutes consent to monitoring of this system.

    Unauthorized use may subject you to criminal prosecution. Evidence of
    any unauthorized use collected during monitoring may be used for
    administrative, criminal or other adverse action. Use of this system
    constitutes a consent to monitoring for these purposes.
    ^ C
    !
    Line con 0
    session-timeout 360
    exec-timeout 360 0
    7 password *.
    Synchronous recording
    local connection
    line to 0
    opening of session
    line vty 0 4
    SSH access class in
    Synchronous recording
    local connection
    entry ssh transport
    output transport ssh
    !
    Scheduler allocate 20000 1000
    NTP 198.60.73.8 Server
    NTP 13.85.70.43 Server
    SaveRunConfig event manager applet
    cron cron-event timer entry ' 0 0 * * ".
    command action 1.0 cli 'enable '.
    cli 2.0 action command "RAM".

    Switch:

    version 12.2
    no service button
    tcp KeepAlive-component snap-in service
    a tcp-KeepAlive-quick service
    horodateurs service debug uptime
    Log service timestamps uptime
    encryption password service
    !
    hostname LAN_Switch
    !
    boot-start-marker
    boot-end-marker
    !
    !
    username * secret privilege 15 5 *.
    !
    !
    !
    No aaa new-model
    clock timezone CST - 6
    1 supply ws-c3750-24ts switch
    mtu 1500 routing system
    IP routing
    IP - domain name MyTestLab.com
    8.8.8.8 IP name-server
    IP-server names 8.8.4.4
    !
    !
    !
    !
    !
    !
    !
    !
    !
    spanning tree mode rapid pvst
    spanning tree logging
    spanning tree extend id-system
    !
    internal allocation policy of VLAN ascendant
    !
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    property intellectual ssh event logging
    property intellectual ssh version 2
    !
    !
    interface Loopback0
    192.168.254.5 the IP 255.255.255.255
    !
    interface FastEthernet1/0/1
    switchport access vlan 17
    switchport mode access
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/2
    switchport access vlan 10
    switchport mode access
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/3
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/4
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard

    !
    interface FastEthernet1/0/5
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/6
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/7
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/8
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/9
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/10
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/11
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/12
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/13
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/14
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/15
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/16
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/17
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/18
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/19
    Description # PC #.
    switchport access vlan 10
    switchport mode access
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/20
    Description # X_BOX #.
    switchport access vlan 666
    switchport mode access
    Shutdown
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/21
    switchport access vlan 94
    switchport mode access
    spanning tree portfast
    spanning tree enable bpduguard
    !
    interface FastEthernet1/0/22
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet1/0/23
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet1/0/24
    switchport access vlan 5
    switchport mode access
    !
    GigabitEthernet1/0/1 interface
    switchport access vlan 666
    Shutdown
    !
    interface GigabitEthernet1/0/2
    switchport access vlan 666
    Shutdown
    !
    interface Vlan1
    no ip address
    Shutdown
    !
    interface Vlan5
    IP 192.168.0.5 255.255.255.248
    !
    interface Vlan10
    address 192.168.10.2 255.255.255.0
    !
    interface Vlan17
    IP 192.168.17.17 255.255.255.248
    !
    interface Vlan52
    IP 192.168.52.1 255.255.255.248
    !
    interface Vlan94
    IP 192.168.94.33 255.255.255.240
    !
    ospf Router 5
    router ID - 192.168.254.5
    Log-adjacency-changes
    network 192.168.0.5 0.0.0.0 area 1
    network 192.168.10.2 0.0.0.0 area 2
    network 192.168.17.17 0.0.0.0 area 2
    network 192.168.52.1 0.0.0.0 area 2
    network 192.168.94.33 0.0.0.0 area 2
    0.0.0.0 network 192.168.254.5 area 0
    !
    IP classless
    IP route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
    no ip address of the http server
    no ip http secure server
    !
    !
    SSH_IN extended IP access list
    permit tcp host 192.168.52.2 any eq 22 log
    permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
    permit tcp host 192.168.17.18 any eq 22 log
    any eq 22 host tcp 192.168.0.1 newspaper permit
    permit tcp host 192.168.0.2 any eq 22 log
    permit tcp host 192.168.0.3 any eq 22 log
    permit tcp host 192.168.0.5 any eq 22 log
    deny ip any any newspaper
    !
    !
    connection of the banner ^ C
    W A R N I N G
    THIS IS A PRIVATE COMPUTER SYSTEM.
    This computer system, including all related equipment, network devices
    (specifically including Internet access), are provided only for
    authorized used.
    All computer systems may be monitored for all lawful, including purpose
    to ensure that their use is authorized, for management of the system, to
    facilitate protection against unauthorized access, and to verify security
    survival and operational security procedures.
    Monitoring includes active attacks by authorized personnel and their
    entities to test or verify the security of the system. During the surveillance,.
    information may be examined, recorded, copied and used for authorized
    purposes.
    All information, including personal information, placed on or sent over
    This system may be monitored. Uses of this system, authorized or
    unauthorized, constitutes consent to monitoring of this system.
    Unauthorized use may subject you to criminal prosecution. Evidence of
    any unauthorized use collected during monitoring may be used for
    administrative, criminal or other adverse action. Use of this system
    constitutes a consent to monitoring for these purposes.
    ^ C
    !
    Line con 0
    session-timeout 60
    exec-timeout 60 0
    Synchronous recording
    local connection
    line vty 0
    access-class SSH_IN in
    local connection
    line vty 1 4
    access-class SSH_IN in
    opening of session
    line vty 5 15
    access-class SSH_IN in
    opening of session
    !
    NTP 198.60.73.8 Server
    Event Manager environment suspend_ports_config flash: / susp_ports.dat
    Event Manager environment suspend_ports_days 7
    Event Manager user Directorystrategie "flash: / policies /.
    Event manager session cli username "stw".
    political event manager sl_suspend_ports.tcl
    political event manager tm_suspend_ports.tcl
    SaveRunConfig event manager applet
    cron cron-event timer entry ' 0 0 * * ".
    command action 1.0 cli 'enable '.
    cli 2.0 action command "RAM".

    Well, I totally forgot the keyword "log" and NAT:

    Cisco IOS NAT support ACLs with a keyword "log"?

    A. When you configure Cisco IOS NAT translation dynamic NAT, an ACL is used to identify the packages that can be translated. The current NAT architecture does not support the ACL with a keyword "log".

    http://www.Cisco.com/c/en/us/support/docs/IP/network-address-translation...

    If your problem is not the mask with joker, but the command "log"...

  • Problems with NAT

    I have this very basic SNAT configuration.

    Screen Shot 2015-10-06 at 11.04.28 PM.png

    The ERT is the the Gulf war of the 172.31.1.0/24 subnet, the VM has an IP 172.31.1.5. The external IP address of the ERT is 192.168.202.37. I can see traffic hit ERT, but no NAT rule is the table. The following two screenshots are with a ping extended to 1.1.1.1 running in the back.

    Screen Shot 2015-10-06 at 11.07.51 PM.png

    Screen Shot 2015-10-06 at 11.08.34 PM.png

    No idea, I tried this in many ways and I do not see why does not.

    Thank you.

    Have you tried to apply the NAT rule to the 192.168.x.x instead of vNic_2 interface? Also definitely turned the firewall on the GSS?

  • IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

    Hello

    My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

    "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

    NAT takes place before the encryption verification!

    In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

    Thanks for any help

    Best regards

    Heiko

    Hello

    Try to change your static NAT with static NAT based policy.

    That is to say the static NAT should not be applicable for VPN traffic

    permissible static route map 1

    corresponds to the IP 104

    access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

    access-list 104 allow the host ip 10.1.110.10 all

    IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

    HTH

    Kind regards

    GE.

  • IOS IPSEC VPN with NAT - translation problem

    I'm having a problem with IOS IPSEC VPN configuration.

    /*

    crypto ISAKMP policy 10

    BA 3des

    preshared authentication

    Group 2

    ISAKMP crypto keys TEST123 address 205.xx.1.4

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

    !

    !

    Map 10 CRYPTO map ipsec-isakmp crypto

    the value of 205.xx.1.4 peer

    transformation-CHAIN game

    match address 115

    !

    interface FastEthernet0/0

    Description FOR the EDGE ROUTER

    IP address 208.xx.xx.33 255.255.255.252

    NAT outside IP

    card crypto CRYPTO-map

    !

    interface FastEthernet0/1

    INTERNAL NETWORK description

    IP 10.15.2.4 255.255.255.0

    IP nat inside

    access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

    */

    (This configuration is incomplete / NAT configuration needed)

    Here is the solution that I'm looking for:

    When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

    For more information, see "SCHEMA ATTACHED".

    Any help is greatly appreciated!

    Thank you

    Clint Simmons

    Network engineer

    You can try the following NAT + route map approach (method 2 in this link)

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    Thank you

    Raja K

  • ASA IPSEC site-to-site with NAT problem

    Hello

    I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

    I have a site-to-site between two locations:

    Site A is 192.168.0.0/24

    Site B is 192.168.4.0/24

    I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

    Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems.   But I'm having a problem application where it will be established communications.  I suspect it's the reverse NAT, but I went through the configuration several times.   All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions.    All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

    The system of site B can also ping 10.57.4.50.

    Here's the running configuration:

    ASA 8.3 Version (2)

    !

    hostname fw1

    domain name

    activate the password encrypted

    passwd encrypted

    names of

    !

    interface Vlan1

    Description city network internal

    nameif inside

    security-level 100

    IP 192.168.9.1 255.255.255.0

    !

    interface Vlan2

    Description Internet Public

    nameif outside

    security-level 0

    IP 173.166.117.186 255.255.255.248

    !

    interface Vlan3

    DMZ (CaTV) description

    nameif dmz

    security-level 50

    IP 192.168.2.1 255.255.255.0

    !

    interface Vlan5

    PD Network description

    nameif PDNet

    security level 95

    the IP 192.168.0.1 255.255.255.0

    !

    interface Vlan10

    Description Network Infrastructure

    nameif InfraNet

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan13

    Description wireless comments

    nameif Wireless-comments

    security-level 25

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan23

    nameif StateNet

    security-level 75

    IP 10.63.198.2 255.255.255.0

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    switchport trunk allowed vlan 1,5,10,13

    switchport trunk vlan 1 native

    switchport mode trunk

    Speed 100

    full duplex

    !

    interface Ethernet0/2

    switchport access vlan 3

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    switchport trunk allowed vlan 1,10,13

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/5

    switchport access vlan 23

    !

    interface Ethernet0/6

    Shutdown

    !

    interface Ethernet0/7

    switchport trunk allowed vlan 1

    switchport trunk vlan 1 native

    switchport mode trunk

    Shutdown

    !

    exec banner restricted access

    banner restricted access connection

    passive FTP mode

    clock timezone IS - 5

    clock to summer time EDT recurring

    DNS server-group DefaultDNS

    domain name

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    service of the IMAPoverSSL object

    destination eq 993 tcp service

    IMAP over SSL description

    service of the POPoverSSL object

    tcp destination eq 995 service

    POP3 over SSL description

    service of the SMTPwTLS object

    tcp destination eq 465 service

    SMTP with TLS description

    network object obj - 192.168.9.20

    Home 192.168.9.20

    object obj-claggett-https network

    Home 192.168.9.20

    network of object obj-claggett-imap4

    Home 192.168.9.20

    network of object obj-claggett-pop3

    Home 192.168.9.20

    network of object obj-claggett-smtp

    Home 192.168.9.20

    object obj-claggett-imapoverssl network

    Home 192.168.9.20

    object obj-claggett-popoverssl network

    Home 192.168.9.20

    object obj-claggett-smtpwTLS network

    Home 192.168.9.20

    network object obj - 192.168.9.120

    Home 192.168.9.120

    network object obj - 192.168.9.119

    Home 192.168.9.119

    network object obj - 192.168.9.121

    Home 192.168.9.121

    object obj-wirelessnet network

    subnet 192.168.1.0 255.255.255.0

    network of the Clients_sans_fil object

    subnet 192.168.1.0 255.255.255.0

    object obj-dmznetwork network

    Subnet 192.168.2.0 255.255.255.0

    network of the FD_Firewall object

    Home 74.94.142.229

    network of the FD_Net object

    192.168.6.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    object obj-TownHallNet network

    192.168.9.0 subnet 255.255.255.0

    network obj_InfraNet object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.0.0_24 object

    192.168.0.0 subnet 255.255.255.0

    network of the NHDOS_Firewall object

    Home 72.95.124.69

    network of the NHDOS_SpotsHub object

    Home 192.168.4.20

    network of the IMCMOBILE object

    Home 192.168.0.112

    network of the NHDOS_Net object

    subnet 192.168.4.0 255.255.255.0

    network of the NHSPOTS_Net object

    10.57.4.0 subnet 255.255.255.0

    network of the IMCMobile_NAT_IP object

    Home 10.57.4.50

    service EmailServices object-group

    Description of e-mail Exchange Services / Normal

    service-object, object IMAPoverSSL

    service-object, object POPoverSSL

    service-object, object SMTPwTLS

    the purpose of the tcp destination eq https service

    the purpose of the tcp destination eq imap4 service

    the purpose of the tcp destination eq pop3 service

    the purpose of the tcp destination eq smtp service

    object-group service DM_INLINE_SERVICE_1

    service-object, object IMAPoverSSL

    service-object, object POPoverSSL

    service-object, object SMTPwTLS

    the purpose of the tcp destination eq pop3 service

    the purpose of the tcp destination eq https service

    the purpose of the tcp destination eq smtp service

    object-group service DM_INLINE_SERVICE_2

    service-object, object IMAPoverSSL

    service-object, object POPoverSSL

    service-object, object SMTPwTLS

    the purpose of the tcp destination eq https service

    the purpose of the tcp destination eq pop3 service

    the purpose of the tcp destination eq smtp service

    the obj_clerkpc object-group network

    PCs of the clerk Description

    network-object object obj - 192.168.9.119

    network-object object obj - 192.168.9.120

    network-object object obj - 192.168.9.121

    the TownHall_Nets object-group network

    object-network 192.168.10.0 255.255.255.0

    network-object object obj-TownHallNet

    the DM_INLINE_NETWORK_1 object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.9.0 255.255.255.0

    the DOS_Networks object-group network

    network-object 10.56.0.0 255.255.0.0

    network-object, object NHDOS_Net

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

    StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

    permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

    PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

    PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

    outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

    outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

    pager lines 24

    Enable logging

    Test1 logging level list class debug vpn

    logging of debug asdm

    E-mail logging errors

    address record

    logging level -l errors ' address of the recipient

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    MTU 1500 Wireless-comments

    MTU 1500 StateNet

    MTU 1500 InfraNet

    MTU 1500 PDNet

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 635.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

    NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

    public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

    !

    network obj_any object

    NAT static interface (indoor, outdoor)

    object obj-claggett-https network

    NAT (inside, outside) interface static tcp https https service

    network of object obj-claggett-imap4

    NAT (inside, outside) interface static tcp imap4 imap4 service

    network of object obj-claggett-pop3

    NAT (inside, outside) interface static tcp pop3 pop3 service

    network of object obj-claggett-smtp

    NAT (inside, outside) interface static tcp smtp smtp service

    object obj-claggett-imapoverssl network

    NAT (inside, outside) interface static tcp 993 993 service

    object obj-claggett-popoverssl network

    NAT (inside, outside) interface static tcp 995 995 service

    object obj-claggett-smtpwTLS network

    NAT (inside, outside) interface static tcp 465 465 service

    network object obj - 192.168.9.120

    NAT (inside, StateNet) 10.63.198.12 static

    network object obj - 192.168.9.119

    NAT (all, StateNet) 10.63.198.10 static

    network object obj - 192.168.9.121

    NAT (all, StateNet) 10.63.198.11 static

    object obj-wirelessnet network

    NAT (Wireless-Guest, outside) static interface

    object obj-dmznetwork network

    interface static NAT (all, outside)

    network obj_InfraNet object

    NAT (InfraNet, outside) static interface

    Access-group outside_access_in in interface outside

    Access-group StateNet_access_in in the StateNet interface

    Access-group PDNet_access_in in interface PDNet

    Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

    Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    http server enable 5443

    http 192.x.x.x 255.255.255.0 inside

    http 7.x.x.x 255.255.255.255 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set 72.x.x.x counterpart

    map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

    card crypto outside_map 2 match address outside_2_cryptomap

    card crypto outside_map 2 set pfs

    card crypto outside_map 2 peers set 173.x.x.x

    card crypto outside_map 2 game of transformation-ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    Telnet 192.168.9.0 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.9.0 255.255.255.0 inside

    SSH timeout 5

    Console timeout 0

    dhcpd dns 208.67.222.222 208.67.220.220

    dhcpd lease 10800

    dhcpd outside auto_config

    !

    dhcpd address dmz 192.168.2.100 - 192.168.2.254

    dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

    dhcpd enable dmz

    !

    dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

    dhcpd enable Wireless-comments

    !

    a basic threat threat detection

    a statistical threat detection host number rate 2

    statistical threat detection port

    Statistical threat detection Protocol

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    NTP server 63.240.161.99 prefer external source

    NTP server 207.171.30.106 prefer external source

    NTP server 70.86.250.6 prefer external source

    WebVPN

    attributes of Group Policy DfltGrpPolicy

    internal FDIPSECTunnel group strategy

    attributes of Group Policy FDIPSECTunnel

    VPN-idle-timeout no

    Protocol-tunnel-VPN IPSec l2tp ipsec

    support for username password encrypted privilege 15

    tunnel-group 72.x.x.x type ipsec-l2l

    72.x.x.x group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 173.x.x.x type ipsec-l2l

    tunnel-group 173.x.x.x General-attributes

    Group Policy - by default-FDIPSECTunnel

    173.x.x.x group of tunnel ipsec-attributes

    pre-shared key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns migrated_dns_map_1

    parameters

    message-length maximum 1024

    Policy-map global_policy

    class inspection_default

    inspect the migrated_dns_map_1 dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the icmp

    !

    global service-policy global_policy

    192.168.9.20 SMTP server

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

    : end

    If you do not have access to the remote site, you participate themselves to network and compare each other configurations.  You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

    The site of the customer like an answering machine:

    14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

    14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

    14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

    Kind regards

    Johan

    From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

    I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

  • Problem with Tunnel VPN L2L between 2 ASA´s

    Hi guys,.

    I have some problems with my VPN Site to site tunnel between 2 ASA (5520/5505).

    I watched a lot of videos on youtube, but I can't find out why the tunnel does not...

    Both devices can ping eachothers WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel is not open to everyone. When i PING from the local to the Remote LAN (which should be an interesting traffic for the tunnel...), the its IKEv1 remains empty...

    Am I missing something? I can't understand it more why same phase 1 is not engaged.

    You NAT won't. In your config file traffic is NATted initially and then does not match any more crypto ACL. You must move the rule dynamic NAT/PAT until the end of the table on two ASAs NAT:

     no nat (INSIDE,OUTSIDE) source dynamic any interface nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

  • Problem with VPN client connecting the PIX of IPSec.

    PIX # 17 Sep 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

    Sep 17 14:58:51 [IKEv1]: IP = Y, landed on tunnel_group connection

    Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA proposal # 1, transform # 13 entry overall IKE acceptable matches # 1

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the authenticated user (X).

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, mode of transaction attribute not supported received: 5

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, Type of customer: Client Windows NT Version of the Application: 5.0.06.0160

    Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, assigned private IP 10.0.1.7 remote user address

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

    Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P1: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, data received in payload ID remote Proxy Host: address 10.0.1.7, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, his old QM IsRekeyed not found addr

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, remote peer IKE configured crypto card: outside_dyn_map

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec processing SA payload

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec SA proposal # 14, turn # 1 entry overall SA IPSec acceptable matches # 20

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: asking SPI!

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, IPSec initiator of the substitution of regeneration of the key duration to 2147483 to 7200 seconds

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, passing the Id of the Proxy:

    Remote host: 10.0.1.7 Protocol Port 0 0

    Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol Port 0 0

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = notification sending answering MACHINE service LIFE of the initiator

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the security negotiation is complete for the user (slalanne) answering machine, Inbound SPI = 0 x 6

    044adb5, outbound SPI = 0xcd82f95e

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P2: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, adding static route to the customer's address: 10.0.1.7

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid = c4d80320)

    PIX # 17 Sep 14:59:40 [IKEv1]: Group = X, Username = X, Y = IP, Connection over for homologous X.  Reason: Peer terminate remote Proxy 10.0.1.7, 0.0.0.0Sep Proxy Local 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE removing SA: 10.0.1.7 Remote Proxy, Proxy Local 0.0.0.0

    Sep 17 14:59:40 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    Then debugging IPSec are also normal.

    Now this user is a disconnect and other clients to connect normally. the former user is trying to connect to the site and here is the difference in debugging:

    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, Y = IP, tunnel IPSec rejecting: no entry card crypto for remote proxy proxy 10.0.1.8/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, error QM WSF (P2 struct & 0x2a5fd68, mess id 0x16b59315).
    Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = O, case of mistaken IKE responder QM WSF (struct & 0x2a5fd68) , :
    QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BL
    D_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_

    BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, peer table correlator withdrawal failed, no match!
    Sep 17 14:25:22 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    Here is the config VPN... and I don't see what the problem is:

    Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value
    life together - the association of security crypto dynamic-map outside_dyn_map 20 seconds 7200
    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
    outside_map interface card crypto outside
    ISAKMP crypto identity hostname
    crypto ISAKMP allow outside
    crypto ISAKMP policy 20
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 7200
    crypto ISAKMP policy 65535
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400

    outside_cryptomap_dyn_20 list of allowed ip extended access any 10.0.1.0 255.255.255.248

    attributes global-tunnel-group DefaultRAGroup
    authentication-server-group (outside LOCAL)
    Type-X group tunnel ipsec-ra
    tunnel-group X general attributes
    address pool addresses
    authentication-server-group (outside LOCAL)
    Group Policy - by default-X
    tunnel-group X ipsec-attributes
    pre-shared-key *.
    context of prompt hostname

    mask of 10.0.1.6 - 10.0.1.40 IP local pool 255.255.255.0

    Please remove the acl of the dynamic encryption card crypto, it causes odd behavior

    try to use split instead of the acl acl in dynamic crypto map, and let me know how it goes

  • Problems with VPN tunnels after the upgrade to PIX 7.0

    It seems that Cisco has revamped the VPN process on the new Version of PIX 7.0.

    After I've upgraded, I noticed that AH (i.e. ah-sha-hmac, ah-md5-hmac) was no longer supported and all my container transformation games OH no were not converted.

    Another question, if you have enabled on Versieon 6.3, names when you upgrade, tunnel groups will be created (formerly "identity isakmp crypto, crypto key isakmp peer ') which will include a hostname (hostname of identity) instead of IP as it was to the point 6.3. Guess what... Nothing works! Having to delete and recreate it using the IP address.

    See an example...

    tunnel-group OTHER_END type ipsec-l2l

    IPSec-attributes tunnel-group OTHER_END

    pre-shared-key *.

    The above does not work... Having to recreate using the IP address mapped to OTHER_END...

    tunnel-group 2.2.2.2 type ipsec-l2l

    2.2.2.2 tunnel-group ipsec-attributes

    pre-shared-key *.

    Furthermore, I have problems with my racoon and freeswan extranet... Did someone recently updated with success and other gateways VPN provider (i.e. checkpoint, Freeswan and Racoon) work?

    We found the solution for this problem. It appeared that the perfect forward secrecy is enabled at the other side. If a 'card crypto outside_map 10 set pfs' is necessary. With the pix 6.3 version that appears not to make the difference, the vpn works even with pfs disabled on the side of pix.

  • Publish a server with NAT anchored through a tunnel VPN with ASA

    Hi all

    Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do.  I don't know that I'm missing something simple.

    I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation.  Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

    So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

    Let's see if I can get this

    IP public 1.1.1.1\

    > External interface of ASA

    2.2.2.2 / private ip

    My config as I know it is pertinant is as follows:

    permit same-security-traffic intra-interface

    list of allowed incoming access extended ip any host 168.215.x.x

    Access-group interface incoming outside

    public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

    I am running version 8.2.5 of the image of the SAA.

    If you could take a look and let me know what Miss me you please.

    Thank you

    Hello

    The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

    So I wonder if another type of NAT configuration would actually work.

    I would call it static political identity NAT if such a name exists yet.

    Something like that

    Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

    allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

    public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

    This should basically do what

    • When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
    • If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
    • Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
    • Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.

    Hope this helps

    Be sure to mark it as answered in the affirmative. And/or useful response rate.

    Ask more if necessary.

    EDIT: typos

    -Jouni

  • After the upgrade to Windows 8, problem with teredo tunneling adapter says code 10 error and the device cannot start

    Original title: teredo tunneling adapter error number 10 on windows 8

    on my acer travel mate 6292 which I just upgraded to windows 8 pro recently got a problem with teredo tunneling adapter.

    It says error code 10 and that the device cannot start, it made me unable to use wifi on my laptop

    I tried to reinstall the driver but it just says: windows encountered a problem installing and he says its error code 10

    Please help me

    Thanks in advance

    Hi Samuel,.

    We appreciate your efforts to solve this problem. We will put all our efforts in order to solve the problem.

    Teredo is a tunneling protocol designed to grant IPv6 connectivity to nodes that are located behind IPv6 NAT (network address translation) not compatible devices. It defines a way of encapsulating IPv6 packets in IPv4 UDP (User Datagram Protocol) datagrams can be routed through NAT devices, on the IPv4 internet.

    I wish to inform you that Acer has not released Windows 8 compatible drivers for Acer 6292 travel companion.

    I suggest you try to install the drivers for the card wireless in compatibility mode and check if it works. Check out the following link to download and install drivers in compatibility mode.

    Make the programs more compatible with this version of Windows

    http://Windows.Microsoft.com/en-us/Windows-8/older-programs-compatible-version-Windows

    The link below to download the drivers for the wireless card: http://us.acer.com/ac/en/US/content/drivers

    A Code 10 error is generated in the Device Manager in one of the following situations:

    1. the Device Manager cannot start the device.

    2. one of the pilots who needs the unit does not start.

    3 device Manager has sufficient information to recognize the error that spread upwards by the device driver.

    We could try following common resolutions to solve the problem:

    1. update the drivers for this device

    2 launch a service of automated troubleshooting

    3 contact material supplier technical support

    For more information, please see the following article:

    FIX: "this device cannot start" error Code 10 in the Device Manager in Windows

    http://support.Microsoft.com/kb/943104/en-us

    In addition, this article could also be designated:

    How can I troubleshoot network card?

    http://Windows.Microsoft.com/en-in/Windows/fix-network-adapter-problems#1TC=Windows-8

     

    Please answer us on the State of the question to help you further.

  • There is a problem with the Microsoft Teredo Tunneling adapter driver. The driver must be reinstalled.

    I notice that I need to solve problems for my computer.  The message said: there is a problem with the Microsoft Teredo Tunneling adapter driver. The driver must be installed.  One of the options is to reinstall the driver.  I tried, but it did not.  What is this adapter, and how should I do if the error message goes away?

    There is a problem with the Microsoft Teredo Tunneling adapter driver. The driver must be reinstalled.
    The device information
    Name: Microsoft Teredo Tunneling adapter
    ID: ROOT\ * TEREDO\0000
    Error code: 10
    Reinstall the device driver
    Completed
    There is a problem with the Microsoft Teredo Tunneling adapter driver. Reinstall the driver may resolve this issue.
    Problem with the PnP devices
    Detected
    There are problems with some devices PnP. Windows will take additional steps to continue troubleshooting these devices.
    It is a known problem if you have Zone alarm installed.  If you have installed remove it at least to check

    To disable Teredo tunneling 6to4 interface open an elevated command prompt and type

    netsh interface set terredo disabled state.
    To re - install
    1. Click on start.
    2. Type Device Manager in the start search box, and then open it.
    3. Click the Action tab on top and click Add legacy hardware
      then click next and next again, he will then scan and find nothing then click on the screen after that.
      Wait a minute and you will see a list of devices appear, scroll and select network adapters and click Next, then in the left column choose Microsoft then in the right hand column scroll down and choose Microsoft Teredo Tunneling adapter, and then click Next and it will install it.
      To check simply do as it is set to show hidden devices right click on the Device Manager right click view, then show hidden devices.
  • Client VPN with tunneling IPSEC over TCP transport does not

    Hello world

    Client VPN works well with tunneling IPSEC over UDP transport.

    I test to see if it works when I chose the VPN client with ipsec over tcp.

    Under the group policy, I disabled the IPSEC over UDP and home port 10000

    But the VPN connection has failed.

    What should I do to work VPN using IPSEC over TCP

    Concerning

    MAhesh

    Mahesh,

    You must use "ikev1 crypto ipsec-over-tcp port 10000.

    As crypto isakmp ipsec-over-tcp work on image below 8.3

    HTH

  • Static NAT problem with PIX501

    Hi all

    We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.

    6.3 (4) version PIX

    interface ethernet0 car

    interface ethernet1 100full

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    pixfirewall hostname

    domain ciscopix.com

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    access-list 101 permit tcp any host x.x.x.26 eq www

    access-list 101 permit tcp any host x.x.x.26 EQ field

    access-list 101 permit udp any host x.x.x.26 EQ field

    pager lines 24

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside x.x.x.28 255.255.255.248

    IP address inside 192.168.90.1 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    location of PDM 192.168.90.0 255.255.255.0 inside

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0

    Access-group 101 in external interface

    Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1

    Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    http 192.168.90.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    Terminal width 80

    : end

    the problem is the configuration, we are unable to access the web server both inside and outside the network.

    All input will be greatly appreciated.

    Kind regards

    udimpas

    activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:

    3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80

    3363575: ICMP echo request: external untranslating: inside: 192.168.90.3

    3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80

    3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:

    by doing this, you can 1. Check the nat 2. If the server responds to the internet.

    do not forget to allow incoming icmp:

    access-l 101 permit icmp any one

Maybe you are looking for

  • Real email from Apple?

    I received a bill from iTunes saying: I bought an album that wasn't me.  I'm suspicious that the e-mail address doesn't look like an address from apple is a phishing email?  He was sent by the sender below - [email protected] I changed my p

  • Including complex.h fails

    I want to use the functions of complex numbers in C99 that this pagehttp://digital.ni.com/public.nsf/allkb/73AEAD30C8AF681A86257BBB0054A26B , should be possible. However, Labwindows cannot find the header complex.h file in the #include statement. How

  • 2000 HP ethernet controller drivers

    I can't find the right drivers for these someone can help? Winows 7 OS. laptop HP 2000 Ethernet controllerPCI\VEN_10EC & DEV_8136 & SUBSYS_3577103C & REV_05PCI\VEN_10EC & DEV_8136 & SUBSYS_3577103CPCI\VEN_10EC & DEV_8136 & CC_020000PCI\VEN_10EC & DEV

  • HP5514 printer - black not printing

    Due to no black printing, can be changed on a HP5514 printer printheads?  The ink cartridges have been replaced.  No error message is displayed.

  • Windows 7 and windeos 10 can be used together on the same PC?

    Windows 7 and windeos 10 can be used together on the same PC?