Problem with tunnel IPSEC with NAT
Hello
I had an ipsec tunnel between a former Cisco router at a remote site. I'm the config 887 to an ASA migration. The remote site cannot establish the tunnel. This is the only site having problems. There are one number of other sites remote connection back without problem.
The Setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (side remote outdoors) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range so I'm NATing 192.168.50.x which is what they want to see
The config I have is
network of the NAT_TO_Remote1 object
192.168.50.0 subnet 255.255.255.0
network of the Remote1 object
subnet 10.10.10.0 255.255.252.0
NAT NAT_TO_Remote1 (Interior, exterior) destination 192.168.1.0 source static static Remote1 Remote1
IKEv1 crypto policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 3DES-SHA1
card crypto Outside_map 10 corresponds to the address Qualcom_VPN
card crypto Outside_map 10 set peer 159.x.x.x
card crypto Outside_map 10 set transform-set 3DES-SHA1 ikev1
card crypto Outside_map 10 set pfs Group1
Outside_map interface card crypto outside
RemoteSite_VPN list extended access allowed host ip 192.168.50.20 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.30 10.10.10.0 255.255.252.0
RemoteSite_VPN list extended access allowed host ip 192.168.50.40 10.10.10.0 255.255.252.0
tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x General-attributes
Group Policy - by default-RemoteSites
159.x.x.x group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
I was wondering if I'm missing something obvious here.
Hello
You must check the IPSEC transform set and see if they have enabled PFS group or not?
card crypto Outside_map 10 set pfs Group1
Try using group2, or turn it off.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
Tags: Cisco Security
Similar Questions
-
Problems with NAT? Can't access internet from inside the network?
I was intrigued with this problem for a few days now. I'm stuck on what could be the issue. The problem is that I can ping my router, G0/0 and G0/1, to the internet. However, since the switch and my PC, I can not ping Internet. I'm sure that everything is configured correctly, but here is my setup for the switch and the router:
Router 1:
version 15.1
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *.
!
No aaa new-model
!
no location network-clock-participate 3
!
dot11 syslog
no ip source route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
username * secret privilege 15 5 *.
!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.1 IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
the IP 192.168.0.1 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 115
GLBP 100 preempt
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.1
network 192.168.0.1 0.0.0.0 area 1
192.168.254.1 network 0.0.0.0 area 0
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7
access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N GTHIS IS A PRIVATE COMPUTER SYSTEM.
This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
Synchronous recording
local connection
line to 0
line vty 0
local connection
entry ssh transport
output transport ssh
line vty 1 4
opening of session
transport of entry all
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".Router 2:
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_2
!
boot-start-marker
boot-end-marker
!
!
! card order type necessary for slot 1
Monitor logging warnings
enable secret 5 *.
!
No aaa new-model
!
clock timezone CST - 5 0
!
dot11 syslog
IP source-route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
type of parameter-card inspect global
Select a dropped packet newspapers
!
voice-card 0
!
!
!
!
!
!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1411592J
username * secret 5 *.!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.2 the IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
IP 192.168.0.2 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 110
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.2
network 192.168.0.2 0.0.0.0 area 1
0.0.0.0 network 192.168.254.2 area 0
!
Default IP gateway 192.168.0.1
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
SSH extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
denyip a session
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7
access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!
profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N GTHIS IS A PRIVATE COMPUTER SYSTEM.
This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 360
exec-timeout 360 0
7 password *.
Synchronous recording
local connection
line to 0
opening of session
line vty 0 4
SSH access class in
Synchronous recording
local connection
entry ssh transport
output transport ssh
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".Switch:
version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
!
username * secret privilege 15 5 *.
!
!
!
No aaa new-model
clock timezone CST - 6
1 supply ws-c3750-24ts switch
mtu 1500 routing system
IP routing
IP - domain name MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning tree mode rapid pvst
spanning tree logging
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
interface Loopback0
192.168.254.5 the IP 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 17
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/3
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/4
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/5
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/6
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/7
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/8
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/9
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/10
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/11
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/12
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/13
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/14
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/15
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/16
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/17
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/18
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/19
Description # PC #.
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/20
Description # X_BOX #.
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/21
switchport access vlan 94
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 5
switchport mode access
!
GigabitEthernet1/0/1 interface
switchport access vlan 666
Shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 666
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan5
IP 192.168.0.5 255.255.255.248
!
interface Vlan10
address 192.168.10.2 255.255.255.0
!
interface Vlan17
IP 192.168.17.17 255.255.255.248
!
interface Vlan52
IP 192.168.52.1 255.255.255.248
!
interface Vlan94
IP 192.168.94.33 255.255.255.240
!
ospf Router 5
router ID - 192.168.254.5
Log-adjacency-changes
network 192.168.0.5 0.0.0.0 area 1
network 192.168.10.2 0.0.0.0 area 2
network 192.168.17.17 0.0.0.0 area 2
network 192.168.52.1 0.0.0.0 area 2
network 192.168.94.33 0.0.0.0 area 2
0.0.0.0 network 192.168.254.5 area 0
!
IP classless
IP route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip address of the http server
no ip http secure server
!
!
SSH_IN extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any newspaper
!
!
connection of the banner ^ C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.
All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.
Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.
All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 60
exec-timeout 60 0
Synchronous recording
local connection
line vty 0
access-class SSH_IN in
local connection
line vty 1 4
access-class SSH_IN in
opening of session
line vty 5 15
access-class SSH_IN in
opening of session
!
NTP 198.60.73.8 Server
Event Manager environment suspend_ports_config flash: / susp_ports.dat
Event Manager environment suspend_ports_days 7
Event Manager user Directorystrategie "flash: / policies /.
Event manager session cli username "stw".
political event manager sl_suspend_ports.tcl
political event manager tm_suspend_ports.tcl
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".Well, I totally forgot the keyword "log" and NAT:
Cisco IOS NAT support ACLs with a keyword "log"?
A. When you configure Cisco IOS NAT translation dynamic NAT, an ACL is used to identify the packages that can be translated. The current NAT architecture does not support the ACL with a keyword "log".
http://www.Cisco.com/c/en/us/support/docs/IP/network-address-translation...
If your problem is not the mask with joker, but the command "log"...
-
I have this very basic SNAT configuration.
The ERT is the the Gulf war of the 172.31.1.0/24 subnet, the VM has an IP 172.31.1.5. The external IP address of the ERT is 192.168.202.37. I can see traffic hit ERT, but no NAT rule is the table. The following two screenshots are with a ping extended to 1.1.1.1 running in the back.
No idea, I tried this in many ways and I do not see why does not.
Thank you.
Have you tried to apply the NAT rule to the 192.168.x.x instead of vNic_2 interface? Also definitely turned the firewall on the GSS?
-
IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static
Hello
My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT with static NAT based policy.
That is to say the static NAT should not be applicable for VPN traffic
permissible static route map 1
corresponds to the IP 104
access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0
access-list 104 allow the host ip 10.1.110.10 all
IP nat inside source static 10.1.110.10 81.222.33.90 map of static route
HTH
Kind regards
GE.
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto keys TEST123 address 205.xx.1.4
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN
!
!
Map 10 CRYPTO map ipsec-isakmp crypto
the value of 205.xx.1.4 peer
transformation-CHAIN game
match address 115
!
interface FastEthernet0/0
Description FOR the EDGE ROUTER
IP address 208.xx.xx.33 255.255.255.252
NAT outside IP
card crypto CRYPTO-map
!
interface FastEthernet0/1
INTERNAL NETWORK description
IP 10.15.2.4 255.255.255.0
IP nat inside
access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.
For more information, see "SCHEMA ATTACHED".
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route map approach (method 2 in this link)
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
ASA IPSEC site-to-site with NAT problem
Hello
I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.
Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.
The system of site B can also ping 10.57.4.50.
Here's the running configuration:
ASA 8.3 Version (2)
!
hostname fw1
domain name
activate the
password encrypted passwd
encrypted names of
!
interface Vlan1
Description city network internal
nameif inside
security-level 100
IP 192.168.9.1 255.255.255.0
!
interface Vlan2
Description Internet Public
nameif outside
security-level 0
IP 173.166.117.186 255.255.255.248
!
interface Vlan3
DMZ (CaTV) description
nameif dmz
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface Vlan5
PD Network description
nameif PDNet
security level 95
the IP 192.168.0.1 255.255.255.0
!
interface Vlan10
Description Network Infrastructure
nameif InfraNet
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan13
Description wireless comments
nameif Wireless-comments
security-level 25
IP 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
IP 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk vlan 1 native
switchport mode trunk
Speed 100
full duplex
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk vlan 1 native
switchport mode trunk
Shutdown
!
exec banner restricted access
banner restricted access connection
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain name
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
service of the IMAPoverSSL object
destination eq 993 tcp service
IMAP over SSL description
service of the POPoverSSL object
tcp destination eq 995 service
POP3 over SSL description
service of the SMTPwTLS object
tcp destination eq 465 service
SMTP with TLS description
network object obj - 192.168.9.20
Home 192.168.9.20
object obj-claggett-https network
Home 192.168.9.20
network of object obj-claggett-imap4
Home 192.168.9.20
network of object obj-claggett-pop3
Home 192.168.9.20
network of object obj-claggett-smtp
Home 192.168.9.20
object obj-claggett-imapoverssl network
Home 192.168.9.20
object obj-claggett-popoverssl network
Home 192.168.9.20
object obj-claggett-smtpwTLS network
Home 192.168.9.20
network object obj - 192.168.9.120
Home 192.168.9.120
network object obj - 192.168.9.119
Home 192.168.9.119
network object obj - 192.168.9.121
Home 192.168.9.121
object obj-wirelessnet network
subnet 192.168.1.0 255.255.255.0
network of the Clients_sans_fil object
subnet 192.168.1.0 255.255.255.0
object obj-dmznetwork network
Subnet 192.168.2.0 255.255.255.0
network of the FD_Firewall object
Home 74.94.142.229
network of the FD_Net object
192.168.6.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
object obj-TownHallNet network
192.168.9.0 subnet 255.255.255.0
network obj_InfraNet object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NHDOS_Firewall object
Home 72.95.124.69
network of the NHDOS_SpotsHub object
Home 192.168.4.20
network of the IMCMOBILE object
Home 192.168.0.112
network of the NHDOS_Net object
subnet 192.168.4.0 255.255.255.0
network of the NHSPOTS_Net object
10.57.4.0 subnet 255.255.255.0
network of the IMCMobile_NAT_IP object
Home 10.57.4.50
service EmailServices object-group
Description of e-mail Exchange Services / Normal
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq imap4 service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_1
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_2
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
the obj_clerkpc object-group network
PCs of the clerk Description
network-object object obj - 192.168.9.119
network-object object obj - 192.168.9.120
network-object object obj - 192.168.9.121
the TownHall_Nets object-group network
object-network 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.9.0 255.255.255.0
the DOS_Networks object-group network
network-object 10.56.0.0 255.255.0.0
network-object, object NHDOS_Net
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
StateNet_access_in list extended access permitted ip object-group obj_clerkpc one
permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0
PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip
PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks
outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group
outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
Enable logging
Test1 logging level list class debug vpn
logging of debug asdm
E-mail logging errors
address record
logging level
-l errors ' address of the recipient Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 Wireless-comments
MTU 1500 StateNet
MTU 1500 InfraNet
MTU 1500 PDNet
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 635.bin
don't allow no asdm history
ARP timeout 14400
NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net
NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net
public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks
!
network obj_any object
NAT static interface (indoor, outdoor)
object obj-claggett-https network
NAT (inside, outside) interface static tcp https https service
network of object obj-claggett-imap4
NAT (inside, outside) interface static tcp imap4 imap4 service
network of object obj-claggett-pop3
NAT (inside, outside) interface static tcp pop3 pop3 service
network of object obj-claggett-smtp
NAT (inside, outside) interface static tcp smtp smtp service
object obj-claggett-imapoverssl network
NAT (inside, outside) interface static tcp 993 993 service
object obj-claggett-popoverssl network
NAT (inside, outside) interface static tcp 995 995 service
object obj-claggett-smtpwTLS network
NAT (inside, outside) interface static tcp 465 465 service
network object obj - 192.168.9.120
NAT (inside, StateNet) 10.63.198.12 static
network object obj - 192.168.9.119
NAT (all, StateNet) 10.63.198.10 static
network object obj - 192.168.9.121
NAT (all, StateNet) 10.63.198.11 static
object obj-wirelessnet network
NAT (Wireless-Guest, outside) static interface
object obj-dmznetwork network
interface static NAT (all, outside)
network obj_InfraNet object
NAT (InfraNet, outside) static interface
Access-group outside_access_in in interface outside
Access-group StateNet_access_in in the StateNet interface
Access-group PDNet_access_in in interface PDNet
Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set 72.x.x.x counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_2_cryptomap
card crypto outside_map 2 set pfs
card crypto outside_map 2 peers set 173.x.x.x
card crypto outside_map 2 game of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet 192.168.9.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.9.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd outside auto_config
!
dhcpd address dmz 192.168.2.100 - 192.168.2.254
dhcpd dns 8.8.8.8 8.8.4.4 dmz interface
dhcpd enable dmz
!
dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments
dhcpd enable Wireless-comments
!
a basic threat threat detection
a statistical threat detection host number rate 2
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 63.240.161.99 prefer external source
NTP server 207.171.30.106 prefer external source
NTP server 70.86.250.6 prefer external source
WebVPN
attributes of Group Policy DfltGrpPolicy
internal FDIPSECTunnel group strategy
attributes of Group Policy FDIPSECTunnel
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
support for username
password encrypted privilege 15 tunnel-group 72.x.x.x type ipsec-l2l
72.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x General-attributes
Group Policy - by default-FDIPSECTunnel
173.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
192.168.9.20 SMTP server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.
-
Problem with IPSEC tunnel between Cisco PIX and Cisco ASA
Hi all!
Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.
On our side as initiator:
Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)
Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004
The site of the customer like an answering machine:
14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)
14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116
14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)
Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116
Kind regards
Johan
From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.
I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.
-
Problem with Tunnel VPN L2L between 2 ASA´s
Hi guys,.
I have some problems with my VPN Site to site tunnel between 2 ASA (5520/5505).
I watched a lot of videos on youtube, but I can't find out why the tunnel does not...
Both devices can ping eachothers WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel is not open to everyone. When i PING from the local to the Remote LAN (which should be an interesting traffic for the tunnel...), the its IKEv1 remains empty...
Am I missing something? I can't understand it more why same phase 1 is not engaged.
You NAT won't. In your config file traffic is NATted initially and then does not match any more crypto ACL. You must move the rule dynamic NAT/PAT until the end of the table on two ASAs NAT:
no nat (INSIDE,OUTSIDE) source dynamic any interface nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
-
Problem with VPN client connecting the PIX of IPSec.
PIX # 17 Sep 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Sep 17 14:58:51 [IKEv1]: IP = Y, landed on tunnel_group connection
Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA proposal # 1, transform # 13 entry overall IKE acceptable matches # 1
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the authenticated user (X).
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, mode of transaction attribute not supported received: 5
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, Type of customer: Client Windows NT Version of the Application: 5.0.06.0160
Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, assigned private IP 10.0.1.7 remote user address
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED
Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P1: 6840 seconds.
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, data received in payload ID remote Proxy Host: address 10.0.1.7, protocol 0, Port 0
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, his old QM IsRekeyed not found addr
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, remote peer IKE configured crypto card: outside_dyn_map
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec processing SA payload
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec SA proposal # 14, turn # 1 entry overall SA IPSec acceptable matches # 20
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: asking SPI!
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, IPSec initiator of the substitution of regeneration of the key duration to 2147483 to 7200 seconds
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, passing the Id of the Proxy:
Remote host: 10.0.1.7 Protocol Port 0 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol Port 0 0
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = notification sending answering MACHINE service LIFE of the initiator
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the security negotiation is complete for the user (slalanne) answering machine, Inbound SPI = 0 x 6
044adb5, outbound SPI = 0xcd82f95e
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P2: 6840 seconds.
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, adding static route to the customer's address: 10.0.1.7
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid = c4d80320)
PIX # 17 Sep 14:59:40 [IKEv1]: Group = X, Username = X, Y = IP, Connection over for homologous X. Reason: Peer terminate remote Proxy 10.0.1.7, 0.0.0.0Sep Proxy Local 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE removing SA: 10.0.1.7 Remote Proxy, Proxy Local 0.0.0.0
Sep 17 14:59:40 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop
Then debugging IPSec are also normal.
Now this user is a disconnect and other clients to connect normally. the former user is trying to connect to the site and here is the difference in debugging:
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, Y = IP, tunnel IPSec rejecting: no entry card crypto for remote proxy proxy 10.0.1.8/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, error QM WSF (P2 struct & 0x2a5fd68, mess id 0x16b59315).
Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = O, case of mistaken IKE responder QM WSF (struct & 0x2a5fd68), :
QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BL
D_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_
BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, peer table correlator withdrawal failed, no match!
Sep 17 14:25:22 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, dropHere is the config VPN... and I don't see what the problem is:
Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value
life together - the association of security crypto dynamic-map outside_dyn_map 20 seconds 7200
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 20
preshared authentication
the Encryption
md5 hash
Group 2
life 7200
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
life 86400outside_cryptomap_dyn_20 list of allowed ip extended access any 10.0.1.0 255.255.255.248
attributes global-tunnel-group DefaultRAGroup
authentication-server-group (outside LOCAL)
Type-X group tunnel ipsec-ra
tunnel-group X general attributes
address pool addresses
authentication-server-group (outside LOCAL)
Group Policy - by default-X
tunnel-group X ipsec-attributes
pre-shared-key *.
context of prompt hostnamemask of 10.0.1.6 - 10.0.1.40 IP local pool 255.255.255.0
Please remove the acl of the dynamic encryption card crypto, it causes odd behavior
try to use split instead of the acl acl in dynamic crypto map, and let me know how it goes
-
Problems with VPN tunnels after the upgrade to PIX 7.0
It seems that Cisco has revamped the VPN process on the new Version of PIX 7.0.
After I've upgraded, I noticed that AH (i.e. ah-sha-hmac, ah-md5-hmac) was no longer supported and all my container transformation games OH no were not converted.
Another question, if you have enabled on Versieon 6.3, names when you upgrade, tunnel groups will be created (formerly "identity isakmp crypto, crypto key
isakmp peer ') which will include a hostname (hostname of identity) instead of IP as it was to the point 6.3. Guess what... Nothing works! Having to delete and recreate it using the IP address. See an example...
tunnel-group OTHER_END type ipsec-l2l
IPSec-attributes tunnel-group OTHER_END
pre-shared-key *.
The above does not work... Having to recreate using the IP address mapped to OTHER_END...
tunnel-group 2.2.2.2 type ipsec-l2l
2.2.2.2 tunnel-group ipsec-attributes
pre-shared-key *.
Furthermore, I have problems with my racoon and freeswan extranet... Did someone recently updated with success and other gateways VPN provider (i.e. checkpoint, Freeswan and Racoon) work?
We found the solution for this problem. It appeared that the perfect forward secrecy is enabled at the other side. If a 'card crypto outside_map 10 set pfs' is necessary. With the pix 6.3 version that appears not to make the difference, the vpn works even with pfs disabled on the side of pix.
-
Publish a server with NAT anchored through a tunnel VPN with ASA
Hi all
Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do. I don't know that I'm missing something simple.
I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation. Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).
So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.
Let's see if I can get this
IP public 1.1.1.1\
> External interface of ASA
2.2.2.2 / private ip
My config as I know it is pertinant is as follows:
permit same-security-traffic intra-interface
list of allowed incoming access extended ip any host 168.215.x.x
Access-group interface incoming outside
public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255
I am running version 8.2.5 of the image of the SAA.
If you could take a look and let me know what Miss me you please.
Thank you
Hello
The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.
So I wonder if another type of NAT configuration would actually work.
I would call it static political identity NAT if such a name exists yet.
Something like that
Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic
allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a
public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT
This should basically do what
- When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
- If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
- Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
- Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.
Hope this helps
Be sure to mark it as answered in the affirmative. And/or useful response rate.
Ask more if necessary.
EDIT: typos
-Jouni
-
Original title: teredo tunneling adapter error number 10 on windows 8
on my acer travel mate 6292 which I just upgraded to windows 8 pro recently got a problem with teredo tunneling adapter.
It says error code 10 and that the device cannot start, it made me unable to use wifi on my laptop
I tried to reinstall the driver but it just says: windows encountered a problem installing and he says its error code 10
Please help me
Thanks in advance
Hi Samuel,.
We appreciate your efforts to solve this problem. We will put all our efforts in order to solve the problem.
Teredo is a tunneling protocol designed to grant IPv6 connectivity to nodes that are located behind IPv6 NAT (network address translation) not compatible devices. It defines a way of encapsulating IPv6 packets in IPv4 UDP (User Datagram Protocol) datagrams can be routed through NAT devices, on the IPv4 internet.
I wish to inform you that Acer has not released Windows 8 compatible drivers for Acer 6292 travel companion.
I suggest you try to install the drivers for the card wireless in compatibility mode and check if it works. Check out the following link to download and install drivers in compatibility mode.
Make the programs more compatible with this version of Windows
http://Windows.Microsoft.com/en-us/Windows-8/older-programs-compatible-version-Windows
The link below to download the drivers for the wireless card: http://us.acer.com/ac/en/US/content/drivers
A Code 10 error is generated in the Device Manager in one of the following situations:
1. the Device Manager cannot start the device.
2. one of the pilots who needs the unit does not start.
3 device Manager has sufficient information to recognize the error that spread upwards by the device driver.
We could try following common resolutions to solve the problem:
1. update the drivers for this device
2 launch a service of automated troubleshooting
3 contact material supplier technical support
For more information, please see the following article:
FIX: "this device cannot start" error Code 10 in the Device Manager in Windows
http://support.Microsoft.com/kb/943104/en-us
In addition, this article could also be designated:
How can I troubleshoot network card?
http://Windows.Microsoft.com/en-in/Windows/fix-network-adapter-problems#1TC=Windows-8
Please answer us on the State of the question to help you further.
-
I notice that I need to solve problems for my computer. The message said: there is a problem with the Microsoft Teredo Tunneling adapter driver. The driver must be installed. One of the options is to reinstall the driver. I tried, but it did not. What is this adapter, and how should I do if the error message goes away?
There is a problem with the Microsoft Teredo Tunneling adapter driver. The driver must be reinstalled.The device informationName: Microsoft Teredo Tunneling adapter ID: ROOT\ * TEREDO\0000 Error code: 10 Reinstall the device driver CompletedThere is a problem with the Microsoft Teredo Tunneling adapter driver. Reinstall the driver may resolve this issue.Problem with the PnP devices DetectedThere are problems with some devices PnP. Windows will take additional steps to continue troubleshooting these devices.It is a known problem if you have Zone alarm installed. If you have installed remove it at least to checkTo disable Teredo tunneling 6to4 interface open an elevated command prompt and type
netsh interface set terredo disabled state.To re - install- Click on start.
- Type Device Manager in the start search box, and then open it.
- Click the Action tab on top and click Add legacy hardware
then click next and next again, he will then scan and find nothing then click on the screen after that.
Wait a minute and you will see a list of devices appear, scroll and select network adapters and click Next, then in the left column choose Microsoft then in the right hand column scroll down and choose Microsoft Teredo Tunneling adapter, and then click Next and it will install it.
To check simply do as it is set to show hidden devices right click on the Device Manager right click view, then show hidden devices.
-
Client VPN with tunneling IPSEC over TCP transport does not
Hello world
Client VPN works well with tunneling IPSEC over UDP transport.
I test to see if it works when I chose the VPN client with ipsec over tcp.
Under the group policy, I disabled the IPSEC over UDP and home port 10000
But the VPN connection has failed.
What should I do to work VPN using IPSEC over TCP
Concerning
MAhesh
Mahesh,
You must use "ikev1 crypto ipsec-over-tcp port 10000.
As crypto isakmp ipsec-over-tcp work on image below 8.3
HTH
-
Static NAT problem with PIX501
Hi all
We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.
6.3 (4) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
pixfirewall hostname
domain ciscopix.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit tcp any host x.x.x.26 eq www
access-list 101 permit tcp any host x.x.x.26 EQ field
access-list 101 permit udp any host x.x.x.26 EQ field
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP address outside x.x.x.28 255.255.255.248
IP address inside 192.168.90.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
location of PDM 192.168.90.0 255.255.255.0 inside
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0
Access-group 101 in external interface
Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.90.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Telnet timeout 5
SSH timeout 5
Console timeout 0
Terminal width 80
: end
the problem is the configuration, we are unable to access the web server both inside and outside the network.
All input will be greatly appreciated.
Kind regards
udimpas
activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:
3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80
3363575: ICMP echo request: external untranslating: inside: 192.168.90.3
3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80
3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:
by doing this, you can 1. Check the nat 2. If the server responds to the internet.
do not forget to allow incoming icmp:
access-l 101 permit icmp any one
Maybe you are looking for
-
I received a bill from iTunes saying: I bought an album that wasn't me. I'm suspicious that the e-mail address doesn't look like an address from apple is a phishing email? He was sent by the sender below - [email protected] I changed my p
-
Including complex.h fails
I want to use the functions of complex numbers in C99 that this pagehttp://digital.ni.com/public.nsf/allkb/73AEAD30C8AF681A86257BBB0054A26B , should be possible. However, Labwindows cannot find the header complex.h file in the #include statement. How
-
2000 HP ethernet controller drivers
I can't find the right drivers for these someone can help? Winows 7 OS. laptop HP 2000 Ethernet controllerPCI\VEN_10EC & DEV_8136 & SUBSYS_3577103C & REV_05PCI\VEN_10EC & DEV_8136 & SUBSYS_3577103CPCI\VEN_10EC & DEV_8136 & CC_020000PCI\VEN_10EC & DEV
-
HP5514 printer - black not printing
Due to no black printing, can be changed on a HP5514 printer printheads? The ink cartridges have been replaced. No error message is displayed.
-
Windows 7 and windeos 10 can be used together on the same PC?
Windows 7 and windeos 10 can be used together on the same PC?