Question regarding site-to-site VPN with certificate authentication
Currently we are building a site-to-site VPN tunnel with our client. Usually we use a pre-shared key for authentication with other customers without any problems, but this time we must use certificate authentication with them. The question is that our CA is different from theirs. I tried a few times, but it failed. Could someone please let me know whether the certificates must be issued by the same certification authority to create the VPN tunnel?
Thank you very much!
Hello
You can read this document for a simple example of setting up a site-to-site VPN using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Basically both sides must have the same certification authority, and if there is an intermediate certificate it must be installed as well. The 2 ASAs will generate a CSR (certificate signing request), then the PKI will create a certificate for both parties, commonly called an "identity certificate".
Please rate and mark the post as answered if it was helpful!
David Castro,
Kind regards
Similar Questions
-
Is a site-to-site VPN with a router sufficiently secure?
Hello
I have a question about site-to-site VPN with a router.
Internet <> router <> LAN
If I have a site-to-site VPN configured on the router above with another site, and I have configured an access list to block incoming Internet connections with the exception of the VPN, what are the risks of the LAN being exposed to threats from the Internet? Would you recommend putting a firewall between the router and the LAN, or replacing the router with a firewall?
Thank you
Hi Amanda,
Assuming your L2L looks like this:
LAN - router - INTERNET - Router_Remote - LAN
|-------------------------------------------------------------------------------|
L2L
Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security settings (strong encryption) to ensure that the encrypted traffic cannot be compromised across the Internet.
On the other hand, if you are talking about outbound plaintext traffic to the Internet, as when a user accesses google.com, then you just let traffic out, but never allow all incoming connections.
If you want to protect your network with advanced security features such as a firewall, you can consider ZBF, which is available in the IOS Firewall feature set:
Zone-Based Policy Firewall Design and Application Guide
If you consider that this is not enough, check the ASA 5500 series.
HTH.
Portu.
Please rate all useful posts
-
Site-to-site VPN with IOS router
I want to create a site-to-site VPN over the Internet. At the remote site, aside from the VPN to the head office, there should be no traffic allowed in from the Internet to the internal network, and there should be no traffic from the internal network to the Internet allowed. The internal network will use a private 192.168.x.x address range.
I'm going to use a Cisco 2811 Integrated Services Router at the remote site and this will terminate an IPSec VPN that ends on a concentrator at Headquarters. I understand that this router has an IOS firewall and IPS built in.
Would I be right in thinking that, because I don't want any Internet access (except the VPN), I don't need to configure the IOS firewall features on the router? And there would be no point in configuring the IPS features either?
My thought is that a single access list entry of deny ip any any applied inbound on the interface that connects to the Internet would be the best strategy. I think the command "sysopt connection permit-ipsec" should allow the VPN to form even with the deny ip any any ACL (or is it just a PIX command? If so, then I would have to allow ESP and UDP 500 (ISAKMP) from the public address of the concentrator at Headquarters to allow the VPN to form, wouldn't I?).
I think I'll probably expand the access list slightly to allow ICMP, SSH and HTTPS traffic from the outside IP address of the Headquarters firewall so that I can monitor the remote site and access it safely if the VPN fails.
And I wouldn't need an access list on the interface connected to the internal network, I would think, because the address range would not be routable, so they would not be able to initiate connections to the Internet (all the traffic from the remote site is specified as interesting traffic to bring up the VPN).
Using any of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case, wouldn't it?
I really just need to know if the deny ip any any ACL on the external interface at the remote site is the best (and simplest) solution, and whether it will be safe.
We used to use PIX firewalls for remote site-to-site VPN, which refuse incoming connections on the external interface by default, but now I have been informed that these 2800 series routers will be used instead, so I would like to get my thoughts straight and be able to build something safe that does the same job all the existing PIXes are doing (they are all installed just for the VPN to Headquarters as in the first paragraph).
I would appreciate any advice or thoughts on the subject. I'm sure there must be a ton of people who use routers for the same purpose.
Thank you in advance.
Pete.
Pete
I have done a lot of site-to-site VPN implementations using IOS routers. They work very well. Based on my experience I offer these comments and I hope they will help you:
- You do want an inbound access list on the external interface, but you want more in it than simply deny ip any any. There is no sysopt connection permit-ipsec in IOS, so you certainly want to permit ISAKMP and IPSec/ESP. I suggest that you also want to permit SSH. I would allow ICMP, but only from the address space of the head-end network. I do not allow HTTPS since I generally do not enable the HTTP server on the router. If you want HTTPS then certainly enable it. To facilitate ping and traceroute from the remote I frequently permit icmp echo-reply, time-exceeded and port-unreachable from any source.
- I do want an access list on the inside interface. There are certain types of traffic that I don't want to send from the remote LAN. I usually deny any SNMP or SNMP trap from LAN devices and deny ICMP redirects out of the local network. I also often configure RPF checks on the inside interface to catch any device which is misconfigured.
- If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least one (and maybe more) user ID and password on the router. And you want to configure authentication on the vty to use local authentication if the head-end authentication server is not available.
- I'm not clear from your description whether you plan to run a dynamic routing protocol over the VPN. I like to have a dynamic routing protocol because I want to advertise a default route to the remote via the VPN. I do not configure a default route locally on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel, and if the VPN tunnel is not up then there is no local default route and users at the remote site cannot access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.
- Regarding the routes defined on the remote router, my approach is that I define a static route for the tunnel endpoint to allow the tunnel to come up, and I set up a static route for the head-end subnet from which I SSH. And I do not configure any other static routes on the remote router.
- You probably want to disable CDP on the external interface and also disable proxy-arp (and I do no ip unreachables).
- There is frequently a problem with fragmentation when using site-to-site VPN. If a device on the local network sends a maximum-size frame, and then the router needs to add the additional headers for IPSec, the frame is too large and requires fragmentation. I like to use ip tcp adjust-mss to control the segment size for TCP traffic and avoid any problems with fragmentation.
- I don't think you want to set up the firewall or IPS features of IOS on the 2811.
I hope that your implementation goes well and that my suggestions are useful.
[edit] After posting my response, I read through your post again and realize that you are connecting to a VPN concentrator. The approach I proposed of running a routing protocol works for me because I usually have an IOS router at the head end. It would not work when connecting to a concentrator.
HTH
Rick
-
Problems with site-to-site VPN between two ASAs
I tried different ways to make this work, but failed. After 8 hours, I literally have a bad headache and have to step away for a minute. I realize I need to ping between the tunnels mentioned, but still cannot. Can someone take a look and tell me where I have gone wrong? I'm trying to configure a site-to-site VPN between:
ASA_A
outside interface 5.179.17.66
inside interface 10.1.1.1
ASA B
outside interface 5.81.57.19
inside interface 10.1.2.1
First, why do you have two DGs on the box?
route outside 0.0.0.0 0.0.0.0 5.179.121.65 1
route outside 0.0.0.0 0.0.0.0 5.179.17.65 1
Fix that and then it should work.
Thank you
Ajay
-
Site-to-site VPN with PIX, multiple tunnels
Hello
I have a site-to-site VPN tunnel between two PIX firewalls.
Is it possible to build, on one side, another site-to-site VPN tunnel with a third PIX?
Thank you
Robert
Robert
You can only use one crypto map on an interface, but you can have multiple sequence numbers within your crypto map, so your config:
The existing tunnel
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
Your new tunnel
crypto map mykink1 2 ipsec-isakmp
crypto map mykink1 2 match address "acl number"
crypto map mykink1 2 set peer "new peer address"
crypto map mykink1 2 set transform-set "new transform set"
crypto map mykink1 2 set security-association lifetime seconds "number of seconds"
You must fill in the correct values in the "" marks.
Note that the sequence number is incremented from 1 in your first entry to 2 in the second entry.
You can specify the security association lifetime in the crypto map config, which overrides the global settings.
Adding this config should not affect your existing tunnel.
HTH
Jon
-
Site-to-site VPN with ASA 5500 series SSL?
We have DLink DIR-130 routers, ASA 5505s and PIXes, all working well with our PIX 515E, which we need to replace.
We also have satellite Internet in two places. High latency makes IPsec VPN to the DLinks at these sites very slow.
We were informed by HughesNet that an SSL VPN will mitigate some of the latency problems.
However, we cannot use a VPN client for the biometric timeclocks in these places; the clocks need static IP addresses and are more or less "dumb terminals".
Does the ASA 5500 series do site-to-site SSL VPN similar to OpenVPN, or only the more common client-server type SSL VPN connections?
Thank you, Tom
Hi Thomas,
The SSL VPN feature on ASAs is a client/server relationship where the remote computer can connect either clientless (browser) or client-based (AnyConnect) to the ASA.
Federico.
-
Multi-site VPN with just the Cisco VPN client
Hello everyone
Please, I need your help.
We have a headquarters office and up to 60 branch offices, and we want to create a VPN network between them. So we plan to deploy 2 Cisco Easy VPN server routers with HA (HSRP) at the headquarters office; all branches have ADSL connections and will use just the Cisco VPN client to connect to the headquarters office.
My question is: is it possible to do it just with the Cisco VPN client, without purchasing a Cisco router for each branch to create an IPsec tunnel, because that is so expensive?
It depends on whether the routers at the offices can handle NAT with several internal VPN clients to 1 IP address. Most newer hardware should be fine. Keep in mind the maximum VPN client limit; with 60 branches and 5 people each you are above the limit.
Michael
Please rate all useful posts
-
Site-to-site VPN with VPN Client access to both sites?
Current situation:
The scenario is a remote office to the main office. Site-to-site IPSEC tunnel from the remote (Netscreen) to the main office (PIX 506E). Cisco VPN Client to the main office for remote access users.
Everything works perfectly.
Problem:
Now we want remote users who connect to the main office to also be able to access resources in the remote office.
This seems like it would be easy to implement, but I can't figure it out.
Thanks in advance.
Rollo
----------
#10.10.10.0 = Network1
#10.10.11.0 = Network2
#172.16.1.0 = vpn pool
PIX Version 6.3(4)
access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list splitTunnel permit ip 10.10.10.0 255.255.255.0 any
access-list splitTunnel permit ip 10.10.11.0 255.255.255.0 any
access-list 115 permit ip any 172.16.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.0-172.16.1.50
global (outside) 1 interface
global (outside) 10 209.x.x.x netmask 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 10 10.10.10.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto dynamic-map Clients_VPN-dynmap 10 set transform-set RIGHT
crypto map Myset1 35 ipsec-isakmp
crypto map Myset1 35 match address 116
crypto map Myset1 35 set peer x.x.x.x
crypto map Myset1 35 set transform-set Myset1
crypto map Myset1 90 ipsec-isakmp dynamic Clients_VPN-dynmap
crypto map Myset1 client configuration address initiate
crypto map Myset1 client configuration address respond
crypto map Myset1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server dns1 dns2
vpngroup mygroup wins-server wins1 wins2
vpngroup mygroup default-domain mydomain
vpngroup mygroup split-tunnel splitTunnel
vpngroup mygroup idle-time 64000
vpngroup mygroup password ********
telnet timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
Hi Rollo,
You cannot implement this for a simple reason: it is not supported on PIX version 6.x. It relies on the PIX 7.x version, but 7.x is not supported on the PIX 506. Thus, in a word, it cannot be achieved on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or a concentrator instead, it can be achieved.
HTH,
Please rate if this helps,
Kind regards
Kamal
-
Dear NetPro gurus,
Does an upstream router with IOS 15 play a role in not allowing s2s VPN traffic
from a 5520 ASA to pass through? If this is the case, how do we solve this problem?
Regards
Faiz
Nothing needs to be done to pass the VPN traffic through as far as the licensing concerns on IOS 15.0 go.
If you actually terminate the IPSec VPN tunnel on the IOS 15.0 router, then yes, you would need the security K9 license, but to pass the traffic through, no additional license is required.
-
Cisco ASA site-to-site VPN IPSEC and NAT question
Hi people,
I have a question about site-to-site IPSEC VPN and NAT. Basically what I want to achieve is the following:
ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static site-to-site IPSEC VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPSEC VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 with destination address, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)
The translation holds for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we provided this to our customers (IPsec site-to-site VPN with NAT; I don't know how it was set up).
Basically we contacted the customer's hosts via the site-to-site VPN but their real addresses were hidden and we used a translated address range such as 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte had to be the same.
I'd be grateful if someone can shed some light on this subject.
Hello
OK, so going with the old NAT configuration format
It seems to me that you could do the following:
- Configure ASA1 with static Policy NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
- Because the above is a static Policy NAT, the translation will be done only when the destination network is 10.1.0.0/16
- If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration should not interfere with each other
- On the ASA2 side, you can configure NAT0 / NAT Exemption for the 10.1.0.0/16 network as usual
- access-list INSIDE-SHEEP remark L2LVPN SHEEP
- access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-SHEEP
- You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration tomorrow, but I would like to know whether it works for you.
Please rate if this was helpful
-Jouni
-
Site-to-site VPN with two Cisco 2801s and NAT traversal
Hi guys,
I would like to configure two Cisco 2801s using IPSEC/IKE. Both routers are connected to the Internet through DSL lines. The DSL lines have RFC1918 addresses on the LAN side, where the routers connect to the Internet-facing modems. I can do NAT on the DSL modems.
Do Cisco 2801 IOS routers allow configuring a site-to-site VPN with NAT traversal?
Here is a model of the physical/IP configuration:
LAN <-> 2801 <-priv ip-> DSL modem <-Internet-> DSL modem <-priv ip-> 2801 <-> LAN
Thank you
Gonçalo
Yes, you're good to go, but only if one or both of the sites has a public IP address which is statically NATed to the private IP address. The IPSec implementation on ISRs supports NAT traversal in most cases, so that shouldn't be a concern.
-
Site-to-site VPN using one interface for peer and LAN
Hello
I have an ASA 5580 for a site-to-site VPN with our partner. The VPN connection is through my outside interface and the local network for the VPN also comes from the outside interface. Is it possible to do this? Thank you.
The layout you describe is contrary to the basic firewall concept of trusted and untrusted interfaces (higher and lower security level).
If your LAN is on the outside interface, what is to stop remote users simply accessing it directly?
-
Question about ACLs on the 2621 when using site-to-site VPN
I have set up two site-to-site VPNs. We have an ASA at our headquarters and the branches use IOS routers, one an 1811 and the other a 2621. Both are running the latest versions of IOS, respectively. Both site-to-site VPNs work. I have an inbound access list on the external interfaces of both routers that allows only IP traffic from the IP address of the ASA. All other traffic is denied. I set up NAT overload in the typical way, and I use ip inspect outbound on the same interface to allow return traffic for Internet browsing. This configuration works very well with the 1811, where all traffic is blocked except IP (IPSEC) traffic coming from the ASA. Hosts at our headquarters can reach hosts behind the 1811 and vice versa.
Here's my problem: the 2621 is processing the encapsulated traffic on the external interface and blocking this traffic because it does not match. I know because when I turn on logging/debugging on the 2621, I see inbound traffic blocked by the ACL. Technically, I guess it should not, but on this interface the traffic is still encapsulated, so I think it should match the access list and then go to the crypto map for decapsulation and be sent to the destination host, just as it does on the 1811. I don't want to create another line in the access list for all the subnets at Headquarters. Why does it not work the same way as it does on the 1811? Is there something else I need to enable?
------------------------------------------------------------------------
Config of 1811:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
!
hostname BranchVPN1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect name internet udp timeout 30
ip inspect name internet tcp timeout 30
ip inspect name internet ftp timeout 30
ip inspect name internet http timeout 30
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall ftps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name xxxx
!
!
!
!
username xxxxxxxxxx
!
!
!
class-map match-all vpn_traffic
 match access-group name police
!
!
policy-map VPN
 class vpn_traffic
  police 2000000 37500 conform-action transmit exceed-action drop
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxx address xxxxxx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxtransform esp-aes 256 esp-sha-hmac
!
crypto map xxmap 10 ipsec-isakmp
 set peer xxxx
 set transform-set xxtransform
 set pfs group2
 match address tunnelnetworks
 reverse-route static
!
!
!
interface Loopback0
 ip address 172.16.99.1 255.255.255.255
!
interface FastEthernet0/0
 description Connection to Internet (DHCP)
 ip address dhcp
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map xxmap
!
interface FastEthernet0/1
 description Connection to local network
 ip address 172.20.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 service-policy input VPN
!
interface Serial0/0/0
 no ip address
 shutdown
 no cdp enable
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list nat-acl interface FastEthernet0/0 overload
!
ip access-list extended nat-acl
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended outside_in
 permit udp any eq bootps host 255.255.255.255 eq bootpc
 permit ip host (ASA IPADDR) any
 deny   ip any any log
ip access-list extended police
 deny   ip host xxxx any
 deny   ip any host xxxx
 permit ip 172.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended tunnelnetworks
 permit ip host 172.16.99.1 10.0.0.0 0.255.255.255
 permit ip 172.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
logging trap debugging
logging source-interface Loopback0
logging xxxx
access-list 160 remark t is
no cdp run
!
!
control-plane
!
banner motd ^CCAuthorized technician!
^C
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end
------------------------------------------------------------------------
2621 Config:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
!
hostname BranchVPN2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization console
aaa authorization exec default local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip domain name xxxx
!
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect name internet udp timeout 30
ip inspect name internet tcp timeout 30
ip inspect name internet ftp timeout 30
ip inspect name internet http timeout 30
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall ftp
ip inspect name firewall http
ip audit po max-events 100
!
!
username xxxxxxxxxxxx
!
!
!
class-map match-all vpn_traffic
 match access-group name police
!
!
policy-map VPN
 class vpn_traffic
  police 2000000 37500 conform-action transmit exceed-action drop
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxx address xxxxx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxtransform esp-aes 256 esp-sha-hmac
!
crypto map xxmap 10 ipsec-isakmp
 set peer xxxx
 set transform-set xxtransform
 set pfs group2
 match address tunnelnetworks
 reverse-route remote-peer
!
!
!
!
interface Loopback0
 ip address 172.16.99.2 255.255.255.255
!
interface FastEthernet0/0
 description Connection to Internet (DHCP)
 ip address dhcp
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 duplex auto
 speed auto
 no cdp enable
 crypto map xxmap
!
interface Serial0/0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0/1
 description Connection to local network
 ip address 172.20.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
 service-policy input VPN
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
ip nat inside source list nat-acl interface FastEthernet0/0 overload
no ip http server
ip http authentication local
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
!
ip access-list extended nat-acl
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended outside_in
 permit udp any eq bootps host 255.255.255.255 eq bootpc
 permit ip host (ASA IPADDR) any
 deny   ip any any log
ip access-list extended police
 deny   ip host xxxx any
 deny   ip any host xxxx
 permit ip 172.20.2.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended tunnelnetworks
 permit ip host 172.16.99.2 10.0.0.0 0.255.255.255
 permit ip 172.20.2.0 0.0.0.255 10.0.0.0 0.255.255.255
logging trap debugging
logging source-interface Loopback0
logging xxxx
no cdp run
!
!
!
!
!
banner motd ^CCCAuthorized technician!
^C
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 logging synchronous
 transport input ssh
!
!
end
Please check if this helps:
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_crpks.html
Federico.
-
Site-to-site VPN question: passing a public IP through IPSEC
Hi all
I need to create a site-to-site VPN tunnel using IPSEC between two offices over the Internet. The offices belong to two different companies.
They gave me a range of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router's external interface (which is a Cisco 851) and it is also my site's VPN endpoint. So far so good...
Here's my problem: the source IP of the encrypted traffic is a public address from within my 16 public IPs (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, however, expects to receive data from the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two endpoints establishes without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get it through the tunnel. I enclose my router configuration.
Any help is appreciated.
The access list "natted-traffic" should say:
ip access-list extended natted-traffic
 deny ip host 192.168.0.160 BB. ABM ABM BD
 deny ip host 192.168.0.160 BB. ABM BB.BE
exit
I hope this helps.
-Kanishka
-
Problems with site-to-site VPN
Hello everyone
I recently got assigned the task of configuring a site-to-site VPN and this is my first time. I'm trying to set up a site-to-site VPN with a PIX 501 but am running into issues. I managed to get the output below, but I'm stuck now and do not know what the problem could be. Here's the debug output.
Any help is greatly appreciated on what the potential problem could be.
-AK
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=3276/2 sec.
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 413131006:189fe0fe
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3e9451fa(1049907706) for SA
from 208.249.117.203 to 70.91.20.245 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:208.249.117.203/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3425658127, spi size = 16
ISAKMP (0): deleting SA: src 70.91.20.245, dst 208.249.117.203
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xac149c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:208.249.117.203/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 208.249.117.203
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 70.91.20.245, remote= 208.249.117.203,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
Hello
From the logs, I see you are using a VPN 3000 Concentrator as the remote VPN endpoint. Also, the following section of the debugs is interesting:
(identity) local= 70.91.20.245, remote= 208.249.117.203,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
- It looks like the interesting traffic on our PIX and on the concentrator are not mirror images of each other, and hence it does not work. Can you please paste the crypto access lists of the PIX here, so that I can analyze the entries.
- Also, please make sure that you have followed all the steps of the VPN configuration according to the following links:
If your PIX is running version 7.x and above: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml
If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml
Once you have checked the config on the PIX and the concentrator, please provide me with the output of "sh cry isa sa" and "sh cry ipsec sa" from the PIX. With this output, we can continue to troubleshoot if there are more issues.
Let me know if this helps,
See you soon,
Christian V
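The mismatch Christian V points at (the PIX proposing 0.0.0.0/0 <-> 206.200.22.0/24 while the concentrator protects something narrower, followed by the peer's DELETE) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the proxy identities out of the PIX debug excerpt above and compares them with the peer's crypto ACL. The concentrator ACL (206.200.22.0/24 <-> 192.168.1.0/24) and the corrected PIX ACL are constructed assumptions, since the post does not show them.

```python
"""Added example: pull the IPsec proxy identities out of a PIX
'debug crypto isakmp' / 'debug crypto ipsec' capture and check that the
two peers' crypto ACLs mirror each other. Standard library only."""
import ipaddress
import re

# Shape of the PIX proxy-identity lines as they appear in the debug above.
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy\s*=\s*"
    r"(?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)"
)
DELETE_RE = re.compile(r"processing DELETE payload")


def parse_proxy_ids(debug_text):
    """Return {'local': (network, proto, port), 'remote': (...)} from the debug."""
    ids = {}
    for m in PROXY_RE.finditer(debug_text):
        # PIX prints address/mask; strict=False tolerates host bits being set.
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        ids[m["side"]] = (net, int(m["proto"]), int(m["port"]))
    return ids


def received_delete(debug_text):
    """True if the peer tore the SA down with a DELETE payload, as in the post."""
    return DELETE_RE.search(debug_text) is not None


def acl_from_proxy_ids(ids):
    """The (src, dst) pair this side proposed, as a one-entry crypto ACL."""
    return [(ids["local"][0], ids["remote"][0])]


def mirror_mismatches(local_acl, remote_acl):
    """Return (missing_on_remote, missing_on_local): entries of one side that
    do not appear reversed on the other. Both lists empty means mirrored."""
    local_set = set(local_acl)
    remote_reversed = {(d, s) for s, d in remote_acl}
    missing_on_remote = [e for e in local_acl if e not in remote_reversed]
    missing_on_local = [e for e in remote_reversed if e not in local_set]
    return missing_on_remote, missing_on_local


# Excerpt of the debug from the post (IPsec timer block plus the DELETE).
PIX_DEBUG = """\
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 70.91.20.245, remote= 208.249.117.203,
  local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
  remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): processing DELETE payload. message ID = 3425658127, spi size = 16
"""

# Assumed crypto ACL on the concentrator (constructed; the post does not show
# it): it protects 206.200.22.0/24 <-> 192.168.1.0/24, not "any".
CONCENTRATOR_ACL = [
    (ipaddress.ip_network("206.200.22.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]

# The PIX crypto ACL that would mirror it (constructed).
FIXED_PIX_ACL = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("206.200.22.0/24")),
]


def analyse(debug_text, peer_acl):
    """Summarise what the debug says about the proxy identities vs. the peer's ACL."""
    ids = parse_proxy_ids(debug_text)
    missing_on_remote, missing_on_local = mirror_mismatches(
        acl_from_proxy_ids(ids), peer_acl
    )
    return {
        "local_proxy": str(ids["local"][0]),
        "remote_proxy": str(ids["remote"][0]),
        "peer_sent_delete": received_delete(debug_text),
        "mirrored": not (missing_on_remote or missing_on_local),
    }


if __name__ == "__main__":
    print(analyse(PIX_DEBUG, CONCENTRATOR_ACL))   # mirrored: False
    print(mirror_mismatches(FIXED_PIX_ACL, CONCENTRATOR_ACL))  # ([], [])
```

Run with the real `debug crypto ipsec` output and the peer's crypto ACL transcribed as (src, dst) pairs; a non-empty mismatch list together with a DELETE from the peer is the signature of the "interesting traffic is not a mirror image" condition described in the answer.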