Question about a one-way P2P VPN
Hello support,
I'm having a problem with a P2P VPN. Our side is a Cisco ASA 5512 and the peripheral supplier's side is a firewall of some sort. When we initiate the VPN from our Cisco ASA 5512 end, the VPN comes up fine and communication works in both directions. If I take the VPN down and they then try to initiate it, I never see any traffic arrive at our firewall and the tunnel never comes up. When we run a traceroute from their inside network to our inside network (with them initiating), the trace goes to some edge devices on their end and out to the ISP. There are actually a few public IPs in the traceroute, but when we initiate the VPN from our end and then run a trace on their end, those same public IPs do not show up in the trace.
It almost seems like they have a device on their end that does not correctly handle NAT or routing for the private subnets. Does this sound accurate?
To recap: when we initiate the VPN, things look clean and only private IPs appear in traces on both ends. When they initiate the VPN, traffic never hits our firewall and traces from their side show public IPs along the route.
For now we keep a ping running to keep the VPN alive, but it's not ideal. Any help would be greatly appreciated.
Hey John,
Are you sure that when they initiate traffic from their side's subnet, it is actually hitting the VPN?
Please ask them to run debug crypto on their end and check whether the first packet, UDP 500, is even sent from their end.
Now, in order to keep the tunnel up, you can configure SLA monitoring on the ASA.
Please follow the discussion below to set it up:
https://supportforums.Cisco.com/discussion/11012751/IP-SLA-monitor-VPN
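The SLA-monitor approach the answer points to, written out as an added example in the ASA 8.2 syntax this thread uses. This is not configuration from the original post or from the linked discussion; every address (our LAN 192.168.10.0/24, their LAN 192.168.20.0/24, our outside address 203.0.113.10, their peer 198.51.100.1, the probed host 192.168.20.1) and the crypto ACL name "outside_cryptomap" are assumptions standing in for the real ones.

```text
! Assumed addressing (example, not from the thread):
!   our LAN 192.168.10.0/24, their LAN 192.168.20.0/24,
!   our outside interface 203.0.113.10, their peer 198.51.100.1,
!   a host on their LAN that answers ping: 192.168.20.1,
!   existing crypto ACL name "outside_cryptomap" (first line below stands
!   for the entry the site already has)
!
! An SLA echo sent via "outside" is sourced from that interface's own address,
! so the crypto ACL needs a line for it, otherwise the probe leaves in the
! clear and never triggers IKE. The partner's crypto ACL needs the mirror line
! (192.168.20.0/24 -> host 203.0.113.10) for the same reason.
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 203.0.113.10 192.168.20.0 255.255.255.0
!
! One ICMP echo toward their LAN every 10 seconds, for as long as the ASA is up.
! Every probe is interesting traffic, so the ASA renegotiates the tunnel itself
! instead of waiting for a user's packet; this replaces the ping left running
! on a workstation.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.20.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Optional: a track object gives "show track 1" and a syslog on each state
! change, which is the quickest way to see when the far end stops answering.
track 1 rtr 10 reachability
!
! Verify:
!   show sla monitor operational-state 10   (Number of successes / failures)
!   show crypto isakmp sa                   (peer 198.51.100.1 in MM_ACTIVE)
!   show crypto ipsec sa peer 198.51.100.1  (#pkts encaps rising with the probes)
```

This keeps the tunnel up from our side only; it does not explain why the partner's own initiations never arrive. For that, the debug crypto on their end should be paired with a capture on our outside interface for IKE (for example `capture ike interface outside match udp any any eq 500`, then `show capture ike`): if nothing shows up while they initiate, the packets are being lost or translated before they reach our ASA, which matches the public IPs seen in their traceroute.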
Similar Questions
-
Traffic only permitted one way for VPN-connected computers
Hello
I currently have an ASA 5505. I set it up for remote SSL VPN access. My computers can connect to the VPN fine. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN. It seems that traffic is only allowed one way. I've messed with ACLs but nothing works. Any suggestions please?
DHCP pool: 192.168.250.20-50 (for the LAN)
VPN pool: 192.168.250.100 and 192.168.250.101
Outside interface gets DHCP from the modem
Inside interface: 192.168.1.1
Current running config:
: Saved
:
ASA Version 8.2(5)
!
hostname HardmanASA
enable password # encrypted
passwd # encrypted
names
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello
No worries.
As for the config, I would do the following.
First, it is strongly recommended to use a different IP range for the VPN clients than for the internal network:
no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0
Then give it a try and let us know if it works. Please rate this post hehe
-
How to set up a one-way IPSec L2L tunnel
This may be a silly question, since VPNs are for communication between trusted parties and most people would be trying to fix a one-way tunnel rather than create one.
But I'm interested in turning a regular tunnel into a one-way-only tunnel, so that only my side can initiate it.
Recently we built this tunnel between our ASA 5510 and our business partner's ASA 5510 to run critical applications on their web servers, which are not connected to the Internet. I want to lock it down so that they cannot initiate the VPN. I have the crypto ACL set to limit traffic to one address and port, so they can only come in on that port once the tunnel is established. We also have a personal firewall installed on each host.
Any idea how to make the tunnel one-way and also protect us better once the tunnel is up?
Hello
You can use the following command:
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept a tunnel setup from your business partner. However, you can still initiate the VPN tunnel yourself.
Check:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576
Even though the reference is for ASA 8.0, I know it works on 7.2.x as well.
Hope this helps
Kind regards
Pieter-Jan
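The answer's connection-type command in context, plus the second half of the question (protecting the side that did not initiate once the tunnel is up), as an added example that is not from the original thread or from the Cisco reference. The peer 198.51.100.1, our client 10.1.1.50, their web server 172.16.5.10, the port (443) and the names outside_map, ESP-AES-SHA, L2L-PARTNER and OUTSIDE-IN are all assumed; if the outside interface already carries an ACL, the deny line below has to be merged into it rather than replacing it.

```text
! Assumed names and addressing (example, not from the thread):
!   partner peer 198.51.100.1, our application client 10.1.1.50,
!   their web server 172.16.5.10 on HTTPS, crypto map "outside_map",
!   crypto ACL "L2L-PARTNER", outside interface ACL "OUTSIDE-IN"
!
! 1. Interesting traffic narrowed to one host pair and one port. The partner's
!    crypto ACL must be the exact mirror (source and destination swapped,
!    "eq 443" on their host), otherwise the phase 2 proposal is rejected.
access-list L2L-PARTNER extended permit tcp host 10.1.1.50 host 172.16.5.10 eq 443
!
! 2. Phase 1 / phase 2 parameters and a static crypto map entry for the partner.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key *****
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L-PARTNER
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
!
! 3. Only this ASA may bring the tunnel up. IKE initiations from 198.51.100.1
!    are refused; the partner's entry must stay bidirectional (the default) or
!    answer-only so that it still accepts ours. originate-only needs a static
!    peer address, which a site-to-site entry has anyway.
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside
!
! 4. connection-type decides who may START the tunnel, not what may cross it.
!    Once up, any packet matching L2L-PARTNER is carried in both directions,
!    and by default the ASA skips the interface ACL for decrypted traffic.
!    Disable that bypass so the outside ACL is enforced on packets arriving
!    from the partner: replies to connections we opened are still allowed by
!    the state table, anything the partner originates is dropped and logged.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended deny ip host 172.16.5.10 any log
access-group OUTSIDE-IN in interface outside
!
! Check: "show crypto isakmp sa" lists the peer only after we send traffic;
! "show crypto ipsec sa peer 198.51.100.1" should show #pkts encaps and
! #pkts decaps both increasing while the application is in use.
```

Two things worth checking before relying on this: `show run sysopt` confirms the bypass really is off, and a test connection from the partner's server toward 10.1.1.50 while the tunnel is up should appear as a deny in `show logging` rather than as an accepted connection.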
-
Hello
We have two Expressways and we have received a report from a company that called one of our sites and had a one-way video issue. The caller could not see the person they had dialed, but that person could see the caller. Audio was OK. They were told to place a new call through our other Expressway and all audio and video worked just fine. So I'm trying to understand if there is a difference between the Expressways and why this happens. They both run X8.1.1. The strange thing is that we only received a report from one enterprise, so is the problem with this "faulty" Expressway on our side or theirs? Apparently they do not have problems with anyone else they make calls to...
Looks like maybe it's time to collect logs... but has anyone else encountered this? Hopefully I haven't confused everyone :)
Thank you!
In general I really wouldn't expect things to need a few reboots to register.
Well, sure, a typical tech & TAC response will be "upgrade to the latest", which I also recommend,
but your symptoms are still a bit sketchy.
It's a good start to check whether your firewall/network/DNS/... are OK as well. A lot of issues
are hidden there. It is difficult to see the full extent from here.
Please get some internal or good Cisco partner network resources.
And yes, look into upgrading CUCM!
But the network/environment should still be OK for that as well :-)
Please rate helpful posts with the stars below and mark the thread as answered if this was a response.
-
Does LCCS P2P include one-to-many?
Hello
Just to confirm: does LCCS with Stratus support one-to-many multicast, or only one-to-one?
For example, in a one-to-many video chat, say one user streaming to 7 clients, with LCCS if P2P is available does it use multicast for P2P, or does it switch to hub-and-spoke where the server is streaming?
Cheers
Just to be clear, Stratus does not give you multicast and/or client management. From
the Stratus documentation page:
"Stratus is a beta, hosted rendezvous service that helps establish communication between Flash Player endpoints."
So it is the rtmfp protocol that allows, among other things, multicast. To do multicast you need a way to identify the connected clients. One way is to use a complete rtmfp implementation, as will be provided by future versions of FMS; another is to use Stratus, which provides this feature.
Once you have that, you can write a Flash application that connects to as many clients as you want, but you will find that after a certain number of clients, depending on your network configuration, bandwidth, etc., your application will become unresponsive.
LCCS uses FMS as the communication mechanism, and when configured for the "rtmfp" protocol, a pre-release rtmfp-enabled version of FMS. When working in P2P mode, LCCS handles all the 'management' stuff: which clients to talk to, keeping the connection alive, reconnecting if necessary and switching to non-P2P mode if network conditions worsen or if you have too many clients for a reliable P2P session.
Currently we limit the number of clients connected to a P2P session, and the maximum number is currently not configurable. Not sure what the number is (I don't have the source code handy), but we asked the rtmfp engineers for a reasonable number.
Still, if you implement your own P2P messaging on top of Stratus you can experiment and see what the actual limit is for your particular configuration (which may or may not be higher than what we use). You can probably use one of the Stratus examples to see what you get and then decide which product is best suited to your use case.
-
Somehow the print size of my email has decreased to the point where I can hardly read it.
Somehow the print size of my email has decreased to the point where I can hardly read it. Can any of you tell me which keys to hold and scroll to get a larger print size? Thank you very much.
Original title: Email print size
Sorry, but since this is Yahoo webmail, I'm without a clue. Maybe the Internet Explorer forum or Yahoo support might be more useful.
Internet Explorer forums
http://answers.Microsoft.com/en-us/IE -
Hello support,
I would just like to confirm that an ASA 5505 with two Internet service providers can build a P2P VPN over the backup ISP automatically once the main ISP goes down. Only a single P2P VPN is needed, but if the main ISP goes down and IP SLA detects the failure, can the P2P VPN come up over the backup ISP?
Hi Anthony,
Indeed, if the main ISP goes down the backup ISP will be used based on the configured IP SLA. Many customers usually have the L2L on both the primary and the secondary of a site; however, your setup is also supported.
You can find information about site-to-site backup here.
Also a simple setup for site-to-site with backup here.
Please rate and mark this post as correct!
David Castro,
Kind regards
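The dual-ISP arrangement the answer confirms, as an added configuration example in ASA 8.2 syntax; it is not from the original thread or from the linked Cisco documents. Interface names, the two ISP addresses and gateways, the probe target 8.8.8.8, the peer 192.0.2.1 and the crypto map name l2l_map are assumptions, and the crypto map itself (ACL, transform set, tunnel-group with its pre-shared key) is taken to exist already.

```text
! Assumed addressing (example, not from the thread):
!   primary ISP on "outside": 203.0.113.10/24, gateway 203.0.113.1
!   backup  ISP on "backup":  198.51.100.10/24, gateway 198.51.100.1
!   remote peer 192.0.2.1, an existing crypto map named "l2l_map"
!   probe target 8.8.8.8: something well beyond the ISP gateway, which
!   can still answer ping while its own upstream is dead
!
interface Vlan30
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe through the primary link only; when the probe fails, track 1 goes down.
sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 20 life forever start-time now
track 1 rtr 20 reachability
!
! Tracked default route via the primary ISP; the floating route (metric 254)
! is installed only while track 1 is down, and removed again when it recovers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Bind the SAME crypto map and ISAKMP to both exits so the tunnel can be
! rebuilt out of whichever interface currently owns the default route.
crypto map l2l_map interface outside
crypto map l2l_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
!
! Dead peer detection so the stale SA from the primary address is torn down
! quickly instead of waiting for its lifetime to expire.
tunnel-group 192.0.2.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! The far-end ASA must list both of our addresses as peers, primary first; it
! moves to the next one when the first stops responding:
!   crypto map l2l_map 10 set peer 203.0.113.10 198.51.100.10
!
! Verify which exit is live:
!   show track 1
!   show route | include 0.0.0.0
!   show crypto isakmp sa   (the local address in use changes after failover)
```

Two caveats: on a 5505 with the Base license the third VLAN is restricted and must be created with `no forward interface` toward one of the other VLANs, so check `show version` for the license before adding Vlan30; and if the far end is not a Cisco device that accepts a list of peers, it will need a separate tunnel definition for each of our two addresses.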
-
Problems with a P2P VPN on a DHCP interface
I have successfully configured a P2P VPN between two Cisco 888s using static IP addresses. If I set a single interface to DHCP and the unit is power-cycled, it won't request an IP address until I issue "no crypto map
-
Is there any way other than to_char to get the month from a date field?
Is there any way other than to_char to get the month from a date field?
Hello
raj4tech wrote:
Is there any way other than to_char to get the month from a date field?
EXTRACT is one:
SELECT EXTRACT(MONTH FROM SYSDATE) AS curr_month
FROM dual;
-
I asked a question this morning and it is now 23:13 and I noticed that my question was the only one that has not received a response. My first time here, so I guess I'll have to keep looking elsewhere. My client's site is screwed up on all touch laptops using the Chrome browser, so if anyone knows the answer, it would be very much appreciated:
Hello
I created desktop, tablet and mobile versions of a website. I looked at the site on my Surface Pro 3 and the left half of the screen shows the site, the right half is empty. This happens on other touchscreen tablets as well. After searching through a large number of forums, I realized that the problem is with Chrome. I looked at the site on the Surface Pro 3 with IE and it fills the screen and looks like it should. I have not found a solution to this on the forums; I see responses by Adobe on some forums saying "it is a Chrome issue". Chrome is used by about 70% of users, so it is a big problem. Is there a fix for this yet? Once responsive Muse is released I can redo this site, but meanwhile I need a fix; the site is unacceptable to my client when viewed on touchscreen laptops. Thank you.
Go to the Site Properties. Select the Tablet tab. Uncheck the "Redirect from Desktop" box and re-publish.
-
Is it only a one-way sync?
It doesn't appear that the changes I make in either Illustrator or InDesign get sent back to the app? That would be really great. Maybe I'm not saving correctly? In any case, it looks very promising!
J.
It is one-way. The purpose of the app is to make a mockup, a "comp", sketching a layout.
The file is then sent to InDesign/Illustrator/Photoshop for completing the project.
It is actually quite brilliantly designed and implemented, especially for a 1.0 release.
-
Transaction management in a one-way BPEL process
Hello
I created a one-way BPEL process with the oneWayDeliveryPolicy property set to sync and the transaction property set to required. When I exposed this service as a SOAP service, I see the Transaction Participation in the Web Service adapter under Exposed Services configured as NEVER. Does this mean that the BPEL callee would not participate in the same transaction as the BPEL caller?
Aditya
Hello
The properties refer to support for different transaction "contexts", as you can see in the docs below. bpel.config.transaction refers to BPEL Process Manager transaction semantics, while 'Transaction Participation' refers to WS-AT, which provides transaction interoperability between Oracle WebLogic Server and other vendors' transaction services... I've never tested it myself, but I guess that if your BPEL process is transactional, bpel.config.transaction will prevail...
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071
Cheers,
Vlad -
Very basic one-way Golden Gate configuration
DB version: Oracle 11.2.0.3
Golden Gate version: 11.2 (the latest one, dated September 22, 2012)
Platform: Solaris x86 64-bit
Currently learning Golden Gate by googling, and I'll be installing Golden Gate for the first time.
This is what I'm planning.
I intend to set up a very basic one-way GG, where the SCOTT and HR schemas in the source DB are replicated to the target DB.
Source DB: fncdev
Target DB: sgntgt
What needs to be replicated: SCOTT and HR schemas from source to target (unidirectional)
I would like to know 2 things.
1. What should the contents of the parameter files be?
2. After I have configured GG properly, what would be the output of the INFO ALL command on the source and target?
-- Source database
GGSCI> info all
-- Target database
GGSCI> info all
Basic extract and replicat parameter file contents.
EXTRACT E_TEST1
SETENV (ORACLE_SID = OGGTEST)
USERID GGADMIN, PASSWORD *****
EXTTRAIL /goldengate/gg_trail/trail/test
-- Add the lines below only if DDL replication is configured.
-- DDL INCLUDE MAPPED
-- DDLOPTIONS ADDTRANDATA, REPORT
TABLE HR.*;
TABLE SCOTT.*;
-------------------------------------------------------------------------------------------------
REPLICAT R_TEST1
SETENV (ORACLE_SID = OGGTEST)
USERID GGADMIN, PASSWORD *****
ASSUMETARGETDEFS
DISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, MEGABYTES 1024
MAP HR.*, TARGET HR.*;
MAP SCOTT.*, TARGET SCOTT.*;
I hope these samples help!
Kind regards
RB -
Site-to-site VPN with one-way data (need help)
Hello
Scenario:
Site-to-site VPN with Cisco 837 routers:
Site A: clients and printers
Site B: servers and print queues
Site A can communicate over the VPN with site B using RDP, just fine.
Question:
Site B cannot send print jobs to printers on site A, and is also unable to telnet to or otherwise access devices on site A from site B. Pings work correctly to all devices, though.
Debugging on site A with access-list 110 showed no response traffic to site B via the VPN?
I tried changing ip tcp adjust-mss 1452 but no good...
Configs attached.
Site A IOS: c837-k9o3y6-mz.123-4.T3.bin
Site B IOS: c837-k9o3sy6-mz.123-2.XC2.bin
Any help would be appreciated.
Thank you very much...
Thank you for including the configs and IOS versions. It looks like you hit a known IOS FW bug (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search); you can perform the debugging described in the bug details to know for sure. It is difficult to tell which router would be the culprit in a scenario where both run CBAC on an L2L tunnel, but RouterA is probably dropping packets. This would also explain why pings work but TCP connections do not.
I would upgrade BOTH routers to the same version anyway; you encounter far fewer problems that way, but make sure that you upgrade to one of the fixed-in versions (or later) to work around the problem.
-
Intermittent one-way audio via VPN NEM
I have a user who uses an ASA 5505 in NEM to have access for his laptop and home Cisco IP phone. The ASA 5505 establishes a tunnel to an ASA 5510, which is connected to and speaking EIGRP with our main switch. Off the main switch we have our CCM cluster.
The problem occurs during the first call after a long period with no calls. After that, if it happened during the first call, he or she can continue to make calls without the issue. I thought it was a timeout issue, but this ASA's configuration is exactly the same as the others. In addition, it uses the same group policy, tunnel-group etc. as everyone else with the same configuration.
When the problem occurs, he cannot hear the other party but they can hear him.
This problem occurs regardless of whether or not there is a PC behind the phone.
External and internal calls are affected.
I am aware that most one-way audio issues are RTP connectivity issues between the two endpoints. I can clearly see in the routing tables of all our routers that the path to the subnet his phone is on has not changed for days, and he has had the issue within this period.
I'm looking for a good place to begin troubleshooting that doesn't require me to take a pcap. If all else fails I'll do a pcap, but I'm trying to be somewhat judicious with my time.
I am certainly able to accept that maybe it's his router at home, since that is one of the only unique things about access at his location compared to the other 20 people I have done this for.
Thanks in advance.
Cisco IP Phone 7941
CCM 7.1.5.32900-2
ASA 5505 8.2(5)
ASA 5510 8.2(5)
Edit: Moved to VPN
Hello
I suggest you check whether the number of packets increases during an ongoing call (press '?' twice on the phone).
Also, I think you asked this question in the wrong discussion group; it should be under Security instead of Voice.