Redirect VPN traffic to a single ip LAN
Hello world
I have this problem: my company needs access profiles for VPN connections, because different users must reach different internal hosts.
To do this, I configured a group policy and assigned it a standard ACL that allows only a single IP address in my local network.
But when I open the tunnel, I can't reach that IP address.
How can I achieve this?
TNX
Like this:
https://supportforums.Cisco.com/document/44566/ASA-83-NAT-exemption-exam...
Tags: Cisco Security
Similar Questions
-
Cisco IPsec VPN connects but cannot communicate with LAN
I have a Cisco 1921 running 15.2(4)M3. I set up an IPsec VPN and clients can connect, but they cannot ping anything inside. A look at what could be wrong with my config would be greatly appreciated. I have posted the configuration along with a few IPsec show outputs. I also tried from multiple operating systems using the Cisco VPN client and Shrew Soft. I am able to connect to another 1921 running an IPsec VPN from both of these computers using a client.
Thanks for any assistance
sh run
!
aaa new-model
!
aaa authentication login radius_auth group radius local
aaa authentication login VPN_AUTHEN group radius local
aaa authorization network network_vpn_author local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PST recurring
!
no ip source-route
ip options drop
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name XXX.local
ip inspect max-incomplete high 3000
ip inspect max-incomplete low 2800
ip inspect one-minute low 2800
ip inspect one-minute high 3000
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2909270577
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2909270577
 revocation-check none
 rsakeypair TP-self-signed-2909270577
!
crypto pki certificate chain TP-self-signed-2909270577
 certificate self-signed 01
license udi pid CISCO1921/K9 sn FTX1715818R
!
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
object-group network ADMIN_HOSTS
 range 71.X.X.X 71.X.X.X
!
username name1 privilege 15 secret 4 XXXXXXX
!
redundancy
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group roaming_vpn
 key XXXXX
 dns 192.168.10.10 10.1.1.1
 domain XXX.local
 pool VPN_POOL_1
 acl client_vpn_traffic
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map VPN_DYNMAP_1 1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list VPN_AUTHEN
crypto map SDM_CMAP_1 isakmp authorization list network_vpn_author
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic VPN_DYNMAP_1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 76.W.E.R 255.255.255.248
 ip access-group ATT_Outside_In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.1.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 10.1.2.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip local pool VPN_POOL_1 192.168.168.193 192.168.168.254
ip forward-protocol nd
!
ip http server
ip http authentication aaa login-authentication ADMIN_AUTHEN
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ATT_NAT_LIST interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 25 76.W.E.R 25 extendable
ip nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extendable
ip nat inside source static tcp 192.168.10.10 443 76.W.E.R 443 extendable
ip nat inside source static tcp 192.168.10.10 987 76.W.E.R 987 extendable
ip route 0.0.0.0 0.0.0.0 76.W.E.F
!
ip access-list extended ATT_Outside_In
 permit tcp object-group ADMIN_HOSTS any eq 22
 permit tcp any host 76.W.E.R eq www
 permit tcp any host 76.W.E.R eq 443
 permit tcp any host 76.W.E.R eq 987
 permit tcp any host 76.W.E.R eq smtp
 permit icmp any any echo-reply
 permit icmp any any
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit udp any any eq non500-isakmp
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
ip access-list extended NAT_LIST
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
ip access-list extended client_vpn_traffic
 permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 permit ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/1.10
logging trap errors
logging origin-id hostname
logging source-interface GigabitEthernet0/1.10
!
route-map ATT_NAT_LIST permit 20
 match ip address NAT_LIST
 match interface GigabitEthernet0/0
!
!
snmp-server community [email protected]/*/!s RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps c3g
snmp-server enable traps entity-sensor threshold
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps waas
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps firewall serverstatus
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
radius-server dead-criteria tries 2
radius-server host 192.168.10.10
radius-server timeout 2
radius-server key XXXXXXX
!
!
!
control-plane
!
line con 0
 privilege level 15
 login authentication radius_auth
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login authentication radius_auth
 transport input ssh
line vty 5 15
 privilege level 15
 login authentication radius_auth
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.10.10
ntp server 64.250.229.100
!
end

Router#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
   current_peer 75.X.X.X port 2642
     PERMIT, flags={}
    #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x5D423270(1564619376)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x2A5177DD(709982173)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301748/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5D423270(1564619376)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301637/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
76.W.E.R        75.X.X.X        QM_IDLE           1055 ACTIVE

IPv6 Crypto ISAKMP SA
In your NAT ACL, you will need to deny your VPN traffic before you permit the subnet at all. Just put all the deny statements before the permit statements.
Sent from Cisco Technical Support iPhone App
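To see why the order of the NAT_LIST entries matters, here is an added example (not from the thread, and not Cisco's code) that replays the posted ACL with first-match semantics, once as posted and once with the deny lines moved first, against a LAN-to-VPN-client flow. The "any" entries are written the IOS way (0.0.0.0 with wildcard 255.255.255.255); the internet destination 203.0.113.5 is a constructed documentation address.

```python
"""First-match replay of the router's NAT_LIST access list (added example)."""
import ipaddress

# The NAT_LIST entries as posted: (action, src, src-wildcard, dst, dst-wildcard).
# "any" is encoded as 0.0.0.0 with wildcard 255.255.255.255, as IOS stores it.
NAT_LIST_AS_POSTED = [
    ("permit", "10.1.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.168.192", "0.0.0.63"),
    ("deny", "10.1.1.0", "0.0.0.255", "192.168.168.192", "0.0.0.63"),
    ("deny", "10.1.2.0", "0.0.0.255", "192.168.168.192", "0.0.0.63"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """Action of the first entry that matches; no match falls to the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def denies_first(acl):
    """The reordering the reply recommends: every deny line ahead of every permit line."""
    return [e for e in acl if e[0] == "deny"] + [e for e in acl if e[0] == "permit"]


def will_be_translated(acl, src: str, dst: str) -> bool:
    """A NAT route-map translates a packet its ACL permits, so 'permit' here means the
    inside source is overloaded onto the outside address before the crypto map sees it
    and the packet no longer matches the client_vpn_traffic ACL."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed flows: LAN server to a VPN client in the pool, and LAN server to the internet.
    flows = [("192.168.10.10", "192.168.168.213"), ("192.168.10.10", "203.0.113.5")]
    variants = (("as posted", NAT_LIST_AS_POSTED), ("denies first", denies_first(NAT_LIST_AS_POSTED)))
    for name, acl in variants:
        for src, dst in flows:
            print(f"{name:13s} {src} -> {dst}: translated={will_be_translated(acl, src, dst)}")
```

With the ACL as posted the return traffic to 192.168.168.213 is translated and the tunnel never carries it; with the deny lines first it is exempted while internet-bound traffic is still translated.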
-
ASA does not encrypt interesting VPN traffic
Hello everybody out there using ASA.
I had a few IPsec VPN tunnels between the company's central site and remote sites.
Two DSL lines were connected to the ASA, one for VPN traffic and the other for the internet.
The default gateway was configured on the internet line, while some static routes ensured that traffic to the company sites was sent through the other line.
A few days ago we changed the ASA configuration to use only a single DSL connection: the line serving the internet was cut, the other became the default gateway and the static routes were removed.
The VPN connections instantly stopped working; when trying to send packets to the remote LAN, it seems that the ASA does not recognize that the traffic should be encrypted. Obviously we checked the crypto map, ACL, etc., but we find no problem... do you have any suggestions?
Thanks in advance,
Matt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
object network XNetwork
 subnet 10.10.0.0 255.255.255.0
object network YNetwork
 subnet 172.0.1.0 255.255.255.0
crypto map RB1ITSHDSL001_map2 1 match address RB1ITSHDSL001_1_cryptomap
crypto map RB1ITSHDSL001_map2 1 set peer a.b.c.186
crypto map RB1ITSHDSL001_map2 1 set transform-set ESP-3DES-SHA
access-list RB1ITSHDSL001_1_cryptomap extended permit ip object XNetwork object YNetwork
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hello
From your output, the ASA should be encrypting the traffic between XNetwork and YNetwork.
If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.
When the ASA receives a packet, it first checks whether an ACL allows the traffic, passes it through the inspection engine and checks the associated NAT. For example, if the packet is NATted, then encryption of the private IP will never take place.
Could you make sure that packets from XNetwork really reach the ASA and that the NAT rule is correct? You may also want to run "debug cry isa 127" and "debug cry ips 127" to check for mismatch errors.
Also, what is the state of the tunnel when you try to communicate: "sh cry isa sa"
Federico.
-
Remote access VPN users unable to see local LAN or internet
We have implemented an ASA5510. Now our users can connect to the VPN but cannot access the internal LAN or the internet.
Here is the config. Any help or idea would be greatly appreciated. Thank you
Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f
: Saved
: Written by enable_15 at 11:04:57.005 UTC Wednesday, April 22, 2015
!
ASA Version 9.0(3)
!
hostname CP-ASA-TOR1
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 63.250.109.211 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
 subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
 dns-server value 10.10.10.12
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
 default-domain value carepath.local
 split-dns value carepath.ca
 split-tunnel-all-dns enable
 msie-proxy method no-proxy
 address-pools value CPRAVPN
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
 vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
 address-pool CPRAVPN
 default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f
: end
Hello
A couple of things to set for this:
- crypto isakmp nat-traversal 20
- management-access inside
Can you run a packet-tracer and attach it here, so we can see which phases the packet goes through.
Regards,
David Castro
-
Router configuration to allow VPN traffic through
I would like to ask for assistance with a specific configuration to allow VPN traffic through a Cisco 1721 router.
The network layout is the following:
Internet - Cisco 1721 - Cisco PIX 506E - LAN
Remote clients connect from the internet using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. The inside interface of the router is 192.168.0.1.
The PIX was originally configured with a public IP address and was tested to work well authenticating VPN connections and passing traffic into the local network. Then the external IP address was changed to 192.168.0.2 and the router was placed in front of it.
The 1721 is configured with an ADSL connection, with automatic failover to an asynchronous connection. This configuration does not work well, and in the local network users have normal internet access. I added access lists for UDP, ESP and AHP traffic.
Cisco VPN clients receive an error indicating that the remote peer is not responding.
I have attached the router config for reference, and any help would be greatly appreciated.
Manual.
Brian
For VPN clients to reach the PIX and complete their VPN, the PIX needs an address that is reachable from the outside where the clients are. When the PIX had a public address it was obviously easy for clients to reach the PIX. When you give the PIX a private address, then there must be a translation. And this becomes a problem if the translation is dynamic.
You have provided a static translation, which is what is needed. But you have restricted it to TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP, ESP and AHP traffic? How is it to be translated?
If there is no static translation for ISAKMP, ESP and AHP traffic, then clients don't know how to reach the server. Which brings me to the question of what address is configured in the client for the server?
HTH
Rick
-
Enable PRSM (offbox) CX traffic redirection
Hello
I've installed PRSM 9.3 (offbox).
I imported a failover pair of ASA5585-X, each with a (big) CX module inside.
How the hell do you set a traffic redirection policy to send traffic through the CX modules!
I'm pulling my hair out; if you add the 'traffic redirection' tab it says "no element found."
I'm not surprised, it's not allowed - I want to get on with PRSM!
This software is terrible!
Pete
Hi Pete. Take a break to save what hair you have left and check the CX Module Quick Start Guide for the ASDM method.
Short answer is that you use a service policy rule (policy-map). The CLI for it is further explained in the ASA CX User Guide.
You can technically set this on the ASA from PRSM, but you would first have to import and manage the ASA itself (not just the CX modules). I have not tried this method as PRSM is a poor tool for managing an ASA. Even Cisco steers you away from this option in their documentation.
-
ASA5520 7.2 - filter VPN traffic
Hi all,
I would like to know how I can filter VPN traffic with an access list, using the source address and destination port as filters.
I tried "no sysopt connection permit-vpn", but that filters the traffic going through the VPN tunnel, and I want to filter which hosts can establish the VPN tunnel.
I did it on a router with this access list:
access-list 101 remark VPN
access-list 101 permit ahp host x.x.x.x any
access-list 101 permit esp host x.x.x.x any log
access-list 101 permit esp host x.x.x.x any
access-list 101 permit udp host x.x.x.x any eq isakmp
access-list 101 permit udp host x.x.x.x any eq non500-isakmp
But I tried the same thing on the ASA and it does not work; I think it's because the ASA does not apply the access list to VPN traffic.
Sincerely, Fernando.
Fernando
You can disable it with "no crypto isakmp enable outside", but then even if you apply an ACL to the outside that allows all IP, ESP and AH, it still does not allow an IPsec connection.
So for the moment I see no way to do this without using an ACL on your upstream router.
I'll do some reading just in case I missed something.
Jon
-
VPN between two Cisco 1841 routers (LAN to LAN)
Hello
I need to connect two offices (two different LANs) together using Cisco 1841 routers at both ends.
Currently both Cisco routers are in working order and act as the internet gateway for the LAN clients (doing NAT).
Can somebody please advise what is the easiest method to configure a VPN between the two sites, so that LAN users at one office are able to access the email/application servers at the other office's LAN.
I understand that I need an IPsec site-to-site VPN (I think).
Can anyone please advise.
Kind regards.
s.nasheet wrote:
Hi ,
I need to connect two offices ( two different LAN's) together using cisco 1841 routers at both end.
Currently both cisco router are in working order and acting as a internet gateway to the LAN clients. ( doing NAT).
Can anybody please advise what is the easiest method to configure VPN between two sites so that LAN users at one office be able to access the email/application servers at the other LAN office.
I understand I need IPSec Site to Site VPN ( i think).
Can anyone please advise.
Regards.
Yes, you need a site-to-site VPN. Start with this link, which gives a number of examples of setting up an S2S VPN between two Cisco routers.
http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16
Jon
-
Packet capture for VPN traffic
Hi team,
Please help me set up the ACL and capture for remote access VPN traffic.
I want to see how much traffic flows from this source IP address.
Source: remote access VPN IP (syringe) 10.10.10.10
Destination: any
This is what I did, and it does not work:
access-list VPN extended permit tcp host 10.10.10.10 any
capture CAP_VPN type raw-data access-list VPN interface OUTSIDE
Hello
If you configure the capture with that access list you are filtering only TCP traffic, so you will not see UDP or ICMP traffic either; I would recommend using the ACL with ip only:
access-list VPN extended permit ip host 10.10.10.10 any
capture CAP_VPN access-list VPN interface outside
Then with:
show capture CAP_VPN
you will be able to see the packet capture on the ASA; you can export the capture to a packet sniffer as follows:
-
Hello everyone, I need help with a VPN configuration. The problem is that I need to NAT all VPN traffic: I have to set up a new VPN, but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all the traffic to another network in order to avoid the overlap?
Please, I really need help.
Thank you
You are saying that 192.168.1.100 is able to go through the tunnel and to the internet now?
Try adding another...
ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN
for example.
Federico.
-
VPN user access to external and internal hosts with all VPN traffic in tunnel
Hello
Could someone help me find the problem?
I have an ASA configured as firewall + VPN server. Essentially the outside of the device has T1 access; there are two VLANs inside, reached via an iptables box whose outside is on the same VLAN as the inside of the ASA (192.168.5.1 and 192.168.5.2). VPN users are authenticated via two-factor authentication (SDI, IP 192.168.5.5) and get their ACL from the local database. The VPN pool is 192.168.6.1-192.168.6.15 and is NATted to the external IP address.
When trying to access a remote host A from the VPN host, host A is open for that IP and one specific protocol. All VPN traffic is in the tunnel. The VPN user can connect, but the ACL vpnuser1_ONLY does not work as expected.
Here is part of the configuration:
ASA Version 8.2(2)
...........
route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1
route inside companynet1 255.255.255.0 192.168.5.2 1
route inside companynet2 255.255.255.0 192.168.5.2 1
route inside companynet3 255.255.255.0 192.168.5.2 1
route inside companynet4 255.255.255.0 192.168.5.2 1
...............
route inside companynetn 255.255.255.0 192.168.5.2 1
nat (inside) 4 vpnpool 255.255.255.0 outside     <--------- is this --------->
global (outside) 4 xx.10.194.238 netmask 255.255.255.255
split-tunnel-policy tunnelall
.....................
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 192.168.1.28 eq ssh log
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 74.2.23.195 eq ssh log
............
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 8
 vpn-idle-timeout 10
 vpn-session-timeout 60
 vpn-tunnel-protocol l2tp-ipsec
 webvpn
  svc keep-installer none
  svc rekey time 8
  svc rekey method ssl
  svc ask none default svc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 9
 vpn-session-timeout 45
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer none
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  svc routing-filtering-ignore disable
username vpnuser1 password xxxxxxx encrypted
username vpnuser1 attributes
 vpn-group-policy GroupPolicy1
 vpn-idle-timeout 6
 vpn-session-timeout 20
 vpn-filter value vpnuser1_ONLY
 vpn-tunnel-protocol svc
 group-lock value COMAVPN
 service-type remote-access
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias companyvpn disable
tunnel-group COMAVPN type remote-access
tunnel-group COMAVPN general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 authentication-server-group SDI
 authentication-server-group (inside) SDI
 authorization-server-group LOCAL
 default-group-policy GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
 group-alias companyremote enable
Did I do anything wrong / miss anything?
Thank you
Yijun
First of all, regarding "no nat-control": once you have NAT statements configured, 'no nat-control' is effectively disabled anyway. 'no nat-control' is only useful if you have no NAT statement at all on the interface.
Second, if you can't access the inside from the outside, that is because you need to configure NAT exemption. Not sure if you have configured it.
Here's the command:
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list sheep
You can then add all other internal subnets to the sheep ACL if they need VPN access.
Finally, for the deny error message on access-group "OUTSIDE", you would need to check whether you have configured "sysopt connection permit-vpn". If it is disabled, the ASA will also check the "OUTSIDE" interface ACL for VPN traffic.
-
VPN traffic via a secondary ISP
Hello world
I have been asked by a client to implement this topology:
where:
ISP 1 is used as the primary internet connection.
ISP 2 will be used to connect remote users via IPsec VPN.
Currently I'm not looking for an Active/Backup feature; I need to know if I can use both ISP connections (as I've written above): one ISP for the company's internet access and the other for remote-access VPN users.
I have read some posts saying it's possible, but I want to be sure.
Kind regards
Jose
The ASA should add the static route to the routing table automatically when the VPN client connects. So, in general, you don't need to do anything. But if not, you can just manually configure a route that will forward a VPN client's IP packets to ISP2.
With respect to NAT, in general VPN traffic must bypass NAT. You can use "nat (inside_interface_name) 0 access-list" with an ACL that defines the VPN traffic to do so.
-
Return VPN traffic does not flow over the tunnel
Hello.
I tried to find something on the internet about this problem, but I am failing miserably. I guess I don't really understand how the Cisco decides on the route.
In any case, I have a Cisco 837 which I use for internet access and on which I would like to be able to terminate a VPN. When I VPN in (using vpnc on a Solaris box, as it happens, which is connected to the Cisco's ethernet interface), I can establish the VPN, and when I ping a host on the inside I see the ping packet arrive; however, the Cisco 837 tries to send the return packet out via the public internet-facing interface Dialer1 without encryption. I can't work out for the life of me why.
(Also note: I can also establish a tunnel over the public internet, but again I can't get any traffic through the tunnel. I guess I'm having the same problem, i.e. return packets are not going where they should, but I only know that for certain in the first case: on the host being pinged, I can see the ping packets arriving and the host responding with an ICMP echo reply.)
Here is the version of cisco:
adsl#show version
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 01-May-08 02:07 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
adsl uptime is 1 day, 19 hours, 27 minutes
System returned to ROM by power-on
System restarted at 17:20:56 CEST Sun Oct 10 2010
System image file is "flash:c850-advsecurityk9-mz.124-15.T5.bin"
Cisco 857 (MPC8272) processor (revision 0x300) with 59392K/6144K bytes of memory.
Processor board ID FCZ122391F5
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
And here is the cisco configuration (IP address, etc. changed of course):
Current configuration : 7782 bytes
!
! Last configuration change at 11:57:21 CEST Mon Oct 11 2010 by bautsche
! NVRAM config last updated at 11:57:22 CEST Mon Oct 11 2010 by bautsche
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adsl
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone gmt 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 1:00
!
!
dot11 syslog
no ip source-route
ip dhcp database dhcpinternal
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.7.1 10.10.7.99
ip dhcp excluded-address 10.10.7.151 10.10.7.255
!
ip dhcp pool dhcpinternal
   import all
   network 10.10.7.0 255.255.255.0
   default-router 10.10.7.1
   dns-server 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip host nfs1 10.10.140.207
ip name-server 212.159.11.150
ip name-server 212.159.13.150
!
!
!
username cable password 7
username bautsche password 7
username vpnuser password 7
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group groupname2
 key
 dns 10.10.140.201 10.10.140.202
 domain swangage.co.uk
 pool SDM_POOL_1
 max-users 3
 netmask 255.255.255.0
!
crypto isakmp client configuration group groupname1
 key
 dns 10.10.140.201 10.10.140.202
 domain swangage.co.uk
 pool SDM_POOL_1
 max-users 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group groupname2
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
crypto isakmp profile sdm-ike-profile-2
   match identity group groupname1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_MD5_3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set ESP-AES-256-SHA
 reverse-route
crypto dynamic-map SDM_DYNMAP_1 2
 set security-association idle-time 3600
 set transform-set ESP-AES-256-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.7.1 255.255.255.0
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 crypto map SDM_CMAP_1
 hold-queue 100 out
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 no ip split-horizon
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.10.148.11 10.10.148.20
ip local pool public_184 123.12.12.184
ip local pool public_186 123.12.12.186
ip local pool public_187 123.12.12.187
ip local pool internal_9 10.10.7.9
ip local pool internal_8 10.10.7.8
ip local pool internal_223 10.10.7.223
ip local pool internal_47 10.10.7.47
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.140.0 255.255.255.0 10.10.7.2
!
no ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static 10.10.7.9 123.12.12.184
ip nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 extendable
ip nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 extendable
ip nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extendable
ip nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extendable
ip nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extendable
ip nat inside source static tcp 10.10.7.8 1587 123.12.12.185 1587 extendable
ip nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extendable
ip nat inside source static 10.10.7.223 123.12.12.186
ip nat inside source static 10.10.7.47 123.12.12.187
!
logging 10.10.140.213
access-list 18 permit any
access-list 23 permit 10.10.140.0 0.0.0.255
access-list 23 permit 10.10.7.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any 10.10.148.0 0.0.0.255
access-list 100 permit ip any any
access-list 121 remark SDM_ACL Category=17
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any
access-list 125 permit tcp any any eq www
access-list 125 permit udp any eq isakmp any
access-list 125 permit udp any any eq isakmp
access-list 194 deny   udp any eq isakmp any
access-list 194 deny   udp any any eq isakmp
access-list 194 permit ip host 123.12.12.184 any
access-list 194 permit ip any host 123.12.12.184
access-list 194 permit ip host 10.10.7.9 any
access-list 194 permit ip any host 10.10.7.9
access-list 195 deny   udp any eq isakmp any
access-list 195 deny   udp any any eq isakmp
access-list 195 permit ip host 123.12.12.185 any
access-list 195 permit ip any host 123.12.12.185
access-list 195 permit ip host 10.10.7.8 any
access-list 195 permit ip any host 10.10.7.8
no cdp run
route-map public_185 permit 10
 match ip address 195
!
route-map public_184 permit 10
 match ip address 194
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 no modem enable
 transport preferred none
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_authen
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 length 0
 transport preferred none
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 130.88.202.49
sntp server 130.88.200.98
sntp server 130.88.200.6
sntp server 130.88.203.64
end
Any help would be appreciated.
Thank you very much.
Ciao,
Eric
Hi Eric,
(Sorry for the late reply - needed some holidays)
So I see that you are a few steps further now. I think there are 2 things we can try:
1)
I guess you have configured this:
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
Since the route-map refers to ACL 100 to define the traffic to be translated, we can exclude traffic that the router itself initiates:
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip host 123.12.12.185 any
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access-list 100 permit ip any any
which should prevent the UDP source port 4500 from being changed to 1029.
OR
2)
If you prefer to use a different IP address for the VPN,
then you can use a loopback like this:
interface loopback 0
 ip address 123.12.12.187 255.255.255.255
 no shut
crypto map SDM_CMAP_1 local-address loopback 0
I don't think you need to apply the crypto map to the loopback interface, but it's been a while since I configured something like that, so if you have problems, first try it and, if it still does not work, get new crypto debugs (isakmp + ipsec on the VPN router, nat on the router on the client's side).
HTH
Herbert
-
Hello
I have configured the SSL VPN client on the ASA. I'm able to establish the SSL VPN with the ASA and obtain an IP address from the defined subnet (CorporateVPN 172.16.0.100 - 172.16.0.110). But when I try to ping the inside IP address, which is 172.16.0.1, and other machines in the LAN range, I get packet loss to the remote machine.
What could be the problem?
Below is the configuration of the SAA.
ASA Version 7.2(1)
!
hostname Cisco-ASA
domain-name test.com
enable password password
names
dns-guard
!
interface Ethernet0/0
 description connected to ISP
 nameif outside
 security-level 0
 ip address "public IP"
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description connected to the local network
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone GMT 3 30
dns domain-lookup management
dns server-group DefaultDNS
 name-server 203.123.165.75
 domain-name test.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool CorporateVPN 172.16.0.100-172.16.0.110 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
group-policy Netadmin internal
group-policy Netadmin attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc required
  svc keep-installer installed
  svc rekey time 30
  svc rekey method new-tunnel
  svc dpd-interval client 500
  svc dpd-interval gateway 500
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username cisco attributes
 vpn-group-policy Netadmin
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool CorporateVPN
tunnel-group NetForceGroup type webvpn
tunnel-group NetForceGroup general-attributes
 address-pool (inside) CorporateVPN
 address-pool CorporateVPN
 default-group-policy Netadmin
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/crypto_archive/sslclient-win-1.1.1.164 2
 svc enable
prompt hostname context
Cryptochecksum:13f5616c7345efb239d7996741ffa7b3
: end
Yes, "management-access inside" is only there to manage/ping the ASA on its inside interface. Without this command, they would still be able to access the internal network. This command is only used to manage the ASA on the inside interface itself.
-
Newbie help needed: Cisco 1941 router site-to-site VPN traffic routing issue
Hello
Please, I need help with a site-to-site VPN. I installed a Cisco 1941 router and a Linux-based VPN concentrator (Sophos UTM).
The VPN is established between them, but I can't get the Cisco router to send and receive traffic through the tunnel.
Please, what am I missing?
A few outputs:
show crypto isakmp sa:
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
62.173.32.122   62.173.32.50    QM_IDLE           1045 ACTIVE
IPv6 Crypto ISAKMP SA
show crypto ipsec sa:
interface: GigabitEthernet0/0
    Crypto map tag: QRIOSMAP, local addr 62.173.32.122
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 62.173.32.50 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 62.173.32.122, remote crypto endpt.: 62.173.32.50
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x4D7E4817(1300121623)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0xEACF9A(15388570)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2277, flow_id: Onboard VPN:277, sibling_flags 80000046, crypto map: QRIOSMAP
        sa timing: remaining key lifetime (k/sec): (4491222/1015)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
Please see my config:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ... address 62.X.X.50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS-QRIOS esp-3des esp-md5-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
 set peer 62.X.X.50
 set transform-set TS-QRIOS
 set pfs group2
 match address 100
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address 62.X.X.124 255.255.255.248 secondary
 ip address 62.X.X.123 255.255.255.248 secondary
 ip address 62.X.X.122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
 description LAN CONNECTION $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat pool mypool 62.X.X.122 62.X.X.122 prefix-length 30
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark QRIOSVPNTRAFFIC Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit esp host 62.X.X.50 host 62.X.X.122
access-list 101 permit udp host 62.X.X.50 host 62.X.X.122 eq isakmp
access-list 101 permit ahp host 62.X.X.50 host 62.X.X.122
access-list 101 deny ip any any log
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
!
!
!
!
route-map sheep permit 10
 match ip address 110
The parts of the configuration you posted look better than the earlier versions of the config. The initial problem was that traffic was not going into the VPN tunnel. Does that work now?
Here are the things I see in your config:
I don't understand the relationship between these 2 default static routes. One identifies the next hop completely and the other masks the middle bytes of the next hop. It sort of seems that they might be the same. But if they were the same, I don't understand why they both appear in the config. Can you provide details?
ip route 0.0.0.0 0.0.0.0 62.X.X.121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it, and especially not in the translation. So I wonder how it works?
ip route 10.2.0.0 255.255.255.0 192.168.20.2
In this pair of static routes, the second route is a more specific subnet that would be included in the first, and both routes point to the same next hop. So I wonder why they are both there. It is not necessarily a problem, but it is perhaps something that could be cleaned up.
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
And these 2 static routes are similar. The second is more specific and would be included in the first, and it points to the same next hop. So why have the other?
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
HTH
Rick
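The NAT-exemption advice in the ASA thread above ("nat (inside) 0 access-list sheep") and the 'sheep' route-map with ACL 110 in this thread rest on the same order-of-operations fact: on an IOS router, inside-to-outside NAT is applied before the crypto map is consulted, so a LAN-to-LAN flow that a NAT rule translates no longer matches the crypto ACL and leaves the WAN interface in the clear. The following Python model is an added example, not code from any poster; its ACL text is constructed to mirror ACLs 1, 100 and 110 of this thread, and 203.0.113.122 is a documentation address standing in for the redacted WAN overload address.

```python
import ipaddress


def _wildcard_net(addr, wildcard):
    """IOS wildcard mask -> network; contiguous wildcards only (all this thread uses)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # the set bits must be one trailing run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _take_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD' | 'A'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return _wildcard_net(tokens[0], tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/32"), tokens[1:]


def parse_acl(text):
    """Parse numbered standard/extended 'access-list' lines into (action, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        rest = tok[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL: src and dst
            src, rest = _take_addr(rest[1:])
            dst, _ = _take_addr(rest)
        else:  # standard ACL: source only, destination implicitly any
            src, _ = _take_addr(rest)
            dst = ipaddress.ip_network("0.0.0.0/0")
        aces.append((tok[2], src, dst))
    return aces


def acl_action(aces, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forward_inside_to_outside(nat_acl, crypto_acl, src, dst, nat_ip):
    """Return (source address on the wire, encrypted?) for one inside->outside packet.

    IOS applies inside-to-outside NAT before the crypto map lookup, so the
    crypto ACL is evaluated against the *translated* source address.
    """
    wire_src = nat_ip if acl_action(nat_acl, src, dst) == "permit" else src
    return wire_src, acl_action(crypto_acl, wire_src, dst) == "permit"


# Constructed samples mirroring ACLs 1, 100 and 110 of this thread; 203.0.113.122
# is a documentation address standing in for the redacted WAN 'overload' address.
WAN_IP = "203.0.113.122"
CRYPTO_ACL_100 = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
NAT_ACL_1 = "access-list 1 permit 192.168.20.0 0.0.0.255"  # translates everything
NAT_ACL_110 = """
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
"""


def demo(src="192.168.20.10", dst="192.168.2.5"):
    """Send the same LAN-to-LAN packet through both NAT lists."""
    crypto = parse_acl(CRYPTO_ACL_100)
    return {
        "acl 1 (no exemption)": forward_inside_to_outside(parse_acl(NAT_ACL_1), crypto, src, dst, WAN_IP),
        "acl 110 (exemption)": forward_inside_to_outside(parse_acl(NAT_ACL_110), crypto, src, dst, WAN_IP),
    }


if __name__ == "__main__":
    for name, (wire_src, encrypted) in demo().items():
        print(f"{name}: source on the wire {wire_src}, encrypted={encrypted}")
```

With ACL 1 the packet is translated to the WAN address and misses the crypto ACL; with the ACL 110 deny in front, it keeps its LAN source and is encrypted, while internet-bound traffic is still translated.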