Routing of PIX VPN site to Site?

I just configured my PIX to establish VPN site to site with my Linksys (1710 to follow).

Looks like my SA and IPSec are set up, but I get no routing. When I do a tracert, my PIX transmits all traffic to my internet router and not through the tunnel.

Any ideas?

Here's my chiseled config (subnet/ip have been changed)

access-list 101 permit ip 10.11.101.0 255.255.255.0 172.16.0.0 255.255.0.0

NAT (inside) 1 101 access list 0 0

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp - esp-md5-hmac mytransform

MYmap 1 ipsec-isakmp crypto map

correspondence address 1 card crypto mymap 101

card crypto mymap 1 peer set 1.2.3.4

mymap 1 transform-set mytransform crypto card

mymap outside crypto map interface

ISAKMP allows outside

ISAKMP key * address 1.2.3.4 netmask 255.255.255.255

part of pre authentication ISAKMP policy 1

of ISAKMP policy 1 encryption

ISAKMP policy 1 md5 hash

1 1 ISAKMP policy group

ISAKMP policy 1 lifetime 1000

But, for some reason, my pix custody transfer of VPN traffic to the internet rather than through my tunnel. I'm doing something wrong?

Aaron,

I've replied to you offline, try adding the following command on the pix (in configuration mode):

ISAKMP nat-traversal

And now try to ping to your customers of the remote peer, let me know the results.

Jay

Tags: Cisco Security

Similar Questions

Next hop for the static route on the VPN site to site ASA?

Hi all

I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

Concerning

Ahh, ok, makes sense.

The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

Example of topology:

Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

The static route must tell:

outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

I hope this helps.

Routing of traffic between two VPN Site-to-Site Tunnels

Hi people,

I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

Thank you very much.

Hello

Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

Site has

access-list NAT0 note NAT0 rule for SiteA SiteC traffic

access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB
Site B

access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

NAT (outside) 0-list of access OUTSIDE-NAT0

Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Where
- OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.
Site C

access-list NAT0 note NAT0 rule for SiteC SiteA traffic

NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) 0 access-list NAT0

Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

Where
- NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
- NAT = is the line of configuration NAT0
- L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB
To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

Hope this helps

-Jouni

Router vpn site to site PIX and vpn client

I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

ISAKMP crypto RTR #show its
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

IPv6 Crypto ISAKMP Security Association

local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
current_peer 66.x.x.x port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
#pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 40, #recv errors 0

local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
current outbound SPI: 0xC4BAC5E (206285918)

SAS of the esp on arrival:
SPI: 0xD7848FB (225986811)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4573083/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xC4BAC5E (206285918)
transform: aes - esp esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
calendar of his: service life remaining (k/s) key: (4572001/78319)
Size IV: 16 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Expand the IP NAT access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
Expand the IP VPN_ACCESS access list
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

If it's just ping, then activate pls what follows on the PIX:

If it is version 6.3 and below: fixup protocol icmp

If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

Config complete hand and on the other could help determine if it's a configuration problem or another problem.

VPN site-to-site between two PIX 501 with Client VPN access

Site A and site B are connected with VPN Site to Site between two PIX 501.

Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

How is that possible for a VPN client connected to Site A to Site B?

Thank you very much.

Alex

Bad and worse news:

Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

Even worse: PIX 501 can not be upgraded to 7.0...

A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

HTH Please assess whether this is the case.

Thank you

VPN site to site of simple laboratory works no - pix to pix

Hi all I have a lab at home configuring vpn site to site between 2 cisco pix 501 devices, but it does not work. Can anyone help, I have attached the followign run configs. Thank you

PIX Version 6.2 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of NuLKvvWGg.x9HEKO

2KFQnbNIdI.2KYOU encrypted passwd

hostname CiscoPix2

domain ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

access-list ping_acl allow icmp a whole

access-list 90 allow ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

Outside 1500 MTU

Within 1500 MTU

IP 10.0.0.2 255.255.255.0 outside

IP address 192.168.1.100 within 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

NAT (inside) - 0-90 access list

Access-group ping_acl in interface outside

ping_acl access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 0.0.0.0 0.0.0.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

No sysopt route dnat

Crypto ipsec transform-set strong esp-3des esp-sha-hmac

20 topix1 of ipsec-isakmp crypto map

correspondence address 20 card crypto topix1 100

crypto topix1 20 card set peer 10.0.0.1

20 strong crypto topix1 transform-set card game

topix1 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 10.0.0.1 netmask 255.255.255.255

part of pre authentication ISAKMP policy 8

encryption of ISAKMP strategy 8

ISAKMP strategy 8 sha hash

8 1 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

Telnet timeout 5

SSH timeout 5

Terminal width 80

Cryptochecksum:81f37c16401555abe7299b5a95e69d3d

: end

//////////////////////////////////////////////////////////////

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of NuLKvvWGg.x9HEKO

NuLKvvWGg.x9HEKO encrypted passwd

pixfirewall hostname

domain ciscopix.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list ping_acl allow icmp a whole

access-list 90 allow ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP 10.0.0.1 255.255.255.0 outside

IP address inside 192.168.0.100 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

NAT (inside) - 0-90 access list

Access-group ping_acl in interface outside

ping_acl access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 0.0.0.0 0.0.0.0 outdoors

http 0.0.0.0 0.0.0.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set strong esp-3des esp-sha-hmac

20 topix2 of ipsec-isakmp crypto map

correspondence address 20 card crypto topix2 100

crypto topix2 20 card set peer 10.0.0.2

20 strong crypto topix2 transform-set card game

topix2 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 10.0.0.2 netmask 255.255.255.255

part of pre authentication ISAKMP policy 8

encryption of ISAKMP strategy 8

ISAKMP strategy 8 sha hash

8 1 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

Cryptochecksum:4558d14bca52c36021eeab79729ee63b

: end

The first problem I see is that the access list that is used to identify the VPN traffic allows traffic from your home subnet for the external subnet of the peer but not inside the subnet of the peer.

HTH

Rick

VPN site to Site btw Pix535 and 2811 router, can't get to work

Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

#1: config PIX:

: Saved

: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

!

8.0 (4) version PIX

!

hostname pix535

!

interface GigabitEthernet0

Description to cable-modem

nameif outside

security-level 0

address IP X.X.138.132 255.255.255.0

OSPF cost 10

!

interface GigabitEthernet1

Description inside 10/16

nameif inside

security-level 100

IP 10.1.1.254 255.255.0.0

OSPF cost 10

!

outside_access_in of access allowed any ip an extended list

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

pager lines 24

cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

Global interface 10 (external)

15 1.2.4.5 (outside) global

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 15 10.1.0.0 255.255.0.0

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map 1 match address outside_1_cryptomap

outside_map game 1 card crypto peer X.X.21.29

card crypto outside_map 1 set of transformation-ESP-DES-SHA

outside_map map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map 1 set security-association life kilobytes 4608000

outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP crypto identity hostname

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 1

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

internal GroupPolicy1 group strategy

cnf-vpn-cls group policy internal

attributes of cnf-vpn-cls-group policy

value of 10.1.1.7 WINS server

value of 10.1.1.7 DNS server 10.1.1.205

Protocol-tunnel-VPN IPSec l2tp ipsec

field default value x.com

sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key secret1

RADIUS-sdi-xauth

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

tunnel-group cnf-vpn-cls type remote access

tunnel-group global cnf-vpn-cls-attributes

cnf-8-ip address pool

Group Policy - by default-cnf-vpn-cls

tunnel-group cnf-CC-vpn-ipsec-attributes

pre-shared-key secret2

ISAKMP ikev1-user authentication no

tunnel-group cnf-vpn-cls ppp-attributes

ms-chap-v2 authentication

tunnel-group X.X.21.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.21.29

Pre-shared key SECRET

!

class-map inspection_default

match default-inspection-traffic

!

!

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

: end

#2: 2811 router config:

!

! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname THE-2800

!

!

Crypto pki trustpoint TP-self-signed-1411740556

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1411740556

revocation checking no

rsakeypair TP-self-signed-1411740556

!

!

TP-self-signed-1411740556 crypto pki certificate chain

certificate self-signed 01

308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

quit smoking

!

!

!

crypto ISAKMP policy 1

preshared authentication

ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

!

!

Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

!

map 1 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

the transform-set the-2800-trans-set value

match address 101

!

!

!

!

!

!

interface FastEthernet0/0

Description WAN side

address IP X.X.216.29 255.255.255.248

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

No cdp enable

No mop enabled

card crypto 2800-ipsec-policy

!

interface FastEthernet0/1

Description side LAN

IP 10.20.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly

full duplex

automatic speed

No mop enabled

!

IP nat inside source map route sheep interface FastEthernet0/0 overload

access-list 10 permit X.X.138.132

access-list 99 allow 64.236.96.53

access-list 99 allow 98.82.1.202

access list 101 remark vpn tunnerl acl

Note access-list 101 category SDM_ACL = 4

policy of access list 101 remark tunnel

access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 permit ip 10.20.0.0 0.0.0.255 any

public RO SNMP-server community

!

!

!

sheep allowed 10 route map

corresponds to the IP 110

!

!

!

!

WebVPN gateway gateway_1

IP address X.X.216.29 port 443

SSL trustpoint TP-self-signed-1411740556

development

!

WebVPN install svc flash:/webvpn/svc.pkg

!

WebVPN gateway-1 context

title 'b '.

secondary-color white

color of the title #CCCC66

text-color black

SSL authentication check all

!

!

policy_1 political group

functions compatible svc

SVC-pool of addresses "WebVPN-Pool."

SVC Dungeon-client-installed

SVC split include 10.20.0.0 255.255.0.0

Group Policy - by default-policy_1

Gateway gateway_1

development

!

!

end

#3: test Pix to the router:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: X.X.21.29

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG2

> DEBUG:

12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
!
22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry

#4: test the router to pix:

LA - 2800 #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association

status of DST CBC State conn-id slot

X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0

> debug

LA - 2800 #ping 10.1.1.7 source 10.20.1.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:

Packet sent with a source address of 10.20.1.1

Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)

22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500

22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013

22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator

22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500

22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE

22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA

22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.

22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t

22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange

Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE

22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132

22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found

22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...

22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption

22 Oct 16:24:34.053: ISAKMP: SHA hash

22 Oct 16:24:34.053: ISAKMP: default group 1

22 Oct 16:24:34.053: ISAKMP: pre-shared key auth

22 Oct 16:24:34.053: ISAKMP: type of life in seconds

22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
. Next payload is 0
22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0

22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400

22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400

22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP

22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132

22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0

Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0

22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
!
Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment

22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4

22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact

22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID

next payload: 8

type: 1

address: X.X.216.29

Protocol: 17

Port: 500

Length: 12

22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12

Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5

...

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002

22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...

Success rate is 0% (0/5)

# THE-2800

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)

22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60

22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)

22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE

....

22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
. (local 1 X. X.216.29, remote X.X.138.132)
22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA

22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.

......

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

All suggestions and tips are greatly appreciated.

Sean

Recommended action:

On the PIX:

no card crypto outside_map 1

!

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

card crypto outside_map 10 correspondence address outside_1_cryptomap

crypto outside_map 10 peer X.X.216.29 card game

outside_map crypto 10 card value transform-set ESP-3DES-SHA

life safety association set card crypto outside_map 10 28800 seconds

card crypto outside_map 10 set security-association life kilobytes 4608000

!

tunnel-group X.X.216.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.216.29

Pre-shared key SECRET

!

On the router:

crypto ISAKMP policy 10

preshared authentication

Group 2

3des encryption

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

output

!

card 10 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

game of transformation-ESP-3DES-SHA

match address 101

!

No crypto card-2800-ipsec-policy 1

Let me know how it goes.

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

PIX-Sonicwall Site-to-Site and Cisco VPN Client

I have a firewall 506th PIX with a VPN site-to site for a firewall Sonicwall 330 Pro which works perfectly. I would like to add the functionality of remote users connecting to the network using the client VPN from Cisco PIX. I'm under the question of having only a single card encryption applied to the external interface. I need the feature to have the tunnel between the site to site VPN can be undertaken on other, so I can't use a dynamic encryption card. Does anyone have suggestions or knowledge on how to achieve this?

Thank you.

You don't need to add another card encryption to the external interface. You simply add customer information to your existing card for example:

Crypto ipsec transform-set esp-3des esp-sha-hmac YOURSET

YOURMAP 10 ipsec-isakmp crypto map

card crypto YOURMAP 10 corresponds to 100 address

card crypto YOURMAP 10 set counterpart x.x.x.x

crypto YOURMAP 10 the transform-set YOURSET value card

set of 10 CUSTOMERS crypto dynamic-map transform-set YOURSET

card crypto YOURMAP 90-isakmp dynamic ipsec CLIENTS

VPN site to Site using the router and ASA

Hello

I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client), my question is if I can configure a Cisco ASA 5505 to connect to the router as a VPN from site to site.

Thank you

Karl

Dear Karl,

Yor are right, in this case you can create a tunnel vpn site-to-site between devices or you can configure your ASA as hardware VPN client. That is to say; Easy VPN.

For the same thing, you can consult the document below.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Kind regards

Shijo.

It is possible to configure router CISCO1921/K9 from site to Site vpn behind a firewall?

I am looking to buy CISCO1921/K9 to configure vpn site to site with Amazon VPN. We are behind a firewall. I try to install the new CISCO1921/K9 router according to the scheme of quick text below. My setup work? and what are the ports will it transfer to my firewall?

INTERNET--> Modem to ISP---> firewall - CISCO1921/K9

Hi Paul,.

(192.168.1.0/24) - router (10.1.1.1)-(10.1.1.2) firewall(81.92.61.x/27)---Internet

The configuration is very simple...

1. There will be no modifications on the configuration of the VPN router with the exception that the interface of the router (turning to the firewall) will be to have private IP 10.1.1.1

2. you will need to take a public IP of your range of public (e.g. 81.92.61.2) and will share the same to your remote location which they set up as peers IP to their end.

3. now you have to configure 2 NAT type on your firewall.

NAT source:-when your router will initiate VPN

Before NAT: Destination - Source 10.1.1.1-(homologous remote IP)

After NAT: Destination - Source 81.92.61.2-(homologous remote IP)

Destination NAT:-when the remote location will launch the VPN

before NAT: Destination - Source (remote peer IP)-(81.92.61.2)

After NAT: Destination - Source (remote peer IP)-(10.1.1.1)

I hope this is clear :)

PIX from site to site VPN at the Juniper

Hello world

have a problem with the vpn site to site configuration beetween cisco pix and juniper firewall.

When I entered the command "show isakmp crypto its" Cisco Pix console displays the following status:

State

OAK_CONF_ADDR

But I don't know what it means that State

or what is the problem?.

l think my setup is corret.

I also have VPN clients configured on the network, and they run correctly.

can someone help me! Plase...

Thanks a lot. = D

If phase 1 is completed successfully, you will see QM_IDLE in "isakmp crypto to show his". Therefore, this suggests a problem of phase 1 - orders «isakmp...» ».

Check the policy, check the pre-shared key.

"CONF_ADDR" gives to think that one end looking for mode config (address IP etc) with the other.

See line «isakmp key...» « a »... No.-xauth No.-config-mode"at the end.

IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

Network diagram:

http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

Challenge:

(1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

(2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

IKE Phase II: des-esp, hmac-md5, tunnel mode

PSK: sitetositevpn

Here is my setup for review:

crypto ISAKMP policy 10

the BA

preshared authentication

Group 1

md5 hash

ISAKMP crypto key sitetositevpn address 210.x.x.66

!

Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

!

infotelmap 10 ipsec-isakmp crypto map

the value of 210.x.x.66 peer

Set transform-set ciscoset

match address 111

!

!

interface Ethernet0

3 LAN description

IP 10.20.20.1 255.255.255.0

IP nat inside

servers-exit of service-policy policy

Hold-queue 100 on

!

ATM0 interface

no ip address

ATM vc-per-vp 64

No atm ilmi-keepalive

DSL-automatic operation mode

!

point-to-point interface ATM0.1

IP address 210.x.20.x.255.255.252

no ip redirection<-- disable="">

no ip unreachable<-- disable="" icmp="" host="" unreachable="">

no ip proxy-arp<-- disables="" ip="" directed="">

NAT outside IP

PVC 8/35

aal5snap encapsulation

!

!

IP nat inside source list 102 interface ATM0.1 overload

IP classless

IP route 0.0.0.0 0.0.0.0 ATM0.1

IP route 0.0.0.0 0.x.0.x.190.60.66

no ip http secure server

!

Note access-list 102 NAT traffic

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

!

access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

Kind regards

Junhan

Hello

Three changes required in this configuration.

(1) change the NAT-list access 102 as below:

access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

access-list 102 permit ip 10.20.20.0 0.0.0.255 any

(2) place the card encryption on interface point-to-point ATM.

(3) remote all of a default route.

Thank you

Mustafa

[VPN site to Site] Are route explicit LAN remote necessary?

Hello

I have configured the VPN Site to be used inside the interface of the ASA (9.4.1)

site2site_inside.jpg
1. The computer in the Zone 1 (192.168.1.1), I can access the Intranet all and it works without a problem--> all traffic through the VPN.
For example, I can use 10.0.0.1 on remote desktop.

2. in the other direction, 10.0.0.1, I try to use the remote desktop on 192.168.1.1, the traffic is not routed over the VPN.

Journal: ' build incoming TCP connections to inside:10.0.0.1/1539 outdoors: 192.168.1.1/3389.

In case 1 (when it worked), he says "build the incoming TCP connection for inside:192.168.1.1/2039 to inside:10.0.0.1/3389.

To fix it, I had to add specific route on ASA: 192.168.1.0/24 inside

It works on both directions.

Is this a normal behavior?

I thought that cryptomap and IPSec SPI would be sufficient.

Thank you

Patrick

Yes, because the cryptomap is mapped to the output interface. The research of the way occurs before you hit the cryptomap. The opposite lane works because you already have a connection (in which are defined interfaces to use).

IPsec VPN site to site between router problem Cisco ASA. Help, please

Hello community,

I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)

Attachment is router configuration and ASA. I also include the router debug output.

It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.

Please help me. Any help appreciated.

Thank you

I didn't look any further, but this may be a reason:
```
 crypto map mymap 1 ipsec-isakmp dynamic dyn1 
```
The dynamic CM must always be the last sequence in a card encryption:
```
 no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1
```
Try this first, then we can look further.

Route VPN site to site on one path other than the default gateway

I want to route VPN site-to-site on one path other than the default gateway

ASA 5510

OS 8.0 8.3 soon

1 (surf) adsl line interface default gateway

line 1 interface SDSL (10 VPN site-to-site)

1 LAN interface

What's possible?

Thank you

Sorry for my English

Here is the assumption that I will do:

-Your IP SHDL is 200.1.1.1, and the next hop is 200.1.1.2

-Your LAN-to-LAN ends on this interface (interface card crypto SHDL)

-VPN peer 1 - 150.1.1.1 and LAN is 192.168.1.0/24

-VPN peer 2 - 175.1.1.1 and LAN is 192.168.5.0/24

This is the routing based on the assumption above:

Route SHDL 150.1.1.1 255.255.255.255 200.1.1.2

Route SHDL 175.1.1.1 255.255.255.255 200.1.1.2

Route SHDL 192.168.1.0 255.255.255.0 200.1.1.2

Route SHDL 192.168.5.0 255.255.255.0 200.1.1.2

Hope that helps.

Routing of PIX VPN site to Site?

Similar Questions

site2site_inside.jpg

Maybe you are looking for