SGE2010 clients need to route through ASA 5505 & 3750
Please see the included diagram.
I need to move the client machines (and their DHCP dependence) off the 3750 and onto the SGE2010, and absolutely must carry their internet traffic out through the external interface on the 5505. They must also be able to communicate internally with the production servers.
Clients currently use .254, talking through a dumb Dell switch into the 3750, but I am trying to migrate more slowly onto .253. I know the 2010 will not do DHCP, so I have put a DHCP server on this switch for now. The 5505 will not let me add an additional nameif statement on one of the other eth0/x interfaces, and I don't know whether this has something to do with its ability to act as a DHCP server (it is not an option in the ASDM) or with its ability to act as the internet gateway for the clients on the 2010. (Quick notes: the 5505 has a base license and currently also has 1 site-to-site VPN connection. As for the 5520, all of its interfaces are in use as well.)
I have statically assigned a moved client a .253 address and plugged it into the 2010. I tried giving the 2010 both a .4 address and a .253 address, but neither lets me ping the 5505 addresses. The 2010 automatically shows routes to the two subnets, and I set its default route to 253.1.
The link between the 2010 and the 3750 works: clients receive a .254 address from the 3750 and can get out to the internet via the 5505 as well as reach the production servers.
Why doesn't the 2010 see the 5505 as a gateway and allow the clients to access the internet, and also traverse the 3750 when they need to access the production network?
Now, the monkey wrench. The reason I'm not "just connecting the two and calling it a day" is that I also need to always go out to the production servers / web applications via the outside/inside interface of the 5520.
I have such a ball of wire in my head trying to work out why I can't get my clients moved to the new switch that I have not yet figured out how I'll do that part either.
Any help would be greatly appreciated.
Scott
Hi Scott,
OK, you'll have several IP networks connected on the SGE2010... that's fine, since the switch can operate in Layer 3 mode.
But is the ASA5505 or the SGE2010 going to be the default gateway for the PC clients that are hooked to the SGE2010 switch ports?
If the SGE2010 is made the default gateway for the PC clients, the SGE2010 will Layer 3 route packets between the appropriate subnets
(depending on whether you have added some static routes inside your SGE2010).
If the ASA is the gateway for the host PCs, the ASA will route the traffic accordingly.
Best regards, Dave
Similar Questions
-
VPN between 878 router and ASA 5505
Hello world
I have struggled for a few days now to get a VPN connection working.
The situation
Two offices need to be connected to each other with a VPN. Both sides have a WAN connection.
The tunnel between the locations comes up fine, but communication fails in almost every way.
The hosts cannot ping each other, and pings from the inside of the router and of the ASA also fail.
The only ping that works is from inside Site2 to the inside interface of the Site1 router (192.168.1.100 to 192.168.0.250).
NAT works fine on both sites behind the router / ASA.
I think I'm doing something wrong with the routes or the access lists, but after 7 days, many reloads, restores, driving from one end of the state to the other to reset stupid mistakes, breaking and resoldering my console cable and starting things completely from default 10 times, I'm through; I honestly don't know where to look anymore...
Tech Specs:
Site1: has a cable modem that gives a WAN IP address via DHCP.
This modem connects to the Cisco 878 router (FastEthernet0).
The router acts as DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.
Site2: has a cable modem/router (Cisco 3925), which does the NAT; this modem/router gives out a private class-C IP (192.168.178.x).
This modem/router connects to a Cisco ASA 5505 (FastEthernet0).
The ASA also serves as DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.
Schematically, it looks like this:
Office 1 <--> Cisco878 <--> WAN Cloud <--> cablemodemrouter <--> asa5505 <--> Office 2
IP address ranges:
Office 1
Network 192.168.0.0
Subnet mask 255.255.255.0
Gateway 192.168.0.250
WAN IP XXXX
Office 2
Network 192.168.1.0
Subnet mask 255.255.255.0
Gateway 192.168.1.1
WAN IP XXXX
At the office 2 location there is a NAT between the ASA and the WAN router, on 192.168.178.x 255.255.255.0.
The modem/router is a Cisco 3925, on which IPSEC passthrough is enabled.
Configs:
Site 1:
CISCO 878 router
Site 2
ASA 5505
I hope someone has a chance to look through my config and tell me what I did wrong this week.
Even if you cannot help me but still read this far: Thank YOU!
(As my problem has been resolved, I removed the configs from this post. If for any reason you want the working configuration for these devices, please send me a PM.)
Post edited by: taaa lijf - reason: problem solved, removed configs and private stuff for obvious reasons ;)
Hello
Ping from a client on site 1 to a client on site 2 and do sh crypto isakmp sa and sh crypto ipsec sa on the router.
If sh crypto isakmp sa gives QM_Idle and the ping fails and you have no packets in sh crypto ipsec sa, then do a debug crypto ipsec.
If sh crypto isakmp sa gives MM_NoState, do a debug crypto isakmp.
One note however: you should have static IP addresses at least on the side initiating the tunnel, otherwise it will not work when the IP address changes.
Kind regards.
Alain.
-
VPN does not connect to Linksys 10/100 4-port VPN Router with ASA 5505
We are trying to get a new ASA 5505 implemented on our network after the untimely demise of our 1841 router. One of the functions of the router that we need to get back up and running is a pair of VPNs for employees that we work with off site. These are site-to-site VPNs.
They worked with the 1841 in place, so I know the other end works. I just have problems configuring the ASA to match. I have been through the wizard in ASDM a couple of times, but have yet to have any luck getting it to connect.
Attached are the configuration files for the 1841 (with both VPNs) and the 5505 (with only 1 VPN in place). Can someone help me with what I may be missing to get this working?
A note: I am having trouble with my NAT configurations (another post in the meantime), but I think they are close enough that I hope that is not interfering with the VPN.
If I can get one running, the other is almost identical, so I should be able to get the second pretty easily.
Any thoughts?
Thank you
Matt James
Hello Mjames,
Hope you are doing very well; just to confirm the previous post I answered for you.
You need to change the NAT 0 configuration
nat (outside) 0 access-list outside_nat0_outbound
This is the NAT exemption rule for the VPN; please change it to:
nat (inside) 0 access-list outside_nat0_outbound
I spent time reviewing the configuration of both devices and that seems to be the only problem.
Please rate the helpful posts.
Julio
-
Outgoing Microsoft VPN through an ASA 5505 device
Hi all
I installed an ASA 5505 for a client recently and they were delighted by the improved VPN stability it provided them, as they mostly work remotely and VPN in all day to access their servers at the office. Recently, however, some staff members have spent more time at the office, where they discovered that they are unable to establish an outbound VPN to customers that are running Microsoft-based VPNs. The nature of their business requires them to regularly establish VPNs to their customers' servers to download data. They can establish Cisco VPN client connections successfully when they are in the office or working remotely, but they are not able to connect to the MS VPNs from the office. What configuration changes do I have to make on the ASA 5505 to solve this problem for them? Any help would be greatly appreciated.
Cheers,
John
Hello
If the clients are connecting to a Microsoft VPN through the ASA using PPTP, you need to allow the outgoing traffic (if there is an ACL applied to the inside interface) and also to enable PPTP inspection:
policy-map global_policy
 class inspection_default
  inspect pptp
Let us know how it goes.
Federico.
-
ASA 5505 AnyConnect 8.2 connect other subnets from site to site
Hello
I'm somewhat new to Cisco and routing. I have an installation of two ASA 5505s that are configured for site-to-site VPN and AnyConnect. The AnyConnect subnet can connect to the inside VLANs at Site A, but I can't reach the remote Site B subnet when using AnyConnect. Any ideas? Do I have to add the 10.0.7.0/24 subnet to the site-to-site policy? Do I need to set up several NAT rules? Details below.
Site A: ASA 5505 8.2
Outside: 173.X.X.X/30
Inside: 10.0.5.0/24
AnyConnect: 10.0.7.0/24
Site B: ASA 5505 8.2
Outside: 173.X.X.X/30
Inside: 10.0.6.0/24
The AnyConnect subnet cannot access the network of 10.0.6.0/24.
Any help would be greatly appreciated! Thank you!
Hello Kevin,
You need to have an identity NAT (outside,outside), essentially for the two subnets (Anyconnect and Remote_IPSec).
And of course include the traffic in the crypto ACL for IPSec and (if used) in the split-tunnel ACL for the Anyconnect tunnel.
Rate all useful posts!
Kind regards
Jcarvaja
Follow me on http://laguiadelnetworking.com
-
ASA 5505 remote access VPN cannot access my local network
Hello guys, I have a problem with my ASA 5505 remote access VPN to the local network. The VPN connection works well and connects, but the problem is that I can't reach my inside network of 192.168.30.x. Here's my setup; please can you help me.
ASA Version 8.2(1)
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 155.155.155.10 255.255.255.0
!
interface Vlan5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
 vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
username xxx attributes
 vpn-group-policy mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
 address-pool vpn-pool
 default-group-policy mull
tunnel-group mull ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Yes, you will need to either configure split tunneling so that internet traffic goes out through your local Internet service provider, OR, with your current configuration where you are tunneling all traffic (incl. internet traffic) to the ASA, you will need to create NAT for the internet traffic.
To set up split tunnel:
access-list split-acl standard permit 192.168.30.0 255.255.255.0
group-policy mull attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
I hope this helps.
-
Problem with remote access VPN on ASA 5505
I currently have a problem with an ASA 5505 configuration connecting via remote access VPN using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x64. The VPN client prompts for the user name and password during the connection process, but fails soon after.
The VPN client connection log is as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2      15:09:21.240  11/12/12  Sev=Info/4  CM/0x63100002
Begin connection process
3      15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100004
Establish secure connection
4      15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100024
Attempt connection with server "*.**.***.***"
5      15:09:21.287  11/12/12  Sev=Info/6  IKE/0x6300003B
Attempting to establish a connection with *.**.***.***.
6      15:09:21.287  11/12/12  Sev=Info/4  IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      15:09:21.303  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.**.***.***
8      15:09:21.365  11/12/12  Sev=Info/6  GUI/0x63B00012
Authentication request attributes is 6: 00.
9      15:09:21.334  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
10     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.**.***.***
11     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports XAUTH
13     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports DPD
14     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports NAT-T
15     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports IKE fragmentation payloads
16     15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000001
IOS Vendor ID Construction successful
17     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to *.**.***.***
18     15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000055
Sent a keepalive on the IPSec SA
19     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21     15:09:21.334  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22     15:09:21.365  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
23     15:09:21.365  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
24     15:09:21.365  11/12/12  Sev=Info/4  CM/0x63100015
Launch xAuth application
25     15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700008
IPSec driver successfully started
26     15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
27     15:09:27.319  11/12/12  Sev=Info/4  CM/0x63100017
xAuth application returned
28     15:09:27.319  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
29     15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
30     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
31     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
32     15:09:27.365  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33     15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300005E
Client sending a firewall request to concentrator
34     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
35     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
36     15:09:27.397  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
37     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Sat 20-May-11 16:00
45     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47     15:09:27.397  11/12/12  Sev=Info/4  CM/0x63100019
Mode Config data received
48     15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = *.**.***.***, Remote IP = 0.0.0.0
49     15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to *.**.***.***
50     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
51     15:09:27.444  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from *.**.***.***
52     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54     15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
55     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from *.**.***.***
56     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to *.**.***.***
57     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59     15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
60     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVED <<< ISAKMP OAK INFO *(Dropped) from *.**.***.***
62     15:09:27.490  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
63     15:09:30.475  11/12/12  Sev=Info/4  IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64     15:09:30.475  11/12/12  Sev=Info/4  CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65     15:09:30.475  11/12/12  Sev=Info/5  CM/0x63100025
Initializing CVPNDrv
66     15:09:30.475  11/12/12  Sev=Info/6  CM/0x63100046
Set tunnel established flag in registry to 0.
67     15:09:30.475  11/12/12  Sev=Info/4  IKE/0x63000001
IKE received signal to terminate VPN connection
68     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
69     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
70     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
71     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x6370000A
IPSec driver successfully stopped
---------------------------------------------------------------------------------------------------------------------------------------
The running configuration is the following (there is a site-to-site VPN set up as well, to another ASA 5505, but that works perfectly):
: Saved
:
ASA Version 8.2(5)
!
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address **.***.***.*** 255.255.255.248
!
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside_nat0_outbound
 webvpn
  svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.***.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set vpn-transform l2tp-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value nchco.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 ipsec-udp enable
 intercept-dhcp 255.255.255.0 enable
 address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
 dns-server value 192.168.2.1 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
 pre-shared-key *
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
 address-pool VPN_Pool
 default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thank you!
Add: crypto dynamic-map outside_dyn_map 20 set reverse-route
Regards,
Safwan
-
Site to site VPN routing via ASA
Need help setting up routing through the tunnel. We have a bunch of remote sites in 192.168.0.0/16 passing through a central site, 192.168.137.0.
How can I get all the traffic going to 192.168.0.0 to cross the tunnel? I have the tunnel up, but no traffic passes through it. Here is the config.
XXXX# show run
: Saved
:
ASA Version 8.2(1)
!
hostname xxxxx
domain-name xxxx.xxx
enable password xxxxxxxx
passwd xxxxxxxxxxxxx
names
!
interface Vlan1
 description =-=-=- INSIDE INTERFACE -=-=-=
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
interface Vlan2
 description =-=-=- OUTSIDE CABLE INTERFACE -=-=-=
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.202 255.255.255.252
!
interface Ethernet0/0
 description =-=-=- OUTSIDE CABLE INTERFACE -=-=-=
 switchport access vlan 2
!
interface Ethernet0/1
 description =-=-=- INSIDE INTERFACE -=-=-=
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.92.226.12
 name-server 24.92.226.11
 domain-name xxxxxx.xxx
object-group network OUR-NETWORK
 network-object 10.254.1.0 255.255.255.0
 network-object 172.22.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=-
access-list SHEEP remark =-=- ACCESS LIST FOR NAT EXEMPTION -=-=
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=-
access-list SHEEP extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-
access-list INTERESTING remark =-=- ACCESS LIST FOR INTERESTING TRAFFIC -=-=
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-
access-list INTERESTING extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
access-list ICMP remark =-=-=-=-=-=-=-=-=-=-
access-list ICMP remark =-=- ALLOW ICMP TO THE OUTSIDE INTERFACE -=-=
access-list ICMP remark =-=-=-=-=-=-=-=-=-=-
access-list ICMP extended permit icmp host aaa.bbb.ccc.201 any echo
no pager
logging enable
logging timestamp
logging buffer-size 38400
logging buffered alerts
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
http server enable
http xx.xx.xx.xx 255.255.255.0 outside
http xxx.xxx.xxx.xxx 255.255.192.0 outside
http xxx.xxx.0.0 255.255.0.0 inside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
snmp-server location xxxxxx
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map L2LMAP 10 match address INTERESTING
crypto map L2LMAP 10 set pfs
crypto map L2LMAP 10 set peer ddd.eee.fff.32
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
crypto map L2LMAP 10 set security-association lifetime seconds 86400
crypto map L2LMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2LMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh enable ibou
ssh xxx.xxx.0.0 255.255.0.0 inside
ssh xxx.xxx.0.0 255.255.0.0 outside
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.137.225 24.92.226.12
dhcpd domain arc.com
dhcpd auto_config outside
dhcpd option 150 ip 172.22.137.5
!
dhcpd address 192.168.33.2-192.168.33.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside
ntp server 96.47.67.105 source outside prefer
webvpn
username xxxx password xxxx
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group ddd.eee.fff.32 type ipsec-l2l
tunnel-group ddd.eee.fff.32 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Thank you
Mike
As I suspected, mismatched.
Remote side is set to 3des/sha. You are set to 3des/md5.
Change the following:
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
TO
crypto map L2LMAP 10 set transform-set ESP-3DES-SHA
Assuming the ACL things match, it should be fine.
Let me know.
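The mismatch this reply points to can be caught from the two running configs before a tunnel is brought up. The Python script below is an added example, not code from this thread or from Cisco: it parses the `crypto ipsec transform-set`, `crypto map ... set transform-set` and `crypto isakmp policy` lines of two constructed config excerpts (the local side offers ESP-3DES-MD5 as in the thread, the remote side only ESP-3DES-SHA; the peer addresses and the remote map/ACL names are made up) and reports whether phase 1 and phase 2 have any proposal in common. It also accepts the 8.4-style `crypto ipsec ikev1 transform-set` and `crypto ikev1 policy` keywords, which the thread's 8.2 config does not use.

```python
"""Compare IKE phase-1 policies and IPsec phase-2 transform-sets of two ASA peers.

Added example (not from the thread or from Cisco). The two configs below are
constructed excerpts: the local side mirrors the thread (3des/md5 offered in
the crypto map), the remote side only accepts 3des/sha.
"""
import re
from typing import Dict, List, Set, Tuple

Proposal = Tuple[str, str]          # (esp encryption, esp hmac)

# constructed sample configs; peer addresses are documentation addresses
LOCAL_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map L2LMAP 10 match address INTERESTING
crypto map L2LMAP 10 set peer 203.0.113.32
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
crypto map L2LMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

REMOTE_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.202
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""


def parse_transform_sets(cfg: str) -> Dict[str, Proposal]:
    """Map transform-set name -> (encryption, hmac); handles the 8.2 and the 8.4 'ikev1' form."""
    sets: Dict[str, Proposal] = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto ipsec (?:ikev1 )?transform-set (\S+) (esp-\S+) (esp-\S+-hmac)", line)
        if m:
            sets[m.group(1)] = (m.group(2), m.group(3))
    return sets


def crypto_map_proposals(cfg: str) -> Dict[Tuple[str, str], Set[Proposal]]:
    """Map (crypto map name, sequence) -> the set of proposals that entry offers."""
    sets = parse_transform_sets(cfg)
    out: Dict[Tuple[str, str], Set[Proposal]] = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$", line)
        if m:
            out[(m.group(1), m.group(2))] = {sets[n] for n in m.group(3).split() if n in sets}
    return out


def isakmp_policies(cfg: str) -> List[Dict[str, str]]:
    """Collect the indented attribute lines under each 'crypto isakmp policy N' block."""
    policies: List[Dict[str, str]] = []
    cur = None
    for line in cfg.splitlines():
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)", line)
        if m:
            cur = {"seq": m.group(1)}
            policies.append(cur)
            continue
        if line and not line.startswith(" "):
            cur = None                       # any other top-level line ends the block
            continue
        kv = re.match(r"\s+(authentication|encryption|hash|group|lifetime) (\S+)", line)
        if cur is not None and kv:
            cur[kv.group(1)] = kv.group(2)
    return policies


def _p1_key(p: Dict[str, str]) -> Tuple[str, ...]:
    # lifetime is negotiated down to the smaller value, so it is not a mismatch criterion
    return (p.get("authentication", ""), p.get("encryption", ""), p.get("hash", ""), p.get("group", ""))


def diagnose(local_cfg: str, remote_cfg: str,
             local_entry: Tuple[str, str], remote_entry: Tuple[str, str]) -> Dict[str, object]:
    """Return the phase-1 and phase-2 proposals both sides have in common."""
    p1 = {_p1_key(p) for p in isakmp_policies(local_cfg)} & {_p1_key(p) for p in isakmp_policies(remote_cfg)}
    p2 = crypto_map_proposals(local_cfg)[local_entry] & crypto_map_proposals(remote_cfg)[remote_entry]
    return {"phase1_ok": bool(p1), "phase1_common": p1,
            "phase2_ok": bool(p2), "phase2_common": p2}


if __name__ == "__main__":
    for k, v in diagnose(LOCAL_CFG, REMOTE_CFG, ("L2LMAP", "10"), ("OUTSIDE_MAP", "10")).items():
        print(f"{k}: {v}")
```

With the sample configs phase 1 matches (3des/md5/group 2/pre-share on both sides) while phase 2 has no common transform-set, which is exactly the state in which the ISAKMP SA comes up but no traffic flows; swapping the local entry to ESP-3DES-SHA makes `phase2_common` non-empty.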
-
VPN site to Site with dynamic routing on ASAs
I'm planning a backup connection to a primary site, in case our main link breaks, through two ASAs using a site-to-site VPN.
This is what I have come up with to date; I just need to work through some issues and best practices.
##Regular connectivity and Internet traffic flow "> Primary_Internet".
Backup_Internet - ASA - CoreA - router-->> Private_Wan<>
? If the Private_Wan link is down, use the l2l VPN over the Internet via the ASA to connect the sites
x - router - CoreA - ASA-->> VPN l2l<>
? Once the link is available again, the preferred path over the private WAN must be used.
A few questions,
1. Can I use a routing protocol via the l2l VPN? VTI, GRE?
2. If I use OSPF or EIGRP, will redistributing the static routes on each ASA work?
3. When running the l2l VPN, 'show route' does not show the routes available via the VPN; only 'show crypto ipsec sa' shows info. Is this correct? If yes, how would the metric work for the learned routes if all the links are up and there are many paths to the same subnet?
Welllll,
(2) I would keep it as simple as possible; you can put everything in one VPN, perhaps an NSSA, if your ASA touches the BB.
(3) RRI on the ASA is always the insertion of static routes; it is not the best way to generate the backup.
Marcin
-
Cannot access my router through the Explorer configuration page
I need to do port forwarding on my router. My internet connection works (even if it drops occasionally) and I can also connect to other computers on my network. However, I cannot access my router's page through IE (I get a message saying: page not found). When I go to see the map in the Vista network options, the router is not displayed, and when I click on "See the whole map", I get a message saying that Windows cannot detect any computers or devices.
My connection to the router is connected, and it is a Linksys WRT54G. Any ideas how I can see my router or go to its configuration page? Another thing: I went to CMD and the ping command returns a default gateway of 192.168.1.1, which is what I'm using as the address of the web page.
Thanks for any help.
Hi JBHPUser,
(a) Other than the router configuration page, are you able to access other Web sites?
(b) What operating system and Internet Explorer version do you use?
This article can be very useful: You receive an error message in Internet Explorer: "Internet Explorer cannot display the webpage"
http://support.Microsoft.com/kb/956196
You can also access these links, which are primarily for Windows Vista but also apply to Windows 7:
Solve problems with computers not appearing in the network map
http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-problems-with-computers-not-appearing-on-the-network-map
Network connection problems
http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-network-connection-problems
Aziz Nadeem - Microsoft Support -
Cisco SG300 / ASA 5505 intervlan routing problem
Dear all
I have a problem configuring an SG300 layer 3 switch correctly behind an ASA 5505 (incl. Security Plus license).
The configuration is the following:
The Cisco SG300 is configured as a layer 3 switch
Native VLAN 1: 192.168.1.254, default route to the ASA inside interface IP address (192.168.1.1)
Additional VLANs defined on the switch:
VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254
VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254
VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254
From the different VLANs (100, 110, 120) I am able to connect to all devices on the other VLANs (with the exception of native VLAN 1, which does not answer the ping requests)
From the switch CLI I can ping my firewall (192.168.1.1) and all the other VLAN gateways and the devices in the VLANs (VLAN 1, 100, 110, 120)
From the ASA CLI I can only ping my switch port (192.168.1.254), but no other devices in the other VLANs
My question is this. What should I change or set up in the switch configuration or the ASA so that the other VLANs can access the Internet through the ASA? I will not use the ASA as the intervlan routing device, because the switch does this for me.
I tried to change the ASA int e0/1 into a trunk port (the switch uplink port too), to enable all the VLANs, but as soon as I do that, I can no longer ping 192.168.1.254 from the ASA CLI.
Any help is greatly appreciated
Regards
Edwin
Hi Edwin, because the switch is layer 3, the only necessary behavior is to ensure that the computers' default gateways are set to the SVI interface on the switch, so that the switch forwards the desired traffic to the ASA.
The connection between the ASA and the switch must stay dot1q, with the native VLAN untagged and all the other VLANs tagged.
Also, if I'm not wrong, on the ASA you must set the security level of the port to 100.
-Tom
Please rate helpful posts -
ASA 5505 VPN works great but can't access internet via the tunnel to customers
We have an ASA 5505 running ASA 8.2.1 and using IPsec for remote access clients to the main office. Remote access works well, with full access to network resources in the main office; the only thing I can't get to work is access to the Internet through the tunnel. I don't want to use split tunneling. I use ASDM 6.2.1 for configuration. Any help is appreciated. I'm probably missing something simple, and I've looked at it so much that I'm probably looking right past the error. Thanks in advance for your time and help! Jim
Add a NAT statement for your client segment on the outside interface:
nat (outside) <nat-id> access-list <client-segment-acl>
then allow traffic to route back out the same interface it entered on:
same-security-traffic permit intra-interface
More information can be found here:
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...
On Wednesday, 27 January 2010, at 23:12, jimcanova
-
PIX: Dialin routing through a different VPN VPN
Here's the scenario: I have 2 PIX firewalls at different sites, connected to the Internet with public IP addresses (PIX A and PIX B).
There is a permanent site-to-site VPN between the two, and there is a clear separation between the subnets of the two sites (the internal network behind PIX A is 10.10.4.0/24 and the internal network behind PIX B is 192.168.0.0/16).
I created dial-in VPDN access to PIX A for laptops to dial in via VPN; it currently allows access to the subnet 10.10.4.0/24 without problem.
Now I need these laptop users, when connected via VPN to PIX A, to be able to access the other remote site, the subnet 192.168.0.0/16, by routing through the site-to-site VPN to PIX B.
Is this possible? I would be grateful to anyone who can help with that. Thank you...
This is currently not possible on the PIX, as the PIX will not route traffic back out the same interface it entered on.
This feature will be available in the upcoming v7.0 release, which is currently in beta, so look out for it and you'll be ready to go.
-
Need help! ASA 5505 not PPTP passthrough to the Server internal
Hello:
Recently I added a new Cisco ASA 5505 as the firewall of the company network. I found that PPTP authentication does not get through to the internal Microsoft server. Any help and answers are appreciated.
Please see my setup below. Thank you!
ASA Version 8.4(3)
!
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 177.164.222.140 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 172.29.8.0 255.255.255.0
object service RDP
 service tcp source eq 3389
object network orange
 host 172.29.8.151
object network WAN_173_164_222_138
 host 177.164.222.138
object service SMTP
 service tcp source eq smtp
object service PPTP
 service tcp source eq pptp
object service JT_WWW
 service tcp source eq www
object service JT_HTTPS
 service tcp source eq https
object network obj_lex
 subnet 172.29.88.0 255.255.255.0
 description Lexington office network
object network obj_HQ
 subnet 172.29.8.0 255.255.255.0
object network guava
 host 172.29.8.3
object service L2TP
 service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server guava protocol nt
aaa-server guava (inside) host 172.29.8.3
 timeout 15
 nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config off vpnclient-wins-override
!
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
 dns-server value 172.29.8.3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Tunnel_User
 default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
 vpn-tunnel-protocol ikev1 ikev2
username <username not shown in the post> password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
 address-pool ABC_HQVPN_DHCP
 authentication-server-group guava
 default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
!
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end
Hello Wayne,
The first thing I noticed:
In the ACL you are pointing to the public IP while it should be the private one (you have a permit ip any any at the end, so it's not bad; FYI, if you decide to take out that permit ip any any, then you should point to the private server IP addresses).
Now, the policy where the PPTP inspection, etc., is configured is not applied to any service-policy, so add:
service-policy global_policy global
Don't forget that for a PPTP connection to get established we should see 2 things:
- The negotiation is done on TCP port 1723, and then the data packets travel over GRE.
Follow my blog for more information on this topic:
http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/
Try it and let me know
Julio
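The three conditions named in this reply (TCP 1723 permitted to the public address, GRE permitted to it, and the policy-map that carries `inspect pptp` actually bound with `service-policy`) can be checked mechanically against a saved config. The Python script below is an added example, not code from this thread or from Cisco; `SAMPLE_CFG` is a constructed excerpt modelled on Wayne's config, with the `permit ip any any` left out so that the ACL checks are meaningful and, as in the original, without any `service-policy` line.

```python
"""Check what a PPTP server behind a static NAT needs on an ASA: TCP/1723 and GRE
permitted inbound to the public address, and a bound policy-map with 'inspect pptp'.

Added example (not from the thread or from Cisco). SAMPLE_CFG is a constructed
excerpt modelled on the thread's config; it has the global_policy but, as in the
original, no 'service-policy' line binding it.
"""
import re
from typing import Dict, Optional, Set

SAMPLE_CFG = """\
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
access-group outside_access_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
"""

PORT_ALIASES = {"pptp": {"pptp", "1723"}}   # ASA prints well-known ports by name


def _addr(toks, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2


def _port(toks, i):
    """Consume an optional 'eq PORT' operator."""
    if i < len(toks) and toks[i] == "eq":
        return toks[i + 1], i + 2
    return None, i


def acl_permits(cfg: str, acl: str, proto: str, dst_host: str, dport: Optional[str] = None) -> bool:
    """True if an extended permit entry of ACL covers proto -> dst_host[:dport].
    'permit ip' covers every protocol, a destination of 'any' every host, no 'eq' every port."""
    wanted = PORT_ALIASES.get(dport, {dport}) if dport else None
    pat = re.compile(rf"\s*access-list {re.escape(acl)} extended permit (\S+) (.+)$")
    for line in cfg.splitlines():
        m = pat.match(line)
        if not m or m.group(1) not in (proto, "ip"):
            continue
        toks = m.group(2).split()
        _, i = _addr(toks, 0)           # source address
        _, i = _port(toks, i)           # optional source port
        dst, i = _addr(toks, i)         # destination address
        port, _ = _port(toks, i)        # optional destination port
        if dst in ("any", dst_host) and (wanted is None or port is None or port in wanted):
            return True
    return False


def inbound_acl(cfg: str, iface: str) -> Optional[str]:
    """Name of the ACL applied inbound on iface, from the access-group line."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(iface)}\s*$", cfg, re.M)
    return m.group(1) if m else None


def policy_map_inspections(cfg: str) -> Dict[str, Set[str]]:
    """policy-map name -> protocols it inspects ('policy-map type inspect ...' maps are skipped)."""
    maps: Dict[str, Set[str]] = {}
    cur = None
    for line in cfg.splitlines():
        m = re.match(r"policy-map (?!type )(\S+)\s*$", line)
        if m:
            cur = maps.setdefault(m.group(1), set())
            continue
        if line and not line.startswith(" "):
            cur = None                  # any other top-level line ends the block
            continue
        m = re.match(r"\s+inspect (\S+)", line)
        if cur is not None and m:
            cur.add(m.group(1))
    return maps


def bound_policies(cfg: str) -> Dict[str, str]:
    """policy-map name -> 'global' or 'interface X', from service-policy lines."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^service-policy (\S+) (global|interface \S+)", cfg, re.M)}


def pptp_prerequisites(cfg: str, public_host: str) -> Dict[str, bool]:
    acl = inbound_acl(cfg, "outside") or ""
    bound = bound_policies(cfg)
    return {
        "tcp_1723_allowed": acl_permits(cfg, acl, "tcp", public_host, "pptp"),
        "gre_allowed": acl_permits(cfg, acl, "gre", public_host),
        "pptp_inspect_applied": any("pptp" in insp and name in bound
                                    for name, insp in policy_map_inspections(cfg).items()),
    }


if __name__ == "__main__":
    print(pptp_prerequisites(SAMPLE_CFG, "177.164.222.138"))
```

On the sample the two ACL checks pass and `pptp_inspect_applied` is False; appending `service-policy global_policy global` flips it to True. A `permit ip any any` at the end of the ACL, as in the thread, makes the two ACL checks pass for every host and protocol, which is the point the reply makes about tightening the list to the private server addresses once that entry is removed.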
-
Static routes through site to site tunnel
Hello
I use a Cisco ASA 5505
Here's a description of my topology.
HQ = 192.168.201.0
Client X = 172.16.0.0
Datacenter = 10.12.0.0
Site-to-site tunnels:
HQ ---> Datacenter
Datacenter ---> Client X
I want the computers on the HQ subnet to be able to access the Client X subnet.
I tried to configure a static route to push all traffic destined for 172.16.0.0 to the datacenter, but it failed.
Does anyone know a solution for how I can route all 172.16.0.0 traffic through the tunnel?
I tried adding a static route on my ASA but without success.
You cannot just route the HQ traffic through to the client site.
You need to add the HQ and client subnets to the crypto ACL between the datacenter and the client, as well as between HQ and the datacenter.
You also need to configure NAT exemption on the client side.
Generally, the IPsec tunnel is configured with specific subnets, so you would need to include the additional subnet to be able to get from HQ to the client and vice versa.
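The requirement stated in this reply, that HQ <-> client traffic be listed in the crypto ACL of both tunnels (and mirrored on each peer), can be checked with a small script. The Python below is an added example, not code from this thread or from Cisco. The subnets follow the thread; the masks (/24 for HQ, /16 for datacenter and client), the ACL names `TO_DC`, `TO_HQ` and `TO_CLIENT`, and the two config excerpts are constructed assumptions. It does not check the NAT exemption the reply also mentions.

```python
"""Check that a hub-and-spoke pair of IPsec tunnels (HQ <-> datacenter <-> client)
carries HQ <-> client traffic: each tunnel's crypto ACL must list the flow, in the
direction seen from that ASA.

Added example (not from the thread or from Cisco). Subnets follow the thread; the
masks, ACL names and config excerpts are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]

HQ = Net("192.168.201.0/24")      # HQ subnet (mask assumed)
DC = Net("10.12.0.0/16")          # datacenter subnet (mask assumed)
CLIENT = Net("172.16.0.0/16")     # client X subnet (mask assumed)

# constructed excerpts: each tunnel only carries its directly attached pair
HQ_ASA_CFG = """\
access-list TO_DC extended permit ip 192.168.201.0 255.255.255.0 10.12.0.0 255.255.0.0
"""
DC_ASA_CFG = """\
access-list TO_HQ extended permit ip 10.12.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list TO_CLIENT extended permit ip 10.12.0.0 255.255.0.0 172.16.0.0 255.255.0.0
"""


def crypto_acl_flows(cfg: str, acl: str) -> List[Flow]:
    """(src, dst) network pairs from 'access-list ACL extended permit ip A MASK B MASK' lines."""
    pat = re.compile(rf"\s*access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
    return [(Net(f"{m.group(1)}/{m.group(2)}"), Net(f"{m.group(3)}/{m.group(4)}"))
            for m in map(pat.match, cfg.splitlines()) if m]


def covered(flows: List[Flow], src: Net, dst: Net) -> bool:
    """A flow is covered if some entry's src and dst networks contain it."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in flows)


def missing_flows(flows: List[Flow], required: List[Flow]) -> List[Flow]:
    return [(s, d) for s, d in required if not covered(flows, s, d)]


def acl_line(acl: str, src: Net, dst: Net) -> str:
    """The ASA line that would add the flow to the crypto ACL."""
    return (f"access-list {acl} extended permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def hub_spoke_report(hq_cfg: str, dc_cfg: str) -> Dict[str, List[str]]:
    """For each tunnel, the crypto ACL lines still needed for HQ <-> client traffic.
    The peer at the far end of each tunnel needs the mirrored entry; the client's
    own ASA is not part of the thread, so it is not checked here."""
    checks = {
        # tunnel                 ASA config  crypto ACL   flow as seen from that ASA
        "hq -> datacenter":     (hq_cfg,    "TO_DC",     [(HQ, CLIENT)]),
        "datacenter -> hq":     (dc_cfg,    "TO_HQ",     [(CLIENT, HQ)]),
        "datacenter -> client": (dc_cfg,    "TO_CLIENT", [(HQ, CLIENT)]),
    }
    report: Dict[str, List[str]] = {}
    for tunnel, (cfg, acl, required) in checks.items():
        missing = missing_flows(crypto_acl_flows(cfg, acl), required)
        report[tunnel] = [acl_line(acl, s, d) for s, d in missing]
    return report


if __name__ == "__main__":
    for tunnel, lines in hub_spoke_report(HQ_ASA_CFG, DC_ASA_CFG).items():
        print(tunnel, "-> OK" if not lines else "-> add: " + "; ".join(lines))
```

With the excerpts as given, every tunnel is missing exactly one entry; appending the suggested lines to the respective configs makes the report empty. Return traffic is covered by the mirrored entries the peers evaluate from their own side, which is why each tunnel only needs the one direction listed here.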