Site to site VPN on Cisco 1811
Hi all
Here is my site-to-site VPN setup on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
 set peer 11.x.x.x
 set security-association lifetime seconds 28800
 set transform-set test
 set pfs group2
 match address test
!
!
!
!
interface FastEthernet0
 description Connection to the public Internet
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description Local LAN subnet
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended test
 permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
 permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3
You are absolutely right on your understanding.
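Since the reply above does not show how NAT exemption is actually written on IOS, here is an added example; it is not from the original post or its author. The point it illustrates: on the inside-to-outside path the router performs NAT before it evaluates the crypto map, so any LAN-to-remote flow that the NAT ACL matches leaves with a translated source and never matches the crypto ACL. The exemption is therefore a deny entry in the NAT ACL for exactly the traffic the crypto ACL encrypts. The subnets 192.168.1.0/24 (local) and 192.168.2.0/24 (remote), the peer 203.0.113.1 and the names VPN-TRAFFIC, NAT-INSIDE, TS and VPNMAP are assumed placeholders, not the poster's values.

```cisco
! Added example, not the poster's configuration: NAT exemption for a
! site-to-site tunnel on IOS.  Assumed (placeholder) values: local LAN
! 192.168.1.0/24, remote LAN 192.168.2.0/24, peer 203.0.113.1, Internet
! interface FastEthernet0, names VPN-TRAFFIC, NAT-INSIDE, TS, VPNMAP.
!
! 1. Crypto ACL: the flows that must be encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 2. NAT ACL: deny exactly those flows before the permit.  IOS translates
!    before it checks the crypto map on the inside-to-outside path, so a
!    flow PATted here would carry the interface address as source and
!    never match VPN-TRAFFIC.  Order matters: deny first, then permit.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
!
! 3. Crypto map tied to the crypto ACL and applied to the outside interface.
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0
 ip nat outside
 crypto map VPNMAP
!
interface Vlan1
 ip nat inside
!
! Verification (exec mode).  While a host on 192.168.1.0/24 talks to
! 192.168.2.0/24, "#pkts encaps" should rise in the first command and the
! second should return nothing, i.e. no translation was built for the
! tunnel traffic.
!   show crypto ipsec sa peer 203.0.113.1
!   show ip nat translations | include 192.168.2.
```

The same exemption can be expressed with a route-map that matches NAT-INSIDE (`ip nat inside source route-map ... interface FastEthernet0 overload`); in either form it is the deny entries that keep the tunnel traffic out of the translation.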
Tags: Cisco Security
Similar Questions
-
Help with VPN site-to-site under another VPN
Hello guys,
I need some help with this scenario.
Branch --> HQ --> Remote Site, where:
Branch: Internal = 192.168.50.0/24
HQ: Internal = 192.168.40.0/24
Remote Site: Internal = 10.175.26.0/24
Branch <-> HQ: both are ASAs, with ESP-3DES-MD5. (Here we use the actual LAN IP ranges as the encryption domain.)
HQ <-> Remote Site: my side is an ASA, with ESP-AES-256-SHA. (Here, to reach the Remote Site 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)
Now we need the Branch to reach the Remote Site, through the Branch-HQ VPN and then the HQ-Remote Site VPN.
My actions:
Branch firewall:
- In the Site to Site VPN configuration, I added the remote network 10.175.26.0/24 to the tunnel between the Branch and HQ.
- I added the NAT EXEMPTION for 10.175.26.0/24 on the inside.
HQ firewall:
- In the Site to Site VPN configuration, I added the remote network 10.175.26.0/24 to the tunnel between the Branch and HQ.
- I created a dynamic policy NAT on the outside: source = Branch IP range, destination = Remote Site IP range, translated to 172.18.0.10.
This already works for another Remote Site, but that one has the IPsec proposal ESP-3DES-MD5 (the same as the Branch). I don't know if this is the problem, but I tried using the two proposals together, 3DES-MD5 and AES-256-SHA.
Firewall rules are ok too.
Where is the error in this configuration?
Thank you
Diego
Good.
Solved in this post.
-
Site to site VPN - problem with IOS 12.4 at the remote site?
I have a site with several VPNs configured. Sites with routers (all Cisco) running IOS 12.3 or lower are fine. New routers with IOS 12.4 can establish the VPN connection and I can ping the remote networks. When I try to access the Intranet home page from a remote site, the home page is displayed, but I am not able to access all pages. The same thing is happening with another application (a SQL Server program). The client (remote site) can connect to the SQL database and perform a task, and then gets a connectivity error. Sites running IOS 12.3 do not have these problems.
ANY IDEAS please?
Looks like an MTU problem.
See if you can clear the DF bit in the encrypted packets using the command
crypto ipsec df-bit clear
or
on the outgoing interface, use the command ip tcp adjust-mss 1400.
Let me know if it helps
-
Site to Site VPN and VPN Client
Hi all
I have set up a Site to Site VPN that works very well. Then I set up the VPN Client, which also worked well, but the Site to Site VPN went offline. If I remove the following 3 lines of the VPN Client configuration, the Site to Site VPN starts working again.
crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
Here is my complete config. Please suggest.
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco address 203.13.x.x
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.10.15
 domain ic.com
 pool ippool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set CISCOSET
!
!
!
crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp
 set peer 203.13.x.x
 set transform-set CISCOSET
 match address acl_ncsvpn
crypto map vpn 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.10.10.1 10.10.10.10
ip access-list extended acl_internet
 deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
Please try the following command
crypto isakmp key Cisco address 203.13.x.x no-xauth
and then give it a try
-
Unable to connect to the SSL VPN web site with zone-based firewall configured
I recently updated my company's 2911 and set up a zone-based firewall. This is my first experience with this; I used Cisco Configuration Professional to build the firewall configuration first and then edited the names to make them human-readable. The only problem I can't solve is reaching the SSL VPN web site from outside. I can browse the site and connect without problem from inside, and even though that was useful to verify that routing and the site work properly, it is really not what I need. I don't get anything in the syslog for drops by the firewall, or for any other reason, but a packet capture shows that no response is received when trying to browse to the web site from outside. I am currently using an IPsec VPN client solution until I can get this to work and have no problem with it. I have attached a sanitized configuration with the relevant lines included (deleted ~400 lines including logging, many zone-to-zone inspections and the IPsec VPN, which I already mentioned). I searched for anything about this problem and nobody seems to have a problem connecting to their web site, just getting other features to work correctly. All thoughts are welcome.
show zone security
zone in-zone
  Member Interfaces:
    GigabitEthernet0/0.15
    GigabitEthernet0/0.30
    GigabitEthernet0/0.35
    GigabitEthernet0/0.45
zone out-zone
  Member Interfaces:
    GigabitEthernet0/1
zone sslvpn-zone
  Member Interfaces:
    Virtual-Template1
    SSLVPN-VIF0
I tried changing the zone membership of interface Virtual-Template1 to the out-zone; nothing helps.
show zone-pair security
Zone-pair name SSLVPN->IN
    Source-Zone sslvpn-zone  Destination-Zone in-zone
    service-policy SSLVPN-to-IN-POLICY
Zone-pair name IN->SSLVPN
    Source-Zone in-zone  Destination-Zone sslvpn-zone
    service-policy IN-to-SSLVPN-POLICY
Zone-pair name SELF->SSLVPN
    Source-Zone self  Destination-Zone sslvpn-zone
    service-policy SELF-to-SSLVPN-POLICY
Zone-pair name IN->SELF
    Source-Zone in-zone  Destination-Zone self
    service-policy IN-to-SELF-POLICY
Zone-pair name IN->IN
    Source-Zone in-zone  Destination-Zone in-zone
    service-policy IN-to-IN-POLICY
Zone-pair name SELF->OUT
    Source-Zone self  Destination-Zone out-zone
    service-policy SELF-to-OUT-POLICY
Zone-pair name OUT->SELF
    Source-Zone out-zone  Destination-Zone self
    service-policy OUT-to-SELF-POLICY
Zone-pair name IN->OUT
    Source-Zone in-zone  Destination-Zone out-zone
    service-policy PERMIT-ALL
Zone-pair name OUT->IN
    Source-Zone out-zone  Destination-Zone in-zone
    service-policy OUT-to-IN-POLICY
Zone-pair name SSLVPN->SELF
    Source-Zone sslvpn-zone  Destination-Zone self
    service-policy SSLVPN-to-SELF-POLICY
I also tried adding a zone pair from the out-zone to the sslvpn-zone passing all traffic, and it doesn't change anything.
Zone networks:
G0/0.15: 172.16.0.1/26
G0/0.30: 172.16.0.65/26
G0/0.35: 172.16.0.129/25
G0/0.45: 172.18.0.1/28
SSL VPN pool: 172.20.0.1 - 172.20.0.14
IOS version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)
Glad it works now. Weird issue, no doubt.
I guess the deployment guide said that the firewall will not support TCP inspection to the self zone; however, nested class maps are used to accomplish this. To be completely honest, I think it's a mess, and the best thing to do is to apply the pass action to self for the protocols you want and then drop the rest.
Let us know if you have any other problems.
Mike
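The reply above recommends passing only the wanted protocols to the self zone and dropping the rest. The following is an added example of that pattern for the router's own SSL VPN (TCP 443) and IPsec (IKE, NAT-T, ESP) services; it is not the poster's configuration or Mike's, and the zone-pair, class-map, policy-map and ACL names are assumed placeholders. The zone names out-zone and self follow the poster's output. Because `pass` is stateless, the SELF->OUT pair must also let the replies out, which is why the second policy exists.

```cisco
! Added example, not the poster's configuration.  Assumed names: zone pair
! OUT-SELF / SELF-OUT, ACL OUT-TO-SELF-SERVICES, class-map CM-OUT-TO-SELF,
! policy-maps PM-OUT-TO-SELF and PM-SELF-TO-OUT.  Zones out-zone and self
! are those shown in the poster's "show zone security" output.
!
! Services the router itself offers to the Internet: SSL VPN on TCP 443,
! IKE (UDP 500), NAT-T (UDP 4500) and ESP.  "any" as destination is
! acceptable because the self zone only ever sees router-owned addresses.
ip access-list extended OUT-TO-SELF-SERVICES
 permit tcp any any eq 443
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all CM-OUT-TO-SELF
 match access-group name OUT-TO-SELF-SERVICES
!
! Pass (not inspect) to self, as the reply suggests; everything else aimed
! at the router from the outside is dropped and logged.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OUT-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source out-zone destination self
 service-policy type inspect PM-OUT-TO-SELF
!
! pass keeps no session state, so the router's replies (and the sessions
! the router originates: DNS, NTP, syslog, IKE it initiates) need their own
! policy on the self-to-outside pair.  Once any SELF->OUT zone pair exists,
! the default "self traffic is permitted" behaviour no longer applies.
policy-map type inspect PM-SELF-TO-OUT
 class class-default
  pass
!
zone-pair security SELF-OUT source out-zone destination self
 service-policy type inspect PM-SELF-TO-OUT
!
! Verification (exec mode): the pass counter of CM-OUT-TO-SELF should
! increase while an outside client opens https://<router-outside-ip>/,
! and drop-log messages show what else was aimed at the router.
!   show policy-map type inspect zone-pair OUT-SELF
```

Note that the SELF-OUT pair above is written with `source self destination out-zone` in the real command; the placeholder names are the only assumption. Tightening PM-SELF-TO-OUT to specific services is possible but requires listing every protocol the router itself initiates.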
-
Routing a site-to-site VPN to remote VPN users
Hello
We have a site-to-site VPN and a remote access VPN configured on the same interface of an ASA 5520 (software version 8.3). When the remote VPN users try to connect to computers located at the far end of the site-to-site VPN, their requests fail. I tried NAT exemption between the remote VPN private IPs and the private IP addresses of the remote site, and also added the same to the split tunneling. I can't even get a tracert; ping has also timed out.
Is there any solution to make this thing work?
Shankar.
There are a few things that need to be added to make it work:
(1) on the ASA where the remote VPN users connect, you must add "same-security-traffic permit intra-interface"
(2) you mention that you have added the LAN of the remote site-to-site end to the split tunnel list, so that's good.
(3) on the ASA terminating the remote access VPN, you must also add the following:
- the crypto ACL for the site-to-site VPN must include the following:
access-list permit ip
(4) on the ASA at the remote site-to-site end, you must add:
- the crypto ACL for the site-to-site VPN must include the following:
access-list permit ip
- NAT exemption: access-list permit ip
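The four steps above, written out as one ASA 8.3 configuration on the remote access side. This is an added example, not the poster's or the replier's configuration; the VPN pool 10.10.10.0/24, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, peer 203.0.113.2 and all object, ACL, group-policy and crypto map names are assumed placeholders. The remote site's own crypto ACL and NAT exemption (step 4) are the mirror image and are only noted in comments.

```cisco
! Added example (ASA 8.3 syntax), not the poster's configuration.
! Assumed values: VPN pool 10.10.10.0/24, local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24 behind peer 203.0.113.2, names below.
!
! (1) Let decrypted remote-access traffic leave through the same
!     interface it arrived on (hairpin onto the site-to-site tunnel).
same-security-traffic permit intra-interface
!
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! (2) The split-tunnel list pushed to the clients must contain the far
!     LAN, or the client never sends that traffic into its tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! (3) The site-to-site crypto ACL carries pool<->remote LAN in addition
!     to LAN<->remote LAN.  Step (4): the peer's crypto ACL must be the
!     exact mirror (192.168.2.0/24 -> 192.168.1.0/24 and -> 10.10.10.0/24).
access-list L2L-CRYPTO extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list L2L-CRYPTO extended permit ip object VPN-POOL object REMOTE-LAN
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
! (transform set, crypto map binding and tunnel-group as already configured)
!
! NAT exemption for both flows.  Pool traffic enters and exits on
! outside, so its rule is (outside,outside); the peer needs the mirror
! rules for its LAN towards 192.168.1.0/24 and 10.10.10.0/24.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
!
! Verification: a simulated client packet should pass the NAT and
! access-list phases untranslated and end in the VPN (encrypt) phase
! rather than DROP.
!   packet-tracer input outside icmp 10.10.10.5 8 0 192.168.2.10
```

If the trace ends in a DROP at the NAT phase, the exemption is missing or ordered below a conflicting rule; if it ends in DROP at the VPN phase, the crypto ACL on one side does not cover the pool.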
-
VPN site to site with restrictions (vpn-filter)
I have installed a site-to-site VPN and it works fine; the two sites can reach each other. But I have a question about enforcing a vpn-filter under the group policy to
restrict users in the local site to reaching specific TCP ports. The VPN does not seem to like it (checked with «sh vpn-sessiondb l2l»).
It works, but users can't access anything in the remote site.
Note > after adding this line at the end of the ACL
access-list US_SITE permit ip any any
it works well again.
Example of an Access-List line:
access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.23 object-group HTTP_HTTPS
access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.24 object-group HTTP_HTTPS
local network: 10.68.22.50
remote network: 192.168.10.24
Is that correct or not?
group-policy x.x.x.x attributes
 vpn-filter value US_SITE
tunnel-group y.y.y.y general-attributes
 default-group-policy x.x.x.x
Note: sysopt connection permit-vpn is enabled
The syntax of an ACL that is used as a vpn-filter is different from what is normally expected. These VPN filters are not directional: the traffic we want to permit, inbound and outbound of the VPN, is noted in one ACL. The syntax for this is:
access-list X permit/deny REMOTE-DEFINITION LOCAL-DEFINITION
Example: you want to permit local users to access RDP on the remote site:
access-list VPN-ACL permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0
Disadvantage: this is all really confusing, and you can't permit things like ping in one direction only.
-
ASA Site to Site and SSL VPN stop working
Thanks in advance for any advice
We have an ASA 5510; users were able to connect via AnyConnect without any problems. We opened a new office with an ASA 5505 and decided to set up a site-to-site VPN over IPsec. We used the basic wizard and everything went smoothly at both ends. However, users who have always used the SSL VPN say that they can connect to the original site, but they can no longer reach their RDP virtual machines or get anywhere on the network. I don't know why something like this can happen.
You can change the SSL VPN DHCP scope to give a different subnet for IP addresses. Maybe try 192.168.10.0 255.255.255.0. Let me know if you can and whether that corrects the issue.
Sent from Cisco Technical Support iPhone App
-
PIX-SonicWall Site-to-Site and Cisco VPN Client
I have a PIX 506e firewall with a site-to-site VPN to a SonicWall Pro 330 firewall which works perfectly. I would like to add the functionality of remote users connecting to the network using the Cisco VPN client on the PIX. I'm under the impression that only a single crypto map can be applied to the outside interface. I need the site-to-site tunnel to be able to be initiated from either end, so I can't use a dynamic crypto map. Does anyone have suggestions or knowledge on how to achieve this?
Thank you.
You don't need to add another crypto map to the outside interface. You simply add the client entries to your existing map, for example:
crypto ipsec transform-set YOURSET esp-3des esp-sha-hmac
crypto map YOURMAP 10 ipsec-isakmp
crypto map YOURMAP 10 match address 100
crypto map YOURMAP 10 set peer x.x.x.x
crypto map YOURMAP 10 set transform-set YOURSET
crypto dynamic-map CLIENTS 10 set transform-set YOURSET
crypto map YOURMAP 90 ipsec-isakmp dynamic CLIENTS
-
Site to Site VPN connection between ASA and router 2800
I'm trying to get a L2L VPN working between an ASA on code 8.4 and a 2800 on 12.4.
I first saw the following errors in the debug logs on the ASA side:
Error message %PIX|ASA-6-713219: Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I see the following on the 2800 end:
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0): Support for IKE Fragmentation not enabled
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching x.x.x.x
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID is Unity
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID seems Unity/DPD but major 54 mismatch
ISAKMP:(2345): vendor ID is XAUTH
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): speaking to another IOS box!
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID seems Unity/DPD but hash mismatch
ISAKMP:received payload type 20
ISAKMP (2345): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (2345): No NAT Found for self or peer
ISAKMP:(2345):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(2345):Old State = IKE_R_MM3  New State = IKE_R_MM3
ISAKMP:(2345): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
----------
This is part of the configuration of the ASA:
object network ABCD
 subnet 10.20.30.0 255.255.255.0
object network ABCD-Net
 subnet 172.16.10.0 255.255.255.0
access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60
nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
object-group network XXXX-20
 network-object object ABCD-Net
 group-object abcd-Int-Net
XXXX_127
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60
crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA
object-group network XXXX
 network-object object ABCD-Net
 group-object abcd-Int-Net
------------------------
Here is a part of the 2800:
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key r2374923 address 72.15.21.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map cry-map-1 1 ipsec-isakmp
 set peer 72.15.21.xxx
 set transform-set ESP-3DES-SHA
 match address VPN
!
class-map type inspect match-all class-map-vpn
 match access-group 100
class-map type inspect match-all cm-inspect-1
 match access-group name inside-out
class-map type inspect match-all cm-inspect-2
 match access-group name outside
!
!
policy-map type inspect policy-map-inspect
 class type inspect cm-inspect-1
  inspect
 class class-default
  drop
policy-map type inspect policy-map-inspect-2
 class type inspect class-map-vpn
  inspect
 class type inspect cm-inspect-2
 class class-default
  drop
!!
interface FastEthernet0
 ip address 74.25.89.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 duplex auto
 speed auto
 crypto map cry-map-1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source route-map route-map-1 interface FastEthernet0 overload
!
ip access-list extended inside-out
 permit ip 172.16.10.0 0.0.0.255 any
ip access-list extended nat-acl
 deny   ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
ip access-list extended outside
 permit ip any any
ip access-list extended VPN
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.200.0.0 0.0.255.255
access-list 23 permit 172.16.10.0 0.0.0.255
access-list 123 remark category class-map-ACL-4 = 0
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!!
route-map route-map-1 permit 1
 match ip address nat-acl
!
Hello
I quickly browsed your config and what I could notice is:
your transform sets (isakmp) on the ASA and the router are not the same; try to configure the same on both sides.
In the ASA NAT statement you gave (any,any); try to give the interface names instead of any.
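Both points of the reply, as an added example rather than the poster's or the replier's configuration: the IKEv1 phase 1 and phase 2 parameters written identically on an ASA 8.4 and an IOS router, and the ASA NAT exemption bound to the interfaces the traffic actually uses instead of (any,any). The ASA LAN 172.16.10.0/24 and router LAN 192.168.0.0/16 follow the poster's config; the peer addresses 198.51.100.1 (ASA) and 203.0.113.1 (router), the pre-shared key placeholder and all object, ACL and map names are assumptions.

```cisco
! Added example, not the poster's configuration.  Assumed values: ASA
! outside 198.51.100.1 with LAN 172.16.10.0/24 behind "inside"; router
! outside 203.0.113.1 with LAN 192.168.0.0/16; <PSK-PLACEHOLDER> stands
! for the shared secret; object/ACL/map names are placeholders.
!
! ---------- ASA 8.4 side ----------
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
object network ASA-LAN
 subnet 172.16.10.0 255.255.255.0
object network RTR-LAN
 subnet 192.168.0.0 255.255.0.0
!
access-list L2L-CRYPTO extended permit ip object ASA-LAN object RTR-LAN
! Exemption bound to the real ingress/egress interfaces, not (any,any).
nat (inside,outside) source static ASA-LAN ASA-LAN destination static RTR-LAN RTR-LAN no-proxy-arp
!
! A single transform set that the router also offers; a long list is
! negotiable but makes mismatches harder to spot.
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! ---------- IOS 12.4 side (mirror image) ----------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Crypto ACL is the exact reverse of L2L-CRYPTO on the ASA.
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
crypto map CRY-MAP 1 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address VPN
!
! Verification after generating traffic from either LAN: phase 1 should
! show an active SA and phase 2 should show encaps/decaps counters moving
! on both ends.
!   ASA:    show crypto ikev1 sa
!           show crypto ipsec sa peer 203.0.113.1
!   Router: show crypto isakmp sa
!           show crypto ipsec sa
```

If phase 1 completes but phase 2 never does, compare the two transform sets and the two crypto ACLs line by line; a proxy-identity mismatch (one side using a /24 where the other uses a /16) fails at exactly that stage.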
-
PIX Site to Site w/ remote VPN Clients
I accidentally posted this question in the wrong forum earlier today. I couldn't find a way to move it or delete it, so I apologize for the duplication.
I set up a site-to-site VPN between 2 PIX 506e. I set up the VPN tunnel using the VPN Wizard, and it seems to work fine.
However, I also have users that VPN directly into the PIX via PPTP or a Cisco VPN client. These users are not able to access resources that are on the other end of the VPN tunnel. It seems that the crypto map ACL that triggers sending the packets into the tunnel is not being matched, but I have not been able to figure out how to make this work correctly.
PIX A has a local subnet of 192.168.1.x/24. PIX B has a local subnet of 192.168.2.x/24. Traffic between these 2 subnets flows through the tunnel. However, when a person VPNs into PIX B, they are also placed in the 192.168.2.x/24 subnet, but they are unable to access anything whatsoever in the 192.168.1.x/24 subnet. Is something like this possible? The config of PIX B is attached. Any help you could offer would be greatly appreciated.
Thank you
-Steve
This is not possible with the PIX and version 6.3 of the code.
If you are running 7.0 or higher on the PIX, then yes, it is possible. Please see the URL below for more configuration information. The feature you're looking for is called 'intra-interface'.
In addition, 7.0 and above are not supported on PIX 501, 506, and 520.
Kind regards
Arul
*Please rate all helpful posts*
-
Two links to remote sites (one EIGRP, one VPN)
I have an existing EIGRP link to the remote site; now I'm going to set up an ASA-to-ASA VPN tunnel. Site A allows full access to site B, site B allows access to site A. If my EIGRP link goes down, can the VPN link take over?
How do I start the VPN connection?
Paul
I am attaching a diagram for you, please take a look. That's how I would have done it. I don't know if it reflects what your management wants. Keep things simple and not very complicated. If a site has multiple Internet connections, use one. First step: get the network up and stable using one connection; once your sites are converted, let it burn in for a few weeks before you add the VPN/double GRE tunnels.
I can't really say what would be best in your case, as I don't know what your business is or how things affect users. All I can give is a suggestion that you may have to change according to your needs and objectives.
Thank you
NH
-
Site to site ASA 5505 VPN does not work
Hello
We have problems configuring our site-to-site VPN with our ASA 5505s. We ran the wizards, which seem to be straightforward, but we have no luck getting them to communicate with each other via ping or anything else. If someone could help us, here are our configs for our two sites:
Site A:
Output of the command: "sho run"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.45.20 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.xxx.xxx.249 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inbound extended permit tcp host 173.xxx.xxx.249 eq www any
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 173.xxx.xxx.249 eq www
access-list inbound extended permit tcp host 173.xxx.xxx.249 eq https any
access-list inbound extended permit tcp any host 173.xxx.xxx.249 eq https
access-list outside_20_cryptomap extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route inside 192.168.0.0 255.255.255.0 192.168.45.20 1
route inside 192.168.0.0 255.255.0.0 192.168.45.20 1
route outside 0.0.0.0 0.0.0.0 173.xxx.xxx.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 50.xxx.xxx.89
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.45.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.45.20 68.xxx.xxx.194
dhcpd auto_config outside
!
tunnel-group 50.xxx.xxx.89 type ipsec-l2l
tunnel-group 50.xxx.xxx.89 ipsec-attributes
 pre-shared-key *   (the key is the same on the two ASAs)
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Site B:
Output of the command: "sho run"
: Saved
:
ASA Version 7.2(4)
!
hostname
domain-name default.domain.invalid
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.42.12 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.xxx.xxx.89 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inbound extended permit tcp interface outside eq 3389 host 192.168.42.26
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp interface outside eq 39000 host 192.168.42.254
access-list inbound extended permit tcp interface outside eq 39001 host 192.168.42.254
access-list inbound extended permit tcp interface outside eq 39002 host 192.168.42.254
access-list inbound extended permit udp interface outside eq 39000 host 192.168.42.254
access-list inbound extended permit udp interface outside eq 39001 host 192.168.42.254
access-list inbound extended permit udp interface outside eq 39002 host 192.168.42.254
access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 3389 any
access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 3389
access-list inbound extended permit tcp host 50.xxx.xxx.89 eq www any
access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq www
access-list inbound extended permit tcp host 50.xxx.xxx.89 eq https any
access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq https
access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 39000 any
access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 39000
access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 16450 any
access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 16450
access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.42.26 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
static (inside,outside) udp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
static (inside,outside) tcp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
static (inside,outside) udp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
static (inside,outside) tcp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
static (inside,outside) udp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
static (inside,outside) tcp interface 16450 192.168.42.254 16450 netmask 255.255.255.255
access-group inbound in interface outside
route inside 192.168.0.0 255.255.255.0 192.168.42.12 1
route inside 192.168.0.0 255.255.0.0 192.168.42.12 1
route outside 0.0.0.0 0.0.0.0 50.xxx.xxx.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.42.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 173.xxx.xxx.249
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.42.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.42.13 - 192.168.42.44 inside
!tunnel-group 173.xxx.xxx.249 type ipsec-l2l
173.xxx.xxx.249 group of tunnel ipsec-attributes
pre-shared-key * (same as the other ASA)
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 1500
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: endThank you very much as I apperciate your all of the help.
Scott
Hi Scott,
Configs look very good. I don't know why you need the route statements for the 192.168.0.0 255.255.0.0 network on both sides; they point to the inside of the ASA. Remove them and try to reach the PC at the other end. If you need to keep them, then try adding specific routes:
A:
route outside 192.168.42.0 255.255.255.0 173.xxx.xxx.250 1
B:
route outside 192.168.45.0 255.255.255.0 50.xxx.xxx.94 1
HTH
MS
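As an added example (not from the thread), a small Python audit that applies MS's two checks to a pre-8.3 ASA config excerpt: that the crypto map's interesting traffic is covered by the nat 0 exemption ACL, and that the remote VPN subnet is not captured by a more specific route pointing away from the interface the crypto map sits on. The config sample is constructed from the posted lines; the regexes cover only the commands shown here.

```python
import ipaddress
import re

# Constructed sample built from the pre-8.3 ASA lines posted above (public octets masked "xxx").
SAMPLE_CONFIG = """
access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.0.0 255.255.0.0 192.168.42.12 1
route outside 0.0.0.0 0.0.0.0 50.xxx.xxx.94 1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
IFACE_RE = re.compile(r"^crypto map \S+ interface (\S+)")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit_vpn_nat_and_routing(config):
    """Return findings: crypto-map traffic missing from the nat 0 exemption ACL, and
    remote VPN subnets whose most specific route leaves on another interface."""
    acls, routes, crypto_acls, nat0_acl, crypto_iface = {}, [], [], None, None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1), _net(m.group(2), m.group(3))))
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := IFACE_RE.match(line):
            crypto_iface = m.group(1)
    exempt, findings = acls.get(nat0_acl, []), []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{src} -> {dst} in {name} is not exempted by nat 0 ACL {nat0_acl}")
            # longest-prefix match: the most specific route decides the exit interface
            best = max((r for r in routes if dst.subnet_of(r[1])), key=lambda r: r[1].prefixlen, default=None)
            if best and best[0] != crypto_iface:
                findings.append(f"{dst} is routed via {best[0]} ({best[1]}), not {crypto_iface} where the crypto map is applied")
    return findings
```

On the sample above the only finding is the /16 inside route swallowing 192.168.45.0/24; adding MS's specific outside route clears it.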
-
Traffic between remote sites via Cisco Easy VPN
We have a Cisco 2921 router at headquarters (Easy VPN server) and deployed Cisco 887VA routers (Easy VPN network extension mode) for the remote offices using Easy VPN. We allow voice and data traffic over the VPN. Everything had been working great until this problem was discovered today:
When a remote user behind a Cisco 887VA calls another remote user also behind a Cisco 887VA, the call connects and the Avaya IP phone rings, but there is no voice in either direction.
Calls from headquarters and from external mobile/fixed lines are very good. Only calls between two remote sites are affected.
There is no need for a data connection between the remote sites; our only concern is the voice.
By the looks of it, I think that "hairpinning" traffic on the VPN interface is necessary, but I need some advice on the configuration (example configs etc.).
Thanks in advance.
Thanks for your quick response.
I am sorry, I assumed that the clients had been configured in client mode.
No need to remove SDM_POOL_1, given that the clients are already configured in NEM.
But add:
crypto isakmp client configuration group CliniEasyVPN
 network extension mode
Are you able to ping from one site to the other?
Please make this change:
ip access-list extended 105
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
* Of course, exempt the traffic from translation on the spokes.
Let me know if you have any questions.
Thank you.
Portu.
-
Router-to-PIX site-to-site VPN and VPN client
I have two VPN connections terminating on one interface of the PIX. Both the VPN client and the site-to-site VPN have passed phase one and two and are encrypting and decrypting packets. However, as in another post, I cannot ping through the L2L VPN. I checked that this isn't a NAT problem: the NAT 0 on the PIX and the NAT access lists on the router both work correctly.
RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 66.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 40, #recv errors 0

     local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
     path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
     current outbound spi: 0xC4BAC5E(206285918)

     inbound esp sas:
      spi: 0xD7848FB(225986811)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4573083/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4BAC5E(206285918)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4572001/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Extended IP access list NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
Extended IP access list VPN_ACCESS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)
I looked on the internet and it points to a routing error when packets are being encrypted and decrypted but you still can't ping across the link. However, when I test the connection I did not enter any static routes, as the networks are directly connected on each side of the PIX and the router. Any help would be appreciated, as I think maybe something is blocking the ping from reaching the internal network at the PIX end with a configured access list.
Is the ping failure the only problem across the site-to-site VPN? I am assuming that all other traffic works fine, since it encrypts and decrypts the packets.
If it's just ping, then please enable the following on the PIX:
If it is version 6.3 and below: fixup protocol icmp
If it is version 7.0 and higher: add "inspect icmp" under your global policy-map.
Complete configs from both sides could help determine whether it's a configuration problem or something else.