Site to site VPN on Cisco 1811

Hi all

Here is my site-to-site VPN setup on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
 set peer 11.x.x.x
 set security-association lifetime seconds 28800
 set transform-set test
 set pfs group2
 match address test
!
!
!
!
interface FastEthernet0
 description Connection to the Public Internet
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map HP
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description Local LAN subnet
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended test
 permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
 permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3

You are absolutely right on your understanding.
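Reading the posted config, access-list 101 only permits translation toward a single /30 destination (wildcard 0.0.0.3), so traffic bound for the remote VPN subnet never matches the NAT rule and is encrypted untranslated; the tunnel works without an explicit exemption rather than because of one. What an explicit NAT exemption looks like on IOS is shown below as an added example written for this page (not the poster's config and not Cisco documentation). Constructed addresses: local LAN 10.1.1.0/24 on Vlan1, remote LAN 10.2.2.0/24 behind a constructed peer 192.0.2.1; the interface, crypto map and transform-set names follow the posted config.

```cisco
! Added example, not the poster's config. Constructed addresses:
!   local LAN  10.1.1.0/24 on Vlan1
!   remote LAN 10.2.2.0/24 behind peer 192.0.2.1
!
! Crypto ACL: the flows that must be encrypted (mirrored on the peer)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! NAT ACL: deny the same flows FIRST so they are never translated, then
! permit the rest of the LAN for PAT to the Internet. Order matters: a
! "permit ip 10.1.1.0 0.0.0.255 any" placed first would rewrite VPN
! traffic to the public address, and it would no longer match VPN-TRAFFIC.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map NO-NAT-VPN permit 10
 match ip address NAT-TRAFFIC
!
! Replaces the posted "ip nat inside source list 101 ..." statement
no ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source route-map NO-NAT-VPN interface FastEthernet0 overload
!
crypto map test 50 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set test
 set pfs group2
 match address VPN-TRAFFIC
!
interface FastEthernet0
 ip nat outside
 crypto map test
!
interface Vlan1
 ip nat inside
!
! Checks after a ping from 10.1.1.10 to 10.2.2.10:
!   show ip nat translations | include 10.2.2    -> should print nothing
!   show crypto ipsec sa | include pkts          -> encaps/decaps counters rising
```

The deny lines must cover every subnet listed in the crypto ACL; whenever a new remote network is added to the tunnel, the NAT ACL needs the matching deny, otherwise that network silently starts being translated and the tunnel stops carrying it.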

Tags: Cisco Security

Similar Questions

  • Help with VPN site-to-site under another VPN

    Hello guys,

    I need help with this scenario.

    Branch --> HQ --> Remote Site, where:

    Branch: Internal = 192.168.50.0/24

    HQ: Internal = 192.168.40.0/24

    Remote Site = 10.175.26.0/24

    Branch + HQ: two ASAs with ESP-3DES-MD5. (Here we use the actual LAN IP range for the encryption domain.)

    HQ + Remote Site: ASA on my side with ESP-AES-256-SHA. (Here, to reach the Remote Site 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)

    Now we need the branch to reach the Remote Site, going through the Branch-HQ VPN and then the HQ-Remote Site VPN.

    My actions:

    Branch firewall:

    - In the Site to Site VPN configuration, I added 10.175.26.0/24 as a remote network of the tunnel between the branch and HQ.

    - I added the NAT EXEMPTION for 10.175.26.0/24 on the inside.

    HQ firewall:

    - In the Site to Site VPN configuration, I added 10.175.26.0/24 as a remote network of the tunnel between the branch and HQ.

    - I created a dynamic policy NAT: outside source = branch IP range, to Remote Site IP range = translated to 172.18.0.10.

    This already works for another Remote Site, but that one has the IPsec proposal ESP-3DES-MD5 (the same as the branch). I don't know if this is the problem, but I tried using the two proposals together, 3DES-MD5 and AES-256-SHA.

    Firewall rules are OK too.

    Where is the error in this configuration?

    Thank you

    Diego

    Hi,

    Solved in this post.

  • Site to site VPN - problem with IOS 12.4 on the site?

    I have a site with several VPNs configured. Sites with routers (all Cisco) running IOS 12.3 or lower are fine. New routers with IOS 12.4 can establish the VPN connection and I can ping the remote networks. When I try to access the Intranet home page from a remote site, the home page is displayed, but I am not able to access all pages. The same thing is happening with another application (SQL Server program). The client (remote site) can connect to the SQL database and perform a task, and then gets a connectivity error. Sites running IOS 12.3 do not have these problems.

    ANY IDEAS please?

    Looks like an MTU problem.

    See if you can clear the DF bit in the encrypted packet using the command

    crypto ipsec df-bit clear

    or

    on the output interface, use the command ip tcp adjust-mss 1400.

    Let me know if it helps

  • Site to Site and Site to VPN Client

    Hi all

    I have installed a Site to Site VPN that works very well. Then I set up the Site to VPN Client, which also worked well, but the Site to Site VPN went offline. If I take off the following 3 lines of the Site to VPN Client, the Site to Site VPN starts working.

    crypto map vpn client authentication list vpnuser

    crypto map vpn isakmp authorization list groupauthor

    crypto map vpn client configuration address respond

    Here is my complete config. Please suggest.

    crypto isakmp policy 9
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 203.13.x.x
    !
    crypto isakmp client configuration group vpnclient
     key cisco123
     dns 192.168.10.15
     domain ic.com
     pool ippool
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set CISCOSET
    !
    !
    !
    crypto map vpn client authentication list vpnuser
    crypto map vpn isakmp authorization list groupauthor
    crypto map vpn client configuration address respond
    crypto map vpn 1 ipsec-isakmp
     set peer 203.13.x.x
     set transform-set CISCOSET
     match address acl_ncsvpn
    crypto map vpn 10 ipsec-isakmp dynamic dynmap
    ip local pool ippool 10.10.10.1 10.10.10.10
    ip access-list extended acl_internet
     deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_natisp1
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_natisp2
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_ncsvpn
     permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
    ip access-list extended acl_vpn
     permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255

    Please try the following command

    crypto isakmp key cisco address 203.13.x.x no-xauth

    and then give it a try

  • Unable to connect to the SSL VPN web site with zone-based firewall configured

    I recently upgraded my company's 2911 and set up a zone-based firewall. This is my first experience with it; I used Cisco Configuration Professional to build the firewall configuration first and then edited the names to make them human-readable. The only problem I can't solve is reaching the SSL VPN web site from outside. I can browse the site and connect without problem from the inside, and even if that was useful to verify that the routing and the site work properly, it is really not what I need. I don't get anything in the syslog for drops by the firewall, or for any other reason, but a packet capture shows that no response is received when trying to browse to the web site from outside. I am currently using an IPsec VPN client solution until I can get this to work, and have no problem with it. I have attached a sanitized configuration with the relevant lines included (deleted ~400 lines including logging, many zone-to-zone inspections and the IPsec VPN, which I already mentioned). I searched for anything about this problem and nobody has a problem connecting to their web site, just getting other features to work correctly. All thoughts are welcome.

    show zone security

    zone in-zone
      Member Interfaces:
        GigabitEthernet0/0.15
        GigabitEthernet0/0.30
        GigabitEthernet0/0.35
        GigabitEthernet0/0.45
    zone out-zone
      Member Interfaces:
        GigabitEthernet0/1
    zone sslvpn-zone
      Member Interfaces:
        Virtual-Template1
        SSLVPN-VIF0

    I tried changing the zone membership of interface Virtual-Template1 to the outside zone; nothing helps.

    show zone-pair security

    Zone-pair name SSLVPN-to-IN
        Source-Zone sslvpn-zone  Destination-Zone in-zone
        service-policy SSLVPN-to-IN-POLICY
    Zone-pair name IN-to-SSLVPN
        Source-Zone in-zone  Destination-Zone sslvpn-zone
        service-policy IN-to-SSLVPN-POLICY
    Zone-pair name SELF-to-SSLVPN
        Source-Zone self  Destination-Zone sslvpn-zone
        service-policy SELF-to-SSLVPN-POLICY
    Zone-pair name IN-to-SELF
        Source-Zone in-zone  Destination-Zone self
        service-policy IN-to-SELF-POLICY
    Zone-pair name IN-to-IN
        Source-Zone in-zone  Destination-Zone in-zone
        service-policy IN-to-IN-POLICY
    Zone-pair name SELF-to-OUT
        Source-Zone self  Destination-Zone out-zone
        service-policy SELF-to-OUT-POLICY
    Zone-pair name OUT-to-SELF
        Source-Zone out-zone  Destination-Zone self
        service-policy OUT-to-SELF-POLICY
    Zone-pair name IN-to-OUT
        Source-Zone in-zone  Destination-Zone out-zone
        service-policy ALLOW-ALL
    Zone-pair name OUT-to-IN
        Source-Zone out-zone  Destination-Zone in-zone
        service-policy OUT-to-IN-POLICY
    Zone-pair name SSLVPN-to-SELF
        Source-Zone sslvpn-zone  Destination-Zone self
        service-policy SSLVPN-to-SELF-POLICY

    I also tried adding a zone-pair from the outside zone to sslvpn-zone passing all traffic, and it doesn't change anything.

    Zone networks

    G0/0.15  172.16.0.1/26
    G0/0.30  172.16.0.65/26
    G0/0.35  172.16.0.129/25
    G0/0.45  172.18.0.1/28

    SSL VPN pool

    172.20.0.1 - 172.20.0.14

    Latest version of IOS:

    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

    Glad it works now. Weird issue, no doubt.

    I guess the deployment guide said that the firewall will not support TCP inspection to the self zone; however, nested class maps are used to accomplish this. To be completely honest, I think it's a mess, and the best thing to do is pass traffic to self for the protocols you want and then drop the rest.

    Let us know if you have any other problems.

    Mike
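What "pass only the protocols you want to self, then drop the rest" looks like for the SSL VPN listener, as an added example written for this page (not Mike's or the poster's config). It reuses the zone and zone-pair names from the posted output and assumes a constructed outside address 198.51.100.2 on GigabitEthernet0/1, with both the SSL VPN (TCP 443) and the IPsec client VPN the poster mentions terminating on that address.

```cisco
! Added example, not from the thread. Constructed: outside address 198.51.100.2.
! Zone names (out-zone, self) and zone-pair names follow the posted output.
!
! Traffic the router itself must accept from the Internet: SSL VPN on 443,
! IKE (UDP 500), NAT-T (UDP 4500), ESP, and echo for reachability tests.
ip access-list extended OUT-TO-SELF-ACL
 permit tcp any host 198.51.100.2 eq 443
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq non500-isakmp
 permit esp any host 198.51.100.2
 permit icmp any host 198.51.100.2 echo
!
class-map type inspect match-all OUT-TO-SELF-CLASS
 match access-group name OUT-TO-SELF-ACL
!
! "pass" is stateless (no inspection to the self zone), so the matching
! reply traffic needs its own pass rule on the SELF-to-OUT pair below.
policy-map type inspect OUT-to-SELF-POLICY
 class type inspect OUT-TO-SELF-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT-to-SELF source out-zone destination self
 service-policy type inspect OUT-to-SELF-POLICY
!
ip access-list extended SELF-TO-OUT-ACL
 permit tcp host 198.51.100.2 eq 443 any
 permit udp host 198.51.100.2 eq isakmp any
 permit udp host 198.51.100.2 eq non500-isakmp any
 permit esp host 198.51.100.2 any
 permit icmp host 198.51.100.2 any echo-reply
!
class-map type inspect match-all SELF-TO-OUT-CLASS
 match access-group name SELF-TO-OUT-ACL
!
policy-map type inspect SELF-to-OUT-POLICY
 class type inspect SELF-TO-OUT-CLASS
  pass
 class class-default
  drop log
!
zone-pair security SELF-to-OUT source self destination out-zone
 service-policy type inspect SELF-to-OUT-POLICY
!
! Checks from outside, then on the router:
!   show policy-map type inspect zone-pair OUT-to-SELF   -> pass counters for 443
!   show logging | include OUT-to-SELF                     -> class-default drops
!   show webvpn sessions                                   -> the test session, once it connects
```

The "drop log" on class-default is what gives you the syslog evidence the poster could not find; with CCP-generated policies it is common for class-default to drop silently, which is why a capture shows no reply and the log shows nothing.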

  • Routing of a Site to site VPN to remote VPN users

    Hello

    We have a site to site and a remote VPN configured on the same interface of an ASA 5520 (software version 8.3). When the remote VPN users try to connect to the computers located at the far end of the site to site VPN, their request fails. I tried no-NAT between the remote VPN private IPs and the private IP addresses of the remote site, and also added the same to split tunneling. I can't even get a tracert; ping also times out.

    Is there any solution to make this thing live?

    Shankar.

    There are a few things that need to be added to make it work:

    (1) on the ASA where the remote VPN users connect to, you must add "same-security-traffic permit intra-interface"

    (2) you mention that you have added the LAN of the remote site-to-site in the split tunnel list, so that's good.

    (3) on the ASA terminating the remote access VPN, you must also add the following:

    - Crypto ACL for the site to site VPN must include the following:

    access-list permit ip

    (4) on the remote site-to-site ASA, you must add:

    - Crypto ACL for the site to site VPN must include the following:

    access-list permit ip

    - No-NAT: access-list permit ip

  • VPN site to Site with restrictions (vpn-filter)

    I installed a site to site VPN and it works fine and the two sites can communicate, but I have a question after enforcing a vpn-filter under the group policy

    to restrict users in the local site to specific tcp ports: the vpn no longer comes up, as seen with the command «sh vpn-sessiondb l2l»

    This works but users can't access anything in the remote site

    Note > after adding a line at the end of the ACL with this

    access-list US_SITE extended permit ip any any

    it works well again

    Example of an Access-List line

    access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.23 object-group HTTP_HTTPS
    access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.24 object-group HTTP_HTTPS

    local network: 10.68.22.50

    remote network: 192.168.10.24

    is that correct or not?

    group-policy x.x.x.x attributes
     vpn-filter value US_SITE

    tunnel-group y.y.y.y general-attributes
     default-group-policy x.x.x.x

    Note: sysopt connection permit-vpn enabled

    The syntax of an ACL that is used as a vpn-filter is different from what is normally expected. These VPN filters have no direction; the traffic we want to allow inbound and outbound through the VPN must be noted in one ACL. The syntax for this is:

    access-list X permit/deny REMOTE-DEFINITION LOCAL-DEFINITION

    Example: you want to allow local users to access RDP on the remote site:

    access-list VPN-ACL permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0
    Disadvantage: this is all really confusing, and you can't allow things like ping in only one direction.
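
The US_SITE lines in the question put the local host first, which is normal ACL order but the reverse of what a vpn-filter expects, so the filter never matches and everything across the tunnel is dropped until the "permit ip any any" is appended. With the remote side first, as the reply describes, one line covers a connection in both directions. Below is an added example written for this page (not the poster's config); it takes the local network 10.68.22.0/24 and remote hosts 192.168.10.23 and 192.168.10.24 from the thread, assumes a constructed L2L peer 203.0.113.1, and assumes sysopt connection permit-vpn is enabled as the poster noted, so the vpn-filter is the only policy applied to tunnel traffic.

```cisco
! Added example, not the poster's config. Addresses from the thread:
!   local network 10.68.22.0/24, remote hosts 192.168.10.23 and .24
! Constructed: L2L peer 203.0.113.1
!
object-group service WEB tcp
 port-object eq www
 port-object eq https
!
! vpn-filter order is REMOTE first, LOCAL second, and the ASA evaluates the
! list for traffic in both directions of the tunnel. Putting the service
! port on the remote host lets local clients open that service, and the
! same line matches the reply on the way back in.
access-list US_SITE extended permit tcp host 192.168.10.23 object-group WEB 10.68.22.0 255.255.255.0
access-list US_SITE extended permit tcp host 192.168.10.24 object-group WEB 10.68.22.0 255.255.255.0
access-list US_SITE extended permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0
! ICMP cannot be limited to one direction by a vpn-filter; this allows
! echo and echo-reply both ways between the two hosts.
access-list US_SITE extended permit icmp host 192.168.10.24 host 10.68.22.50
! Everything else across the tunnel is dropped by the implicit deny.
!
! The local-first form from the question never matches in a vpn-filter:
! access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.24 object-group WEB
!
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value US_SITE
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L-POLICY
!
! Checks:
!   show vpn-sessiondb detail l2l   -> tunnel up and "Filter Name: US_SITE"
!   show access-list US_SITE        -> hitcnt rising on the permitted lines
!   show vpn-sessiondb l2l          -> the "Filter" counters after a failed test
```

The directionless behaviour the reply calls a disadvantage is visible in these lines: the 3389 entry also permits the remote host to open a connection sourced from port 3389 toward any local port, so a vpn-filter is a coarse control, not a substitute for a stateful interface ACL on the inside.
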
  • ASA Site to Site and SSL VPN stop working

    Thanks in advance for any advice

    We have an ASA 5510; users were able to connect via AnyConnect without any problems. We opened a new office with an ASA 5505 and decided to set up a site-to-site VPN over IPsec. We used the basic wizard and everything went smoothly at both ends. However, users who always used the SSL VPN say that they can connect to the original site, but they can no longer reach their RDP virtual machines or get anywhere on the network. I don't know why something like this can happen.

    You can change the SSL VPN DHCP scope to give a different subnet for IP addresses. Maybe try 192.168.10.0 255.255.255.0. Let me know if you can and if that corrects the issue.

    Sent from Cisco Technical Support iPhone App

  • PIX-Sonicwall Site-to-Site and Cisco VPN Client

    I have a PIX 506E firewall with a site-to-site VPN to a Sonicwall Pro 330 firewall which works perfectly. I would like to add the functionality of remote users connecting to the network using the Cisco VPN client on the PIX. I'm running into the issue of only having a single crypto map applied to the external interface. I need the site to site VPN tunnel to be able to be initiated from the other side, so I can't use a dynamic crypto map. Does anyone have suggestions or knowledge on how to achieve this?

    Thank you.

    You don't need to add another crypto map to the external interface. You simply add the client information to your existing map, for example:

    crypto ipsec transform-set YOURSET esp-3des esp-sha-hmac

    crypto map YOURMAP 10 ipsec-isakmp

    crypto map YOURMAP 10 match address 100

    crypto map YOURMAP 10 set peer x.x.x.x

    crypto map YOURMAP 10 set transform-set YOURSET

    crypto dynamic-map CLIENTS 10 set transform-set YOURSET

    crypto map YOURMAP 90 ipsec-isakmp dynamic CLIENTS

  • Site to Site VPN connection between ASA and router 2800

    I'm trying to get an L2L VPN working between an ASA on code 8.4 and a 2800 on 12.4.

    I first saw the following errors in the debug logs on the ASA side:

    Error message %PIX|ASA-6-713219: Queuing KEY-ACQUIRE messages to be processed when
    P1 SA is complete.

    I see the following on the 2800 end:

    ISAKMP:(0): processing vendor id payload
    ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    ISAKMP:(0): vendor ID is NAT-T v3
    ISAKMP:(0): processing vendor id payload
    ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    ISAKMP (0): vendor ID is NAT-T RFC 3947
    ISAKMP:(0): processing vendor id payload
    ISAKMP:(0): processing IKE frag vendor id payload
    ISAKMP:(0): Support for IKE Fragmentation not enabled
    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

    ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
    ISAKMP:(0):Sending an IKE IPv4 Packet.
    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

    ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
    ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

    ISAKMP:(0): processing KE payload. message ID = 0
    ISAKMP:(0): processing NONCE payload. message ID = 0
    ISAKMP:(0):found peer pre-shared key matching x.x.x.x
    ISAKMP:(2345): processing vendor id payload
    ISAKMP:(2345): vendor ID is Unity
    ISAKMP:(2345): processing vendor id payload
    ISAKMP:(2345): vendor ID seems Unity/DPD but major 54 mismatch
    ISAKMP:(2345): vendor ID is XAUTH
    ISAKMP:(2345): processing vendor id payload
    ISAKMP:(2345): speaking to another IOS box!
    ISAKMP:(2345): processing vendor id payload
    ISAKMP:(2345): vendor ID seems Unity/DPD but hash mismatch
    ISAKMP:received payload type 20
    ISAKMP (2345): His hash no match - this node outside NAT
    ISAKMP:received payload type 20
    ISAKMP (2345): No NAT Found for self or peer
    ISAKMP:(2345):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    ISAKMP:(2345):Old State = IKE_R_MM3  New State = IKE_R_MM3

    ISAKMP:(2345): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH

    ----------

    This is part of the configuration of the ASA:

    object network ABCD
     subnet 10.20.30.0 255.255.255.0

    object network ABCD-Net
     subnet 172.16.10.0 255.255.255.0

    access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network

    access-list abc-site extended permit ip object-group XXXX object abc-site_Network

    access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60

    nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network

    XXXX-20

    object-group network XXXX-20
     network-object object ABCD-Net
     group-object abcd-Int-Net

    XXXX_127

    crypto map out-map-44 11 match address cry-map-77
    crypto map out-map-44 11 set peer 62.73.52.xxx
    crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA

    object-group network XXXX
     network-object object ABCD-Net
     group-object abcd-Int-Net

    ------------------------

    Here is part of the 2800:

    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key r2374923 address 72.15.21.xxx
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map cry-map-1 1 ipsec-isakmp
     set peer 72.15.21.xxx
     set transform-set ESP-3DES-SHA
     match address VPN
    !
    class-map type inspect match-all class-map-vpn
     match access-group 100
    class-map type inspect match-all cm-inspect-1
     match access-group name inside-out
    class-map type inspect match-all cm-inspect-2
     match access-group name outside
    !
    !
    policy-map type inspect policy-map-inspect
     class type inspect cm-inspect-1
      inspect
     class class-default
      drop

    policy-map type inspect policy-map-inspect-2
     class type inspect class-map-vpn
      inspect
     class type inspect cm-inspect-2
     class class-default
      drop
    !

    !
    interface FastEthernet0
     ip address 74.25.89.xxx 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     zone-member security outside
     duplex auto
     speed auto
     crypto map cry-map-1
    !
    interface FastEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip nat inside source route-map route-map-1 interface FastEthernet0 overload
    !
    ip access-list extended inside-out
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended nat-acl
     deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     deny ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     deny ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
     deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
     deny ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
     deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
     deny ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
     deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
     permit ip any any
    ip access-list extended outside
     permit ip any any
    ip access-list extended VPN
     permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
     permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
     permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
     permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
     permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
     permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
     permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255

    access-list 23 permit 192.168.0.0 0.0.255.255
    access-list 23 permit 10.200.0.0 0.0.255.255
    access-list 23 permit 172.16.10.0 0.0.0.255
    access-list 123 remark class-map-ACL-4 Category=0
    access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
    access-list 123 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
    access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
    access-list 123 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
    access-list 123 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 123 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
    access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 123 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
    access-list 123 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    !
    !

    !
    route-map route-map-1 permit 1
     match ip address nat-acl
    !

    Hello

    I quickly browsed your config and what I could notice is:

    your transform set (isakmp) on the ASA and the router are not the same; try to configure the same on both sides.

    in the ASA NAT statement you gave (any, any); try to give the interface names instead of any.
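The second point above (NAT exemption stated per interface pair rather than (any,any)) and the hairpinning problem in the "Routing of a Site to site VPN to remote VPN users" thread earlier on this page come down to the same ASA configuration pattern, so one added example covers both. It is written for this page, not any poster's config, and assumes ASA 8.4 syntax (8.3 differs only in "set transform-set" instead of "set ikev1 transform-set") and constructed addresses: local LAN 10.1.1.0/24 on "inside", remote L2L LAN 10.2.2.0/24 behind a constructed peer 203.0.113.1 on "outside", and a remote-access pool 10.3.3.0/24 whose sessions also terminate on "outside". ISAKMP policy and the tunnel-group pre-shared key are unchanged by this and not shown.

```cisco
! Added example, not from any post on this page. Constructed addresses:
!   inside LAN      10.1.1.0/24   (interface "inside")
!   remote L2L LAN  10.2.2.0/24   (behind peer 203.0.113.1 on "outside")
!   RA VPN pool     10.3.3.0/24   (sessions terminate on "outside")
!
! 1. Let decrypted remote-access traffic leave on the interface it came in on.
same-security-traffic permit intra-interface
!
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
object network RA-POOL
 subnet 10.3.3.0 255.255.255.0
!
! 2. NAT exemption as identity twice NAT, named per interface pair instead of
!    (any,any): inside -> remote LAN, and the hairpinned pool (outside) -> remote LAN.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
nat (outside,outside) source static RA-POOL RA-POOL destination static REMOTE-LAN REMOTE-LAN
!
! 3. The L2L crypto ACL must carry the RA pool as well as the LAN; otherwise the
!    hairpinned packets match no tunnel identity and are dropped.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-CRYPTO extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list L2L-CRYPTO extended permit ip object RA-POOL object REMOTE-LAN
crypto map outside_map 10 match address L2L-CRYPTO
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! 4. Remote-access users must be told to send 10.2.2.0/24 into their tunnel.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! On the L2L peer, mirror the crypto ACL (REMOTE-LAN <-> LOCAL-LAN and
! REMOTE-LAN <-> RA-POOL) and add the matching NAT exemption for RA-POOL,
! or phase 2 fails with a proxy identity mismatch for the pool.
!
! Checks:
!   show nat                                   -> translate_hits on both exemption lines
!   show crypto ipsec sa peer 203.0.113.1      -> 10.3.3.0/24 listed as a local identity
!   packet-tracer input outside icmp 10.3.3.5 8 0 10.2.2.10 detailed   -> no NAT, VPN encrypt
```

The interface names matter for the exemption because "(any,any)" also matches the untranslated flow on the inside-to-inside and outside-to-inside paths, which can shadow the dynamic PAT rule below it in the NAT table; binding each exemption to the pair it is meant for keeps "show nat" readable and the PAT rule unaffected.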

  • PIX Site to Site w/ remote VPN Clients

    I accidentally posted this question in the wrong forum earlier today. I couldn't find a way to move it or delete it, so I apologize for the duplication.

    I set up a site-to-site VPN between 2 PIX 506Es. I installed the VPN tunnel using the VPN Wizard, and it seems to work fine.

    However, I also have users that VPN directly into the PIX via PPTP or a Cisco VPN client. These users are not able to access resources that are on the other end of the VPN tunnel. It seems that the crypto map ACL that triggers sending the packets into the tunnel is not being matched, but I was not able to understand how to make this work correctly.

    PIX A has a local subnet of 192.168.1.x/24. PIX B has a local subnet of 192.168.2.x/24. Traffic between these 2 subnets flows through the tunnel. However, when a person sets up a VPN on PIX B, they are also placed in the 192.168.2.x/24 subnet, but they are unable to access anything whatsoever in the 192.168.1.x/24 subnet. Is something like this possible? The config of PIX B is attached.

    Any help you could offer would be greatly appreciated.

    Thank you

    -Steve

    This is not possible with a PIX on version 6.3 of the code.

    If you are running 7.0 or higher on the PIX, then yes, it is possible. Please see the URL below for more configuration information. The feature you're looking for is called 'intra-interface'.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

    In addition, 7.0 and above are not supported on PIX 501, 506 and 520.

    Kind regards

    Arul

    * Please rate all helpful posts *

  • Two links to a remote site (one EIGRP, one VPN)

    I have an existing EIGRP link to the remote site; now I'm going to set up an ASA-to-ASA VPN tunnel. Site A allows full access to site B, and site B allows access to site A. If my EIGRP link goes down, can the VPN link take over?

    How do I start the VPN connection?

    Paul

    I am attaching a diagram for you; please take a look. That's how I would have done it. I don't know if it reflects what your management wants. Keep things simple and not very complicated. If a site has multiple internet connections, use one. First get the network up and stable using one connection; once your sites are converted, burn in for a few weeks before you add the VPN or dual GRE tunnels.

    I can't really say what would be best in your case, as I don't know what your business is or how things affect users. All I can give is a suggestion that you may have to change according to your needs and objectives.

    Thank you

    NH

  • Site to site ASA 5505 VPN does not

    Hello

    We have configuration problems our VPN site-to-site with our ASA 5505. We ran the assistants who seem to be straight forward, but we have no chance for them to communicate with each other via ping or anything else. If someone could help us, our configs for our two sites:

    Site A:

    Output of the command: "sho run".

    : Saved
    :
    ASA Version 7.2 (4)
    !
    ciscoasa hostname
    domain default.domain.invalid

    names of
    DNS-guard
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.45.20 255.255.255.0
    OSPF cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP address 173.xxx.xxx.249 255.255.255.252
    OSPF cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone EST - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    domain default.domain.invalid
    permit same-security-traffic inter-interface
    extended incoming access permit tcp host 173.xxx.xxx.249 eq www list everything
    list of extended inbound icmp permitted access a whole
    list of allowed inbound tcp extended access any host 173.xxx.xxx.249 eq www
    extended incoming access permit tcp host 173.xxx.xxx.249 eq https list everything
    list of allowed inbound tcp extended access any host 173.xxx.xxx.249 eq https
    access extensive list ip 192.168.45.0 outside_20_cryptomap allow 255.255.255.0 192.168.42.0 255.255.255.0
    access extensive list ip 192.168.45.0 inside_nat0_outbound allow 255.255.255.0 192.168.42.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ICMP allow all outside
    ASDM image disk0: / asdm - 524.bin
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Access-group interface incoming outside
    Route inside 192.168.0.0 255.255.255.0 192.168.45.20 1
    Route inside 192.168.0.0 255.255.0.0 192.168.45.20 1
    Route outside 0.0.0.0 0.0.0.0 173.xxx.xxx.250 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    GANYMEDE + Protocol Ganymede + AAA-server
    RADIUS Protocol RADIUS AAA server
    Enable http server
    http 192.168.45.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    card crypto outside_map 20 match address outside_20_cryptomap
    card crypto outside_map 20 set pfs
    card crypto outside_map 20 peers set 50.xxx.xxx.89
    outside_map crypto 20 card value transform-set ESP-3DES-SHA
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet 192.168.45.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    68.xxx.xxx.194 dns 192.168.45.20 dhcpd
    dhcpd outside auto_config
    !

    tunnel-group 50.xxx.xxx.89 type ipsec-l2l
    50.xxx.xxx.89 group of tunnel ipsec-attributes
    pre-shared-key * (key is the same on the two ASA)
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 1500
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end

    Site B:

    Output of the command: "sho run"

    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname
    domain-name default.domain.invalid

    names
    dns-guard
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.42.12 255.255.255.0
     ospf cost 10
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 50.xxx.xxx.89 255.255.255.248
     ospf cost 10
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    access-list inbound extended permit tcp interface outside eq 3389 host 192.168.42.26
    access-list inbound extended permit icmp any any
    access-list inbound extended permit tcp interface outside eq 39000 host 192.168.42.254
    access-list inbound extended permit tcp interface outside eq 39001 host 192.168.42.254
    access-list inbound extended permit tcp interface outside eq 39002 host 192.168.42.254
    access-list inbound extended permit udp interface outside eq 39000 host 192.168.42.254
    access-list inbound extended permit udp interface outside eq 39001 host 192.168.42.254
    access-list inbound extended permit udp interface outside eq 39002 host 192.168.42.254
    access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 3389 any
    access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 3389
    access-list inbound extended permit tcp host 50.xxx.xxx.89 eq www any
    access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq www
    access-list inbound extended permit tcp host 50.xxx.xxx.89 eq https any
    access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq https
    access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 39000 any
    access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 39000
    access-list inbound extended permit tcp host 50.xxx.xxx.89 eq 16450 any
    access-list inbound extended permit tcp any host 50.xxx.xxx.89 eq 16450
    access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational

    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.42.26 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
    static (inside,outside) udp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
    static (inside,outside) tcp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
    static (inside,outside) udp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
    static (inside,outside) tcp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
    static (inside,outside) udp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
    static (inside,outside) tcp interface 16450 192.168.42.254 16450 netmask 255.255.255.255
    access-group inbound in interface outside
    route inside 192.168.0.0 255.255.255.0 192.168.42.12 1
    route inside 192.168.0.0 255.255.0.0 192.168.42.12 1
    route outside 0.0.0.0 0.0.0.0 50.xxx.xxx.94 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.42.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 173.xxx.xxx.249
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.42.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.42.13-192.168.42.44 inside
    !

    tunnel-group 173.xxx.xxx.249 type ipsec-l2l
    tunnel-group 173.xxx.xxx.249 ipsec-attributes
     pre-shared-key * (same as on the other ASA)
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 1500
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end

    Thank you very much, I appreciate all of your help.

    Scott
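    The two configs above put the tunnel's interesting traffic in two ACLs per side, `outside_20_cryptomap` for the crypto map and `inside_nat0_outbound` for `nat (inside) 0`, and each side's peer must be the other side's outside address. The following Python script is an added example, not code from this thread or from Cisco: it parses two pre-8.3 ASA configs and performs the cross-checks a reviewer would do by hand (crypto ACLs mirror each other, the nat 0 ACL covers every crypto ACE so VPN-bound traffic is never PATed before encryption, peers match the far side's outside interface, and no route's next hop is the ASA's own interface address, which is the route MS questions below). The sample configs are constructed in the shape of site A and site B, with the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 standing in for the redacted public addresses; the function names are mine.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configs shaped like the thread's site A / site B; the
# documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 replace the redacted IPs.
SITE_A = """
interface Vlan2
 nameif outside
 ip address 203.0.113.249 255.255.255.248
access-list outside_20_cryptomap extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 198.51.100.89
"""
SITE_B = """
interface Vlan1
 nameif inside
 ip address 192.168.42.12 255.255.255.0
interface Vlan2
 nameif outside
 ip address 198.51.100.89 255.255.255.248
access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.0.0 255.255.0.0 192.168.42.12 1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.249
"""

def _net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)

def _ace_nets(tokens):
    """Tokens after 'permit ip' -> (src_net, dst_net); accepts any / host X / addr mask."""
    nets = []
    while len(nets) < 2:
        tok = tokens.pop(0)
        if tok == "any":
            nets.append(ip_network("0.0.0.0/0"))
        elif tok == "host":
            nets.append(ip_network(tokens.pop(0)))
        else:
            nets.append(_net(tok, tokens.pop(0)))
    return tuple(nets)

def parse_asa(text):
    """Extract interfaces, 'permit ip' ACEs, crypto map ACL/peer, nat 0 ACL and routes."""
    cfg = {"ifaces": [], "acls": {}, "crypto_acl": None, "peer": None,
           "nat0_acl": None, "routes": []}
    for t in map(str.split, text.splitlines()):
        if not t:
            continue
        if t[0] == "interface":
            cfg["ifaces"].append({"nameif": None, "ip": None})
        elif t[0] == "nameif" and cfg["ifaces"]:
            cfg["ifaces"][-1]["nameif"] = t[1]
        elif t[:2] == ["ip", "address"] and cfg["ifaces"]:
            cfg["ifaces"][-1]["ip"] = ip_address(t[2])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(_ace_nets(t[5:]))
        elif t[:2] == ["crypto", "map"] and "address" in t:
            cfg["crypto_acl"] = t[t.index("address") + 1]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            cfg["peer"] = ip_address(t[t.index("peer") + 1])
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = t[4]
        elif t[0] == "route":
            cfg["routes"].append((t[1], _net(t[2], t[3]), ip_address(t[4])))
    return cfg

def crypto_aces(cfg):
    return set(cfg["acls"].get(cfg["crypto_acl"], []))

def nat0_covers(cfg):
    """True when every crypto ACE sits inside some nat 0 ACE (exempt from PAT)."""
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
               for s, d in crypto_aces(cfg))

def check_pair(text_a, text_b):
    """Return the review findings for the two ends of one tunnel."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    findings = []
    if {(d, s) for s, d in crypto_aces(b)} != crypto_aces(a):
        findings.append("crypto ACLs are not mirror images of each other")
    for name, cfg, other in (("A", a, b), ("B", b, a)):
        if not nat0_covers(cfg):
            findings.append(f"site {name}: nat 0 ACL does not cover the crypto ACL")
        outside = next((i["ip"] for i in other["ifaces"] if i["nameif"] == "outside"), None)
        if cfg["peer"] != outside:
            findings.append(f"site {name}: peer is not the other side's outside address")
        own = {i["ip"] for i in cfg["ifaces"]}
        for nameif, net, nh in cfg["routes"]:
            if nh in own:  # next hop is the ASA itself: the route MS questions below
                findings.append(f"site {name}: route to {net} points at the ASA's "
                                f"own {nameif} address {nh}")
    return findings
```

    Run against the two constructed configs, `check_pair(SITE_A, SITE_B)` reports only the `route inside 192.168.0.0 255.255.0.0 192.168.42.12` line on site B; drop the `nat (inside) 0` line from either side and `nat0_covers` turns false, which is exactly the state in which VPN-bound traffic gets PATed to the outside address and never matches the crypto ACL.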

    Hi Scott,

    Configs look very good. Don't know why you need the 'route inside 192.168.0.0 255.255.0.0' statements on both sides. They point to the inside of the ASA. Remove them and try to reach the PC at the other end. If you need to keep them, then try adding specific routes...

    A:

    route outside 192.168.42.0 255.255.255.0 173.xxx.xxx.250 1

    B:

    route outside 192.168.45.0 255.255.255.0 50.xxx.xxx.94 1

    HTH

    MS

  • Easy VPN traffic between remote sites via Cisco VPN

    We have a Cisco 2921 router at Headquarters (Easy VPN server) and have deployed Cisco 887VA routers (Easy VPN remote, network extension mode) at the remote offices using Easy VPN. We allow voice and data traffic via the VPN. Everything has been working fine until this problem was discovered today:

    When a remote user behind a Cisco 887VA calls another remote user who is also behind a Cisco 887VA, the call connects and the Avaya IP phone rings, but there is no audio in either direction.

    Calls from Headquarters and from external mobile/landline numbers work fine. Only calls between two remote sites are affected.

    There is no need for a DATA connection between the remote sites; our only concern is the voice.

    By the looks of it, I think that "hairpinning" traffic on the VPN interface is necessary, but I need some advice on the configuration (example configs etc.).

    Thanks in advance.

    Thanks for your quick response.

    I am sorry, I assumed that the clients had been configured in client mode.

    No need to remove SDM_POOL_1, given that the clients are already configured for NEM.

    But add:

    crypto isakmp client configuration group CliniEasyVPN

    network extension mode

    Are you able to ping from one to the other?

    Please make this change:

    ip access-list extended 105

    permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

    * Of course free to do trafficking of translated on the shelves.

    Let me know if you have any questions.

    Thank you.

    Portu.

  • Router site-to-site VPN to PIX and VPN client

    I have two VPN connections that terminate on one interface on the PIX. The VPN client and the site-to-site VPN both pass phase one and two and encrypt and decrypt packets. However, as in another post, I cannot ping through the L2L VPN. I checked that this isn't a NAT problem: both the NAT 0 on the PIX and the NAT access lists on the router work correctly.

    RTR#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

       local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
       current_peer 66.x.x.x port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
        #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 40, #recv errors 0

         local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
         path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
         current outbound spi: 0xC4BAC5E(206285918)

         inbound esp sas:
          spi: 0xD7848FB(225986811)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
            sa timing: remaining key lifetime (k/sec): (4573083/78319)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xC4BAC5E(206285918)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
            sa timing: remaining key lifetime (k/sec): (4572001/78319)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    Extended IP access list NAT
        10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
        20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
    Extended IP access list VPN_ACCESS
        10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet, and it points to a routing error when packets are being encrypted and decrypted but you can't ping across the link. However, when I test the connection I did not enter any static routes, since the networks are directly connected on each side of the PIX and the router. Any help would be appreciated, as I think something may be blocking the ping from reaching the internal network at the PIX end because of a configured access list.

    Is ping the only thing failing across the site-to-site VPN? I am assuming that all other traffic works fine, since it encrypts and decrypts packets.

    If it's just ping, then please enable the following on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: add "inspect icmp" under your global policy-map.

    Complete configs from both ends could help determine whether it's a configuration problem or something else.
