Site-to-site IPsec: ASA 9.1 vs IOS problem

Hi all

I'm trying to set up a site-to-site VPN between an ASA and an IOS router, but without success.

The logs are:

(1) this is not behind a nat device

(2) an encrypted packet received with no counterparty SA

networks are:

172.25.0.0 (inside ASA), A.A.A.A (outside of ASA), which needs to connect to the IOS router at address B.B.B.B, with inside network 192.168.1.0

Here are the configs:

ASA:

ASA 5505 # sh run
: Saved
:
ASA Version 9.0 (1)
!
hostname ASA 5505
KZ 1 domain name.
names
ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.25.66.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.252
!
ftp mode passive
clock timezone ALMST 6
clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns server-group DefaultDNS
KZ 1 domain name.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network NETWORK_OBJ_192.168.172.0_25
 subnet 192.168.172.0 255.255.255.128
object network NETWORK_OBJ_172.25.66.192_27
 subnet 172.25.66.192 255.255.255.224
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
access-list VPN-IN-INS extended permit ip any any log
extended VPN OUTPUT access list permits all ip 192.168.172.0 255.255.255.0 connect
access-list VPN-OUT-ALL standard permit any4
access-list net172 standard permit 172.25.0.0 255.255.0.0
access-list net10 standard permit 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN-IN-INS in interface inside
group-access VPN-IN-INS interface inside
route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set ikev1 transform-set Alma-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 no anyconnect-essentials
group-policy web_access internal
group-policy web_access attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value PRTG
group-policy SAME_NET_ALA internal
group-policy SAME_NET_ALA attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SAME_NET_ALA_splitTunnelAcl
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_to_ALA internal
tunnel-group SAME_NET_ALA type remote-access
tunnel-group SAME_NET_ALA general-attributes
 address-pool SAME_NET_ALA
 default-group-policy SAME_NET_ALA
tunnel-group SAME_NET_ALA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group web_access type remote-access
tunnel-group web_access general-attributes
 default-group-policy web_access
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
 default-group-policy GroupPolicy1
tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:932099620805dc22d9e48a5e04314887
: end

and router IOS:

R1921_center#sh run
Building configuration...

Current configuration : 6881 bytes
!
! Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!

!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-260502430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-260502430
 revocation-check none
 rsakeypair TP-self-signed-260502430
!
!
crypto pki certificate chain TP-self-signed-260502430
 certificate self-signed 01
  quit
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PSK-KEY address A.A.A.A
crypto isakmp key 6 PSK-KEY address 0.0.0.0
!
crypto isakmp client configuration group ALA-EMP-VPN
 key *. *. *. *
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0
!
!
crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAXPROFILE
 set transform-set TRIPSECMAX
!
!
crypto ipsec profile dmvpn_profile
 set transform-set dmvpn_alad
!
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp
 set peer A.A.A.A
 set transform-set AES-SHA
 match address VPN_ASA_PAV
!
!
!
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
!

interface Tunnel2
 ip address 192.168.101.1 255.255.255.240
 no ip redirects
 ip nhrp authentication NHRPMAX
 ip nhrp map multicast dynamic
 ip nhrp network-id 4679
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 10
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 4679
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description to_LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description to_ISP
 ip address B.B.B.B 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
router ospf 100
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 area 192.168.1.0 authentication message-digest
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel1
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.222.0 0.0.0.15 area 0
!
router ospf 1
 router-id 1.1.1.1
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel2
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.101.0 0.0.0.15 area 0
!
ip local pool ippool 192.168.33.1 192.168.33.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
ip route 0.0.0.0 0.0.0.0 B.B.B.C
!
ip access-list extended ACL-NAT
 deny ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

The biggest problem is the incompatibility in the VPN access lists.

The ASA said

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office

The router said

permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255

Match them. If it still does not work then please post the revised configurations.

HTH

Rick

Tags: Cisco Security

Similar Questions

  • VPN Site to Site ASA (only happens with interesting traffic)

    Is there any way to bring up an ASA-to-ASA site-to-site VPN without interesting traffic? I need to keep this tunnel up regardless of traffic; is there any way to do this?

    Unfortunately, no such feature has been developed on the ASA. You need to trick the ASA with a host located in the "interesting" part of the network that constantly generates interesting traffic. Here are a few suggestions:

    - Use IP SLA on a Cisco device

    - Run a TCP ping from a host

    - Set up a host at site A to use the site B ASA as an NTP source

    Thank you for evaluating useful messages!

  • Microsoft L2TP/IPsec over an ASA site-to-site VPN

    I have a specialized casino application that requires end-to-end encryption. I'm running the Microsoft L2TP/IPsec stack between my XP machine and my Windows 2003 server on the LAN. Can I use the same Microsoft L2TP/IPsec protocol stack between my XP machine and a Windows Server 2003 at a branch, over the ASA-to-ASA site-to-site VPN tunnel? The ASA site-to-site VPN is a pre-shared-key IPsec VPN that tunnels traffic between our head office and a remote branch.

    In other words, will the ASA site-to-site IPsec VPN allow Microsoft L2TP/IPsec-encrypted traffic through? My tunnel ACL would allow full IP access between the sites. Something like:

    name 192.168.100.0 TexasSubnet

    name 192.168.200.0 RenoSubnet

    access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

    Hello

    Yes, L2TP can be encapsulated in IPsec like all other traffic.

    However, make sure that no NAT is performed at either end. L2TP has header protection by default, which will see NAT as packet tampering and reject it.

    Cheers,

    Daniel

  • VPN Site to Site ASA

    Recently, I set up a site-to-site VPN from a Cisco ASA 5505 to a Cisco 2691. It works well, but the Internet no longer works for clients behind the ASA. I know how to get them online, but that disconnects the VPN. Can someone please advise on what I've done wrong or missed? I know that ACL 110 blocks them, but I'm racking my brain trying different things.

    Thanks in advance,

    ASA # sh run
    : Saved
    :
    ASA Version 8.0 (4)
    !
    domain XXXX
    activate the encrypted password for XXXXX
    passwd encrypted xxxxxx
    names of
    !
    interface Vlan1
    nameif inside
    security-level 100
    the IP 192.168.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address IP XXXXXX.173 255.255.254.0
    !
    interface Ethernet0/0
    Description link to router Comcast
    switchport access vlan 2
    !
    interface Ethernet0/1
    Description LINK to Linksys SR2024
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system Disk0: / asa804 - k8.bin
    passive FTP mode
    clock timezone CST - 6
    clock to summer time recurring CDT
    DNS server-group DefaultDNS
    domain xxx.com
    permit same-security-traffic intra-interface
    access-list 110 extended permit tcp any host XXX eq 3389
    access-list 110 extended permit tcp any host XXX eq www
    access-list 110 extended permit tcp any host XXX eq smtp
    access-list 110 extended permit tcp any host XXX eq domain
    access-list 110 extended permit tcp any host XXX eq https
    access-list 110 extended permit tcp any host XXX eq ftp
    access-list 110 extended permit icmp any any
    access-list 110 extended permit tcp any host XXX eq 3389
    access-list 110 extended permit tcp any host XXX eq www
    access-list 110 extended permit tcp any host XXX eq smtp
    access-list 110 extended permit tcp any host XXX eq domain
    access-list 110 extended permit tcp any host XXX eq https
    access-list 110 extended permit tcp any host XXX eq ftp
    access-list 110 extended permit tcp any host XXX eq 3389
    access-list 110 extended permit tcp any host XXX eq www
    access-list 110 extended permit tcp any host XXX eq domain
    access-list 110 extended permit tcp any host XXX eq https
    access-list 110 extended permit tcp any host XXX eq pptp
    access-list 110 extended permit gre any host XXX
    access-list 110 extended permit udp any host XXX eq 1701
    access-list 110 extended permit esp any host XXX
    access-list 110 extended permit ah any host XXX1
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 613.bin
    don't allow no asdm history
    ARP timeout 14400
    global (outside) 5 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 5 0.0.0.0 0.0.0.0
    static (inside,outside) xxx.169 192.168.0.14 netmask 255.255.255.255
    static (inside,outside) xxx.171 192.168.0.17 netmask 255.255.255.255
    static (inside,outside) xxx.172 192.168.0.12 netmask 255.255.255.255
    access-group 110 in interface outside
    Route outside 0.0.0.0 0.0.0.0 XXX.174 1
    Timeout xlate 03:00
    Timeout conn 0 half-closed 10:00:10: 00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer xxx
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 10
    Console timeout 0
    dhcpd 192.168.0.14 dns 68.87.72.130
    dhcpd wins 192.168.0.14
    dhcpd field xxxxx
    !
    dhcpd address 192.168.0.50 - 192.168.0.81 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    tunnel-group xxx type ipsec-l2l
    tunnel-group xxx ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:a075331231f1242d1101745d15d84afa
    : end

    Hello

    I'm assuming a number of things here:

    First, that your ASA is directly connected to the Internet and the VPN runs over the Internet.

    And also that the users trying to access the Internet are in the subnet 192.168.0.0 255.255.255.0.

    If both are true, then it looks like the problem is with your proxy ACL/encryption domain.

    Your crypto ACL has a match on any destination in it, which is a bad habit for site-to-site VPNs.

    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any

    It's basically saying: take whatever goes from 192.168.0.0/24 to any destination and encrypt it through the VPN.

    That includes your Internet traffic. Make sure that you use specific source and destination networks in these ACLs,

    i.e. access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Where 192.168.1.0/24 is the remote network on the 2691. This ACL should then be reversed, an exact mirror, on the other peer (2961).

    You must also match this ACL with your no-NAT ACL, to ensure that your Internet traffic is NATted but VPN traffic is not.

    The ACL is not blocking the traffic either; because you have no ACL on the inside interface, all traffic from inside to outside is allowed by default.

    HTH, let me know if there are problems.

    Stu
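
Both the crypto ACL mismatch Rick points to in the first thread and the `any` destination and no-NAT matching Stu describes in this one can be checked mechanically. The Python sketch below is an added example, not code from either poster or from Cisco; the function names are hypothetical, the object definitions are taken from the ASA configuration in the first thread, and the IOS entry for the second thread is constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take(tokens, style, objects):
    """Consume one address spec; return (network, remaining tokens)."""
    head = tokens[0]
    if head in ("any", "any4"):
        return ANY, tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if head == "object":  # ASA 8.3+ network object, resolved by the caller
        return objects[tokens[1]], tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if style == "ios":  # IOS ACLs carry a wildcard; invert it to a netmask
        inverted = int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.ip_address(inverted))
    # A non-contiguous wildcard raises ValueError here, which is intended.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_entry(line, style, objects=None):
    """Return (source, destination) of a 'permit <proto> <src> <dst>' entry."""
    tokens = line.split()
    rest = tokens[tokens.index("permit") + 2:]  # skip "permit <protocol>"
    src, rest = _take(rest, style, objects or {})
    dst, _ = _take(rest, style, objects or {})
    return src, dst


def review(asa_crypto, ios_crypto, objects=None, asa_nat_exempt=None):
    """List findings for one ASA crypto ACL entry and its IOS counterpart."""
    findings = []
    asa = parse_entry(asa_crypto, "asa", objects)
    ios = parse_entry(ios_crypto, "ios")
    for name, pair in (("ASA", asa), ("IOS", ios)):
        if ANY in pair:
            findings.append(f"{name}: crypto ACL uses 'any', so Internet "
                            "traffic is selected for the tunnel")
    if asa != (ios[1], ios[0]):  # the peer must list the same pair, reversed
        findings.append(f"not mirrored: ASA {asa[0]} -> {asa[1]}, "
                        f"IOS {ios[0]} -> {ios[1]}")
    if asa_nat_exempt is not None:
        if parse_entry(asa_nat_exempt, "asa", objects) != asa:
            findings.append("ASA: NAT exemption ACL differs from crypto ACL")
    return findings


# Object definitions as they appear in the first thread's ASA configuration.
OBJECTS = {
    "NETWORK_OBJ_172.25.66.0_24":
        ipaddress.ip_network("172.25.66.0/255.255.255.0"),
    "ALA_office": ipaddress.ip_network("192.168.1.0/255.255.255.0"),
}
# The two entries quoted in Rick's answer.
THREAD1_ASA = ("access-list outside_cryptomap extended permit ip "
               "object NETWORK_OBJ_172.25.66.0_24 object ALA_office")
THREAD1_IOS = "permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255"
# The second thread's ASA entries, and the entry Stu suggests instead.
THREAD2_ASA = ("access-list outside_1_cryptomap extended permit ip "
               "192.168.0.0 255.255.255.0 any")
THREAD2_NAT0 = ("access-list Inside_nat0_outbound extended permit ip "
                "192.168.0.0 255.255.255.0 any")
THREAD2_FIXED = ("access-list outside_1_cryptomap extended permit ip "
                 "192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0")
# Constructed: the mirrored entry the 2691 would need (not on the page).
THREAD2_IOS = "permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"

if __name__ == "__main__":
    cases = [
        ("thread 1", THREAD1_ASA, THREAD1_IOS, OBJECTS, None),
        ("thread 2 as posted", THREAD2_ASA, THREAD2_IOS, None, THREAD2_NAT0),
        ("thread 2 corrected", THREAD2_FIXED, THREAD2_IOS, None, THREAD2_FIXED),
    ]
    for label, asa, ios, objs, nat0 in cases:
        print(label, review(asa, ios, objs, nat0) or "OK")
```
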

  • Tunnel from site to site ASA with U turn to config

    Hello

    I have a site-to-site VPN tunnel between an ASA 5510 (8.2) and a Cisco PIX 506 (remote site). I need to allow remote users to surf the net. I looked in the documentation and enabled traffic to enter/exit the same interface on the ASA (same-security-traffic permit intra-interface), however something is still missing. I don't know how to fix this...

    The ASA is configured to NAT inside clients to a single public IP address (the VPN tunnel also terminates on this interface).

    ASA:

    global (outside) 1 208.x.x.x
    nat (inside) 0 access-list no.-Nat-VPN
    nat (inside) 1 0.0.0.0 0.0.0.0

    So when Internet-bound packets come through the tunnel, they need to be sent back out the same interface and NATted (but for the tunnel to work I had to exempt the interesting traffic from NAT). What is the cause of the problem?

    Hello

    NAT rules should be like this:

    global (outside) 1 208.x.x.x
    nat (outside) 1 x.x.x.x mask --> VPN pool

    With the above, traffic from the VPN clients goes out to the Internet.

    You can still keep the SHEEP ACL for the VPN traffic itself.

    Federico.

  • VPN site to Site ASA 5510 and 871 w / dynamic IP

    What is the best method of creating a site-to-site VPN between an ASA 5510 and an 871 router where the 5510 has a static IP address and the 871 has a dynamic IP address?

    My ASA is running ASA software version 7.0(5) and I can't find how to create a tunnel for a dynamic IP address via ASDM. I currently have a tunnel between these two devices in place, but it was done by specifying the remote IP address, even though it is dynamic.

    Any suggestions or pointers would be * very * appreciated.

    -Adam

    This can help but it does not show ASDM.

    http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

  • VPN site to Site - ASA to PIX - same subnet on the inside

    Chaps,

    I have an unusual scenario whereby I need a site-to-site VPN tunnel between a Cisco PIX version 7 and a Cisco ASA version 8, which have the same IP subnet at each endpoint. Is it possible to create such a site-to-site tunnel, or do I need to change one of the remote endpoints?

    Thank you

    Nick

    Hi Nicolas,

    To allow traffic through the tunnel when both ends use the same addressing scheme, you should NAT the VPN traffic.

    For example:

    Site A LAN 10.1.1.0/24

    Site B LAN 10.1.1.0/24

    Site A config:

    access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    static (inside,outside) 192.168.1.0 access-list NAT

    access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    Site B config:

    access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

    static (inside,outside) 192.168.2.0 access-list NAT

    access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.

    Hope that makes sense.

    Federico.
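The translation scheme in the reply above can be traced packet by packet. This is an added example, not part of the original thread; it models the two firewalls in Python with the subnets from the post, and the host addresses 10.1.1.10 and 10.1.1.20 are constructed.

```python
import ipaddress

# Both LANs use the same real range; each site is presented to the other
# under its own mapped range (values from the post above).
SITES = {
    "A": {"real": ipaddress.ip_network("10.1.1.0/24"),
          "mapped": ipaddress.ip_network("192.168.1.0/24")},
    "B": {"real": ipaddress.ip_network("10.1.1.0/24"),
          "mapped": ipaddress.ip_network("192.168.2.0/24")},
}

# Crypto ACLs are written in mapped addresses and mirror each other.
CRYPTO_ACL = {
    "A": (SITES["A"]["mapped"], SITES["B"]["mapped"]),
    "B": (SITES["B"]["mapped"], SITES["A"]["mapped"]),
}


def remap(addr, from_net, to_net):
    """Network static NAT: swap the network prefix, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def leaves_lan(dst, lan):
    """A host hands a packet to its gateway only when dst is off-subnet."""
    return ipaddress.ip_address(dst) not in lan


def matches(acl, src, dst):
    """True when (src, dst) falls inside the crypto ACL's source/destination."""
    return ipaddress.ip_address(src) in acl[0] and ipaddress.ip_address(dst) in acl[1]


def trace(src_site, src_real, dst_site, dst_real):
    """Follow one packet from a host at src_site to a host at dst_site."""
    s, d = SITES[src_site], SITES[dst_site]
    # The sender must target the peer's mapped address, never its real one.
    dst_mapped = remap(dst_real, d["real"], d["mapped"])
    if not leaves_lan(dst_mapped, s["real"]):
        raise ValueError("destination is on-link; packet never reaches the firewall")
    # Source firewall: the policy static NAT rewrites the source address.
    src_mapped = remap(src_real, s["real"], s["mapped"])
    # Destination firewall: its static entry un-translates the destination only.
    delivered_dst = remap(dst_mapped, d["mapped"], d["real"])
    return {
        "sent_by_host": (str(ipaddress.ip_address(src_real)), str(dst_mapped)),
        "in_tunnel": (str(src_mapped), str(dst_mapped)),
        "crypto_acl_match": matches(CRYPTO_ACL[src_site], src_mapped, dst_mapped),
        "delivered": (str(src_mapped), str(delivered_dst)),
    }


if __name__ == "__main__":
    # Without NAT the peer's real address looks local, so nothing is ever tunnelled.
    print("10.1.1.20 leaves Site A LAN:", leaves_lan("10.1.1.20", SITES["A"]["real"]))
    for stage, value in trace("A", "10.1.1.10", "B", "10.1.1.20").items():
        print(f"{stage:17} {value}")
```
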

  • Site to site ASA 5505 VPN does not

    Hello

    We are having problems configuring our site-to-site VPN with our ASA 5505s. We ran the wizards, which seem to be straightforward, but we have had no luck getting the sites to communicate with each other via ping or anything else. If someone could help us, here are our configs for our two sites:

    Site A:

    Output of the command: "sho run".

    : Saved
    :
    ASA Version 7.2 (4)
    !
    ciscoasa hostname
    domain default.domain.invalid

    names of
    DNS-guard
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.45.20 255.255.255.0
    OSPF cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP address 173.xxx.xxx.249 255.255.255.252
    OSPF cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone EST - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    domain default.domain.invalid
    permit same-security-traffic inter-interface
    extended incoming access permit tcp host 173.xxx.xxx.249 eq www list everything
    list of extended inbound icmp permitted access a whole
    list of allowed inbound tcp extended access any host 173.xxx.xxx.249 eq www
    extended incoming access permit tcp host 173.xxx.xxx.249 eq https list everything
    list of allowed inbound tcp extended access any host 173.xxx.xxx.249 eq https
    access-list outside_20_cryptomap extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.45.0 255.255.255.0 192.168.42.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ICMP allow all outside
    ASDM image disk0: / asdm - 524.bin
    don't allow no asdm history
    ARP timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    Access-group interface incoming outside
    route inside 192.168.0.0 255.255.255.0 192.168.45.20 1
    route inside 192.168.0.0 255.255.0.0 192.168.45.20 1
    route outside 0.0.0.0 0.0.0.0 173.xxx.xxx.250 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    GANYMEDE + Protocol Ganymede + AAA-server
    RADIUS Protocol RADIUS AAA server
    Enable http server
    http 192.168.45.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 50.xxx.xxx.89
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    Telnet 192.168.45.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    68.xxx.xxx.194 dns 192.168.45.20 dhcpd
    dhcpd outside auto_config
    !

    tunnel-group 50.xxx.xxx.89 type ipsec-l2l
    tunnel-group 50.xxx.xxx.89 ipsec-attributes
     pre-shared-key * (key is the same on the two ASA)
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 1500
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end

    Site b:

    Output of the command: "sho run".

    : Saved
    :
    ASA Version 7.2 (4)
    !
    host name
    domain default.domain.invalid

    names of
    DNS-guard
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.42.12 255.255.255.0
    OSPF cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP address 50.xxx.xxx.89 255.255.255.248
    OSPF cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    domain default.domain.invalid
    permit same-security-traffic inter-interface
    list of allowed inbound tcp interface out eq 3389 home 192.168.42.26 extended access
    list of extended inbound icmp permitted access a whole
    list of allowed inbound tcp interface out eq 39000 home 192.168.42.254 extended access
    list of allowed inbound tcp interface out eq 39001 home 192.168.42.254 extended access
    list of allowed inbound tcp interface out eq 39002 home 192.168.42.254 extended access
    list of allowed inbound udp out eq 39000 home 192.168.42.254 interface extended access
    list of allowed inbound udp out eq 39001 home 192.168.42.254 interface extended access
    list of allowed inbound udp out eq 39002 home 192.168.42.254 interface extended access
    list of incoming access permit tcp host 50.xxx.xxx.89 eq 3389 everything
    list of allowed inbound tcp extended access any host 50.xxx.xxx.89 eq 3389
    extended incoming access permit tcp host 50.xxx.xxx.89 eq www list everything
    list of allowed inbound tcp extended access any host 50.xxx.xxx.89 eq www
    extended incoming access permit tcp host 50.xxx.xxx.89 eq https list everything
    list of allowed inbound tcp extended access any host 50.xxx.xxx.89 eq https
    extended incoming access permit tcp host 50.xxx.xxx.89 eq 39000 list everything
    list of allowed inbound tcp extended access any host 50.xxx.xxx.89 eq 39000
    extended incoming access permit tcp host 50.xxx.xxx.89 eq 16450 list everything
    list of allowed inbound tcp extended access any host 50.xxx.xxx.89 eq 16450
    access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.45.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information

    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ICMP allow all outside
    ASDM image disk0: / asdm - 524.bin
    don't allow no asdm history
    ARP timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.42.26 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
    static (inside,outside) udp interface 39000 192.168.42.254 39000 netmask 255.255.255.255
    static (inside,outside) tcp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
    static (inside,outside) udp interface 39001 192.168.42.254 39001 netmask 255.255.255.255
    static (inside,outside) tcp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
    static (inside,outside) udp interface 39002 192.168.42.254 39002 netmask 255.255.255.255
    static (inside,outside) tcp interface 16450 192.168.42.254 16450 netmask 255.255.255.255
    Access-group interface incoming outside
    route inside 192.168.0.0 255.255.255.0 192.168.42.12 1
    route inside 192.168.0.0 255.255.0.0 192.168.42.12 1
    route outside 0.0.0.0 0.0.0.0 50.xxx.xxx.94 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    GANYMEDE + Protocol Ganymede + AAA-server
    RADIUS Protocol RADIUS AAA server
    Enable http server
    http 192.168.42.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 173.xxx.xxx.249
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    Telnet 192.168.42.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    dhcpd outside auto_config
    !
    dhcpd address 192.168.42.13 - 192.168.42.44 inside
    !

    tunnel-group 173.xxx.xxx.249 type ipsec-l2l
    tunnel-group 173.xxx.xxx.249 ipsec-attributes
     pre-shared-key * (same as the other ASA)
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 1500
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end

    Thank you very much; I appreciate all of your help.

    Scott

    Hi Scott,

    Configs look very good. Don't know why you need the 'route inside 192.168.0.0 255.255.0.0' statements on both sides. They point to the inside of the ASA. Remove them and try to reach the other end PC. If you need to keep them, then try adding specific routes...

    A:

    route outside 192.168.42.0 255.255.255.0 173.xxx.xxx.250 1

    B:

    route outside 192.168.45.0 255.255.255.0 50.xxx.xxx.94 1

    HTH

    MS
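Why the broad inside routes matter, as an added example that is not part of the original thread: a longest-prefix lookup over Site A's static routes shows traffic for the remote LAN leaving through the inside interface, so it never reaches the crypto map applied on outside. The gateway 203.0.113.250 is a constructed placeholder for the masked address in the post, and connected routes are left out of the model.

```python
import ipaddress


def parse_routes(config):
    """Parse ASA 'route IFACE NETWORK MASK GATEWAY [METRIC]' lines."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
            routes.append((net, parts[1], parts[4]))
    return routes


def egress(routes, dst):
    """Longest-prefix match: return (interface, matching prefix) for dst."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, iface, _gateway = max(candidates, key=lambda r: r[0].prefixlen)
    return iface, str(net)


def reaches_crypto_map(routes, dst, crypto_iface="outside"):
    """IPsec is only applied when the packet egresses the crypto map's interface."""
    hit = egress(routes, dst)
    return hit is not None and hit[0] == crypto_iface


# Site A static routes as posted (gateway placeholder is constructed).
SITE_A_ROUTES = """\
route inside 192.168.0.0 255.255.255.0 192.168.45.20 1
route inside 192.168.0.0 255.255.0.0 192.168.45.20 1
route outside 0.0.0.0 0.0.0.0 203.0.113.250 1
"""

# The specific route suggested in the reply for Site A.
SITE_A_FIX = "route outside 192.168.42.0 255.255.255.0 203.0.113.250 1\n"

REMOTE_HOST = "192.168.42.10"  # constructed host in Site B's LAN

if __name__ == "__main__":
    before = parse_routes(SITE_A_ROUTES)
    after = parse_routes(SITE_A_ROUTES + SITE_A_FIX)
    print("as posted:      ", egress(before, REMOTE_HOST),
          "-> encrypted:", reaches_crypto_map(before, REMOTE_HOST))
    print("with /24 route: ", egress(after, REMOTE_HOST),
          "-> encrypted:", reaches_crypto_map(after, REMOTE_HOST))
```
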

  • Next hop for the static route on the VPN site to site ASA?

    Hi all

    I would be grateful if someone could help me with my ASA problem/misunderstanding. I have a site-to-site VPN on an ASA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic for this route is not within the subnets of the crypto ACL that is used to bring up the VPN. This VPN is used only as a backup.

    Should the static route have as its next hop the local public address or the remote public address of the VPN? Or should the next hop be the local ASA's ISP Internet-facing interface? I intend to do this in ASDM. I'm sorry if it's a simple question, but I found no material that explains this.

    Regards

    Ahh, ok, makes sense.

    The next hop should be the next hop of the interface that terminates the VPN connection, essentially the same as the next hop of your Internet connection / outside interface.

    Example topology:

    Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

    The static route should read:

    route outside 10.2.2.2 255.255.255.255 1.1.1.2 200

    I hope this helps.

  • Site to Site ASA translation problem

    Hello

    I would like to ask how to solve this problem:

    Site A is an ASA5520 (v7.2) with:
    Inside interface
    Outside interface

    Site B is an ASA5520 (v8.2) with:
    Inside interface
    Outside interface
    DMZ interface

    There's an L2L IPSec tunnel between the ASAs - the tunnel is up and works correctly from the networks inside ASA A to the networks inside ASA B.
    -----------------
    I can ping from the server (172.25.106.221) on the inside interface of ASA A to the server (192.168.1.5) on the inside interface of ASA B.

    But I can't ping from the server (172.25.106.221) on the inside interface of ASA A to the server (192.168.0.31) on the DMZ interface of ASA B; ASA B logs: %ASA-3-305005: No translation group found for icmp src outside:172.25.106.221 dst DMZ:192.168.0.31 (type 8, code 0)

    No doubt there is a problem with the static translation on ASA B, so I'm looking for how to solve this problem.

    I posted configuration files (I omitted a few unnecessary configuration line to resolve this problem, I think).

    Thank you much for the help.

    Hey there,

    Checked the config and I noticed he was missing a sheep of the DMZ, there is one for the inside very well.

    So you can add the following to ASA B:

    nat (DMZ) 0 access-list ACL_NONAT

    Let me know how it goes, if it helped you can give then replied

    See you soon,.

    MB

  • Cannot access remote network by VPN Site to Site ASA

    Hello everyone

    First of all I must say that I have configured site-to-site VPNs a million times before. Stuck with this one. First of all, I can't ping the outside interface of my remote ASA. Secondly, the VPN is up, but there is no connectivity between the local networks.

    ASA local:
    hostname gyd - asa
    domain bct.az
    activate the encrypted password of XeY1QWHKPK75Y48j
    XeY1QWHKPK75Y48j encrypted passwd
    names of
    DNS-guard
    !
    interface GigabitEthernet0/0
    Shutdown
    nameif vpnswc
    security-level 0
    IP 10.254.17.41 255.255.255.248
    !
    interface GigabitEthernet0/1
    Vpn-turan-Baku description
    nameif outside Baku
    security-level 0
    IP 10.254.17.9 255.255.255.248

    !
    interface GigabitEthernet0/2
    Vpn-ganja description
    nameif outside-Ganja
    security-level 0
    IP 10.254.17.17 255.255.255.248
    !
    interface GigabitEthernet0/2.30
    Description remote access
    VLAN 30
    nameif remote access
    security-level 0
    IP 85.*. *. * 255.255.255.0
    !
    interface GigabitEthernet0/3
    Description BCT_Inside
    nameif inside-Bct
    security-level 100
    IP 10.40.50.65 255.255.255.252
    !
    interface Management0/0
    nameif management
    security-level 100
    IP 192.168.251.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa823 - k8.bin
    passive FTP mode
    DNS server-group DefaultDNS
    name-server 192.168.1.3
    domain bct.az
    permit same-security-traffic intra-interface
    object-group network obj - 192.168.121.0
    object-group network obj - 10.40.60.0
    object-group network obj - 10.40.50.0
    object-group network obj - 192.168.0.0
    object-group network obj - 172.26.0.0
    object-group network obj - 10.254.17.0
    object-group network obj - 192.168.122.0
    object-group service obj-tcp-eq-22
    object-group network obj - 10.254.17.18
    object-group network obj - 10.254.17.10
    object-group network obj - 10.254.17.26
    access-list 110 extended permit ip any any
    NAT list extended access permit tcp any host 10.254.17.10 eq ssh
    NAT list extended access permit tcp any host 10.254.17.26 eq ssh
    access-list extended ip allowed any one sheep
    icmp_inside list extended access permit icmp any one
    icmp_inside of access allowed any ip an extended list
    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
    RDP list extended access permit tcp any host 192.168.45.3 eq 3389
    rdp extended permitted any one ip access list
    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
    NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
    NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
    NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
    GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
    Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
    azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
    permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
    permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
    pager lines 24
    Enable logging
    emblem of logging
    recording of debug console
    recording of debug trap
    asdm of logging of information
    Interior-Bct 192.168.1.27 host connection
    flow-export destination inside-Bct 192.168.1.27 9996
    vpnswc MTU 1500
    outside Baku MTU 1500
    outside-Ganja MTU 1500
    MTU 1500 remote access
    Interior-Bct MTU 1500
    management of MTU 1500
    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
    IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any outside Baku
    ICMP allow access remotely
    ICMP allow any interior-Bct
    ASDM image disk0: / asdm - 621.bin
    don't allow no asdm history
    ARP timeout 14400
    global (outside-Baku) 1 interface
    global (outside-Ganja) interface 2
    3 overall (RAS) interface
    azans access-list NAT 3 (outside-Ganja)
    NAT (remote access) 0 access-list sheep-vpn-city
    NAT 3 list nat-vpn-internet access (remote access)
    NAT (inside-Bct) 0-list of access inside_nat0_outbound
    NAT (inside-Bct) 2-nat-ganja access list
    NAT (inside-Bct) 1 access list nat
    Access-group rdp on interface outside-Ganja
    !
    Router eigrp 2008
    No Auto-resume
    neighbor 10.254.17.10 interface outside Baku
    neighbor 10.40.50.66 Interior-Bct interface
    Network 10.40.50.64 255.255.255.252
    Network 10.250.25.0 255.255.255.0
    Network 10.254.17.8 255.255.255.248
    Network 10.254.17.16 255.255.255.248
    redistribute static
    !
    Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
    Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
    Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
    Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
    Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
    Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
    Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA-server protocol Ganymede GANYMEDE +.
    AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
    key *.
    AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
    key *.
    RADIUS protocol AAA-server TACACS1
    AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
    key *.
    AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
    key *.
    authentication AAA ssh console LOCAL GANYMEDE
    Console to enable AAA authentication RADIUS LOCAL
    Console Telnet AAA authentication RADIUS LOCAL
    AAA accounting ssh console GANYMEDE
    Console Telnet accounting AAA GANYMEDE
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 Interior-Bct
    http 192.168.139.0 255.255.255.0 Interior-Bct
    http 192.168.0.0 255.255.255.0 Interior-Bct
    Survey community SNMP-server host inside-Bct 192.168.1.27
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec transform-set newset esp-aes esp-md5-hmac
    crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
    crypto ipsec transform-set raccess esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
    crypto ipsec transform-set vpnclienttrans mode transport
    crypto ipsec security-association lifetime seconds 2147483646
    crypto ipsec security-association lifetime kilobytes 2147483646
    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
    crypto map mymap 10 match address 110
    crypto map mymap 10 set peer 10.254.17.10
    crypto map mymap 10 set transform-set RIGHT
    crypto map mymap 20 match address 110
    crypto map mymap 20 set peer 10.254.17.11
    crypto map mymap 20 set transform-set myset2
    crypto map mymap interface outside-Baku
    crypto map ganja 10 match address 110
    crypto map ganja 10 set peer 10.254.17.18
    crypto map ganja 10 set transform-set RIGHT
    crypto map ganja interface outside-Ganja
    crypto map vpntest 20 match address 110
    crypto map vpntest 20 set peer 10.250.25.1
    crypto map vpntest 20 set transform-set newset
    crypto map vpntest interface vpnswc
    crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
    card crypto interface for remote access vpnclientmap
    Crypto ca trustpoint ASDM_TrustPoint0
    registration auto
    name of the object CN = gyd - asa .az .bct
    sslvpnkeypair key pair
    Configure CRL
    map of crypto DefaultCertificateMap 10 ca certificate

    crypto isakmp identity address
    ISAKMP crypto enable vpnswc
    ISAKMP crypto enable outside-Baku
    ISAKMP crypto enable outside-Ganja
    crypto ISAKMP enable remote access
    ISAKMP crypto enable Interior-Bct
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 30
    No vpn-addr-assign aaa
    Telnet timeout 5
    SSH 192.168.0.0 255.255.255.0 Interior-Bct
    SSH timeout 35
    Console timeout 0
    priority queue outside Baku
    queue-limit 2046
    TX-ring-limit 254
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    Server NTP 192.168.1.3
    SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
    SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
    SSL-trust ASDM_TrustPoint0 remote access point
    WebVPN
    turn on remote access
    SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
    enable SVC
    tunnel-group-list activate
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    internal group ssl policy
    attributes of group ssl policy
    banner welcome to SW value
    value of DNS-server 192.168.1.3
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    group-lock value SSL
    WebVPN
    value of the SPS URL-list
    internal vpn group policy
    attributes of vpn group policy
    value of DNS-server 192.168.1.3
    Protocol-tunnel-VPN IPSec l2tp ipsec
    disable the PFS
    BCT.AZ value by default-field
    ssl VPN-group-strategy
    WebVPN
    value of the SPS URL-list
    IPSec-attributes tunnel-group DefaultL2LGroup
    ISAKMP retry threshold 20 keepalive 5
    attributes global-tunnel-group DefaultRAGroup
    raccess address pool
    Group-RADIUS authentication server
    Group Policy - by default-vpn
    IPSec-attributes tunnel-group DefaultRAGroup
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    IPSec-attributes tunnel-group DefaultWEBVPNGroup
    ISAKMP retry threshold 20 keepalive 5
    tunnel-group 10.254.17.10 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.10
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    type SSL tunnel-group remote access
    attributes global-group-tunnel SSL
    ssl address pool
    Authentication (remote access) LOCAL servers group
    Group Policy - by default-ssl
    certificate-use-set-name username
    Group-tunnel SSL webvpn-attributes
    enable SSL group-alias
    Group-url https://85. *. *. * / activate
    tunnel-group 10.254.17.18 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.18
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    tunnel-group 10.254.17.11 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.11
    pre-shared key *.

    ISAKMP retry threshold 20 keepalive 5
    type tunnel-group DefaultSWITGroup remote access
    attributes global-tunnel-group DefaultSWITGroup
    raccess address pool
    Group-RADIUS authentication server
    Group Policy - by default-vpn
    IPSec-attributes tunnel-group DefaultSWITGroup
    pre-shared key *.
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the rsh
    inspect the rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect the netbios
    Review the ip options
    class flow_export_cl
    flow-export-type of event all the destination 192.168.1.27
    class class by default
    flow-export-type of event all the destination 192.168.1.27
    Policy-map Voicepolicy
    class voice
    priority
    The class data
    police release 80000000
    !
    global service-policy global_policy
    service-policy interface outside Baku Voicepolicy
    context of prompt hostname

    Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
    : end
    GYD - asa #.

    Remote ASA:
    ASA Version 8.2(3)
    !
    hostname ciscoasa
    enable password XeY1QWHKPK75Y48j encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 192.168.80.14 255.255.255.0
    !
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 10.254.17.11 255.255.255.248
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 100
     no ip address
     management-only
    !
    boot system disk0:/asa823-k8.bin
    ftp mode passive
    access-list 110 extended permit ip any any
    access-list sheep extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0

    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu management 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list sheep
    route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.80.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec transform-set newset esp-aes esp-md5-hmac
    crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 2147483646
    crypto ipsec security-association lifetime kilobytes 2147483646
    crypto map mymap 10 match address 110
    crypto map mymap 10 set peer 10.254.17.9
    crypto map mymap 10 set transform-set myset2
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 10.254.17.9 type ipsec-l2l
    tunnel-group 10.254.17.9 ipsec-attributes
     pre-shared-key *

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context

    Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
    : end
    ciscoasa# $

    Still, I can't ping the remote ASA's outside interface from the local ASA's outside interface. And there is no connectivity between the remote 192.168.80.0 network and the local network, say 192.168.1.0. I have run out of ideas.

    Would appreciate any help. Thank you in advance...

    If the tunnel is up (phase 1) but no traffic is passing, the best test is the following:

    Add the command management-access inside, and then try to PING the inside IP of the peer ASA.

    ping inside x.x.x.x --> x.x.x.x is the inside IP of the peer ASA

    The test above shows whether the traffic passes through the tunnel (check the encrypted/decrypted packets in sh cry ips sa).

    Test in both directions.

    Please post the results.

    Federico.
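The counter check from the reply above, as an added example that is not part of the thread: it reads the encaps/decaps counters from `show crypto ipsec sa` on both ASAs after the ping test and classifies each direction. The function names are hypothetical, the sample output is constructed, and it assumes the local ASA's outside address is 10.254.17.9 (the peer set in the remote config).

```python
import re

# Constructed samples shaped like `show crypto ipsec sa` on each ASA after the
# ping test. Peer addresses come from the configs above; the counters are invented.
LOCAL_SA = """\
      current_peer: 10.254.17.11
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
REMOTE_SA = """\
      current_peer: 10.254.17.9
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

PEER = re.compile(r"current_peer:\s*([0-9.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Return {peer_ip: {"encaps": n, "decaps": n}}, summed over that peer's SAs."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            peer = m.group(1)
            sas.setdefault(peer, {"encaps": 0, "decaps": 0})
        elif peer:
            for name, value in COUNTER.findall(line):
                sas[peer][name] += int(value)
    return sas

def direction(sender, receiver):
    """Classify one direction from the sender's encaps and the receiver's decaps."""
    if sender["encaps"] == 0:
        return "not-encrypted"    # never selected for the tunnel: crypto ACL, NAT exemption, routing
    if receiver["decaps"] == 0:
        return "lost-in-transit"  # encrypted by the sender, never decrypted by the peer
    return "ok"

def diagnose(a_text, a_peer, b_text, b_peer):
    """a_text is ASA A's output and a_peer the address A uses for B; likewise for B."""
    a = parse_sa(a_text).get(a_peer)
    b = parse_sa(b_text).get(b_peer)
    if a is None or b is None:
        return {"a_to_b": "no-sa", "b_to_a": "no-sa"}
    return {"a_to_b": direction(a, b), "b_to_a": direction(b, a)}

if __name__ == "__main__":
    print(diagnose(LOCAL_SA, "10.254.17.11", REMOTE_SA, "10.254.17.9"))
```

With the constructed counters, the local-to-remote direction is fine and the replies are never encrypted on the remote side, which points at that ASA's crypto ACL or NAT exemption rather than at the path between the peers.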
