Site to Site ASA translation problem
Hello
I would like to ask how to solve this problem:
Site A is ASA5520 (v7.2) with:
Interface backwards
External interface
On site B is ASA5520 (v8.2) with:
Interface backwards
External interface
DMZ interface
There's a L2L IPSec tunnel between network ASAs - tunnel is and the correct work of the networks within the ASA networks inside the ASA B.
-----------------
I can do a ping to the server (172.25.106.221) on UI inside the ASA A for server (192.168.1.5) within the Interface of the ASA b.
But I can't do a ping to the server (172.25.106.221) on the UI inside the ASA A server (192.168.0.31) on the Interface of the DMZ of ASA B with a pattern of ASA B: log % ASA-3-305005: no outside group translation not found for icmp src: 172.25.106.221 DMZ:192.168.0.31 (type 8, code 0) dst
No doubt is there a problem with the static translation on ASA B, so im looking how to solve this problem.
I posted configuration files (I omitted a few unnecessary configuration line to resolve this problem, I think).
Thank you much for the help.
Hey there,
Checked the config and I noticed he was missing a sheep of the DMZ, there is one for the inside very well.
: so you can add the following to the ASA B
NAT (DMZ) 0-list of access ACL_NONAT
Let me know how it goes, if it helped you can give then replied
See you soon,.
MB
Tags: Cisco Security
Similar Questions
-
The financial company Web site www.gmo.com will not appear in Firefox 32.0.02. Server not found is the only result. Safari loads Web site without any problem and Firefox for Windows computer in the House support the site without problem. All the other sites I have access, including banks, Amazon, etc. loads normally.
What/why the Mac of Firefox version would not be able to to connect/load this site?
The company of people told me that no one else has reported this problem and other people in my company can access the site. And they cannot reproduce the problem.
My ISP provider could not see anything from their point of view. And access all computers to the modem/router in the House everything without any problems.
Anyone have any ideas on what would cause this or how to go about troubleshooting?
Thank you for your time.
Looks like it's something on the computer. There are cookies that must be removed individually from the Firefox profile.
To do this, go to the Firefox Menu, tap Preferences, then tap privacy and then delete cookies or cookies see the. You can search the sites that gives you problems and remove them. Restart Firefox.
It could also be that you add a DNS server for your connection. 8.8.8.8 is google, but I don't know if this would affect given that the server is not found, not that there is no link, that's why it does not sound like a connection problem, but a cache problem. Use the Profile Manager to create and delete profiles Firefox
-
the site theme is problem with firefox, but not any problem of chrome with!
the site theme is problem with firefox, but not any problem of chrome with!
for ex: http://haftegy.ir
How to fix?Wow sorry! IM update firefox to the latest version and my problem is solved.
Thank you very much. -
can't install or update anything get the message "The site encountered A Problem"... I am trying to get windows xp service pack 3
Hello!
Try these stepsRename the Catroot2 folder, and then try again to install the program.
To rename the Catroot2 folder, follow these steps:- Click Start, click run, type cmd, and then click OK.
- At the command prompt, type the following commands and press ENTER after each line:net stop cryptsvc
Ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
output
try to download Sp3 manually from this link;also perform the software clean bootand then install updates.Thank youMakoi -
VPN Site to Site ASA (only happens with interesting traffic)
Is anyway to get an ASA to VPN site-to-site ASA addition interesting traffic? I need to keep this tunnel independently of traffic is anyway to do this?
Unfortunately, no such feature has been developed on the SAA. You need to deceive the ASA with a host located in the "interesting" part of the network to constantly generate interesting traffic. Here are a few suggestions:
-Use the IP SLA on a Cisco device
-Perform a host TCP ping
-Setting up a host of the site has press site B as a NTP source ASA
Thank you for evaluating useful messages!
-
Microsoft l2tp IPSec VPN site to site ASA on top
I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.
In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero
Hello
Yes, the L2TP can be encapsulated in IPSEC as all other traffic.
However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.
See you soon,.
Daniel
-
I have Lightroom 4.4 on my Mac laptop. It came with the purchase of a Leica camera. When I check the updates, the answer is that there is no update available. Download Version 5.7 of Adobe's Web site with no problems?
Your license for the 4.4 release will not work with version 5.7, you can download it without doubt, but if you do not have version 5.7 download then it won't do much good. If you do not have a license for it so you won't be able to use it beyond use of the trial.
-
I just installed Adobe Acrobat Reader DC on my Windows 7 computer and can't download a PDF from a government site. I was able to download the pdf of the year last of this site without any problems. How can I handle this?
The PDF Viewer for Firefox supports not only this type of form PDF (XFA) or any PDF form really. You must download the file and open it in Acrobat or Adobe Reader, and it will work. You can download the PDF file right click on this link and selecting "save target as".
-
Export a Final Cut Pro XML file problem any translation problem
When I export the XML pro final cut, there is always a problem of translation like this "Transition... not translated, chained <>used instead."
Most of type transition can cause translation problems, except the wipe and cross dissolve.
Is there any body know the reason? Is it OK?
Also, I use the trial version of cs5
Hey Ani_,.
I work for a long time with Adobe products and generally when you encounter an error that has nothing to with an XML file export problem its due to such things as the effects you may have added in, color correction, bland Crusaders or any type of video transitions between clips. Don't forget that your workflow must be
Import your videos into Premiere Pro
Name your clips (help to find things later)
Place the clips on the timeline in the order you want (DO CUP that DO not add anything, transitions effects color nothing)
Then once all of your clips are placed on the timeline in your voucher order you then EXPORT > Final Cut Pro XMLNow you can put this in other programs for adjustment of colors, or whatever it is you do. You will find there is no error on export.
Once your fact is do what you do for the clips in another program (for example: the Divinci Resolve color adjustment) you can then export to your main project, and then add your effects and transitions.
-
IPsec VPN site to site between router problem Cisco ASA. Help, please
Hello community,
I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)
Attachment is router configuration and ASA. I also include the router debug output.
It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.
Please help me. Any help appreciated.
Thank you
I didn't look any further, but this may be a reason:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
The dynamic CM must always be the last sequence in a card encryption:
no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1
Try this first, then we can look further.
-
Site to IP - sec site ASA 9.1 worm problem vs IOS
Hi all
I'm trying to set up the vpn site-to site between ASA and IOS, but unsuccessfully router,
newspapers are:
(1) this is not behind a nat device
(2) an encrypted packet received with no counterparty SA
networks are:
172.25.0.0 (inside ASA) A.A.A.A (outside of ASA) is required to connect to the address B.B.B.B router IOS with inside the network 192.168.1.0
Here are the configs:
ASA:
ASA 5505 # sh run
: Saved
:
ASA Version 9.0 (1)
!
hostname ASA 5505
KZ 1 domain name.
names of
vpn_pool_ASA-5505 192.168.172.2 mask - 255.255.255.0 IP local pool 192.168.172.100
local pool SAME_NET_ALA 172.25.66.200 - 172.25.66.210 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
10 speed
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 172.25.66.15 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP A.A.A.A 255.255.255.252
!
passive FTP mode
clock timezone ALMST 6
summer time clock ALMDT recurring last Dim Mar 0:00 last Sun Oct 0:00
DNS server-group DefaultDNS
KZ 1 domain name.
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NETWORK_OBJ_172.25.66.0_24 object
172.25.66.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.172.0_25 object
subnet 192.168.172.0 255.255.255.128
network of the NETWORK_OBJ_172.25.66.192_27 object
subnet 172.25.66.192 255.255.255.224
network of the ALA_office object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_172.25.0.0_16 object
172.25.0.0 subnet 255.255.0.0
Standard access list SAME_NET_ALA_splitTunnelAcl allow 172.25.66.0 255.255.255.0
SAME_NET_ALA_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
Standard access list SAME_NET_ALA_splitTunnelAcl allow 172.0.0.0 255.0.0.0
list access VPN-OUT-INS scope ip 192.168.172.0 255.255.255.0 allow no matter what paper
VPN-IN-INS scope any allowed ip access list no matter what paper
extended VPN OUTPUT access list permits all ip 192.168.172.0 255.255.255.0 connect
access list permit VPN OUT ALL standard any4
standard access list net172 allow 172.25.0.0 255.255.0.0
access-list standard net10 allowed 10.0.0.0 255.0.0.0
outside_cryptomap list extended access permitted ip NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 non-proxy-arp-search of route static destination
NAT (inside, outside) source static obj_any obj_any NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 ALA_office ALA_office non-proxy-arp-search of route static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
!
NAT source auto after (indoor, outdoor) dynamic one interface
group-access VPN-IN-INS in the interface inside
group-access VPN-IN-INS interface inside
Route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
Route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
Route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 Alma-series esp - aes esp-sha-hmac
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_cryptomap
outside_map game 1 card crypto peer B.B.B.B
card crypto outside_map 1 set ikev1 Alma-set transform-set
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 5
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
No anyconnect essentials
internal web_access group policy
attributes of the strategy of group web_access
clientless ssl VPN tunnel-Protocol
WebVPN
the value of the URL - list PRTG
internal SAME_NET_ALA group policy
SAME_NET_ALA group policy attributes
value of server DNS 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SAME_NET_ALA_splitTunnelAcl
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_to_ALA group strategy
type tunnel-group SAME_NET_ALA remote access
attributes global-tunnel-group SAME_NET_ALA
address SAME_NET_ALA pool
Group Policy - by default-SAME_NET_ALA
IPSec-attributes tunnel-group SAME_NET_ALA
IKEv1 pre-shared-key *.
type tunnel-group web_access remote access
tunnel-group web_access General-attributes
Group Policy - by default-web_access
tunnel-group B.B.B.B type ipsec-l2l
attributes global-tunnel-group B.B.B.B
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-Group B.B.B.B
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
inspect the http
!
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:932099620805dc22d9e48a5e04314887
: endand router IOS:
R1921_center #sh run
Building configuration...Current configuration: 6881 bytes
!
! Last configuration change to 12:22:45 UTC Friday, August 29, 2014 by yerzhan
version 15.2
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
IP cef
!
!
!
!!
!
!
!
"yourdomain.com" of the IP domain name
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
Crypto pki trustpoint TP-self-signed-260502430
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 260502430
revocation checking no
rsakeypair TP-self-signed-260502430
!
!
TP-self-signed-260502430 crypto pki certificate chain
certificate self-signed 01
30820229 30820192 A0030201 02020101 300 D 0609 2A 864886 F70D0101 05050030
2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 32363035 30323433 30301E17 313331 31323630 35343131 0D 6174652D
355A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3236 30353032
06092A 86 4886F70D 01010105 34333030 819F300D 00308189 02818100 0003818D
C178A16C 26637 HAS 32 E2FE6EB2 DE63FC5D 2F4096D2 1A223CAF 52A122A1 F152F0E0
D2305008 FA312D36 E055D09C 487A01D5 629F8DE4 42FF0444 4B3B107A 730111B 6
F6439BA2 970EFE71 C9127F72 F93603E0 11B3F622 73DB1D7C 1889D57C 88C3B141
ED39B0EA 377CE1F7 610F9C76 FC9C843F A81AEFFE 07917A4B 2946032B 207160B 9
02030100 01A 35330 03551 D 13 51300F06 0101FF04 05300301 01FF301F 0603551D
23041830 1680146B B9F671FA BDD822DF 76802EEA 161D18D6 1 060355 9B8C4030
1D0E0416 04146BB9 F671FABD D822DF76 802EEA16 1D18D69B 8C40300D A 06092, 86
01010505 00038181 00B0C56F F1F4F85C 5FE7BF24 27D1DF41 7E9BB9CE 4886F70D
0447910A E780FA0D 07209827 3A969CD0 14AAA496 12929830 0D17F684 7F841261
56365D9C AA15019C ABC74D0A 3CD4E002 F63AA181 B3CC4461 4E56E58D C8237899
29F48CFA 67C4B84B 95D456C3 F0CF858D 43C758C3 C285FEF1 C002E2C5 DCFB9A8A
6A1DF7E3 EE675EAF 7A608FB7 88
quit smoking
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
!
!
!
!
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 5
BA aes 256
preshared authentication
Group 2
PSK - KEY key crypto isakmp A.A.A.A address
PSK - KEY crypto isakmp key address 6 0.0.0.0
!
Configuration group crypto isakmp ALA-EMP-VPN client
key *. *. *. *
DNS 8.8.8.8
domain cisco.com
pool ippool
ACL 101
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac dmvpn_alad
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp-3des esp-md5-hmac TRIPSECMAX
transport mode
Crypto ipsec transform-set AES - SHA aes - esp esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec MAXPROFILE
game of transformation-TRIPSECMAX
!
!
Crypto ipsec profile dmvpn_profile
Set transform-set dmvpn_alad
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
20 ipsec-isakmp crypto map clientmap
defined by peer A.A.A.A
game of transformation-AES-SHA
match address VPN_ASA_PAV
!
!
!
!
!
interface Loopback1
IP 10.10.10.10 address 255.255.255.255
!interface tunnels2
IP 192.168.101.1 255.255.255.240
no ip redirection
authentication of the PNDH IP NHRPMAX
dynamic multicast of IP PNDH map
PNDH id network IP-4679
dissemination of IP ospf network
IP ospf hello-interval 30
IP ospf priority 10
source of tunnel GigabitEthernet0/1
multipoint gre tunnel mode
tunnel key 4679
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description to_LAN
IP 192.168.1.253 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
Description to_ISP
address IP B.B.B.B 255.255.255.252
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
clientmap card crypto
!
router ospf 100
Auto-cout reference-bandwidth 1000
0 message digest authentication box
area 192.168.1.0 digest authentication message
redistribute static subnets
passive-interface default
no passive-interface Tunnel1
network of 10.10.10.10 0.0.0.0 area 192.168.1.0
network 192.168.1.0 0.0.0.255 area 192.168.1.0
192.168.222.0 network 0.0.0.15 area 0
!
router ospf 1
router ID 1.1.1.1
redistribute static subnets
passive-interface default
no passive-interface tunnels2
network of 10.10.10.10 0.0.0.0 area 192.168.1.0
network 192.168.1.0 0.0.0.255 area 192.168.1.0
192.168.101.0 network 0.0.0.15 area 0
!
IP local pool ippool 192.168.33.1 192.168.33.20
IP forward-Protocol ND
!
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
overload of IP nat inside source list 111 interface GigabitEthernet0/1
IP nat inside source static tcp 192.168.1.11 22 Expandable 8022 B.B.B.B
IP route 0.0.0.0 0.0.0.0 B.B.B.C
!
extended ACL - NAT IP access list
deny ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
allow an ip
IP extended ACL - VPN access list
ip permit 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
VPN_ASA_PAV extended IP access list
ip permit 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access ip-list 111 allow a whole
!
!
!
!
!
control plan
!
!
!
Line con 0
line to 0
line 2
no activation-character
No exec
preferred no transport
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
endThe biggest problem is the incompatibility in the VPN access lists.
The ASA said
outside_cryptomap list extended access permitted ip NETWORK_OBJ_172.25.66.0_24 object ALA_office
The router said
ip permit 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
Match them. If it still does not work then please post the revised configurations.
HTH
Rick
-
ASA IPSEC site-to-site with NAT problem
Hello
I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.
Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.
The system of site B can also ping 10.57.4.50.
Here's the running configuration:
ASA 8.3 Version (2)
!
hostname fw1
domain name
activate the
password encrypted passwd
encrypted names of
!
interface Vlan1
Description city network internal
nameif inside
security-level 100
IP 192.168.9.1 255.255.255.0
!
interface Vlan2
Description Internet Public
nameif outside
security-level 0
IP 173.166.117.186 255.255.255.248
!
interface Vlan3
DMZ (CaTV) description
nameif dmz
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface Vlan5
PD Network description
nameif PDNet
security level 95
the IP 192.168.0.1 255.255.255.0
!
interface Vlan10
Description Network Infrastructure
nameif InfraNet
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan13
Description wireless comments
nameif Wireless-comments
security-level 25
IP 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
IP 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk vlan 1 native
switchport mode trunk
Speed 100
full duplex
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk vlan 1 native
switchport mode trunk
Shutdown
!
exec banner restricted access
banner restricted access connection
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain name
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
service of the IMAPoverSSL object
destination eq 993 tcp service
IMAP over SSL description
service of the POPoverSSL object
tcp destination eq 995 service
POP3 over SSL description
service of the SMTPwTLS object
tcp destination eq 465 service
SMTP with TLS description
network object obj - 192.168.9.20
Home 192.168.9.20
object obj-claggett-https network
Home 192.168.9.20
network of object obj-claggett-imap4
Home 192.168.9.20
network of object obj-claggett-pop3
Home 192.168.9.20
network of object obj-claggett-smtp
Home 192.168.9.20
object obj-claggett-imapoverssl network
Home 192.168.9.20
object obj-claggett-popoverssl network
Home 192.168.9.20
object obj-claggett-smtpwTLS network
Home 192.168.9.20
network object obj - 192.168.9.120
Home 192.168.9.120
network object obj - 192.168.9.119
Home 192.168.9.119
network object obj - 192.168.9.121
Home 192.168.9.121
object obj-wirelessnet network
subnet 192.168.1.0 255.255.255.0
network of the Clients_sans_fil object
subnet 192.168.1.0 255.255.255.0
object obj-dmznetwork network
Subnet 192.168.2.0 255.255.255.0
network of the FD_Firewall object
Home 74.94.142.229
network of the FD_Net object
192.168.6.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
object obj-TownHallNet network
192.168.9.0 subnet 255.255.255.0
network obj_InfraNet object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NHDOS_Firewall object
Home 72.95.124.69
network of the NHDOS_SpotsHub object
Home 192.168.4.20
network of the IMCMOBILE object
Home 192.168.0.112
network of the NHDOS_Net object
subnet 192.168.4.0 255.255.255.0
network of the NHSPOTS_Net object
10.57.4.0 subnet 255.255.255.0
network of the IMCMobile_NAT_IP object
Home 10.57.4.50
service EmailServices object-group
Description of e-mail Exchange Services / Normal
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq imap4 service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_1
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_2
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
the obj_clerkpc object-group network
PCs of the clerk Description
network-object object obj - 192.168.9.119
network-object object obj - 192.168.9.120
network-object object obj - 192.168.9.121
the TownHall_Nets object-group network
object-network 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.9.0 255.255.255.0
the DOS_Networks object-group network
network-object 10.56.0.0 255.255.0.0
network-object, object NHDOS_Net
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
StateNet_access_in list extended access permitted ip object-group obj_clerkpc one
permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0
PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip
PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks
outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group
outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
Enable logging
Test1 logging level list class debug vpn
logging of debug asdm
E-mail logging errors
address record
logging level
-l errors ' address of the recipient Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 Wireless-comments
MTU 1500 StateNet
MTU 1500 InfraNet
MTU 1500 PDNet
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 635.bin
don't allow no asdm history
ARP timeout 14400
NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net
NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net
public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks
!
network obj_any object
NAT static interface (indoor, outdoor)
object obj-claggett-https network
NAT (inside, outside) interface static tcp https https service
network of object obj-claggett-imap4
NAT (inside, outside) interface static tcp imap4 imap4 service
network of object obj-claggett-pop3
NAT (inside, outside) interface static tcp pop3 pop3 service
network of object obj-claggett-smtp
NAT (inside, outside) interface static tcp smtp smtp service
object obj-claggett-imapoverssl network
NAT (inside, outside) interface static tcp 993 993 service
object obj-claggett-popoverssl network
NAT (inside, outside) interface static tcp 995 995 service
object obj-claggett-smtpwTLS network
NAT (inside, outside) interface static tcp 465 465 service
network object obj - 192.168.9.120
NAT (inside, StateNet) 10.63.198.12 static
network object obj - 192.168.9.119
NAT (all, StateNet) 10.63.198.10 static
network object obj - 192.168.9.121
NAT (all, StateNet) 10.63.198.11 static
object obj-wirelessnet network
NAT (Wireless-Guest, outside) static interface
object obj-dmznetwork network
interface static NAT (all, outside)
network obj_InfraNet object
NAT (InfraNet, outside) static interface
Access-group outside_access_in in interface outside
Access-group StateNet_access_in in the StateNet interface
Access-group PDNet_access_in in interface PDNet
Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set 72.x.x.x counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_2_cryptomap
card crypto outside_map 2 set pfs
card crypto outside_map 2 peers set 173.x.x.x
card crypto outside_map 2 game of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet 192.168.9.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.9.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd outside auto_config
!
dhcpd address dmz 192.168.2.100 - 192.168.2.254
dhcpd dns 8.8.8.8 8.8.4.4 dmz interface
dhcpd enable dmz
!
dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments
dhcpd enable Wireless-comments
!
a basic threat threat detection
a statistical threat detection host number rate 2
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 63.240.161.99 prefer external source
NTP server 207.171.30.106 prefer external source
NTP server 70.86.250.6 prefer external source
WebVPN
attributes of Group Policy DfltGrpPolicy
internal FDIPSECTunnel group strategy
attributes of Group Policy FDIPSECTunnel
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
support for username
password encrypted privilege 15 tunnel-group 72.x.x.x type ipsec-l2l
72.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x General-attributes
Group Policy - by default-FDIPSECTunnel
173.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
192.168.9.20 SMTP server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.
-
Problem with Telnet VPN site to site ASA - ASA
Hi techies,.
I created a site to site through ASA VPN... An ASA 5505 and other ASA 5510 East. 5510 have 3 interfaces. both of them is on the inside. No DMZ. and it is outside the interface. one of the inside interface has 100 security level and other has 90. The 5510 is client-side. We can telnet to this ASA through the interface with the security level of 100... We enabled telnet via the lowest (90) with security-level interface, even if we can not telnet to this interface. We just change the security level of 90 to 100, but it did not work... so changed to 90. the telnet configuration is also even any other interface...
but it did not work... If someone please suggest a fair solution ASAP...
Thank you & best regards
Vipin Raj
You can only manage 1 inside the ASA by the VPN interface, and it is activated by the command "access management".
Why do you need to manage the ASA via all interfaces from the inside by the VPN?
ASA cannot be managed from the interface where you connect since with the exception of the 1 cross interface when you VPN in.
Example:
If you are connected to the ASA inside the interface, you can only manage the ASA inside the interface, not the DMZ or outside the interface.
If you are connected to the ASA outside interface, you can only manage the ASA outside interface, with the exception of when you VPN, you can handle the 1 other interfaces, but you will have to enable it with the command "access management".
Hope that makes sense.
-
Connectivity problems from site to Site - ASA and PIX
I'm trying to set up a tunnel between the ASA and PIX but I have some difficulty.
On the side of the ASA
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, error QM WSF (P2 struct & 0xc9309260, mess id 0x7e79b74e).
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, peer table correlator Removing failed, no match!
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Session is be demolished. Reason: Phase 2
On the side of PIX
ISAKMP (0): the total payload length: 37
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
Exchange OAK_MM
ISAKMP (0): processing ID payload. Message ID = 0
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): load useful treatment vendor idISAKMP (0): Peer Remote supports dead peer detection
ISAKMP (0): SA has been authenticated.
ISAKMP (0): start Quick Mode Exchange, M - ID - 813626169:cf810cc7IPSEC (key_engine): had an event of the queue...
IPSec (spi_response): spi 0xbb1797c2 graduation (3138885570) for SA
from 63.143.77.114 to 190.213.57.203 for prot 3to return to the State is IKMP_NO_ERROR
ISAKMP (0): send to notify INITIAL_CONTACT
ISAKMP (0): sending message 24578 NOTIFY 1 protocol
Peer VPN: ISAKMP: approved new addition: ip:63.143.77.114/500 Total VPN peers: 2
Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt is incremented to peers: 1 Total VPN peers: 2
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 Protocol 3
SPI 0, message ID = 2038434904
to return to the State is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. Message ID = 1798094647, spi size = 16
ISAKMP (0): delete SA: src 190.213.57.203 dst 63.143.77.114
to return to the State is IKMP_NO_ERR_NO_TRANS
ISADB: Reaper checking HIS 0x11fa6fc, id_conn = 0
ISADB: Reaper checking HIS 0x121ac3c, id_conn = 0 DELETE IT!Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt decremented to peers: 0 Total of VPN peers: 2
Peer VPN: ISAKMP: deleted peer: ip:63.143.77.114/500 VPN Total peers:1IPSEC (key_engine): had an event of the queue...
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 63.143.77.114The ASA configuration
ASA Version 8.2 (5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 63.143.77.114 255.255.255.252
!
passive FTP mode
clock timezone IS - 5
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
domain lexlocal
object-group service DM_INLINE_SERVICE_3
the eq https tcp service object
the eq telnet tcp service object
ICMP service object
the purpose of the service tcp - udp eq www
the udp service object
object-group service DM_INLINE_SERVICE_5
the udp service object
the tcp service object
the purpose of the service tcp - udp eq www
the purpose of the service tcp eq www
the purpose of the service udp eq www
ICMP service object
object-group service DM_INLINE_SERVICE_8
the eq https tcp service object
the purpose of the service tcp - udp eq www
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_4
the purpose of the service tcp - udp eq www
the eq https tcp service object
EQ-tcp smtp service object
the purpose of the udp eq snmp service
the purpose of the ip service
ICMP service object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
object-protocol udp
object-tcp protocol
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
object-protocol udp
object-tcp protocol
inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.240
access extensive list ip 192.168.102.0 inside_nat0_outbound allow Barbado-internal 255.255.255.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.192
access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 JA_Office_Internal 255.255.255.0
access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0
outside_authentication list extended access allowed object-group DM_INLINE_PROTOCOL_3 all all idle state
inside_access_in access-list extended ip any any idle state to allow
inside_access_in list extended access allowed object-group host Jeremy DM_INLINE_SERVICE_5 all
inside_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 192.168.102.0 255.255.255.0 any
inside_access_in list extended access allowed object-group DM_INLINE_PROTOCOL_1 192.168.102.0 255.255.255.0 192.168.102.0 255.255.255.0
outside_access_in list extended access allowed object-groups DM_INLINE_PROTOCOL_2 host interface idle outside Jeremy
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_4 any external interface
extended access list ip 255.255.255.0 Barbado-internal outside_access_in allow 192.168.102.0 255.255.255.0
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_8 any inactive external interface
IP JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0 allow Access-list extended outside_access_in
IP P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0 allow Access-list extended outside_access_in
access extensive list ip 192.168.102.0 outside_1_cryptomap allow Barbado-internal 255.255.255.0 255.255.255.0
access extensive list ip 192.168.102.0 outside_2_cryptomap allow 255.255.255.0 JA_Office_Internal 255.255.255.0
access extensive list ip 192.168.102.0 outside_3_cryptomap allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of local pool remote_users 192.168.200.1 - 192.168.200.10 IP 255.255.255.0
mask of local pool VPN_IPs 192.168.200.25 - 192.168.200.50 IP 255.255.255.248
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 63.143.77.113 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication match outside the LOCAL outside_authentication
Enable http server
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt connection timewait
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 200.50.87.198
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 2 match address outside_2_cryptomap
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 66.54.113.191
card crypto outside_map 2 game of transformation-ESP-3DES-SHA
card crypto outside_map 3 match address outside_3_cryptomap
card crypto outside_map 3 set pfs
peer set card crypto outside_map 3 190.213.57.203
card crypto outside_map 3 game of transformation-ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP disconnect - notify
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.102.30 - 192.168.102.50 inside
dhcpd dns 66.54.116.4 66.54.116.5 interface inside
dhcpd allow inside
!
dhcpd dns 66.54.116.4 66.54.116.5 outside interface
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
allow outside
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
VPN-tunnel-Protocol svc
lexlocal value by default-field
WebVPN
SVC keepalive no
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Protocol-tunnel-VPN l2tp ipsec
lexlocal value by default-field
WebVPN
SVC keepalive no
internal VPN_Tunnel_Client group strategy
attributes of Group Policy VPN_Tunnel_Client
value of server DNS 192.168.102.1
Protocol-tunnel-VPN IPSec l2tp ipsec svc
lexlocal value by default-field
username VPN_Connect password 6f7B + J8S2ADfQF4a/CJfvQ is nt encrypted
username VPN_Connect attributes
type of nas-prompt service
xxxxex iFxSRrE9uIWAFjJE encrypted password username
attributes global-tunnel-group DefaultRAGroup
address pool remote_users
address pool VPN_IPs
Group Policy - by default-DefaultRAGroup_1
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group 200.50.87.198 type ipsec-l2l
IPSec-attributes tunnel-group 200.50.87.198
pre-shared key *.
type tunnel-group VPN_Tunnel_Client remote access
attributes global-tunnel-group VPN_Tunnel_Client
address pool remote_users
Group Policy - by default-VPN_Tunnel_Client
IPSec-attributes tunnel-group VPN_Tunnel_Client
pre-shared key *.
tunnel-group 66.54.113.191 type ipsec-l2l
IPSec-attributes tunnel-group 66.54.113.191
pre-shared key *.
tunnel-group 190.213.57.203 type ipsec-l2l
IPSec-attributes tunnel-group 190.213.57.203
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
PIX configuration
lexmailserver name 192.168.1.3
name 192.168.1.120 Lextt-SF
name 192.168.1.6 Lextt-ms
name 192.168.100.0 Barbados
name 192.168.102.0 Data_Center_Internal
outside_access_in tcp allowed access list any interface outside eq smtp
outside_access_in tcp allowed access list any interface outside eq www
outside_access_in tcp allowed access list any interface outside eq https
inside_outbound_nat0_acl ip access list allow any 192.168.2.0 255.255.255.224
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Barbado
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Data_Ce
permit 192.168.1.0 ip access list outside_cryptomap_20 255.255.255.0 Barbados 25
permit 192.168.1.0 ip access list outside_cryptomap_40 255.255.255.0 Data_Center
pager lines 24
opening of session
debug logging in buffered memory
logging trap information
logging out of the 190.213.57.203 host
Outside 1500 MTU
Within 1500 MTU
external IP 190.213.57.203 255.255.255.0
IP address inside 192.168.1.1 255.255.255.0
IP verify reverse path to the outside interface
alarm action IP verification of information
alarm action attack IP audit
IP local pool vpn_pool 192.168.2.0 - 192.168.2.20
no failover
failover timeout 0:00:00
failover poll 15
No IP failover outdoors
No IP failover inside
PDM location lexmailserver 255.255.255.255 outside
location of PDM Lextt-ms 255.255.255.255 outside
location of PDM 192.168.2.0 255.255.255.224 outside
location of PDM 200.50.87.198 255.255.255.255 outside
PDM location Barbados 255.255.255.0 inside
location of PDM 255.255.255.255 Lextt-SF on the inside
PDM location 255.255.255.0 outside Barbados
location of PDM 255.255.255.255 Lextt-ms on the inside
location of PDM Data_Center_Internal 255.255.255.0 outside
PDM 100 logging alerts
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 10 192.168.1.0 255.255.255.0 0 0
public static tcp (indoor, outdoor) interface smtp smtp Lextt-SF netmask 255.255.255.255
public static tcp (indoor, outdoor) interface www Lextt-ms www netmask 255.255.255.255 0
public static tcp (indoor, outdoor) interface Lextt-ms https netmask 255.255.255.2 https
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 190.213.73.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.1.0 255.255.255.0 inside
Barbados 255.255.255.0 HTTP inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
outside_map 20 ipsec-isakmp crypto map
card crypto outside_map 20 match address outside_cryptomap_20
peer set card crypto outside_map 20 200.50.87.198
outside_map card crypto 20 the transform-set ESP-DES-MD5 value
outside_map 40 ipsec-isakmp crypto map
card crypto outside_map 40 correspondence address outside_cryptomap_40
peer set card crypto outside_map 40 63.143.77.114
outside_map card crypto 40 the transform-set ESP-DES-MD5 value
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 200.50.87.198 netmask 255.255.255.255
ISAKMP key * address 63.143.77.114 netmask 255.255.255.255
part of pre authentication ISAKMP policy 20
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
Telnet timeout 5
If you haven't already done so, you must clear the SAs Phase I on both sides after you make a change to the map. Once the Phase I SA has been cleared, he renegotiate and reset Phase II. If you alerady made this, the only other thing I can think is manually re-enter the secrets disclosed in advance on tunnel groups then erase both the Phase I and Phase II SAs.
-
Recently, I set up a VPN from Site to Site using a Cisco ASA 5505 to a Cisco 2691 and works a lot but internet no longer works for clients behind the ASA. I know how to get online, but it disconnects the VPN. Can someone please advice to see what I've done wrong or Miss? I know that acl 110 blocks them but am breaking my head by trying different things.
Thanks in advance,
ASA # sh run
: Saved
:
ASA Version 8.0 (4)
!
domain XXXX
activate the encrypted password for XXXXX
passwd encrypted xxxxxx
names of
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP XXXXXX.173 255.255.254.0
!
interface Ethernet0/0
Description link to router Comcast
switchport access vlan 2
!
interface Ethernet0/1
Description LINK to Linksys SR2024
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa804 - k8.bin
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS server-group DefaultDNS
domain xxx.com
permit same-security-traffic intra-interface
access-list 110 extended permit tcp any host XXX eq 3389
access-list 110 extended permit tcp any host XXX eq www
access-list 110 extended permit tcp any host XXX eq smtp
access-list 110 extended allow tcp no matter what field of eq host XXX
access-list 110 extended permit tcp any host XXX eq https
access-list 110 extended permit tcp any host XXX eq ftp
access-list 110 extended allow icmp a whole
access-list 110 extended permit tcp any host XXX eq 3389
access-list 110 extended permit tcp any host XXX eq www
access-list 110 extended permit tcp any host XXX eq smtp
access-list 110 extended allow tcp no matter what field of eq host XXX
access-list 110 extended permit tcp any host XXX eq https
access-list 110 extended permit tcp any host XXX eq ftp
access-list 110 extended permit tcp any host XXX eq 3389
access-list 110 extended permit tcp any host XXX eq www
access-list 110 extended allow tcp no matter what field of eq host XXX
access-list 110 extended permit tcp any host XXX eq https
access-list 110 extended permit tcp any host XXX eq pptp
access-list 110 extended allow accord any host XXX
access-list 110 extended permit udp any host XXX eq 1701
access-list 110 extended allow esp any host XXX
access-list 110 extended allow ah any host XXX1
permit access ip 192.168.0.0 scope list Inside_nat0_outbound 255.255.255.0 any
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 any
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 613.bin
don't allow no asdm history
ARP timeout 14400
Global interface 5 (external)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 5 0.0.0.0 0.0.0.0
public static xxx.169 (Interior, exterior) 192.168.0.14 netmask 255.255.255.255
static (inside, outside) xxx.171 192.168.0.17 netmask 255.255.255.255
public static xxx.172 (Interior, exterior) 192.168.0.12 netmask 255.255.255.255
Access-group 110 in external interface
Route outside 0.0.0.0 0.0.0.0 XXX.174 1
Timeout xlate 03:00
Timeout conn 0 half-closed 10:00:10: 00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 counterpart set xxx
card crypto outside_map 1 set of transformation-ESP-DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 10
Console timeout 0
dhcpd 192.168.0.14 dns 68.87.72.130
dhcpd wins 192.168.0.14
dhcpd field xxxxx
!
dhcpd address 192.168.0.50 - 192.168.0.81 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
tunnel-group xxx type ipsec-l2l
tunnel-group xxx ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:a075331231f1242d1101745d15d84afa
: endHello
I guess that a number of things here:
First is your ASA is directly connected to the internet, and the VPN is happening via internet.
And also your users trying to access the internet are in the subnet 192.168.0.0 255.255.255.0.
If they are both true, then it looks like the problem is with your ACL of proxy/field of encryption.
Your crypto acl has a match any destination in this document, which is a bad habit when virtual private networks using site-to-site.
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 any
It's basically saying take whatever passing from 192.168.0.0/24 to any destination and to quantify through the vpn.
So which includes your internet traffic. Make sure that you are specific using src and dst systems int these ACLs.
i.e. outside_1_cryptomap list extended access permitted ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Where 192.168.1.0/24 is the remote network on the 2691. This acl should then be reversed, one exact mirror on the other homologous (2961).
You must also match this acl with your not acl nat, to ensure that your internet traffic is natted, but vpn traffic is not.
The acl blocking traffic either, because you have not an acl interface all traffic inside will be allowed to default outside inside.
HTH let me know if there are problems.
Stu
Maybe you are looking for
-
Hi people, I use the evaluation version of CD 11.0.1 and I encountered some problems. I don't know if they are my defects or bugs so I would ask some experts. This topic may be useful to others raise similar issues. The main problem is when I try to
-
Problems with a systems restore
I did a system restore on my laptop Dell Inspiron 9400, but she wiped my Logitech, camera and my HP, printer, model no: 5515. I down loaded the disc that came with the camera, and all was well until I got a blue page bring warning me that a serious e
-
Audio video players have an intermittent humming/freeze for 1-2 seconds - Dell Vostro 5470 Win 8.1
Help - all devices audio / video have intermittent hum and freeze the video on my new Dell Vostro system 5470 Win 8.1. This happens with Windows Media player, various audio players, even in Skype! I see messages on the removal of the center of suppor
-
my epson dx7450 will load on windows 7
I have windows 7 ultimateand recently tried to add my epson dx 7450 but said that the pilot does not?
-
Why are the new printers so noisy?
I read that the new HP printers are noisy.