site-to-site ipsec VPN

Similar Questions

• ISA500 site by site ipsec VPN with Cisco IGR

  Hello

  I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

  But without success.

  my config for openswan, just FYI, maybe not importand for this problem

  installation of config

  protostack = netkey

  nat_traversal = yes

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

  nhelpers = 0

  Conn rz1

  IKEv2 = no

  type = tunnel

  left = % all

  leftsubnet=192.168.5.0/24

  right =.

  rightsourceip = 192.168.1.2

  rightsubnet=192.168.1.0/24

  Keylife 28800 = s

  ikelifetime 28800 = s

  keyingtries = 3

  AUTH = esp

  ESP = aes128-sha1

  KeyExchange = ike

  authby secret =

  start = auto

  IKE = aes128-sha1; modp1536

  dpdaction = redΘmarrer

  dpddelay = 30

  dpdtimeout = 60

  PFS = No.

  aggrmode = no

  Config Cisco 2821 for dynamic dialin:

  crypto ISAKMP policy 1

  BA aes

  sha hash

  preshared authentication

  Group 5

  lifetime 28800

  !

  card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

  !

  access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  !

  Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

  crypto dynamic-map DYNMAP_1 1

  game of transformation-ESP-AES-SHA1

  match address 102

  !

  ISAKMP crypto key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 30 periodicals

  !

  life crypto ipsec security association seconds 28800

  !

  interface GigabitEthernet0/0.4002

  card crypto CMAP_1

  !

  I tried ISA550 a config with the same constelations, but without suggesting.

  Anyone has the same problem?

  And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?

  I can successfully establish a tunnel between openswan linux server and the isa550.

  Patrick,

  as you can see on newspapers, the software behind ISA is also OpenSWAN

  I have a facility with a 892 SRI running which should be the same as your 29erxx.

  Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

  Here is my setup, with roardwarrior AND 2, site 2 site.

  session of crypto consignment

  logging crypto ezvpn

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  life 7200

  ISAKMP crypto address XXXX XXXXX No.-xauth key

  XXXX XXXX No.-xauth address isakmp encryption key

  !

  ISAKMP crypto client configuration group by default

  key XXXX

  DNS XXXX

  default pool

  ACL easyvpn_client_routes

  PFS

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

  !

  dynamic-map crypto VPN 20

  game of transformation-FEAT

  market arriere-route

  !

  !

  card crypto client VPN authentication list by default

  card crypto VPN isakmp authorization list by default

  crypto map VPN client configuration address respond

  10 VPN ipsec-isakmp crypto map

  Description of VPN - 1

  defined peer XXX

  game of transformation-FEAT

  match the address internal_networks_ipsec

  11 VPN ipsec-isakmp crypto map

  VPN-2 description

  defined peer XXX

  game of transformation-FEAT

  PFS group2 Set

  match the address internal_networks_ipsec2

  card crypto 20-isakmp dynamic VPN ipsec VPN

  !

  !

  Michael

  Please note all useful posts

• Site IPSec VPN configuration

  Hi guys,.

  I'm trying to get the Site working on two 5505 VPN of Site I have in my lab.

  Attached image...

  I used the Setup Assistant, and I think that sounds good. However, this does not work when I run the following command:

  Community-Site # sh ipsec his

  There is no ipsec security associations

  I think I generate traffic, then I tried to ping and access IIS from one laptop to the other without a bit of luck.

  Ping between ASAs works very well.

  ASAs are 5505 8.2 (5)

  Config is:

  Community site

  interface Ethernet0/0
  Outside description
  switchport access vlan 2
  !
  interface Ethernet0/1
  Inside description
  !
  interface Ethernet0/2
  !

  !
  interface Vlan1
  Description Community Site
  nameif inside
  security-level 100
  address 192.168.20.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 50
  IP 10.181.10.2 255.255.255.0

  the obj_any object-group network
  inside_access_in list extended access permit icmp any one
  inside_access_in of access allowed any ip an extended list
  outside_access_in of access allowed any ip an extended list
  outside_access_in list extended access permit icmp any one
  outside_1_cryptomap to access extended list ip 192.168.20.0 allow 255.255.255.0 255.255.255.0 network-remote control
  inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 255.255.255.0 network-remote control

  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 10.181.10.1 1

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set pfs Group1
  peer set card crypto outside_map 1 10.181.1.1
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2

  tunnel-group 10.181.1.1 type ipsec-l2l
  IPSec-attributes tunnel-group 10.181.1.1

  Config on the other side is:

  Corporate

  description of remote control-network name 192.168.20.0 Community Network
  !
  interface Ethernet0/0
  Outside description
  switchport access vlan 2
  !
  interface Ethernet0/1
  Inside description
  !
  interface Ethernet0/2
  !

  !
  interface Vlan1
  Torbay Corp description
  nameif inside
  security-level 100
  IP 192.168.10.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 50
  IP 10.181.10.1 255.255.0.0
  !
  passive FTP mode
  outside_access_in_1 of access allowed any ip an extended list
  outside_access_in_1 list extended access permit icmp any one
  inside_access_in_1 of access allowed any ip an extended list
  inside_access_in_1 list extended access permit icmp any one
  permit outside_1_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 255.255.255.0 network-remote control
  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 255.255.255.0 network-remote control
  pager lines 24

  Access-group outside_access_in_1 in interface outside
  inside_access_in_1 access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 10.181.10.2 1

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set pfs Group1
  peer set card crypto outside_map 1 10.181.10.2
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  tunnel-group 10.181.10.2 type ipsec-l2l
  IPSec-attributes tunnel-group 10.181.10.2
  pre-shared key *.
  !

  Hi haidar_alm,

  After a quick glance to the configuration, I found an error with the vpn peer on the Community Site:

  peer set card crypto outside_map 1 10.181.1.1

  tunnel-group 10.181.1.1 type ipsec-l2l
  IPSec-attributes tunnel-group 10.181.1.1

  The public ip address of morality is 10.181.10.1.

  Correct configuration:

  peer set card crypto outside_map 1 10.181.10.1

  tunnel-group 10.181.10.1 type ipsec-l2l
  IPSec-attributes tunnel-group 10.181.10.1

  -JP-

• Router 886VA Site to site ipsec vpn fqdn

  Hello

  I would like to create a vpn site-to site with a crypto fqdn on the side of the branch.

  The reason is in our head office in the wan IP will be hungry for change, and I want the branch office router to reconnect as soon as they get the new ip address.

  How could a which?

  Here is my Config:

   ip domain lookup source-interface Dialer0 crypto isakmp policy 10 encr aes authentication pre-share group 2 lifetime 14400 crypto isakmp key MyKey address 22.22.22.22 crypto ipsec transform-set MySET esp-3des esp-md5-hmac crypto map BranchMap 10 ipsec-isakmp description HDG set peer 22.22.22.22 set transform-set MySET match address 110 int Dialer 0 ip access-group 101 in cryptop map BranchMap access-list 101 remark INT DIALER0 INCOMING access-list 101 permit udp host 62.2.24.162 eq domain host 11.11.11.11 access-list 101 permit udp host 62.2.17.60 eq domain host 11.11.11.11 access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq non500-isakmp access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq isakmp access-list 101 permit esp host 22.22.22.22 host 11.11.11.11 access-list 101 permit ahp host 22.22.22.22 host 11.11.11.11 access-list 101 permit tcp any any established access-list 101 permit udp host 129.132.2.21 eq ntp host 11.11.11.11 eq ntp access-list 101 permit udp host 130.60.75.52 eq ntp host 11.11.11.11 eq ntp access-list 101 permit udp host 8.8.8.8 eq domain host 11.11.11.11 access-list 101 remark INT DIALER0 INCOMING

  11.11.11.11 = > local WAN IP Branch

  22.22.22.22-online distance seat WAN IP

  Thank you

  If your HQ has a (rare) dynamic IP address, you must do 3 things:

  1. set up a dynamic DNS host name for your HQ VPN peer (dyndns.org, etc..)

  2. your counterpart dynamic crypto map using "dynamic peer hqddns.company.com defined".

  3. your isakmp for the peer key a wildcard character ("crypto isakmp key addr 0.0.0.0")

  If you say that it is an IP change single opposite HQ, then maybe:

  1 Add the new IP address to your 'access-list 101' ACL (remember to use a name instead of ACL numbered for readability)

  2. Add another encryption with the new IP address isakmp key

  3. Add the new IP address as secondary peer:

  map BranchMap 10 ipsec-isakmp crypto
  the default peer 22.22.22.22
  defined peer 3.3.3.3

• Problem with the Site to Site IPSec VPN using ADSL and PPPoE

  I have an IPSec site to Site VPN between a 2805 and an 1841. Both have fixed IP, but the end of 1841 uses a PPPoE and ADSL connection. The MTU that is displayed on the Dialer0 interface is 1454.

  I can get the packets through the Tunnel without problem (standard pings), but don't spend larger packages.

  Any suggestions?

  You can apply on both. Here's a URL that explain the problem of MTU and option in detail.

  http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

  Kind regards

  Arul

  * Please Note If this can help *.

• site IPSec VPN help!

  I im doing site vpn to the other for the first time on a 891 to an rv 120 (gui), but it doesn't connect. I think it could be my list of access on the 891. the error I get in the rv120 is

  08/12/02 18:15:35: [rv120w] [IKE] ERROR: Phase 1 negotiation failed because the time for xx.xx.xx.xx [500]. ea65b6c91b9e73de:0000000000000000

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: Configuration found for xx.xx.xx.xx.

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: opening new phase 1 negotiation: xx.xx.xx.xx [500]<=>xx.xx.xx.xx [500]

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: Start Identity Protection mode.

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 4

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 8

  2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: definition of vendorid: 9

  2012-08-02 18:16:11: [rv120w] [IKE] ERROR: ignore the information because the message has no payload hash.

  2012-08-02 18:16:42: [rv120w] [IKE] ERROR: invalid protocol SA type: 0

  2012-08-02 18:16:42: [rv120w] [IKE] ERROR: failure of the Phase 2 negotiation because of the waiting time for the phase 1.

  2012-08-02 18:17: [rv120w] [IKE] INFO: accept a request to establish IKE - SA: 71.32.110.24

  2012-08-02 18:17: [rv120w] [IKE] WARNING: schedular is already planned for the creation of the SA for outside: 'xx.xx.xx.xx' 2012-08-02 18:17: [rv120w] [IKE] ERROR: could not attach schedSaCreate in IKE configuraion

  891 config

  =====================================================

  pool dhcp IP test

  Network 10.10.10.0 255.255.255.0

  default router 10.10.10.1

  Server DNS 8.8.8.8 8.8.4.4

  !

  !

  IP cef

  8.8.8.8 IP name-server

  IP-server names 8.8.4.4

  No ipv6 cef

  !

  !

  crypto ISAKMP policy 1

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key Testingkey address xx.xx.xx.xxx

  !

  !

  Crypto ipsec transform-set test1 ah-md5-hmac esp-3des

  !

  maptest1 map ipsec-isakmp crypto 2

  defined peer xx.xx.xx.xx

  Set transform-set test1

  match address 100

  !

  !

  interface FastEthernet8

  Qwest connection description

  no ip address

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  PPPoE enable global group

  PPPoE-client dial-pool-number 1

  maptest1 card crypto

  !

  !

  interface Vlan1

  Quest description

  IP 10.10.10.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  !

  interface Dialer1

  the negotiated IP address

  IP mtu 1492

  NAT outside IP

  IP virtual-reassembly

  encapsulation ppp

  IP tcp adjust-mss 1452

  Dialer pool 1

  Dialer-Group 1

  PPP authentication chap callin pap

  PPP chap hostname xxxxxxxxx

  PPP chap password 0 xxxxxxxx

  !

  IP forward-Protocol ND

  no ip address of the http server

  no ip http secure server

  !

  !

  the IP nat inside source 1 list overload of the Dialer1 interface

  IP route 0.0.0.0 0.0.0.0 Dialer1

  !

  access-list 1 permit 10.10.10.0 0.0.0.255

  category of access list 100 remark maptest1 = 4

  Note access-list 100 IPSec rule

  access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

  Dialer-list 1 ip protocol allow

  Dialer-list 100 ip protocol allow

  =======================================================================

  Hi Manny,

  Thanks for the debug output! I believe that we are making some progress and was able to establish phase 1 of IKE. The problem is now to establish IPsec SA or a phase of IKE 2. Could you do the following again once more, and view the results?

  int f8

  no card crypto maptest1

  int d1

  maptest1 card crypto

  Claire crypto his

  Debug crypto ISAKMP

  Debug crypto ipsec

  ISAKMP crypto to show his

  Crypto ipsec to show his

  Sent by Cisco Support technique iPhone App

• Site IPSec VPN

  Hello

  I'll get an ASA 5520, and put it in our main office as a VPN router. also, we have 20 to 25 remote users who need VPN access to HQ. some of them have already Sonicwall TZ-100 and some are already using VPN client. I get a Cisco router for remote users. Could you please let me know which device cisco (Hardware) is better for end users?  also, most of them have dynamic IP on their DSL lines. is this ok with Cisco to establish a tunnel with a device that has a dynamic IP address?

  Thank you

  Mike

  Hello

  To find out which platform would be ideal, please check that:

  http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

  Usually for small offices a 5505 works very well, but it depends on your needs.

  On the other hand, it does not matter if the remote end has a dynamic IP address, please check that:

  Dynamic IPsec Tunnel between a statically addressed ASA and dynamically addressed Cisco IOS router that uses the example of Configuration of CCP

  Thank you.

  Portu.

  Please note any workstation that will be useful.

• site IPSec VPN do not receive

  I have configure ipsec-isakmp but do not

  R2 #sh crypto isakmp his
  conn-id State DST CBC slot

  R2 #sh crypto isakmp saaccounting databasefce
  table alias State conn-id slotes IP src DST
  RA #con

  R2 #sh crypto ipsec his IP ARP

  #pkts program: encrypt 0, #pkts: 0, #pkts 0 digest
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  endpt local crypto. : 172.16.1.2, remote Start crypto. : 172.16.1.1
  Path mtu 1500, mtu 1500 ip, ip mtu interface FastEthernet0/0
  current outbound SPI: 0

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Please post your configuration with a bit of explanation on how the network is set up.

• Microsoft l2tp IPSec VPN site to site ASA on top

  I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

  In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

  name 192.168.100.0 TexasSubnet

  name 192.168.200.0 RenoSubnet

  IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

  Hello

  Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

  However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

  See you soon,.

  Daniel

• Establish a IPsec VPN connection, but remote site can't ping main office

  Hi, I set up connection from site to site IPsec VPN between cisco 892 (main site) router and linksys router wrv210 (remote site). My problem is that I can ping network router wrv210 lan of my main office where is cisco 892 router, but I cannot ping the main site of linksys wrv210 lan (my remote site).

  My configuration on the cisco 892 router:

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-1

  game group-access 103

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-3

  game group-access 106

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-2

  game group-access 105

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-5

  game group-access 108

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-4

  game group-access 107

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-7

  group-access 110 match

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-6

  game group-access 109

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-9

  game group-access 112

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-8

  game group-access 111

  type of class-card inspect entire game SDM_AH

  match the name of group-access SDM_AH

  type of class-card inspect entire game SDM_ESP

  match the name of group-access SDM_ESP

  type of class-card inspect entire game SDM_VPN_TRAFFIC

  match Protocol isakmp

  match Protocol ipsec-msft

  corresponds to the SDM_AH class-map

  corresponds to the SDM_ESP class-map

  type of class-card inspect the correspondence SDM_VPN_PT

  game group-access 102

  corresponds to the SDM_VPN_TRAFFIC class-map

  type of class-card inspect entire game PAC-cls-insp-traffic

  match Protocol cuseeme

  dns protocol game

  ftp protocol game

  h323 Protocol game

  https protocol game

  match icmp Protocol

  match the imap Protocol

  pop3 Protocol game

  netshow Protocol game

  Protocol shell game

  match Protocol realmedia

  match rtsp Protocol

  smtp Protocol game

  sql-net Protocol game

  streamworks Protocol game

  tftp Protocol game

  vdolive Protocol game

  tcp protocol match

  udp Protocol game

  inspect the class-map match PAC-insp-traffic type

  corresponds to the class-map PAC-cls-insp-traffic

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-10

  game group-access 113

  type of class-card inspect all sdm-service-ccp-inspect-1 game

  http protocol game

  https protocol game

  type of class-card inspect entire game PAC-cls-icmp-access

  match icmp Protocol

  tcp protocol match

  udp Protocol game

  type of class-card inspect correspondence ccp-invalid-src

  game group-access 100

  type of class-card inspect correspondence ccp-icmp-access

  corresponds to the class-ccp-cls-icmp-access card

  type of class-card inspect correspondence ccp-Protocol-http

  match class-map sdm-service-ccp-inspect-1

  !

  !

  type of policy-card inspect PCB-permits-icmpreply

  class type inspect PCB-icmp-access

  inspect

  class class by default

  Pass

  type of policy-card inspect sdm-pol-VPNOutsideToInside-1

  class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-2

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-3

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-4

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-5

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-6

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-7

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-8

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-9

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-10

  Pass

  class class by default

  drop

  type of policy-map inspect PCB - inspect

  class type inspect PCB-invalid-src

  Drop newspaper

  class type inspect PCB-Protocol-http

  inspect

  class type inspect PCB-insp-traffic

  inspect

  class class by default

  drop

  type of policy-card inspect PCB-enabled

  class type inspect SDM_VPN_PT

  Pass

  class class by default

  drop

  !

  security of the area outside the area

  safety zone-to-zone

  zone-pair security PAC-zp-self-out source destination outside zone auto

  type of service-strategy inspect PCB-permits-icmpreply

  zone-pair security PAC-zp-in-out source in the area of destination outside the area

  type of service-strategy inspect PCB - inspect

  source of PAC-zp-out-auto security area outside zone destination auto pair

  type of service-strategy inspect PCB-enabled

  sdm-zp-VPNOutsideToInside-1 zone-pair security source outside the area of destination in the area

  type of service-strategy inspect sdm-pol-VPNOutsideToInside-1

  !

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key address 83.xx.xx.50 xxxxxxxxxxx

  !

  !

  Crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

  !

  map SDM_CMAP_1 1 ipsec-isakmp crypto

  Description NY_NJ

  the value of 83.xx.xx.50 peer

  game of transformation-ESP-3DES

  match address 101

  !

  !

  !

  !

  !

  interface BRI0

  no ip address

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  encapsulation hdlc

  Shutdown

  Multidrop ISDN endpoint

  !

  !

  interface FastEthernet0

  !

  !

  interface FastEthernet1

  !

  !

  interface FastEthernet2

  !

  !

  interface FastEthernet3

  !

  !

  interface FastEthernet4

  !

  !

  interface FastEthernet5

  !

  !

  FastEthernet6 interface

  !

  !

  interface FastEthernet7

  !

  !

  interface FastEthernet8

  no ip address

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  automatic duplex

  automatic speed

  !

  !

  interface GigabitEthernet0

  Description $ES_WAN$ $FW_OUTSIDE$

  IP address 89.xx.xx.4 255.255.255.xx

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  NAT outside IP

  IP virtual-reassembly

  outside the area of security of Member's area

  automatic duplex

  automatic speed

  map SDM_CMAP_1 crypto

  !

  !

  interface Vlan1

  Description $ETH - SW - LAUNCH INTF-INFO-FE 1 to $$$ $ES_LAN$ $FW_INSIDE$

  IP 192.168.0.253 255.255.255.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  IP nat inside

  IP virtual-reassembly

  Security members in the box area

  IP tcp adjust-mss 1452

  !

  !

  IP forward-Protocol ND

  IP http server

  local IP http authentication

  IP http secure server

  IP http timeout policy slowed down 60 life 86400 request 10000

  !

  !

  IP nat inside source overload map route SDM_RMAP_1 interface GigabitEthernet0

  IP route 0.0.0.0 0.0.0.0 89.xx.xx.1

  !

  SDM_AH extended IP access list

  Note the category CCP_ACL = 1

  allow a whole ahp

  SDM_ESP extended IP access list

  Note the category CCP_ACL = 1

  allow an esp

  !

  recording of debug trap

  Note access-list 1 INSIDE_IF = Vlan1

  Note category of access list 1 = 2 CCP_ACL

  access-list 1 permit 192.168.0.0 0.0.0.255

  Access-list 100 category CCP_ACL = 128 note

  access-list 100 permit ip 255.255.255.255 host everything

  access-list 100 permit ip 127.0.0.0 0.255.255.255 everything

  access-list 100 permit ip 89.xx.xx.0 0.0.0.7 everything

  Note access-list 101 category CCP_ACL = 4

  Note access-list 101 IPSec rule

  access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  Note access-list 102 CCP_ACL category = 128

  access-list 102 permit ip host 83.xx.xx.50 all

  Note access-list 103 CCP_ACL category = 0

  Note access-list 103 IPSec rule

  access-list 103 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 104 CCP_ACL category = 2

  Note access-list 104 IPSec rule

  access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  access-list 104. allow ip 192.168.0.0 0.0.0.255 any

  Note access-list 105 CCP_ACL category = 0

  Note access-list 105 IPSec rule

  access-list 105 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 106 CCP_ACL category = 0

  Note access-list 106 IPSec rule

  access-list 106 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 107 CCP_ACL category = 0

  Note access-list 107 IPSec rule

  access-list 107 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 108 CCP_ACL category = 0

  Note access-list 108 IPSec rule

  access-list 108 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 109 CCP_ACL category = 0

  Note access-list 109 IPSec rule

  access-list 109 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 110 CCP_ACL category = 0

  Note access-list 110 IPSec rule

  access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 111 CCP_ACL category = 0

  Note access-list 111 IPSec rule

  access-list 111 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 112 CCP_ACL category = 0

  Note access-list 112 IPSec rule

  access-list 112 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 113 CCP_ACL category = 0

  Note access-list 113 IPSec rule

  access-list 113 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  not run cdp

  !

  !

  !

  !

  allowed SDM_RMAP_1 1 route map

  corresponds to the IP 104

  --------------------------------------------------------

  I only give your router cisco 892 because there is nothnig much to change on linksys wrv210 router.

  Hope someone can help me. See you soon

  You can run a "ip inspect log drop-pkt" and see if get you any what FW-DROP session corresponding to the traffic you send Linksys to the main site. Zone based firewall could be blocking traffic initiated from outside to inside.

• Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

  Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

  Here is the presentation:

  

  There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

  I was able to configure the Client VPN IPSec Site

  (1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

  (2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

  But I was not able to make the tradiotional model Hairpinng to work in this scenario.

  I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

  Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

  LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

  race-conf - Site VPN Customer normal work without internet access/split tunnel

  : ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

  access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

  access-list extended INTERNET2-IN permit ip any host 1.1.1.2

  access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

  access list DNS-inspect extended permit tcp any any eq field

  access list DNS-inspect extended permit udp any any eq field

  access-list extended capin permit ip host 172.16.1.234 all

  access-list extended capin permit ip host 172.16.1.52 all

  access-list extended capin permit ip any host 172.16.1.52

  Capin list extended access permit ip host 172.16.0.82 172.16.0.61

  Capin list extended access permit ip host 172.16.0.61 172.16.0.82

  access-list extended capout permit ip host 2.2.2.2 everything

  access-list extended capout permit ip any host 2.2.2.2

  Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

  pager lines 24

  Enable logging

  debug logging in buffered memory

  asdm of logging of information

  Internet1-outside of MTU 1500

  Internet2-outside of MTU 1500

  interface-dmz MTU 1500

  Campus-lan of MTU 1500

  MTU 1500 CSC-MGMT

  IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

  IP check path reverse interface internet2-outside

  IP check path reverse interface interface-dmz

  IP check path opposite campus-lan interface

  IP check path reverse interface CSC-MGMT

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 621.bin

  don't allow no asdm history

  ARP timeout 14400

  interface of global (internet1-outside) 1

  interface of global (internet2-outside) 1

  NAT (campus-lan) 0-campus-lan_nat0_outbound access list

  NAT (campus-lan) 1 0.0.0.0 0.0.0.0

  NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

  static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

  Access-group INTERNET2-IN interface internet1-outside

  group-access INTERNET1-IN interface internet2-outside

  group-access CAMPUS-LAN in campus-lan interface

  CSC-OUT access-group in SCC-MGMT interface

  Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

  Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  AAA authentication enable LOCAL console

  Enable http server

  http 10.0.0.2 255.255.255.255 CSC-MGMT

  http 10.0.0.8 255.255.255.255 CSC-MGMT

  HTTP 1.2.2.2 255.255.255.255 internet2-outside

  HTTP 1.2.2.2 255.255.255.255 internet1-outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  crypto internet2-outside_map outside internet2 network interface card

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca certificate chain _SmartCallHome_ServerCA

  certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

  a67a897as a67a897as a67a897as a67a897as a67a897as

  quit smoking

  ISAKMP crypto enable internet2-outside

  crypto ISAKMP policy 10

  preshared authentication

  aes encryption

  md5 hash

  Group 2

  life 86400

  Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

  Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

  Telnet timeout 5

  SSH 1.2.3.3 255.255.255.240 internet1-outside

  SSH 1.2.2.2 255.255.255.255 internet1-outside

  SSH 1.2.2.2 255.255.255.255 internet2-outside

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal VPN_TG_1 group policy

  VPN_TG_1 group policy attributes

  Protocol-tunnel-VPN IPSec

  username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

  privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

  username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

  username vpnuser1 attributes

  VPN-group-policy VPN_TG_1

  type tunnel-group VPN_TG_1 remote access

  attributes global-tunnel-group VPN_TG_1

  address vpnpool1 pool

  Group Policy - by default-VPN_TG_1

  IPSec-attributes tunnel-group VPN_TG_1

  pre-shared-key *.

  !

  class-map cmap-DNS

  matches the access list DNS-inspect

  CCS-class class-map

  corresponds to the CSC - acl access list

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  CCS category

  CSC help

  cmap-DNS class

  inspect the preset_dns_map dns

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

  : end

  Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

  Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

  That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

  I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

  Thank you & best regards

  MAXS

  
  

  Hello

  If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

  I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

  The command format is

  packet-tracer intput tcp

  That should tell what the SAA for this kind of package entering its "input" interface

  Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

  -Jouni

• Context with IPSec VPN

  Hi friends,

  I have a question for the scenario below.

  I need to create a Site-Site IPSec VPN in the firewall mode.

  Is it possible to create the tunnel.

  I have ASA 5510 Security Plus with Ver 8.3

  Thanks in advance.

  In your case, you ASA in multiple-context to allow VPN to the amp.

  There is no problem with that.

  The only restrictions are that an ASA in multiple context will not work as a VPN endpoint (apart from a tunnel admin)... but you can pass the traffic or VPN traffic as in ASAs in simple mode.

  Federico.

• A Site at IOS IPSEC VPN and EIGRP

  Hello

  I have a connection of remote site to base via a VPN IPSEC router. I don't want to run EIGRP accoss VPN. Howerver I want adverstise the rest of the network from the router of core of the subnet to the remote site.

  The remote VPN subnet is managed as a route connected on the router base?

  Configuriguring a statement of network to the remote site on the router base will cause EIGRP announce the road?

  You are right.

  RRI (reverse Route Injection) is the correct way to announce remote routes as static routes on the HUB, and all what you need to do is redistribute static in EIGRP, so she is redistributed in your EIGRP.

  Here is an example configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809d07de.shtml

  (It's about OSPF and IPSec VPN dynamics, however, the concept is the same for ipsec site-to-site and redistribution in EIGRP)

  Hope that helps.

• Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

  Hi Experts,

  We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

  Here's the warning we get then tried to configure the easy VPN Client.

  NOCMEFW1 (config) # vpnclient enable

  * Delete "nat (inside) 0 S2S - VPN"

  * Detach crypto card attached to the outside interface

  * Remove the tunnel groups defined by the user

  * Remove the manual configuration of ISA policies

  CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

  you

  operation was detected and listed above. Please solve the

  above a configuration and re - activate.

  Thanks and greetings

  ANUP sisi

  "Dynamic crypto map must be installed on the server device.

  Yes, dynamic crypto is configured on the EasyVPN server.

  Thank you

• Site to Site PIX VPN problems

  Hi, I currently have a site to site vpn upward and running and it works fine. I try to put the other two online and just cannot make them work. I used the same configuration of one operation but I cannot get the next tunnel. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you

  Main site - a vpn clients connecting too it and pt to pt vpn to 3 endpoints

  Cisco PIX Firewall Version 6.3 (3)

  * Main Site Config *.

  client_vpn 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

  VPN_to_Site2 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

  NAT (inside) 0-list of access client_vpn

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

  outside_map 60 ipsec-isakmp crypto map

  address for correspondence card crypto outside_map 60 VPN_to_Site2

  crypto outside_map 60 peer 64.X.X.19 card game

  card crypto outside_map 60 transform-set fws_encry_set

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 64.X.X.19 netmask 255.255.255.255 No.-xauth-no-config-mode

  ISAKMP identity address

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Site 2 config

  * only because the pt to pt does not work I have it set up to allow vpn clients to cross to connect to the main site.

  Cisco PIX Firewall Version 6.3 (5) *.

  permit access ip 192.168.0.0 list VPN_to_Main 255.255.255.0 10.10.0.0 255.255.0.0

  NAT (inside) 0-list of access VPN_to_Main

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

  outside_map 10 ipsec-isakmp crypto map

  outside_map card crypto 10 corresponds to the address VPN_to_Main

  crypto outside_map 10 peer 207.X.X.13 card game

  card crypto outside_map 10 transform-set fws_encry_set

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 207.X.X.13 netmask 255.255.255.255 No.-xauth-no-config-mode

  ISAKMP identity address

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Errors

  PIX (config) # IPSEC (sa_initiate): ACL = deny; No its created

  authenticator is HMAC-MD5IPSEC (validate_proposal): invalid local address

  I have a link that works very well. I have copied the config from there, changed the ip info and it does not work. The only differences in the configs are no sysopt route dnat and it's on Version 6.2 (2)

  IPSec (sa_initiate): ACL = deny; No its created

  I think that you have configured a VPN tunnel without removing the cryptographic card of the external interface. The message above is the error we get in such situation.

  I suggest the following solution:

  -remove the external interface (the two pix) cryptographic card

  -Cree claire isa his and trendy clear ipsec his (the two pix)

  -Reapply the card encryption on external interfaces.

  If this doesn't solve the problem, restart the equipment.

  Kind regards

  Ajit