Site to site, two ASAs

Similar Questions

• Problems between 2 - a Site, two ASA

  Hello

  I have big problems to configure the site to site tunnel between ASA (ASA5510 STI second ASA5505)

  After 8 hours of work I have no results

  show cryto say anything, here my config file I hope that everything could help me

  Kind regards

  Alen

  No need to have the IKEv2 configuration on the Group of the tunnel you use v1.

  Now,.

  Follow these steps:

  On FW GR

  fixup protocol icmp

  Then make 2 tracers of packages and provide me with all of the output of the second is

  Packet-trace entry within the icmp 10.43.81.10 8 010.43.11.15

  entry Packet-trace within the icmp 10.43.81.10 8 10.43.11.15 0

  On FW LIFE

  fixup protocol icmp

  Then make 2 tracers of packages and provide me with all of the output of the second is

  entry Packet-trace within the icmp 10.43.11.15 8 10.43.81.10 0

  entry Packet-trace within the icmp 10.43.11.15 8 10.43.81.10 0

  Note all useful posts!

  Kind regards

  Jcarvaja

  Follow me on http://laguiadelnetworking.com

• site-to-site between two ASA firewall

  Hello

  I have two ASA and I have set up the two ASA til S2S. ASA1 is in HQ and ASA2 is in Office of Brunch. HQ ASA has multi S2S connection and Brunch ASA has only S2S to Headquarters. The Senario is I want to send all traffic (both Internet and LAN in the ASA HQ) ASA2 throug the tunnel. The problem is that when the tunnel is up and there is ASA2 connevtivity (brunch office) for the network local behinde ASA1 (HQ), but the client behinde ASA2 has no conectivity when they try to go to the Internet. Tanks a lot in advance for any help!

  ASA HQ extern ip 192.x.y.z/24, LAN 10.70.0.0/16

  Brunch of the ASA Office a extern ip 168.x.y.z/24, LAN 10.79.1.0/24

  This should help you:

  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0

  access extensive list ip 10.79.1.0 inside_nat0_outbound allow 255.255.255.0 255.255.255.0 x.x.x.x
  access extensive list ip 10.79.1.0 outside_1_cryptomap allow 255.255.255.0 255.255.255.0 x.x.x.x

  x.x.x.x = subnet HQ, in the ASA HQ you need of the opposite ACL:

  permit inside_nat0_outbound to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
  permit outside_1_cryptomap to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0

  This way to the internet traffic will be coordinated because it turns off and traffic to the VPN will be
  not be translated as she goes down the tunnel

• VPN site to Site with ASA 5520 * please help *.

  I am using two ASA 5520, and try to put up a site to site VPN.  This seems to be pretty simple, but I'm on my third day of train this is up and running. Both 5520's are running the latest 9.1 (5) IOS.

  Please note: I replaced it with [#1-WAN IP] and [#2-WAN IP] for WAN IP of the ASA addresses.

  Thanks in advance for any help you may have.

  -------------------------------------------------------------------------------------------------------------------------------------------------

  ASA 5520 # 1:

  Crypto ikev1 allow outside

  the local object of net network
  10.0.0.0 subnet 255.255.255.0

  net remote object network
  172.20.0.0 subnet 255.255.255.0

  outside_1_cryptomap list of allowed ip object local net net access / remote

  tunnel-group [IP #2-WAN] type ipsec-l2l

  IPSec-attributes tunnel-group [#2-WAN IP]
  pre-shared-key cisco123

  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  card crypto oustide_map 1 match address outside_1_cryptomap
  card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
  card crypto outside_map 1 set pfs Group1
  map 1 set outside_map crypto peer [#2-WAN IP]
  outside_map interface card crypto outside

  NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

  -------------------------------------------------------------------------------------------------------------------------------------------------

  ASA 5520 #2:

  Crypto ikev1 allow outside

  the local object of net network
  172.20.0.0 subnet 255.255.255.0

  net remote object network
  10.0.0.0 subnet 255.255.255.0

  outside_1_cryptomap list of allowed ip object local net net access / remote

  tunnel-group [#1-WAN IP] type ipsec-l2l

  IPSec-attributes tunnel-group [#1-WAN IP]
  pre-shared-key cisco123

  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  card crypto oustide_map 1 match address outside_1_cryptomap
  card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
  card crypto outside_map 1 set pfs Group1
  map 1 set outside_map crypto peer [#1-WAN IP]
  outside_map interface card crypto outside

  NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

  Try to correct the mistakes in the two configs.

  In some places, you have 'oustide_map' where you need "outside_map".

• Impossible to establish vpn site to site between asa 5505 5510 year

  Hi all experts

  We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

  Hugo

  Here are the links to the guides-cisco config:

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/site2sit.html

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_site2site.html

  In addition to VPN, you need to consider in NAT exemption:

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/cfgnat.html#wp1043541

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_overview.html#wpxref25608

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_rules.html#wp1232160

  And many examples:

  http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• VPN SITE-TO-SITE BETWEEN ASA 5505 ASN 5510 DISORDERS

  Hello everyone, I have a problem with my vpn between two ASAs, I will review the configuration of the two devices running, but I couldn't see anything out of the normal.

  As you can see in the image, that the VPN is upward, but in the ASA 5510 I bytes of Rx (ZERO), I tried to config ASAs yet but I have the same problem, I don't know what I can do, please help me...

  

  Hello

  You should make sure that

  • Remote ends of NAT configurations are correct
    • NAT0 or another type of translation is not configured
    • A NAT rule is the substitution of the rule that you have configured for the VPN L2L?
  • Make sure that you have allowed the circulation/connection you are trying
    • VPN traffic is allowed to bypass the 'external' ACL interface on the remote end or the traffic should be allowed in the 'outer' interface ACL?
  • Make sure that the remote host responds to the same type of its local network connection attempt before trying the same thing from a remote location through VPN L2L
    • If a tested service does not work, try another. For example ICMP is not always the best thing to test connections.

  Can you also give us additional context information.

  • This VPN L2L worked, or did it stop working at some point?
  • I assume that you have administrator access to two ASA? Can you perhaps share some configurations
  • What kind of connections you attempt by the L2L VPN?
    • TCP/UDP/ICMP?
    • IP source and destination?
  • You monitor the newspapers of the SAA through the ASDM on the other end? The device at the remote end which does not send anything back on the L2L VPN connection.

  And as a last post a very common configuration that is absent of configurations of ASA during the test with ICMP

  Make sure you two ASAs have below "icmp inspect" configured

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  -Jouni

• Easy VPN between two ASA 9.5 - Split tunnel does not

  Hi guys,.

  We have set up a site to site vpn using easy configuration vpn between ver 9.5 race (1) two ASA. The tunnels are up and ping is reached between sites. I also configured split tunnel for internet traffic under the overall strategy of the ASA easy vpn server. But for some unknown reason all the customer same internet traffic is sent to the primary site. I have configured NAT to relieve on the side of server and client-side. Please advise if no limitation so that the installation program.

  Thank you and best regards,

  Arjun T P

  I have the same question and open a support case.

  It's a bug in the software 9.5.1. See the bug: CSCuw22886

• How is used to monitor two ASA (active/stby) with modules IPS Cisco MARCH?

  Hello

  The two ASA with IPS modules are in Active mode / standby. When I try to add both the two IP (active / standby) in MARCH, the MARCH will complain of duplicate names.

  How set up in MARCH to monitor the ASA with IPS with topology standby active?

  Thank you!

  Hello

  The fundamental problem with this scenario is that you have modules able non-basculement in a tipping chassis - think of the pair of failover ASA as a device and modules IPS as two completely separate devices.

  Then, as we have already mentioned, add only the ASA elementary school. (High school will never be passing traffic in standby mode so it is not really necessary in MARCH) Then, with the first IPS module you can add it as a module of ASA or as a standalone device (MARCH doesn't care). With the second module IPS, the only option is to add it as a separate unit anyway.

  In a failover scenario of the SAA swap IP but SPI considering you'll ever messages from ASA active you will get messages from the intellectual property of these two IPS depending on whether you are in the ASA active at the time.

  Remember that you must manually reproduce all IPS configuration whenever you make a change.

  HTH

  Andrew.

• IPSec Tunnel permanent between two ASA

  Hello

  I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.

  What should I do?

  Thanks for any help

  Yves

  Disables keepalive IKE processing, which is enabled by default.

  (config) #tunnel - 10.165.205.222 group ipsec-attributes

  KeepAlive (ipsec-tunnel-config) #isakmp disable

  Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - idle - timeout no

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - session - timeout no

  Thank you

  Ajay

• Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

  HelloW everyone.

  I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

  but the vpn does not come to the top. can someone tell me what can be the root cause?

  Here is the configuration of twa asa: (I changed the ip address all the)

  Singapore:

  See the race
  ASA 2.0000 Version 4
  !
  ASA5515-SSG520M hostname
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.15.4 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.5.3 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 160.83.172.8 255.255.255.224
  <--- more="" ---="">
                
  !
  <--- more="" ---="">
                
  interface GigabitEthernet0/3
  <--- more="" ---="">
                
  Shutdown
  <--- more="" ---="">
                
  No nameif
  <--- more="" ---="">
                
  no level of security
  <--- more="" ---="">
                
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.219 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  connection of the banner ^ C please disconnect if you are unauthorized access ^ C
  connection of the banner please disconnect if you are unauthorized access
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  network of the SG object
  <--- more="" ---="">
                
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.15.202
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  <--- more="" ---="">
                
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.15.0_24 object
  192.168.15.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  debugging in the history record
  asdm of logging of information
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  no failover
  <--- more="" ---="">
                
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
  !
  network of the SG object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
  Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
  Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
  Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
  Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
  Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  <--- more="" ---="">
                
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  Enable http server

  Community trap SNMP-server host test 192.168.168.231 *.
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps syslog
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 103.246.3.54
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400

  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  tunnel-group 143.216.30.7 type ipsec-l2l
  tunnel-group 143.216.30.7 General-attributes
  Group Policy - by default-GroupPolicy1
  <--- more="" ---="">
                
  IPSec-attributes tunnel-group 143.216.30.7
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  Overall description
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  <--- more="" ---="">
                
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:ccce9a600b491c8db30143590825c01d
  : end

  Malaysia:

  :
  ASA 2.0000 Version 4
  !
  hostname ASA5515-SSG5-MK
  activate the encrypted password of PVSASRJovmamnVkD
  names of
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 192.168.6.70 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  IP 192.168.12.2 255.255.255.0
  !
  interface GigabitEthernet0/2
  nameif outside
  security-level 0
  IP 143.216.30.7 255.255.255.248
  <--- more="" ---="">
                
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  nameif test
  security-level 100
  IP 192.168.168.218 255.255.255.0
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  <--- more="" ---="">
                
  Interface Port - Channel 1
  No nameif
  no level of security
  IP 1.1.1.1 255.255.255.0
  !
  boot system Disk0: / asa922-4-smp - k8.bin
  passive FTP mode
  clock timezone GMT + 8 8
  network of the SG object
  192.168.15.0 subnet 255.255.255.0
  network of the MK object
  192.168.6.0 subnet 255.255.255.0
  service of the TCP_5938 object
  Service tcp destination eq 5938
  Team Viewer description
  service tcp_3306 object
  Service tcp destination eq 3306
  service tcp_465 object
  tcp destination eq 465 service
  service tcp_587 object
  Service tcp destination eq 587
  service tcp_995 object
  tcp destination eq 995 service
  service of the TCP_9000 object
  <--- more="" ---="">
                
  tcp destination eq 9000 service
  network of the Inside_host object
  Home 192.168.6.23
  service tcp_1111 object
  Service tcp destination eq 1111
  service tcp_7878 object
  Service tcp destination eq 7878
  service tcp_5060 object
  SIP, service tcp destination eq
  service tcp_5080 object
  Service tcp destination eq 5080
  network of the NETWORK_OBJ_192.168.2.0_24 object
  192.168.6.0 subnet 255.255.255.0
  inside_access_in list extended access allowed object SG ip everything
  VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
  OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
  outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
  pager lines 24
  Enable logging
  timestamp of the record
  exploitation forest-size of the buffer of 30000
  debug logging in buffered memory
  recording of debug trap
  asdm of logging of information
  <--- more="" ---="">
                
  host test 192.168.168.231 record
  host test 192.168.168.203 record
  Within 1500 MTU
  MTU 1500 DMZ
  Outside 1500 MTU
  test MTU 1500
  management of MTU 1500
  reverse IP check management interface path
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 7221.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
  NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
  !
  network of the MK object
  NAT dynamic interface (indoor, outdoor)
  network of the Inside_host object
  NAT (inside, outside) interface static 9000 9000 tcp service
  inside_access_in access to the interface inside group
  Access-group OUTSIDE_IN in interface outside
  Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
  <--- more="" ---="">
                
  Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
  Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
  Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  the ssh LOCAL console AAA authentication
  Enable http server

  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  <--- more="" ---="">
                
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
  card crypto CRYPTO-map 2 set peer 160.83.172.8
  card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  CRYPTO-card interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  SSH timeout 60
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  internal GroupPolicy1 group strategy
  attributes of Group Policy GroupPolicy1
  Ikev1 VPN-tunnel-Protocol
  username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
  username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
  <--- more="" ---="">
                
  tunnel-group MK SG type ipsec-l2l
  IPSec-attributes tunnel-group MK-to-SG
  IKEv1 pre-shared-key *.
  tunnel-group 160.83.172.8 type ipsec-l2l
  tunnel-group 160.83.172.8 General-attributes
  Group Policy - by default-GroupPolicy1
  IPSec-attributes tunnel-group 160.83.172.8
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  <--- more="" ---="">
                
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
  : end

  Good news, that VPN has been implemented!

  According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

  Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

  In addition, you can try to enable ICMP inspection:

  Policy-map global_policy
  class inspection_default

  inspect the icmp

  inspect the icmp error

• ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

  Hello

  I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

  1 Configure ASA-1 (host name, vlan 1 and vlan 2).

  2. configure a static route

  3. create object network (local and remote)

  4. create the access list

  5. create ikev1 crypto

  6. create tunnel-group

  7 Configure nat

  and I repeat the steps above with the ASA but another change IP.

  Are to correct the above steps?

  Why can I not create an IPSEC VPN between devices?.

  No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

• Can build two ASA balancing as active/active mode?

  Hi, professionals

  I wonder if two ASA able to set up a balancing as active/active mode, balance the traffic?

  Thanks in advance,

  Yang

  Yes, that running in active/active ASA is so you can load balance traffic. Here is a link with more information.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080834058.shtml

  It will be useful.

• IPSec tunnel do not come between two ASA - 5540 s.

  I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.

  Did I miss something that will prevent the tunnel to come?

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

  5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

  4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

  3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

  5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)

  ROC-ASA5540-A # sh run

  !

  ASA Version 8.0 (3)

  !

  CRO-ASA5540-A host name

  names of

  10.10.1.135 GHC_Laptop description name to test the VPN

  10.10.1.155 SunMed_pc description name to test the VPN

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.129 255.255.255.240

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.145 255.255.255.248

  !

  !

  outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto game 2 outside_map0 address outside_2_cryptomap

  outside_map0 crypto map peer set 2 10.10.1.147

  card crypto outside_map0 2 the value transform-set ESP-3DES-SHA

  outside_map0 card crypto 2 set nat-t-disable

  outside_map0 interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  Group Policy Lan-2-Lan_only internal

  attributes of Lan-2-Lan_only-group policy

  VPN-filter no

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.147 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.147

  pre-shared-key *.

  !

  ROC-ASA5540-A #.

  ----------------------------------------------------------

  ROC-ASA5540-B # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  name of host ROC-ASA5540-B

  !

  names of

  name 10.10.1.135 GHC_laptop

  name 10.10.1.155 SunMed_PC

  !

  interface GigabitEthernet0/0

  Speed 100

  full duplex

  nameif inside

  security-level 100

  IP 10.10.1.153 255.255.255.248

  !

  interface GigabitEthernet0/3

  nameif outside

  security-level 0

  IP 10.10.1.147 255.255.255.248

  !

  outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop

  !

  ASDM image disk0: / asdm - 603.bin

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map2 1 match address outside_cryptomap

  outside_map2 card crypto 1jeu peer 10.10.1.145

  outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA

  outside_map2 card crypto 1jeu nat-t-disable

  outside_map2 interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  internal Lan-2-Lan group strategy

  Lan Lan 2-strategy of group attributes

  Protocol-tunnel-VPN IPSec

  tunnel-group 10.10.1.145 type ipsec-l2l

  IPSec-attributes tunnel-group 10.10.1.145

  pre-shared-key *.

  !

  ROC-ASA5540-B #.

  On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."

  Please reconfigure the ASA and let me know how it goes.

  Kind regards

  Arul

  * Please note the useful messages *.

• Site to Site VPN tunnel between two ASA

  I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

  Thank you

  Carlos

  Hello

  First, I would like to say that I don't personally use ASDM for the configuration.

  But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

  I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

  If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

  -Jouni

• Site to site VPN (ASA-&gt; router IOS, with two interfaces) help

  Dear,

  I need help to configure VPN from Site to Site of cisco ASA to the IOS router, the router has 2 WAN links, a primary and secondary backup.

  There was only a single week of link there is, now we have installed the second link as a backup, we use OSPF as the routing protocol.

  VPN with simple link worked fine, now, when the main link fails the network is down.

  Waiting for response.

  There is an easy solution.  On the router, you must terminate the VPN on the loopback interface.

  something like this:

  interface lo0

  IP x.x.x.x where x.x.x.x

  card crypto-address lo0

  interface wan_1

  vpn crypto card

  interface wan_2

  vpn crypto card

  One condition is that the loopback interface has accessible by the device of the SAA.