Site to Site VPN 1800 to ASA (8.4) the two peers DHCP

Hi all

I'm putting a VPN site-to-site between a 1841 router and an ASA5510 running 8.4. Both ends negotiate their outside interface IP via DHCP addresses and are connected to the ADSL lines.

I installed the 1841 an ASA with a fixed IP address, using aggressive mode and that works fine, but when I try to reproduce the config on the ASA with the negotiated IP address, it is as if there is no interesting traffic for the field of encryption and it fails to Phase 1.

I re-used the same cryptographic cards, cards dynamics, games of transformation, ACL format and static NAT exception as the fixed work off ASA addressed, but I can't seem to get the tunnel opening on both sides.

Since the end of the ASA debugging I see

(crypto_map_check)-1: error: no card mapped crypto.

Since the end of 1841, I see

August 6, 15:57:39.268: ISAKMP:(0:104:SW:1): retransmit phase 1 AG_INIT_EXCH...

15:57:39.268 August 6: ISAKMP (0:134217832): increment the count of errors on his, try 4 out 5: retransmit the phase 1

August 6, 15:57:39.268: ISAKMP:(0:104:SW:1): retransmit phase 1 AG_INIT_EXCH

August 6, 15:57:39.268: ISAKMP:(0:104:SW:1): sending package to x.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

Is it even possible to Setup both ends after negotiating addresses? I've seen a few posts that seem to suggest not.

Please see attached for configurations,

Thank you very much

Stuart

No, you guessed correctly.

You cannot have two ends with this dynamic IP is setup with VPN tunnel because if the two ends don't know what IP address, it will not be able to establish the VPN tunnel.

You can have 1 dynamic side, and the other end to static IP address.

Tags: Cisco Security

Similar Questions

remote VPN and vpn site to site vpn remote users unable to access the local network

As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.

Hello

Looking at the configuration, there is an access list this nat exemption: -.

192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

But it is not applied in the States of nat.

Send the following command to the nat exemption to apply: -.

NAT (inside) 0 access-list sheep

Kind regards

Dinesh Moudgil

P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?

The config below has had IPs/passwords has changed.

External Datacenter: 1.1.1.4

External office: 1.1.1.1

Internal data center: 10.5.0.1/24

Internal office: 10.10.0.1/24

: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate the password encrypted
passwd encrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end

Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

Add the statement of rule sheep in asa and try again.

NAT (inside) 0-list of access pixtosw

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Concerning

Site-to-Site VPN - road on ASA (8.4.2)

ASA-SiteA-

Outside the int: 4,5,6,7

inside the int: 10.1.1.1

DMZ:192.168.0.1 255.255.255.0

National-SiteA routes-

Route outside 0.0.0.0 0.0.0.0 4,5,6,7 - road by default

Route inside 172.10.1.0 255.255.255.0 10.1.1.1 - road join the ASA-SiteB-inside interface

ASA-SiteB-

Int - 50.1.2.3 outdoor

inside the int: 172.10.1.1

DMZ:192.168.87.1 255.255.255.0

routes on ASA-SiteB-

Route outside 0.0.0.0 0.0.0.0 50.1.2.3 - road by default

Route inside 10.1.1.0 255.255.255.0 172.10.1.1 - road join the ASA-SiteA-inside interface

Inside the two ASAs interfaces can communicate with each other through circuits MPLS. We want to create a VPN tunnel between two DMZ networks so that traffic passes through a tunnel through the local network. You can check the config below and indicate if any changes are needed.

1 tunnel VPN to work, not the traffic must match a route on the ASA or simply to match the access-list(interesting traffic) for example after the configuration of the VPN tunnel between 192.168.0.0 and 192.168.87.0 networks when I ping 192.168.87.1 route IP made it reveal the tunnel because it fits to the interesting traffic or packets go to 4,5,6,7 where they correspond to the default?

2. virtue normal Site VPN to Site traffic scenarios run on high security interface (DMZ or inside) and goes to the interface (outside) low security, but in the case above traffic intiates on low security interface (DMZ) and goes to the high safety (inside) interface which usually gets blocked unless there is an access list entry to allow that traffic. We must therefore have an IP address a whole (on the access list applied to UI in DMZ) entered between the two dmz networks

Config on ASA-SiteA-

Political IKEv1

ASA - SiteA (config) #crypto ikev1 allow inside - Does allowing ikev1 on UI interrupts traffic?

Ikev1 crypto policy of ASA - SiteA (config) # 100

ASA - SiteA(config-ikev1-policy) preshared #authentication

ASA - SiteA(config-ikev1-policy) #encryption 3des

ASA - SiteA(config-ikev1-policy) #hash sha

ASA - SiteA(config-ikev1-policy) #group 2

ASA - SiteA(config-ikev1-policy) #lifetime 86400

IPSEC tunnel

ASA - SiteA (config) # crypto ipsec ikev1 transform-set VPN MPLS esp-3des esp-sha-hmac

ASA - SiteA(cfg-crypto-trans) #mode transport

Tunnel group

ASA - SiteA (config) # tunnel - group172.10.1.1 type ipsec-l2l

ASA - SiteA (config) # group172.10.1.1 - tunnel ipsec-attributes

ASA - SiteA(config-tunnel-ipsec) # test pre-shared key

Interesting traffic

ASA - SiteA (config) #object Network Site-A-DMZ

ASA - SiteA(config-network-object) #subnet 192.168.0.0 255.255.255.0

ASA - SiteA (config) #object Network Site-B-DMZ

ASA - SiteA(config-network-object) #subnet 192.168.87.0 255.255.255.0

ASA - SiteA (config) #access - list - INTERESTING - VPN TRAFFIC extended permitted ip object SN-A-Site B-Site-SN

ASA - SiteA (config) #nat (demilitarized zone, inside) static static destination source Site-A-DMZ DMZ-A-Site B-Site-DMZ Site-B-DMZ

Crypto MAP

ASA - SiteA (config) # 100 LAN VPN ipsec-isakmp crypto map

ASA - SiteA(config-crypto-map) # address of correspondence-INTERESTING-TRAFFIC VPN
ASA - SiteA(config-crypto-map) # set pfs group2

ASA - SiteA(config-crypto-map) #set peer 172.10.1.1

ASA - SiteA(config-crypto-map) #set transform-set ESP-3DES-SHA

ASA - SiteA(config-crypto-map) #crypto interface of VPN - LAN card inside

Yes, you need the correct route otherwise it will be just forwarded through the default gateway.

So, on A Site, you should have:

Route inside 192.168.87.0 255.255.255.0 10.1.1.x--> x should be the next jump of the SAA within the interface

On Site B, you should have:

Route inside 192.168.0.0 255.255.255.0 172.10.1.x--> x should be the next jump of the SAA within the interface

Delete "transport mode" of two ASA.

To answer your questions:

1. Yes, it would be necessary to match a route, otherwise it will be routed through the default gateway.

2. Yes, you must have access-list to allow high traffic of low level of security. If you want a full IP access, you can configure IP allowed between 2 LANs.

How to pass the traffic of a site VPN S2S by ASA to another S2S VPN site?

I have a need for hosts on separate VPN networks connected to my ASA corp to communicate among themselves. Example: Host A site 1 a need to communicate with host B on the site 2. Both sites 1 & 2 are connected via the VPN S2S. I would get every site traffic to flow through the ASA at the other site. Where should I start my configuration? NAT? ACL?

I can ping each host in the network Corp. but cannot ping from one site to the other. I set up same-security-traffic permit intra-interface and addition of NAT and rules the ACL to allow/permit 1 Site to contact Site 2. When I do a trace of package through Deputy Ministers DEPUTIES, packets are allowed to pass. I read different that tell no NAT y at - it something at the other end of the VPN to do? should NAT and ACLs rules be mirrored? Just in case, a site is an instance of MS Azure VM and the other is a 3rd party VM instance.

On the HubASA, can I set up a new card encryption that selects the Site1 Site2 traffic and protect the traffic and value her counterpart Site2 public IP or just add this selection of traffic to the existing encryption card for the existing tunnel between HubASA and Site2?

Just add this traffic to the existing encryption card.

Remember that this should be added on three routers (two hubs and there has been talk).

Site1

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Site2

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow subnet training3 >

CRYPTO ip access list allow subnet HUB >

Training3

CRYPTO ip access list allow Site1 subnet >

CRYPTO ip access list allow Site2 subnet >

CRYPTO ip access list allow subnet HUB >

HUB

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_1 ip access list allow Site1 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_2 ip access list allow Site2 subnet >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

CRYPTO_3 ip access list allow subnet training3 >

Each of these ACLs is attributed to their respective crypto cards. CRYPTO_1 is assigned the site1 crypto map, CRYPTO_2 is assigned to the site2 crypto card... etc.

I hope that's clear

In addition to this, you need to configure identity NAT / NAT provides both the HUB and the spokes of sites.

--

Please do not forget to select a correct answer and rate useful posts

Site to site VPN routing via ASA

Need help setting up routing through the tunnel. We have a bunch of remote sites in the 192.168.0.0 16 passing through a central site 192.168.137.0

How can I get all the traffic goes 192.168.0.0 to cross the tunnel. I have the tunnel upward, but no traffic passes through. Here is the config.

XXXX # show run
: Saved
:
ASA Version 8.2 (1)
!
xxxxx host name
xxxx.xxx domain name
activate the xxxxxxxx password
passwd xxxxxxxxxxxxx
names of
!
interface Vlan1
Description =-= - on the INSIDE of the INTERFACE =-=-
nameif inside
security-level 100
192.168.33.1 IP address 255.255.255.0
!
interface Vlan2
Description =-= - CABLE EXTERNAL INTERFACE =-=-
nameif outside
security-level 0
IP address aaa.bbb.ccc.202 255.255.255.252
!
interface Ethernet0/0
Description =-= - CABLE EXTERNAL INTERFACE =-=-
switchport access vlan 2
!
interface Ethernet0/1
Description =-= - on the INSIDE of the INTERFACE =-=-
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa821 - k8.bin
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 24.92.226.12
Server name 24.92.226.11
Domain xxxxxx.xxx
object-group NETWORK-OUR network
object-network 10.254.1.0 255.255.255.0
network-object 172.22.0.0 255.255.0.0
object-network 192.168.0.0 255.255.0.0
access-list SHEEP note-=-=-= = =-=-=-= -
access-list SHEEP note is-ACCESS LIST for EXEMPTION NAT =-=-
access-list SHEEP note-=-=-= = =-=-=-= -
IP 192.168.33.0 allow Access - list extended SHEEP 255.255.255.0 object-group NETWORK-OUR
access INTERESTING list Remarque-=-=-=-=-=-= = =-=-=-=-=-=-=-=-= -.
access list INTERESTING note is-ACCESS LIST for INTERESTING TRAFFIC =-=-
access INTERESTING list Remarque-=-=-=-=-=-= = =-=-=-=-=-=-=-=-= -.
INTERESTING list extended ip access 192.168.33.0 allow 255.255.255.0 object-group NETWORK-OUR
access-list ICMP note =--= =-= = =-=-=-= -
access-list ICMP note is - to ALLOW ICMP to the OUTSIDE INTERFACE =-=-
access-list ICMP note =--= =-= = =-=-=-= -
ICMP access list extended icmp permitted no echo of aaa.bbb.ccc.201 host
no pager
Enable logging
timestamp of the record
exploitation forest-size of the buffer 38400
logging buffered stored alerts
logging of debug asdm
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ICMP in interface outside
Route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
LOCAL AAA authentication serial console
AAA authentication http LOCAL console
Enable http server
http xx.xx.xx.xx 255.255.255.0 outside
xxx.xxx.xxx.xxx http 255.255.192.0 outside
http xxx.xxx.0.0 255.255.0.0 inside
xxx.xxx.xxx.xxx http 255.255.255.255 outside
Server SNMP location xxxxxx
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-HMAC-SHA-ESP-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto L2LMAP 10 INTERESTING address correspondence
card crypto L2LMAP 10 set pfs
card crypto L2LMAP 10 set peer ddd.eee.fff.32
10 L2LMAP transform-set ESP-3DES-MD5 crypto card game
card crypto L2LMAP set 10 security-association life seconds 86400
card crypto L2LMAP 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
L2LMAP interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH enable ibou
SSH xxx.xxx.0.0 255.255.0.0 inside
SSH xxx.xxx.0.0 255.255.0.0 outside
SSH xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
SSH timeout 60
Console timeout 0
management-access inside
dhcpd dns 192.168.137.225 24.92.226.12
dhcpd field arc.com
dhcpd outside auto_config
dhcpd option 150 ip 172.22.137.5
!
dhcpd address 192.168.33.2 - 192.168.33.33 inside
dhcpd allow inside
!

a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 206.246.122.250 source outdoors
NTP server 96.47.67.105 prefer external source
WebVPN
xxxx xxxx password username
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key *.
tunnel-group ddd.eee.fff.32 type ipsec-l2l
ddd.EEE.fff.32 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname

Thank you

Mike

As I suspected unmatched.

Remote side is set to 3des/sha. You are set to 3des/md5.

change the following:

10 L2LMAP transform-set ESP-3DES-MD5 crypto card game

TO

10 L2LMAP transform-set ESP-3DES-SHA crypto card game

Assuming that the things ACL match should be fine.

Let me know.

Site VPN to IPsec with PAT through the tunnel configuration example

Hello

as I read a lot about vpn connections site-2-site
and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

now, I got suite facility with two locations A and B.

192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
172.16.16.0/24 Site has

---------------------------------------------------------------------------

Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

---------------------------------------------------------------------------

Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
witch need to access a server terminal server on the SITE b.

As I have no influence on where and when guests pop up in my Site.
I would like to hide them behind a single ip address to SITE B.

If in the event that a new hosts need access, or old hosts can be deleted,
its as simple as the ACL or conviniently inlet remove the object from the network.

so I guess that the acl looks like this:

---------------------------------------------------------------------------

access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

---------------------------------------------------------------------------

But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
address for the translation of PAT?

something like this he will say, it must be treated according to the policy:

NAT (1-access VPN INVOLVED-HOST internal list)

Now how do I do that?
The rest of the config, I guess that will be quite normal as follows:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of AA peers. ABM CC. DD
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

---------------------------------------------------------------------------

On SITE B

the config is pretty simple:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of peer SITE has IP
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

---------------------------------------------------------------------------

Thank you for you're extra eyes and precious time!

Colin

You want to PAT the traffic that goes through the tunnel?

list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

NAT (inside) 1 access list PAT

Global (outside) 1 192.168.0.3 255.255.255.255

Then, the VPN ACL applied to the card encryption:

list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

The interesting thing is that traffic can only be activated from your end.

The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

Is that what you are looking for?

Federico.

problem of site 2 site vpn

Greetings. We have a site 2 site vpn 2 asa5510-based work. The two sites are accessible internel network hosts, but we are unable to access all the services (such as the TFTP or CA)? or even ping hosts in the remote site of our local asa5510 network. It seems that ASA attempts to send packets directly through the default gw, bypasing the vpn tunnel. Any help would be very appreciate.

PS We checked the ACLs on both devices, so more than likely, this is not the problem.

Hello

Since you did not include public ip address of the external interface in the Crypto ACL, it's why he's not going in the tunnel.

Add Crypto ACL a statement where qualify you this statement outside the public ip address of the interface source and mirror image in the remote device.

HTH

Sangaré

Pls rate helpful messages

Unable to pass traffic between ASA Site to Site VPN Tunnel

Hello

I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

I've also attached the ASA5505 config and the ASA5510.

This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

Thank you

Adam

Hello

Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
```
 access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 
```
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

-Jouni

Detection of site to Site VPN DPD

Hello everyone

We need your help with our VPN Site to Site

We have a connection from site to site VPN that customer remote has implemented the DPD on their side and requesting that do us the same thing on our Cisco ASA 5505 firewall.

My Question; is recommended by Cisco otherwise please give a full reason why, we can the top of the senior management for review

Can you help me with the command/syntax to add to our firewall Cisco ASA 5505 running IOS version 8.45; This will bring the tunnel down while we configure this DPD?

Thank you

Hello

It has advantages but also disadvantages.

Advantage is that it detects that the tunnel goes down well before the scenario by default.

Downside is if the other end behind the protected fw or device that blocks packets DPD customers creates a problem. But in your scenario, you should not have this kind of problems.

tunnel-group 10.90.244.26 type ipsec-l2l
IPSec-attributes tunnel-group 10.90.244.26
ISAKMP keepalive retry threshold 10 5

= This measure of the DPD... every 10 seconds it tries to detect the keepalive messages and try again initiates after 5 seconds...

Make sure that patterns must match at both ends.

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Concerning

Knockaert

Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN

Hello
I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.

At the end of the branch, I have the 192.168.244.0/24 subnet.
At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
The inside interface of the ASA at Headquarters is 172.16.0.15/22

When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.

I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Help, please.

Hello

Peer VPN you do not accept the LAN between these two peers of vpn segment.

On your ASA

inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.

Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.

outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0

Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

Thank you

Rizwan James

SA520w routing through site-to-site VPN tunnels

I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

A - the site 10.10.0.0/24

Site B - 10.0.0.0/24

Site of the C - 10.25.0.0/24

Any help is greatly appreciated.

So, that's what you have configured correctly?

RTR_A

||

_____________ || ___________

|| ||

RTR_B RTR_C

Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

I hope this helps.

Convert the VPN Site-to-Site of PIX to ASA 8.2

I worked on the conversion of a config above a PIX an ASA 8.2 but I am running into trouble with the site to site vpn. The PIX has a VPN client and site to site. Given that some of the configs for the cross from site to site on the VPN client I'm confuse. Any help would be apperciated.

Below are excerpts from just the PIX VPN related orders.

permit access ip 192.168.0.0 list Remote_splitTunnelAcl 255.255.0.0 any

inside_outbound_nat0_acl ip access list allow any 192.168.0.160 255.255.255.240

inside_outbound_nat0_acl Zenoss_OS CNP 255.255.255.0 ip host allowed access list

inside_outbound_nat0_acl SilverBack NOC 255.255.255.0 ip host allowed access list

inside_outbound_nat0_acl allowed host NOC 255.255.255.0 enoss_Hardware ip access-list

outside_cryptomap_dyn_20 ip access list allow any 192.168.0.160 255.255.255.240

outside_cryptomap_20 Zenoss_OS CNP 255.255.255.0 ip host allowed access list

outside_cryptomap_20 SilverBack NOC 255.255.255.0 ip host allowed access list

outside_cryptomap_20 Zenoss_Hardware CNP 255.255.255.0 ip host allowed access list

IP pool local DHCP_Pool 192.168.0.161 - 192.168.0.174

NAT (inside) 0-list of access inside_outbound_nat0_acl

Sysopt connection permit VPN

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value

outside_map 20 ipsec-isakmp crypto map

card crypto outside_map 20 match address outside_cryptomap_20

card crypto outside_map 20 peers set 205.x.29.41

outside_map crypto 20 card value transform-set ESP-DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

client authentication card crypto outside_map LOCAL

outside_map interface card crypto outside

ISAKMP allows outside

ISAKMP key address 205.x.29.41 netmask 255.255.255.255 No.-xauth-config-mode no.

ISAKMP nat-traversal 180

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

part of pre authentication ISAKMP policy 40

encryption of ISAKMP policy 40

ISAKMP policy 40 sha hash

40 2 ISAKMP policy group

ISAKMP duration strategy of life 40 86400

vpngroup address pool DHCP_Pool GHA_Remote

vpngroup dns 192.168.0.11 server GHA_Remote

vpngroup wins 192.168.0.11 GHA_Remote-Server

vpngroup GHA_Remote by default-field x.org

vpngroup split tunnel Remote_splitTunnelAcl GHA_Remote

vpngroup idle 1800 GHA_Remote-time

vpngroup password KEY GHA_Remote

I guess what I really wonder is if someone can convert the version of site to site of this VPN ASA 8.2 config so I can compare it to what I have. I need to have this, so I can just fall into place and work.

Also, it does appear that political isakmp 40 are used, correct?

On your ASA in Setup mode, simply type vpnsetup steps for remote access ipsec or vpnsetup site - not and it lists what it takes or you can download the PIX of the ASA migration tool.

ASA 5510 Auth for site-to-site VPN users

Hello

is there a way we can get the ASA to prompt users VPN site-to-site to authenticate on ASA/RADIUS before access resources head behind ASA such as Sharepoint etc allowed in via respective VPN ACL?

I never did, but you should be able to use authentication 'Cut Through'.

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/113363-ASA-cut-through-config-00.html

Basically, the user has little or no access, and the ASA intercepts a request, such as via HTTP and then authenticates the session. After that the user can access all that you allow them.

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Site to Site VPN 1800 to ASA (8.4) the two peers DHCP

Similar Questions

Maybe you are looking for