Site to site VPN: addition of new networks

I have a VPN S2S install these last two running between a pair of ASAs (5510 and 5505). Works very well and connects 3 vLANs the on the remote site, which has a 24 subnet. When I try and add a fourth subnet local it takes, but I can't seem to pass traffic to and from the new subnet.

Any ideas what I am ' % s '?

More details:

5510 172.100.0.2/22

Switch (Juniper) 172.100.0.1/22 base

vLAN 10 172.100.10.0/24 Handled by Juniper. X.x.x.254 DEF GW (work)

by default vLAN 172.100.0.0/22 (works)

PCI vLAN 172.100.50.0/24 Handled by the ASA 5505 (work)

vLAN 20 172.100.20.0/24 Handled by Juniper. X.x.x.254 DEF GW (recently added, does not)

5505 192.168.100.1/24

Network local 192.168.100.0/24

I added vLAN 20 as a remote network as a local network and the 5505 of the 5510. Applied, has broken the connection and applied again.

When I ping from vLAN 20 I get destination is not reachable from a router upstream ISP and when I tracert, I get DEF GW, the next hop of the ASA to the internet and a jump over far where I get an inaccessible message since (3 hops and a fourth "hop" who says that he cannot reach)

When I ping from vLAN 10, it returns a ping. When I tracert it hits the vLAN Def GW, and then directly on the server I ping to the remote location (two sections).

I can ping local form of all things the VLAN 10 & 20 and out to the internet fine.

Any help appreciated.

Hello

You must ensure that it ASA 5510 has a statement more in the crypto acl indicating "ip 172.100.20.0 255.255.255.0 allow 192.168.100.0 255.255.255.0.

"with an exemption of nat ACL ACE" ip 172.100.20.0 255.255.255.0 allow 192.168.100.0 255.255.255.0.

On ASA 5505, you must make a statement more in the crypto acl indicating "ip 192.168.100.0 allow 255.255.255.0 172.100.20.0 255.255.255.0.

"and an exemption from nat ACL ACE" ip 192.168.100.0 allow 255.255.255.0 172.100.20.0 255.255.255.0.

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

Tags: Cisco Security

Similar Questions

site to site vpn - internal network even on both sides of the tunnel

Hi all

I have the following questions about the Site Site VPN using ASA 5510 and 5505

Scenerio is

1. we have five branches & headquarters

2. we want to establish a vpn between branches & Head Office (VPN from Site to Site)

3. all branches & head office using the same internal network (192.168.150.0 255.255.255.0)

My question is

How can I configure VPN site-to-site between branches & head office with the same internal network (192.168.150.0/24)

Please help me with the configuration steps & explanation

I have experience on setting up vpn site to site between branches with differnet internal network (for example: 192.168.1.0/24 and 192.168.2.0/24)

Waiting for your valuable response

Hello

Here are a few links on policy nat

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

Concerning

remote VPN and vpn site to site vpn remote users unable to access the local network

As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.

Hello

Looking at the configuration, there is an access list this nat exemption: -.

192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

But it is not applied in the States of nat.

Send the following command to the nat exemption to apply: -.

NAT (inside) 0 access-list sheep

Kind regards

Dinesh Moudgil

P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

only one statement of site-to-site VPN remote network?

Hello

I wonder on in case of site to site vpn, we can define only a single declaration of network for the Branch Office peer network?

If there is a local network to peer site, then, how to set those for the local subnet peer?

Can anyone answer my question?

Thank you.

If I understand your question, wondering how to add a different subnet to an existing site-to-site VPN tunnel?

If that is correct, you can add this network to the crypto ACL of the tunnel at a site. But you have to demolish and rebuild the tunnel before it takes effect.

Once you have added the required configuration, run the following commands to shoot down the tunnel. Do not forget that this disconnects all users on the VPN, so it is best to let users know when you go to so that they are not connected at this time here.

ISAKMP crypto claire

clear crypto ipsec his

problem with users to access remote vpn site to site vpn network

I did the Setup: asa 5510 configured remote access vpn. My vpn users receive asa 5510 range 192.168.50.0/24 addresses and users access my local lan 192.168.0.0/24. the second side of the local lan 192.168.0.0/24 on asa 5505, I did a vpn site-to-site with network 192.168.5.0/24.on that both sides of a site are asa 5505. inside the interface asa 5510 Elise 192.168.0.10 and inside the interface asa 5505 have address 192.168.0.17.third asa 5505 networked 192.168.5.0/24 address 192.168.5.1. I want my remote access vpn users can access resources on network 192.168.5.0/24. I create the static route on inside the asa 5510 static route 192.168.5.0 interface 255.255.255.0 192.168.0.17 and a static route on inside the asa 5505 static route 192.168.50.0 interface 255.255.255.0 192.168.0.10, but it's not working. What do I do?

execution of the configuration of my asa 5510 is

Result of the command: "show run"

: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.201
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 444
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object network DMZ
host 172.16.20.200
object network Inside_DMZ
host 192.168.0.20
object service rdp
service tcp destination eq 3389
object network DRI_PS99
host 192.168.0.54
object service microsoft_dc
service tcp destination eq 445
object service https448
service tcp destination eq 448
object network mail_server_internal
host 172.16.20.201
object service Acronis_remote
service tcp destination eq 9876
object service Acronis_25001
service tcp destination eq 25001
object service HTTP3000
service tcp destination eq 3000
object network VPNPOOL
subnet 192.168.50.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object admin_port
service-object object ssl
service-object object tls
service-object object https448
object-group service DM_INLINE_SERVICE_2
service-object object admin_port
service-object object https448
service-object object ssl
service-object object tls
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_3
service-object object admin_port
service-object object https448
service-object object ssl
service-object tcp destination eq smtp
service-object object tls
service-object object Acronis_remote
service-object tcp destination eq www
service-object object Acronis_25001
service-object object microsoft_dc
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object object Acronis_25001
service-object object Acronis_remote
service-object object microsoft_dc
service-object tcp destination eq www
service-object tcp
service-object ip
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
access-list DMZ extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
object network mail
nat (DMZ,outside) static x.x.x.180
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record dripolisa
aaa-server DRI protocol ldap
aaa-server DRI (inside) host 192.168.0.20
ldap-base-dn DC=dri,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet 192.168.1.12
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 195.222.96.223
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.14-192.168.0.45 inside
!
dhcpd address 172.16.20.2-172.16.20.150 DMZ
dhcpd dns x.x.x.177 interface DMZ
dhcpd auto_config outside interface DMZ
dhcpd option 6 ip x.x.x.177 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_x.x.x.223 internal
group-policy GroupPolicy_x.x.x.223 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 192.168.0.20 192.168.0.254
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-network-list value Split_Tunnel_List
default-domain value dri.local
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnadrese
authentication-server-group DRI
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 general-attributes
default-group-policy GroupPolicy_x.x.x.223
tunnel-group x.x.x.223 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect ip-options
inspect netbios
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
: end

running config asa 5505

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address
logging recipient-address level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.13.74.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
: end

Thank you

Hello

I have previously edited the my initial response was in fact not necessary since you were actually using full Tunnel

EDIT: Actually just noticed the the VPN client isnt using Split Tunnel. Its Full Tunnel at the moment since it doesnt have the "split-tunnel-policy tunnelspecified"

So you don't really have any of those.

Please mark the question answers and/or assess response

Ask more if necessary

-Jouni

VPN - PC (vpn client) problem-> router-> (site to site vpn)-> local network

Hello

is it possible to install?

I have a pc and I want to connect to the Remote LAN.

PC (using vpn client) - vpn (internet)---> ROUTER1 - a vpn (MPLS network)---> ROUTER2---> SERVER site

How can I connect to a remote server? Is there an easy way?

I did the configuration of the vpn client (I can connect ROUTER1 and access a LAN via vpn with 192.168.1.x), but I can't connect to the server, even if I set the subnet (192.168.1.x) under the access list of site to site vpn (access list for traffic that must pass between ROUTER1 and ROUTER2).

Please advise! Thanks in advance.

Looks like I've not well explained.

On ROUTER1

===================

1 ACL VNC_acl is used to split tunnel, so you should include IP server_NET it NOT vpn IP pool.

2 ACL najavorbel is used to set the lan lan traffic between ROUTER1 and ROUTER2, 2 you should inlcude

IP 192.168.133.0 allow 0.0.0.255 0.0.0.255

You must change the crypto ROUTER2 ACL of the minor or the najavorbel of the ACL

The other way to is to the client VPN NAT IP to a local area network lan IP ROUTER1, in this way, you don't need any changes on ROUTER2. But I have to take a look at your configuration to make the suggestion.

Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN

Hello
I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.

At the end of the branch, I have the 192.168.244.0/24 subnet.
At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
The inside interface of the ASA at Headquarters is 172.16.0.15/22

When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.

I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Help, please.

Hello

Peer VPN you do not accept the LAN between these two peers of vpn segment.

On your ASA

inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.

Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.

outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0

Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

Thank you

Rizwan James

Site to Site VPN on AZURE

I have a VPN site-to-site existing on Azure and Azure a new subnet created on the local network that must be able to reach.

I added the new subnet within azure for the VPN and add a static route on the RRAS server win 2012 for routing.

On the initial installation of a RRAS-Site VPN site (I didn't configure it) I think the interesting traffic specified must be sent through the VPN Tunnel, but I knew how to specify the new subnet via RRAS, I don't want to delete and re-create the VPN Site to Site.

Y at - there anyone who can help please.

Thank you

Philippe

Hello

Your question is beyond the scope of this community.

I suggest that repost you on the Azure MSDN Forums:

https://social.msdn.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform

TechNet forums Azure:

https://social.technet.Microsoft.com/forums/azure/en-us/home?category=windowsazureplatform

TechNet Server forums.

http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

TechNet forums:

https://social.technet.Microsoft.com/forums/en-us/home

MSDN forums:

https://social.msdn.Microsoft.com/forums/en-us/home

See you soon.

SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

Hi all.

I really need help on this one.

The office 1 installer running SBS2008 Office 2 running Server 2008.

Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

Each firm has its own DNS server and acts as a domain controller

How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

Is it so simple that the addition of another pool internal IP for each DNS server?

Thanks in advance for your help.

Hello

Your Question is beyond the scope of this community.

I suggest that repost you your question in the Forums of SBS.

https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

"Windows Small Business Server 2011 Essentials online help"

https://msdn.Microsoft.com/en-us/library/home-client.aspx

TechNet Server forums.

http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

See you soon.

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

Site to Site VPN filter

I've set up a site to site VPN and I can't seem to get the VPN filter works. I've followed this document:

http://www.Cisco.com/image/gif/paws/99103/PIX-ASA-VPN-filter.PDF

I created an ACL and created an ACE with only traffic I want to allow. Then, I went to the site to site group policy and apply this filter. However, I can still ping remote network from a customer who should not be allowed. Remote network is 192.168.2.0/24.Here is my partial config:

permit Test access extended list ip 192.168.2.0 255.255.255.0 192.168.1.2 host
Trying to deny a range ip extended access list

Group Policy internal Test
Test group policy attributes
value of VPN-Filter Test

tunnel-group Test_tunnel type ipsec-l2l
attributes global-tunnel-group Test_tunnel
Group Policy - by default-Test

Hello

First of all I would like to clarify that the group name used for one site to the other tunnel tunnel must be the ip address of the host "at least for the tunnels l2l static" it's tunnel-g were you must apply this "Test" group policy, configuring the filter seems perfect, but you must make sure that you apply the strategy of Group accordingly. Now, once you apply group policy to the correct you have to bounce the tunnel tunnel-g otherwise the new filter will not take effect, you can use the command "erase the crypto ipsec his counterpart x.x.x.x" generate some traffic and bring up the tunnel is again he should have the filter.

If you apply correctly and bounce the tunnel it will work.

You can check if the filter is applied with the command "show vpn-sessiondb detail l2l" and find the name of the ACL

Best regards, please rate.

Site to site VPN works only on Cisco 881

I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:

destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
192.168.2.0

I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.

My question is how I can get internet on vlan2 and who can I solve the connection to site to site.

Here's the running configuration:

Building configuration...

Current configuration: 12698 bytes
!
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authorization exec default local
AAA authorization network default local
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1151531093
revocation checking no
rsakeypair TP-self-signed-1151531093
!
Crypto pki trustpoint TP-self-signed-2011286623
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2011286623
revocation checking no
rsakeypair TP-self-signed-2011286623
!
!
TP-self-signed-1151531093 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
quit smoking
TP-self-signed-2011286623 crypto pki certificate chain
no ip source route
!
!
!
!

!
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 192.168.5.1 192.168.5.49
DHCP excluded-address IP 192.168.5.150 192.168.5.254
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp Internet pool
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
DNS-Server 64.59.135.133 64.59.128.120
lease 6 0
!
!
!
no ip domain search
"yourdomain.com" of the IP domain name
name of the IP-Server 64.59.135.133
name of the IP-Server 64.59.128.120
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
udi pid C881-K9 sn FTX18438503 standard license
!
!
Archives
The config log
hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 208.98.212.xx
!
Configuration group crypto isakmp MPE client
key *.
pool VPN_IP_POOL
ACL 100
include-local-lan
10 Max-users
netmask 255.255.255.0
banner ^ practive entered the field

This area is reserved for administrators of control systems.

If you are here by mistake, please disconnect immediately.

You have full access to 192.168.125.0 / 0.0.0.255

Support on continue to start your session. ^ C
!
Configuration group customer crypto isakmp PALL
key *.
pool VPN_IP_POOL_PALL
ACL 101
include-local-lan
Max - 1 users
netmask 255.255.255.0
banner ^ practive entered the field

This area is limited to the PALL access only.

If you are here by mistake, please disconnect immediately.

You have full access to 192.168.125.0 / 0.0.0.255

Support on continue to start your session. ^ C
ISAKMP crypto profile vpn_isakmp_profile
game of identity EMT group
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 1
ISAKMP crypto profile vpn_isakmp_profile_2
match of group identity PALL
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 2
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
tunnel mode
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec VPN_PROFILE_MPE
Set the security association idle time 3600
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile Set isakmp-profile
!
Profile of crypto ipsec VPN_PROFILE_PALL
Set the security association idle time 1800
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile_2 Set isakmp-profile
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to208.98.212.xx
the value of 208.98.212.xx peer
game of transformation-ESP-3DES-SHA
match address 102
!
!
!
!
!
!
interface Loopback0
IP 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
IP address 208.98.213.xx 255.255.255.224
IP access-group 111 to
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_MPE ipsec protection profile
!
tunnel type of interface virtual-Template2
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_PALL ipsec protection profile
!
interface Vlan1
Description of control network
IP 192.168.125.254 255.255.255.0
IP access-group CONTROL_IN in
IP access-group out CONTROL_OUT
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Vlan2
Description Internet network
IP 192.168.5.254 255.255.255.0
IP access-group INTERNET_IN in
IP access-group out INTERNET_OUT
IP nat inside
IP virtual-reassembly in
!
local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
!
CONTROL_IN extended IP access list
Note the access control
Note the category CCP_ACL = 17
allow any host 192.168.125.254 eq non500-isakmp udp
allow any host 192.168.125.254 eq isakmp udp
allow any host 192.168.125.254 esp
allow any host 192.168.125.254 ahp
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
Note Access VNC
permit tcp host 192.168.125.2 eq 25000 one
Comment by e-mail to WIN911
permit tcp host 192.168.125.2 any eq smtp
Note DNS traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq field
permit udp host 192.168.125.2 host 64.59.128.120 eq field
Note Everything Else block
refuse an entire ip
CONTROL_OUT extended IP access list
Note the access control
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
Note Access VNC
allow any host 192.168.125.2 eq 25000 tcp
Comment by e-mail to WIN911
allow any host 192.168.125.2 eq smtp tcp
Note DNS responses
allowed from any host domain eq 192.168.125.2 udp
Note deny all other traffic
refuse an entire ip
INTERNET_IN extended IP access list
Note Access VNC on VLAN
allow any host 192.168.125.2 eq 25000 tcp
Note block all other controls and VPN
deny ip any 192.168.125.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
Note leave all other traffic
allow an ip
INTERNET_OUT extended IP access list
Note a complete outbound Internet access
allow an ip
WAN_IN extended IP access list
allow an ip host 207.229.14.xx
Note PERMIT ESTABLISHED TCP connections
allow any tcp smtp created everything eq
Note ALLOW of DOMAIN CONNECTIONS
permit udp host 64.59.135.133 eq field all
permit udp host 64.59.128.120 eq field all
Note ALLOW ICMP WARNING RETURNS
allow all all unreachable icmp
permit any any icmp parameter problem
allow icmp all a package-too-big
allow a whole icmp administratively prohibited
permit icmp any any source-quench
allow icmp all once exceed
refuse a whole icmp
allow an ip
!
auto discovering IP sla
not run cdp
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 103
!
access-list 1 remark out to WAN routing
Note CCP_ACL the access list 1 = 16 category
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
Note access-list 23 SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 allow one
Note access-list 100 VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
Note access-list 101 for PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
Note access-list 103 CCP_ACL category = 2
Note access-list 103 IPSec rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 allow ip 192.168.5.0 0.0.0.255 any
access-list 103 allow the host ip 192.168.125.2 all
Note access-list 111 CCP_ACL category = 17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 allow esp any host 208.98.213.xx
access-list 111 allow ahp any host 208.98.213.xx
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
exec banner ^ C
% Warning of password expiration.
-----------------------------------------------------------------------

Unplug IMMEDIATELY if you are not an authorized user
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
password *.
transport input telnet ssh
transportation out all
line vty 5 15
access-class 160 in
password *.
transport of entry all
transportation out all
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
end

Thank you.

It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.

Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.

- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...

Disable any ZBF just in case.

David Castro,

Kind regards

Site to site VPN with router IOS

I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

Thank you in advance.

Pete.

Pete

I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

-you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

-I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

-If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

-I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

-regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

-You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

-There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

-I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

I hope that your application is fine and that my suggestions could be useful.

[edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

HTH

Rick

Site to Site VPN configuration does not

Hello

I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.

My VPN on ASA1 and ASA2 configs are below:

ASA1

Note to outside_cryptomap_1 to access list VPN traffic to encrypt
outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0

Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400

tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
Cisco pre-shared key IKEv1

Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 11.11.11.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outside

ASA2

Note to outside_cryptomap_1 to access list VPN traffic to encrypt
permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0

Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400

tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
Cisco pre-shared key IKEv1

Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
card crypto outside_map 1 match address outside_cryptomap_1
peer set card crypto outside_map 1 12.12.12.2
card crypto outside_map 1 set of transformation-AES-SHA
outside_map interface card crypto outside

I can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.

I tried a few commands show and they came out absolutely empty... as I have not configured:

SH in detail its crypto isakmp

There are no SAs IKEv1

There are no SAs IKEv2

SH crypto ipsec his

There is no ipsec security associations

Anyone have any ideas?

Hi martin,

Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
What I mentioned in the previous note follow this.

--------------------

ASA1

ASA1 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
10.10.10.2 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 11.11.11.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
IPSec-attributes tunnel-Group 11.11.11.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA1 (config) #.
---------------------

ASA2 (config) # sh run
: Saved
:
ASA Version 8.0 (2)
!
hostname ASA2
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/5
Shutdown
No nameif
no level of security
no ip address
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac tset
card crypto cmap 1 match for vpn
card crypto cmap 1 set peer 12.12.12.2
card crypto cmap 1 transform-set tset
cmap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
IPSec-attributes tunnel-group 12.12.12.2
pre-shared-key *.
context of prompt hostname
Cryptochecksum:00000000000000000000000000000000
: end
ASA2 (config) #.

-------------------------
OUTPUTS:

*********************

ASA1 (config) # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 11.11.11.2
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

---------------------

ASA1 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2

access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 11.11.11.2

#pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2

------------------------
ASA2 (config) # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 12.12.12.2
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE

------------------------

ASA2 (config) # sh crypto ipsec his
Interface: outside
Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2

access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 12.12.12.2

#pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
-------------------------

Unable to pass traffic between ASA Site to Site VPN Tunnel

Hello

I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

I've also attached the ASA5505 config and the ASA5510.

This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

Thank you

Adam

Hello

Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.
```
 access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 
```
Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

-Jouni

Site to site VPN: addition of new networks

Similar Questions

Maybe you are looking for