Site to site VPN (ASA->; router IOS, with two interfaces) help
Dear,
I need help to configure VPN from Site to Site of cisco ASA to the IOS router, the router has 2 WAN links, a primary and secondary backup.
There was only a single week of link there is, now we have installed the second link as a backup, we use OSPF as the routing protocol.
VPN with simple link worked fine, now, when the main link fails the network is down.
Waiting for response.
There is an easy solution. On the router, you must terminate the VPN on the loopback interface.
something like this:
interface lo0
IP x.x.x.x where x.x.x.x
card crypto-address lo0
interface wan_1
vpn crypto card
interface wan_2
vpn crypto card
One condition is that the loopback interface has accessible by the device of the SAA.
Tags: Cisco Security
Similar Questions
-
Site to Site VPN - ASA 5510 / 851 router - no Sas?
We have installed an ASA 5510, version 1.0000 software running. In a remote area, we have a Cisco router to 851 with tunneling IPSec VPN for a PIX 515e. I try to open a backup between the 851 and ASA connection new, and I have a problem. I used ASDM on the side of the ASA and CCP on the side 851 and created a new VPN site to site on both, with PSK encryption algorithms, etc.. I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk with each other.
When I do a "crypto isakmp to show his" on the SAA, I get "there is no its isakmp. When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel does not run again. I turned on debug various crypto and sent a series of pings, and I don't see any tunnel initiaion even be attempted.
CCP has a VPN to test the tool built in to the router. ASDM has a similar feature? Here's the relevant configs (at least I think... the SAA is enough Greek to me):
ASA 5510 (within the network of 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP address)
access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0 !
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
!crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap crypto map ATTOutside_map 2 set peer 24.140.152.144 crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5 crypto map ATTOutside_map interface ATTOutside
!crypto isakmp enable ATTOutside crypto isakmp enable Inside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 170 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400
!tunnel-group 24.140.152.144 type ipsec-l2l tunnel-group 24.140.152.144 ipsec-attributes
!
851 router (within the 10.192.4.0/24 network)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key si9bw1u8woaz address 65.42.15.142
crypto isakmp key 123 address 12.49.251.3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.42.15.142
set peer 65.42.15.142
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to12.49.251.3
set peer 12.49.251.3
set transform-set ESP_3DES_MD5
match address 102
!
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255
Michael,
Since you are using the same ACL, subnets, even and even while on your router to your VPN 1 tunnels config and 2, your second VPN tunnel will not succeed because the router already has a tunnel with the PIX for the same traffic.
If you want to configure the ASA as peer backup scratch the second card encryption and instead, add the public IP ASA as a second peer under the original crypto configuration.
Like this:
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.42.15.142
set peer 65.42.15.142
set peer 12.49.251.3
match address 102
The router will attempt to connect to the PIX and if this fails (which means that the PIX has never responded) then it will try to connect to the ASA.
To test it, you could do either of two things: 1. taking the internet conection low PIX will make the router try to connect to the secondary host. 2: change (temporarily) on the router address peer of the PIX to a bogus IP that won't respond, when only one omits the router must try to negotiate with the ASA.
I hope this helps.
Raga
-
Site to Site VPN IPSEC for multisite with dual ISP failover
Hello world
I have total 6 ASA 5505, I already built failover with double tis. Now, I want to configure site 2 site VPN for all 3 sites. Each site has 2 firewall.
I just built a config for 2 a site WHAT VPN here is the config for a single site.
local ip address: 172.16.100.0
IP of the pubis: 10.5.1.101, 10.6.1.101
Remote local ip: 172.16.101.0
Remote public ip: 10.3.1.101, 10.4.1.101
Remote local ip: 192.168.0.0
Remote public ip: 10.1.1.101, 10.2.1.101
the tunnel on the first 2 firewall configuration:
IP 172.16.100.0 allow Access-list vpn1 255.255.255.0 172.16.101.0 255.255.255.0
backupvpn1 ip 172.16.100.0 access list allow 255.255.255.0 172.16.101.0 255.255.255.0
ip 172.16.100.0 access VPN2 list allow 255.255.255.0 192.168.0.0 255.255.255.0
backupvpn2 ip 172.16.100.0 access list allow 255.255.255.0 192.168.0.0 255.255.255.0
IP 172.16.100.0 allow Access-list sheep 255.255.255.0 172.16.101.0 255.255.255.0
172.16.100.0 IP Access-list sheep 255.255.255.0 allow 192.168.0.0 255.255.255.0
!
!
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
!
!
!
crypto ISAKMP allow outside
ISAKMP crypto enable backup
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac my-set1
card crypto outside_map 1 match for vpn1
peer set card crypto outside_map 1 10.3.1.101
My outside_map 1 transform-set-set1 crypto card
outside_map interface card crypto outside
!
!
card crypto outside_map 2 match address backupvpn1
peer set card crypto outside_map 2 10.4.1.101
My outside_map 2 transform-set-set1 crypto card
backup of crypto outside_map interface card
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac my-set2
crypto outside_map 3 game card address vpn2
peer set card crypto outside_map 3 10.1.1.101
My outside_map 3 transform-set-set2 crypto card
outside_map interface card crypto outside
!
!
card crypto 4 correspondence address backupvpn2 outside_map
peer set card crypto outside_map 4 10.2.1.101
My outside_map 4 transform-set-set2 crypto card
backup of crypto outside_map interface card
!
!
!
tunnel-group 10.3.1.101 type ipsec-l2l
IPSec-attribute Tunnel-Group 10.3.1.101
pre-shared key cisco
ISAKMP keepalive retry 20 3 threshold
!
!
tunnel-group 10.4.1.101 type ipsec-l2l
IPSec-attribute Tunnel-Group 10.4.1.101
pre-shared key cisco
ISAKMP keepalive retry 20 3 threshold
!
!
tunnel-group 10.1.1.101 type ipsec-l2l
IPSec-attribute Tunnel-Group 10.1.1.101
pre-shared key cisco
ISAKMP keepalive retry 20 3 threshold
!
!
tunnel-group 10.2.1.101 type ipsec-l2l
IPSec-attribute Tunnel-Group 10.2.1.101
pre-shared key cisco
ISAKMP keepalive retry 20 3 threshold
!
!
backup of MTU 1500
If this correct what should I configure other side that I want to finish in front of it. Is my address name vpn1 crypto card must match on the other side or not?
any suggestion is good...
Thank you...
What I mean with the routing is a routing protocol or static routes the SAA can choose between interfaces to establish the tunnel.
If the ASA has the card encryption applied to two interfaces, then one should be used as primary and the other as backup.
How will be the ASA choose which is better? Via the routing.
If you use a routing protocol, the ASA will be known which interface to send packets every time, but if using static routes, you need to change the metric and configuring IP SLA.
Federico.
-
OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA. I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510. I have the VPN configured on the SAA and he said that the tunnel is up. I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine. If I try to ping on a local computer, I get a "Request timed out". If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer. The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted. I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:
My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:
Router (Cisco 2811)
|
Layer switch 2 (ProCurve)
| |
ASA5510 LAN computers
I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.
In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.
From the console of the ASA, I get this:
ASA5510 # ping 192.52.128.1
Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 msASA5510 # show crypto ipsec his
Interface: *.
Tag crypto map: * _map, local addr: 10.52.120.23local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
current_peer: x.x.x.204program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204
Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
current outbound SPI: C49EF75FSAS of the esp on arrival:
SPI: 0x21FDBB9D (570276765)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3529)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC49EF75F (3298752351)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3527)
Size IV: 8 bytes
support for replay detection: YFrom my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:
C:\Users\***>ping 192.52.128.1
Ping 192.52.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping statistics for 192.52.128.1:
Packets: Sent = 4, received = 0, lost = 4 (100% loss)C:\Users\***>ping 10.52.120.23
Ping 10.52.120.23 with 32 bytes of data:
Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255Ping statistics for 10.52.120.23:
Packets: Sent = 4, received = 4, lost = 0 (0% loss),
Time approximate round trip in milli-seconds:
Minimum = 1ms, Maximum = 5ms, average = 2msCount on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.
Here is the running of the ASA configuration:
ASA Version 7.0 (2)
names of
!
interface Ethernet0/0
nameif InsideNetwork
security-level 100
IP 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
activate the encrypted password of XXXXXXXXXXXXXXXX
passwd encrypted XXXXXXXXXXXXXXXXXXX
ciscoasa hostname
domain default.domain.invalid
passive FTP mode
permit same-security-traffic intra-interface
Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
5.0 192.52.128.0 255.255.255.0
Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
.0 192.52.128.0 255.255.255.0
pager lines 24
asdm of logging of information
management of MTU 1500
MTU 1500 InsideNetwork
management of the interface of the monitor
the interface of the monitor InsideNetwork
ASDM image disk0: / asdm - 502.bin
don't allow no asdm history
ARP timeout 14400
NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
Enable http server
http 192.168.1.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 InsideNetwork
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
card crypto InsideNetwork_map 20 set peer x.x.x.204
InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
InsideNetwork_map InsideNetwork crypto map interface
ISAKMP enable InsideNetwork
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
Telnet 10.52.120.0 255.255.255.0 InsideNetwork
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
dhcpd lease 3600
dhcpd ping_timeout 50
enable dhcpd management
tunnel-group x.x.x.204 type ipsec-l2l
x.x.x.204 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the dns-length maximum 512
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
Cryptochecksum:7e478b60b3e406091de466675c52eaaa
: endI haven't added anything to the config except what seemed necessary to get the job of VPN tunnel. It should be fairly clean.
Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot
Strange, but good news. Thanks for the update. I'm glad everything is working.
THX
MS
-
2 one-Site VPN Cisco 2801 and with crossing NAT
Hi guys,.
I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.
Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?
Here is a model of physics/IP configuration:
LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN
Thank you
Gonçalo
Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern
->-Priv>-Priv>-Internet->-> -
I set up a site to Site VPN using ASA 5505, but when I submit the order
"sh crypto ipsec his ' it says 'there are no ipsec security associations.
I have attached the configurations.
Hello
I saw you nat nat of entry (inside) 2-list of access limenat, would you change to, nat (inside) 0-list of access limenat. See which make all the difference.
Do you want to take a capture of packets when the remote IP address ping?
course list (Local subnet) host (remote subnet) host allowed access
Cap list of allowed access host host (remote subnet) (Local subnet)
Course access-list in hidden inside
Show Cap Hat
Now you can see the list of access capture
Debug crypto isakmp 200
Debug crypto ipsec 200
-
Termination of VPN on Pix behind router IOS with private subnet
OK, basically, I wonder if it is possible to terminate a VPN connection on a Pix 506 Firewall which is behind a router IOS. The public interface of the Pix 506 have a private on a 29 ip address will IOS within the interface. Network is configured as follows:
Internet as 10Base T
| (5 public - X.X.X.34. 38)
| (In WIC-1ENET)
| (.34 assigned to interface)
Cisco 1760
| (Pomp) | (WIC-4PORTSWITCH)
| | (10.0.0.1 29 on 1760)
Net private Pix 506
(192.168.1.0) (10.0.0.2 29 on Pix)
Now, two internal interfaces of the 1760 are configured to PAT on the IP of the interface of the 1760 and all internet traffic goes perfectly. None of the access lists are currently applied anywhere on the 1760 and a static translation on the 1760 is configured pour.35 to 10.0.0.2 ('public' ip pix). RDP and other services authorized in the pix access list work perfectly well from the outside world when you enter a.35, but if I try to terminate a VPN from a pix 501 for the pix 506 offsite using the Intellectuelle.35 property, it does not work.
Is it possible to do this type of work setting.
I realize I could put an external switch to 1760 and run the public subnet directly and individually in the 1760 and Pix 506, however, I really would prefer not no need to do so if it is possible to avoid it.
Remove the crypto map to the interface on the PIX and reapply.
-
Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue
Hello
Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).
The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.
Please, what missing am me?
A few exits:
ISAKMP crypto to show her:
isakmp crypto #show her
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE
IPv6 Crypto ISAKMP Security Association
Crypto ipsec to show her:
Interface: GigabitEthernet0/0
Tag crypto map: QRIOSMAP, local addr 62.173.32.122
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
current_peer 62.173.32.50 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50
Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0
current outbound SPI: 0x4D7E4817 (1300121623)
PFS (Y/N): Y, Diffie-Hellman group: group2
SAS of the esp on arrival:
SPI: 0xEACF9A (15388570)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP
calendar of his: service life remaining (k/s) key: (4491222/1015)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
Please see my config:
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
encryption... isakmp key address 62.X.X... 50
ISAKMP crypto keepalive 10 periodicals
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS
!
QRIOSMAP 10 ipsec-isakmp crypto map
peer 62.X.X set... 50
transformation-TS-QRIOS game
PFS group2 Set
match address 100
!
!
!
!
!
interface GigabitEthernet0/0
Description WAN CONNECTION
62.X.X IP... 124 255.255.255.248 secondary
62.X.X IP... 123 255.255.255.248 secondary
62.X.X IP... 122 255.255.255.248
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
card crypto QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
LAN CONNECTION description $ES_LAN$
address 192.168.20.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length
IP nat inside source list 1 pool mypool overload
overload of IP nat inside source list 100 interface GigabitEthernet0/0
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 allow 10.2.0.0 0.0.0.255
Note access-list 100 category QRIOSVPNTRAFFIC = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122
access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122
access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122
access-list 101 deny ip any any newspaper
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
!
!
!
!
sheep allowed 10 route map
corresponds to the IP 110
The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?
Here are the things I see in your config
I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?
IP route 0.0.0.0 0.0.0.0 62.X.X... 121
IP route 0.0.0.0 0.0.0.0 62.172.32.121
This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?
IP route 10.2.0.0 255.255.255.0 192.168.20.2
In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.
IP route 172.17.0.0 255.255.0.0 Tunnel20
IP route 172.17.2.0 255.255.255.0 Tunnel20
And these 2 static routes are similar. The second is a more precise indication and would be included in the first. And it is referred to the same next hop. So why have the other?
IP route 172.18.0.0 255.255.0.0 Tunnel20
IP route 172.18.0.0 Tunnel20 255.255.255.252
HTH
Rick
-
NAT IPSEC site to site VPN ASA 8.4
My goal is to create a VPN to me (61.227.106.64) to a seller (9.105.8.204) using an ASA 5510 with 8.4 on it. Local private networks of the seller is 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want NAT it to 61.227.106.70.
The following configuration is correct?
ASA Version 8.4 (2)
interface Ethernet0/0
nameif LAN
security-level 0
IP 10.241.1.61 255.255.255.0
!
interface Ethernet0/1
nameif WAN
security-level 0
IP 61.227.106.64 255.255.255.0
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the CareOneTSFarm object
10.11.102.0 subnet 255.255.255.0
network of the Core_NAT object
Home 61.227.106.70
network of the NAT_to_outside object
subnet 0.0.0.0 0.0.0.0
the Core_LAN object-group network
object-network 10.134.115.0 255.255.255.0
object-network 10.135.115.0 255.255.255.0
VPNCore list extended access permitted ip object CareOneTSFarm object-group Core_LAN
public static CareOneTSFarm Core_NAT destination NAT (LAN, WAN) static source Core_LAN Core_LAN
!
network of the NAT_to_outside object
dynamic interface of NAT (LAN, WAN)
Route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1
Route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1
Crypto ipsec transform-set esp-aes-256 AES256_SHA, esp-sha-hmac ikev1
3600 seconds, duration of life crypto ipsec security association
card crypto VPN 50 corresponds to the address VPNCore
card crypto VPN 50 set peer 9.105.8.204
card crypto VPN 50 set transform-set AES256_SHA ikev1
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
card crypto VPN WAN interface
tunnel-group 9.105.8.204 type ipsec-l2l
IPSec-attributes tunnel-Group 9.105.8.204
IKEv1 pre-shared-key *.
This NAT line:
public static CareOneTSFarm Core_NAT destination NAT (LAN, WAN) static source Core_LAN Core_LAN
must be:
destination NAT (LAN, WAN) CareOneTSFarm Core_NAT Core_LAN Core_LAN static dynamic source
And the ACL VPNCore must correspond to the NATed IP instead of the real IP:
VPNCore list extended access permitted ip object Core_NAT object-group Core_LAN
-
Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2
I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.
I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.
I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
=========================================================Here is a skeleton of the FWa configuration:
name 172.16.1.0 network-inside
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interfaceinterface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240the DM_INLINE_NETWORK_5 object-group network
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-objectoutside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0NAT (inside) 0 access-list sheep
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outboundcard crypto VPN 5 corresponds to the address Outside_5_cryptomap
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.=========================================================
FWb:
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-networkinterface Vlan1
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_2 object-group network
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-objectinside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip hostoutside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0Route inside2 network ring51 255.255.255.0 10.52.100.1 1
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outsidetunnel-group S.S.S.S type ipsec-l2l
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.=========================================================================
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.Ping Successul FWa inside the interface on FWb
FWa # ping 192.168.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....FWb #.
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWbFWa # ping 192.168.20.15
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...FWb #.
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72===========================
Unsuccessful ping of FWa to inside2 on FWb interfaceFWa # ping 10.52.100.10
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...FWb #.
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....==================================================================================
Unsuccessful ping of Fwa to a host of related UI inside2 on FWb
FWa # ping 10.52.100.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72FWb #.
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72=======================
Thank you
Hi odelaporte2,
Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.
This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.
It may be useful
-Randy-
-
3945 site VPN termination - not on p2p connect interface
Nice day!
Our border router connects to the ISP router with a subnet of p2p. The IP address on our router connect interface cannot be used for other services such as VPN. Provider filters all packets with this address defined in an IP header. Therefore, we must use the addresses of the other publicly routed subnet. I understand that we can place another router behind this border router and set his foreign address as an address on that subnet 'admitted '. But we want to offer this service on the same edge router. Is this possible? I tried to put the card encryption on a loopback interface and the traffic directly to it for encryption.
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key
address z.z.172.2 no-xauth crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmpset peer z.z.172.2set transform-set TRANS1match address CRYPTO_ACLinterface loopback0
description -= VPN Termination =-
ip address x.x.127.111 255.255.255.255
crypto map VPN
interface GigabitEthernet0/0.10
description -= ISP Gateway =-
encapsulation dot1Q 10
ip address y.y.122.203 255.255.255.248
interface GigabitEthernet0/0.20
description -= LAN =-
encapsulation dot1Q 20
ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 y.y.122.201
ip route 192.168.100.0 255.255.255.0 loopback 0
ip access-list extended CRYPTO_ACLpermit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255I does not work. The packet does not get encrypted but simply routed to the ISP router.
Please, help.
Thanks.
Viktor,
I believe crypto map on loopback interface is still unsupported but I have not been following this in the past.
The way we do it, is apply the actul crypto map to physical/logical interface facing the ISP BUT you tweak the crypto map to use loopback as it's local address.
In your case it'd look like this:
crypto map VPN local-address loopback0
In this place all everyone will think that this tunnel is established with the address assigned to the interface loopback0.
Hope this helps,
Marcin
-
Why this site did charge my account with two renewals auto when I'm not a customer
Why did take 2 automatic renewals annual my account when I am not a customer
What site? If you're referring to MS Answers, you're wrong. This site is totally free. Maybe your credit/identity card information was stolen as a result of malware on your computer...
-
Problems with site-to-site vpn with of the asa 2
I tried different ways so that this works, but failed. After 8 hours, I literally have a bad headache and have to step away for a minute. I realize I need to ping between the tunnels mentioned, but still can not to. can someone take a look and tell me where I have gone wrong? Im trying to configure a site to site vpn between:
ASA_A
external interface 5.179.17.66
inside the interface 10.1.1.1
ASA B
external interface 5.81.57.19
inside the 10.1.2.1 interface
Frist why do you have two DGs on box -
Route outside 0.0.0.0 0.0.0.0 5.179.121.65 1
Route outside 0.0.0.0 0.0.0.0 5.179.17.65 1
Attach the two end then it should work.
Thank you
Ajay
-
Cisco 3640 to the PIX 501 site 2 site VPN performance specifications.
I intend on creating a site-2-site VPN in Star configuration with a Cisco 3640 as the hub and PIX 501 at the remote sites. My question is around the plug that I read.
.
The specifications for a PIX-501-BUN-K9 tell PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).
.
A question is what really "10 users. Which is the limit of the number of concurrent sessions, I have on the VPN at a given time, or that it means something else?
.
I also read the specs say that the Maximum number of VPN tunnels that can support a PIX 501 is 5. Because I'm not going to make a tunnel between the PIX 501 at the remote site and the 3640 on the central site, I think I would be OK. Is that correct or is the max value talk the maximum number of concurrent sessions on the tunnel tunnels?
.
Thank you.
UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes but IIRC. If you go around NAT with a statement of "nat 0" should not create an xlate I think.
The real time is hard to say really, probably around 2 minutes for a UDP-only user, you would probably make a few 'local sho' orders on the PIX to really see for sure however.
-
Hello
I am facing a problem in my site to site VPN configuration, router management site gets the address public IP of the DHCP server as I have built a dynamic crypto map on the router HQ
First phase ISAKMP is operational running, I am trying to ping the LAN 192.168.85.0 for the HQ 172.16.12.0 LAN but it won't go through and when I check the ipsec security associations I can see that packets are encrypted on the side of the branch and decrypted on the side of HQ but the HQ router no PING response at all and he saw not encrypted packets
I have attached my configurations, I had to hide some information just for safety
Help, please!
Mostafa
Hello Mustafa,
Havinf a glance at your config, it seems you have not correctly configured on your HQ NAT exemption.
ip access-list extended NAT deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255 permit ip 172.16.12.0 0.0.0.255 any deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
In this interesting ACL traffic is refused in the last. So it is not exempted from NAT, as ACL are processed in top-down, your valuable traffic is already matching permit statement in NAT ACL therefore subject to NAT on HQ. Refuse the declaration of exemption, interesting traffic NAT should precede the statement of license.
HTH
"Please note useful posts.
Maybe you are looking for
-
How to clear these latest research iOS10 cards?
I search when I finally used an iPhone I couple of years back.
-
How can I get my menu bar on my macbook pro? The dock also disappeared. I know I have to take my pointer upwards (or downwards), but it's a waste of time and that bothers me. Its only happens on Safari, and not on other applications.
-
Hello a question about tables. In my application I read data from a database to analyze; they are ordered by date, and the user can select the period they wish to analyze. When it selects a query runs and put the data in a table. I need to perform ca
-
How can I the language in windows XP?
Where can I go to change the language in Windows XP?