Site to Site VPN connection

I am having trouble getting a site-to-site connection working between a site that I own and a remote vendor's site. (Neither of us is an expert.)

Can someone tell me what we are missing?

Ok

I hope I understood the situation correctly.

With the changes below, all of your LAN traffic should flow through the L2L VPN connection to the remote site. However, I can't say what will happen to the traffic from there on. Internet traffic should work just fine.

Your ASA site

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any

no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

Note the NAT0 access-list INSIDE-NAT0 for the L2L VPN traffic:

access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 any

nat (inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor's ASA site

same-security-traffic permit intra-interface

access-list siteA extended permit ip any 10.4.200.0 255.255.248.0

no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site whenever the destination address of the connection is anything other than your own LAN.

It should also allow your site to use the remote site ASA's Internet connection, since we allow traffic to make a U-turn on the remote ASA's "outside" interface and also dynamically PAT it to the "outside" interface IP address.

-Jouni
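As an added example (not code from the thread, from Jouni, or from Cisco), here is a small Python checker for the two conditions the changes above rely on: the crypto ACLs on the two peers must be exact mirrors of each other, and the local NAT0 list must cover everything the crypto ACL matches. The ACL names and the "before" state are constructed from this answer; the s2s-vpn-Oly entries are taken from the 1921 router question further down the page, and its peer ACL s2s-vpn-peer is hypothetical.

```python
"""Mirror-check two IPsec L2L peers' crypto ACLs and the local NAT0 coverage.
Added example for this thread; not code from any poster or from Cisco. Only
'permit ip' entries are understood, in ASA (netmask) or IOS (wildcard) syntax."""
import ipaddress


def _parse_endpoint(tokens, i, wildcard):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        # IOS ACLs carry wildcard (inverse) masks; flip the bits to get a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_permit_ip(config_text, acl_name, wildcard=False):
    """Return the set of (src_net, dst_net) pairs permitted by ACL acl_name."""
    pairs = set()
    current = None  # name of the IOS named ACL whose indented block we are inside
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():
            current = None  # any top-level command ends a named-ACL block
            if tokens[:3] == ["ip", "access-list", "extended"] and len(tokens) == 4:
                current = tokens[3]  # IOS named ACL header; its ACEs follow, indented
                continue
            if tokens[0] != "access-list" or len(tokens) < 3 or tokens[1] != acl_name:
                continue
            body = tokens[3:] if tokens[2] == "extended" else tokens[2:]  # ASA / IOS numbered
        elif current == acl_name:
            body = tokens
        else:
            continue
        if len(body) < 4 or body[:2] != ["permit", "ip"]:
            continue  # deny lines, object-based ACEs and other protocols are out of scope
        src, i = _parse_endpoint(body, 2, wildcard)
        dst, _ = _parse_endpoint(body, i, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Phase 2 needs the remote crypto ACL to be the exact mirror of the local one."""
    expected_remote = {(dst, src) for src, dst in local_pairs}
    return expected_remote - remote_pairs, remote_pairs - expected_remote


def nat0_gaps(crypto_pairs, nat0_pairs):
    """Crypto ACEs not fully covered by a NAT-exemption ACE (that traffic gets NATed first)."""
    return {
        (src, dst) for src, dst in crypto_pairs
        if not any(src.subnet_of(n_src) and dst.subnet_of(n_dst) for n_src, n_dst in nat0_pairs)
    }


def check_peers(local_cfg, local_acl, remote_cfg, remote_acl, wildcard=False, nat0_acl=None):
    """Run both checks; every value is a set of (src_net, dst_net) tuples."""
    local = parse_permit_ip(local_cfg, local_acl, wildcard)
    remote = parse_permit_ip(remote_cfg, remote_acl, wildcard)
    missing, extra = mirror_mismatches(local, remote)
    gaps = nat0_gaps(local, parse_permit_ip(local_cfg, nat0_acl, wildcard)) if nat0_acl else set()
    return {"missing_on_remote": missing, "extra_on_remote": extra, "nat0_gaps": gaps}


# Constructed samples: the 'after' state recommended in the answer above, and a
# 'before' state whose NAT0 list still only exempts traffic towards 10.4.0.0/16.
SITE_A_AFTER = """\
access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 any
nat (inside) 0 access-list INSIDE-NAT0
"""
SITE_A_BEFORE = """\
access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 10.4.0.0 255.255.0.0
"""
VENDOR_ASA = "access-list siteA extended permit ip any 10.4.200.0 255.255.248.0\n"

# Constructed samples: the 1921 router's s2s-vpn-Oly ACL from the thread below,
# and a hypothetical peer ACL that lacks the mirror of its last entry.
ROUTER_A_IOS = """\
ip access-list extended s2s-vpn-Oly
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
ROUTER_B_IOS = """\
ip access-list extended s2s-vpn-peer
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
"""

if __name__ == "__main__":
    print(check_peers(SITE_A_BEFORE, "siteA", VENDOR_ASA, "siteA", nat0_acl="INSIDE-NAT0"))
    print(check_peers(ROUTER_A_IOS, "s2s-vpn-Oly", ROUTER_B_IOS, "s2s-vpn-peer", wildcard=True))
```

In the "before" state the checker reports the siteA entry as a NAT0 gap, which is exactly why Internet-bound traffic would be translated instead of encrypted; in the 1921 case it reports the one mirror entry the peer lacks.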

Tags: Cisco Security

Similar Questions

  • Multiple site to site VPN connections

    Hello.

    I've finally set up a site-to-site VPN connection and now wonder how I can configure multiple connections that are reachable from different VLANs.

    So that VLAN1 uses one tunnel and VLAN2 another.

    Best regards, Tommy Svensson

    Configuration up to now:

    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key vpnkey address ?.206
    !
    !
    crypto ipsec transform-set VPN esp-aes esp-sha-hmac
    !
    crypto map VPNMAP 10 ipsec-isakmp
     description Site 2 site
     set peer ?.206
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 100

    access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    Hi Tommy

    To complement Marcin's comments, something like this should help (obviously you need to change the IP addresses accordingly).

    crypto map VPNMAP 10 ipsec-isakmp
     description Site 2 site
     set peer ?.206
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 100
    !
    crypto map VPNMAP 20 ipsec-isakmp
     description site-2-site #2
     set peer ?
     set security-association lifetime kilobytes 4000
     set transform-set VPN
     set pfs group5
     match address 101

    access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255

    Barry

  • Cisco router 1921 internet problem with a site-to-site vpn connection

    I have a TE-data DSL connection with a 3com modem at 2 sites, and I have 2 Cisco 1921 routers with a site-to-site VPN between them, and the VPN connection works well. I configured PAT on one of them to allow users to access the Internet, but there is a problem:

    all users can ping a public IP address

    all users can ping any URL

    but there is no browsing of the Internet

    and here is the configuration:

    NOZHA#sh run
    Building configuration...

    Current configuration : 2425 bytes
    !
    ! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname NOZHA
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5
    !
    no aaa new-model
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    ip dhcp pool 1
     network 192.168.40.0 255.255.255.0
     default-router 192.168.40.1
     dns-server 4.2.2.2 8.8.8.8
     lease infinite
    !
    ip domain name shady2012
    !
    multilink bundle-name authenticated
    !
    license udi pid CISCO1921/K9 sn FCZ1432C5KM
    license boot module c1900 technology-package securityk9
    !
    redundancy
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key shady2012 address 81.10.xxx.yy
    !
    crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
    !
    crypto map s2s-vpn 150 ipsec-isakmp
     set peer 81.10.xxx.yy
     set pfs group2
     match address s2s-vpn-Oly
    !
    interface GigabitEthernet0/0
     mtu 1000
     ip address 41.41.xx.yy 255.255.255.252
     ip nat outside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map s2s-vpn
    !
    interface GigabitEthernet0/1
     ip address 192.168.40.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip default-gateway 41.41.xx.yy
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat inside source list mypool interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
    ip route 192.168.20.0 255.255.255.0 41.41.xx.yy
    ip route 192.168.30.0 255.255.255.0 41.41.xx.yy
    !
    ip access-list extended mypool
     deny   ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny   ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
     deny   ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
     permit ip any any
    ip access-list extended s2s-vpn-Oly
     permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
     permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
     permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     password
     login
    !
    scheduler allocate 20000 1000
    end

    If anyone has the answer please answer ASAP

    When you say you can ping any URL, I assume you are pinging the full domain name, i.e. it gets resolved to an IP address, right?

    If you disable the VPN, can you access the Internet?

    Do you have a proxy server or anything else that could block browsing?

    What error message do you get in your web browser?

    Also, have you tried another web browser, and does none of them work?

  • Configuration of Site VPN connection to another via GRE Tunnels

    I am trying to set up a site-to-site VPN over the Internet using GRE tunnels. I am able to reach one WAN interface from the other, but I am not able to get ISAKMP and IPsec to work. Below is the configuration and a simplified flowchart. In this scenario I am also running BGP between these routers; the BGP neighborships are formed through the tunnels, but I want the traffic between the tunnels to be encrypted. IPsec and ISAKMP are not running, and the BGP routes and other traffic are not encrypted.

    This is why I would like to know what the reason for this could be.

    Router config VPN 1

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 500
    crypto isakmp key test_key1 address 192.168.30.1
    crypto isakmp key test_key1 address 192.168.30.2
    crypto isakmp keepalive 60 20
    crypto isakmp aggressive-mode disable
    !
    !
    crypto ipsec transform-set high esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
     set peer 192.168.20.1
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 110
    crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
     set peer 192.168.20.2
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 111
    !
    interface Loopback0
     description IPsec_Tunnel0
     ip address 192.168.30.1 255.255.255.255
    !
    interface Loopback1
     description IPsec_Tunnel1
     ip address 192.168.30.2 255.255.255.255
    !
    interface Loopback2
     description BGP_Peer1
     ip address 192.168.40.1 255.255.255.255
    !
    interface Loopback3
     description BGP_Peer2
     ip address 192.168.40.2 255.255.255.255
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel source Loopback0
     tunnel destination 192.168.20.1
     crypto map CRYP_MAP_IPSEC
    !
    interface Tunnel1
     ip unnumbered Loopback1
     tunnel source Loopback1
     tunnel destination 192.168.20.2
     crypto map CRYP_MAP_IPSEC
    !
    interface gi0
     description #### CONNECTED TO Internet ####
     ip address 10.1.1.1 255.255.255.252
     ip access-group 100 in
     duplex auto
     speed auto
    !
    router bgp 64851
     bgp log-neighbor-changes
     neighbor BGP_PEER_1 peer-group
     neighbor BGP_PEER_1 remote-as 64859
     neighbor BGP_PEER_1 ebgp-multihop 255
     neighbor BGP_PEER_1 update-source Loopback2
     neighbor BGP_PEER_1 version 4
     neighbor BGP_PEER_1 next-hop-self
     neighbor BGP_PEER_2 peer-group
     neighbor BGP_PEER_2 remote-as 64859
     neighbor BGP_PEER_2 ebgp-multihop 255
     neighbor BGP_PEER_2 update-source Loopback3
     neighbor BGP_PEER_2 version 4
     neighbor BGP_PEER_2 next-hop-self
     neighbor 192.168.10.1 peer-group BGP_PEER_1
     neighbor 192.168.10.2 peer-group BGP_PEER_2
    !
    ip route 192.168.10.1 255.255.255.255 Tunnel0
    ip route 192.168.10.2 255.255.255.255 Tunnel1
    ip route 192.168.20.1 255.255.255.255 GigabitEthernet0
    ip route 192.168.20.2 255.255.255.255 GigabitEthernet0
    !
    access-list 100 permit ip any any
    access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
    access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
    access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
    access-list 111 permit gre host 192.168.20.2 host 192.168.30.2

    Router config VPN 2

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 500
    crypto isakmp key test_key1 address 192.168.30.1
    crypto isakmp key test_key1 address 192.168.30.2
    crypto isakmp keepalive 60 20
    crypto isakmp aggressive-mode disable
    !
    !
    crypto ipsec transform-set high esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
     set peer 192.168.30.1
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 110
    crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
     set peer 192.168.30.2
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 111
    !
    interface Loopback0
     description IPsec_Tunnel0
     ip address 192.168.20.1 255.255.255.255
    !
    interface Loopback1
     description IPsec_Tunnel1
     ip address 192.168.20.2 255.255.255.255
    !
    interface Loopback2
     description BGP_Peer1
     ip address 192.168.10.1 255.255.255.255
    !
    interface Loopback3
     description BGP_Peer2
     ip address 192.168.10.2 255.255.255.255
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel source Loopback0
     tunnel destination 192.168.30.1
     crypto map CRYP_MAP_IPSEC
    !
    interface Tunnel1
     ip unnumbered Loopback1
     tunnel source Loopback1
     tunnel destination 192.168.30.2
     crypto map CRYP_MAP_IPSEC
    !
    interface gi0
     description #### CONNECTED TO Internet ####
     ip address 10.1.1.2 255.255.255.252
     ip access-group 100 in
     duplex auto
     speed auto
    !
    router bgp 64859
     bgp log-neighbor-changes
     neighbor BGP_PEER_1 peer-group
     neighbor BGP_PEER_1 remote-as 64851
     neighbor BGP_PEER_1 ebgp-multihop 255
     neighbor BGP_PEER_1 update-source Loopback2
     neighbor BGP_PEER_1 version 4
     neighbor BGP_PEER_1 next-hop-self
     neighbor BGP_PEER_2 peer-group
     neighbor BGP_PEER_2 remote-as 64851
     neighbor BGP_PEER_2 ebgp-multihop 255
     neighbor BGP_PEER_2 update-source Loopback3
     neighbor BGP_PEER_2 version 4
     neighbor BGP_PEER_2 next-hop-self
     neighbor 192.168.40.1 peer-group BGP_PEER_1
     neighbor 192.168.40.2 peer-group BGP_PEER_2
    !
    ip route 192.168.40.1 255.255.255.255 Tunnel0
    ip route 192.168.40.2 255.255.255.255 Tunnel1
    ip route 192.168.30.1 255.255.255.255 gi0
    ip route 192.168.30.2 255.255.255.255 gi0
    !
    access-list 100 permit ip any any
    access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
    access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
    access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
    access-list 111 permit gre host 192.168.30.2 host 192.168.20.2

    Your tunnel encryption configuration is incorrect... you need to do something like the following at both ends.

    crypto isakmp policy 10
     encr aes
     hash sha
     authentication pre-share
     group 5

    crypto isakmp key cisco address

    crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac

    crypto ipsec profile MYPROFILE
     set transform-set RIGHT

    interface tunnel 10
     ip unnumbered gig0/0
     tunnel source gig0/0
     tunnel destination
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MYPROFILE

    --

    Please do not forget to select a correct answer and rate useful posts

  • Help! Several problem of the setup of site-to-site VPN connection

    I recently placed an ASA 5505 at each of 3 sites, and they communicate with each other over site-to-site VPN. I am able to connect HQ to the two offices without any problem, and each office connects as well. However, I can't do a Remote Desktop connection at camp. Please see below for each office's configuration, and thanks for sharing any part of your experience.

    Remote desktop (Pri: 172.29.88.254; Pub: 173.190.234.138; Subnet: 172.29.88.0/24)
          |
          |  (VPN)
          |
    HQ office (Pri: 172.29.8.254; Pub: 173.111.222.140; Subnet: 172.29.8.0/24)
          |
          |  (VPN)
          |
    Colo (Pri: 172.29.168.254; Pub: 111.167.239.218; Subnet: 172.29.168.0/24)

    HQ ASA5505 configuration:

    ASA 4,0000 Version 1
    !
    hostname jtfw-AC
    domain-name jollytech.com
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
    !
    interface Ethernet0/1
     switchport access vlan 2
     speed 100
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.8.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 173.111.222.140 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name jollytech.com
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object network orange
     host 172.29.8.151
    object network WAN_173_111_222_138
     host 173.111.222.138
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
    object network guava
     host 172.29.8.3
    object network obj_HQVPN
     subnet 192.168.8.0 255.255.255.0
    object network jt-fn68zv1
     host 172.29.8.71
    object service JT_FTP
     service tcp source eq ftp
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 192.168.8.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any eq 135 any inactive
    access-list inside_access_in extended deny udp any eq 135 any inactive
    access-list inside_access_in extended deny udp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq www
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq https
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    access-list outside_cryptomap_1 extended permit ip object obj_HQ object obj_colo
    access-list outside_cryptomap_1 extended permit ip object obj_lex object obj_colo
    pager lines 24
    logging enable
    logging timestamp
    logging trap informational
    logging asdm informational
    logging recipient-address [email protected]
    logging host inside 172.29.8.89
    mtu inside 1500
    mtu outside 1500
    ip local pool Jolly_HQVPN_DHCP 192.168.8.100-192.168.8.150 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_colo obj_colo route-lookup
    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static jt-fn68zv1 interface service JT_FTP JT_FTP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_HQVPN obj_HQVPN
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 173.111.222.142 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server guava protocol nt
    aaa-server guava (inside) host 172.29.8.3
     timeout 15
     nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    user-identity inactive-user-timer minutes 360
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    snmp-server host inside 172.29.8.89 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.190.234.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES
    crypto map outside_map 2 match address outside_cryptomap_1
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 111.167.239.218
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal AES AES192 AES256 3DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    !
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy Jolleytech_VPN internal
    group-policy Jolleytech_VPN attributes
     dns-server value 172.29.8.3
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_Tunnel_User
     default-domain value jollytech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group jollytech type remote-access
    tunnel-group jollytech general-attributes
     address-pool Jolly_HQVPN_DHCP
     authentication-server-group guava
     default-group-policy Jolleytech_VPN
    tunnel-group jollytech ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 111.167.239.218 type ipsec-l2l
    tunnel-group 111.167.239.218 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 111.167.239.218 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 173.190.234.138 type ipsec-l2l
    tunnel-group 173.190.234.138 general-attributes
     default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.234.138 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
      inspect http
    !
    service-policy global_policy global
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2da829cf9fd3d4901e8131c2ae32b679
    : end

    Remote desktop site configuration:

    ASA Version 8.4(3)
    !
    hostname jtfw-lex
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.88.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 173.190.234.138 255.255.255.248
    !
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network jt-dc01
     host 172.29.88.151
    object network WAN_jt-dc01
     host 10.8.8.3
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexinton office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
     description Jollytech HQ network
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
     description Jollytech colo network
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq netbios-ssn inactive
    access-list inside_access_in extended deny tcp any eq netbios-ssn any inactive
    access-list inside_access_in extended deny udp any eq 139 any
    access-list inside_access_in extended deny udp any any eq 139
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq smtp
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq pptp
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq www
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq https
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq 3389
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list outside_cryptomap extended permit ip 172.29.88.0 255.255.255.0 object obj_HQ
    access-list outside_cryptomap extended permit ip object obj_lex object obj_colo
    access-list VPN_Tunnel_user standard permit 172.29.88.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 172.29.168.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 192.168.88.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool jolly_lex_DHCP 192.168.88.100-192.168.88.120 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service RDP RDP
    nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service JT_WWW JT_WWW
    nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 173.190.234.137 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    Enable http server

    http 172.29.88.0 255.255.255.0 inside

    SNMP-server host within the 172.29.88.30 community * version 2 c

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac Remote_VPN_set ikev1

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 proposal ipsec 3DES

    Esp 3des encryption protocol

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 ipsec-proposal AES

    Esp aes encryption protocol

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 ipsec-proposal AES192

    Protocol esp encryption aes-192

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 AES256 ipsec-proposal

    Protocol esp encryption aes-256

    Esp integrity sha - 1, md5 Protocol

    card crypto outside_map 1 match address outside_cryptomap

    card crypto outside_map 1 set pfs

    peer set card crypto outside_map 1 173.111.222.140

    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5

    ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA'RE

    P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal

    outside_map interface card crypto outside

    IKEv2 crypto policy 1

    aes-256 encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 10

    aes-192 encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 20

    aes encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 30

    3des encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 40

    the Encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    Crypto ikev2 allow outside

    Crypto ikev1 allow outside

    IKEv1 crypto policy 10

    authentication crack

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 20

    authentication rsa - sig

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 30

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 40

    authentication crack

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 50

    authentication rsa - sig

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    authentication crack

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 80

    authentication rsa - sig

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 100

    authentication crack

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 110

    authentication rsa - sig

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 120

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 130

    authentication crack

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 140

    authentication rsa - sig

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    Telnet 172.29.88.0 255.255.255.0 inside

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd address 172.29.88.50 - 172.29.88.100 inside

    dhcpd dns 172.29.8.3 166.102.165.11 interface inside

    dhcpd jollytech.local area inside interface

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal GroupPolicy_173.164.222.140 group strategy

    attributes of Group Policy GroupPolicy_173.164.222.140

    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

    name of user who has encrypted password JOYSoaqW4x32VHKB

    tunnel-group 173.111.222.140 type ipsec-l2l

    tunnel-group 173.111.222.140 general-attributes

    Group - default policy - GroupPolicy_173.164.222.140

    IPSec-attributes tunnel-group 173.111.222.140

    IKEv1 pre-shared-key *.

    remote control-IKEv2 pre-shared-key authentication *.

    remotely IKEv2 authentication certificate

    pre-shared-key authentication local IKEv2 *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    Policy-map global_policy

    class inspection_default

    inspect the pptp

    inspect the ftp

    inspect the netbios

    !

    global service-policy global_policy

    172.29.8.3 SMTP server

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:0a0cf040a1f0f979ff55f0ef7e15c452

    : end

    Colo configuration:

    ASA Version 8.4(3)
    !
    hostname jtfw-colo
    domain-name jollytech.com
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.168.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 111.167.239.218 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name jollytech.com
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
     description Jollytech HQ network
    object network guava
     host 172.29.8.3
    object network obj_HQVPN
     subnet 192.168.8.0 255.255.255.0
     description Jollytech HQ VPN network
    object network WAN_111_167_239_220
     host 111.167.239.220
    object network jt-dc01
     host 172.29.168.3
    object network jt-exch2010
     host 172.29.168.25
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
     description Jollytech colo network
    object network RC_jt-r610
     host 172.29.168.8
    object network WAN_111_167_239_221
     host 111.167.239.221
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any eq 135 any inactive
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq 3389
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq www
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq https
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq www
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq https
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq 3389
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip object obj_colo object obj_HQ
    access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level errors
    logging host inside 172.29.168.89
    mtu inside 1500
    mtu outside 1500
    ip local pool Jolly_coloVPN_DHCP 192.168.168.100-192.168.168.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static RC_jt-r610 interface service JT_WWW JT_WWW
    nat (inside,outside) source static RC_jt-r610 interface service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_WWW JT_WWW
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service RDP RDP
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service RDP RDP
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_WWW JT_WWW
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static obj_colo obj_colo destination static obj_HQ obj_HQ route-lookup
    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 111.167.239.217 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 172.29.168.0 255.255.255.0 inside
    http 172.29.8.0 255.255.255.0 inside
    snmp-server host inside 172.29.168.89 community * version 2c
    snmp-server location Fremont Colo
    snmp-server contact [email protected]
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.111.222.140
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 172.29.8.0 255.255.255.0 inside
    telnet 172.29.168.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config off vpnclient-wins-override
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy GroupPolicy_173.111.222.140 internal
    group-policy GroupPolicy_173.111.222.140 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username <username> password eicyrfJBrqOaxQvS encrypted
    tunnel-group 173.111.222.140 type ipsec-l2l
    tunnel-group 173.111.222.140 general-attributes
     default-group-policy GroupPolicy_173.111.222.140
    tunnel-group 173.111.222.140 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    !
    service-policy global_policy global
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:a45d9f3e7b23713c34d13d5a8ac5ece5
    : end

    Hello,

    I think these NAT configurations need to change on the HQ ASA:

    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup

    Notice that you have configured them to use the 'inside' and 'outside' interfaces.

    However, both remote sites terminate on the HQ ASA's 'outside' interface, so the traffic between these remote sites (which passes through this HQ ASA) actually needs a NAT between 'outside' and 'outside'.

    You will need to use (outside,outside) in the NAT configurations:

    nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup

    You could actually be fine with only one of the two NAT configurations, as they should be bidirectional.

    - Jouni
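One way to check a hub ASA for the problem Jouni describes above, as an added example that is not part of this thread: a small Python script that parses the twice-NAT lines of a config and reports, per spoke pair, whether an identity NAT on (outside,outside) exists in at least one direction, and whether the hub permits traffic to re-enter and leave the same interface at all. The object names, the config fragment and the function names are constructed for this example and are not taken from either site's running config.

```python
"""Audit a hub ASA for spoke-to-spoke hairpin traffic (added example).

Input is a fragment of an ASA 8.3+ style running config. The HUB_BEFORE text
below is constructed to mirror the object names used in this thread; it is
not the HQ ASA's real configuration.
"""
import re
from itertools import combinations

# Twice-NAT line, e.g.:
#   nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
NAT_RE = re.compile(
    r"^nat\s+\((?P<ingress>[\w.-]+),(?P<egress>[\w.-]+)\)\s+source\s+static\s+"
    r"(?P<src_real>\S+)\s+(?P<src_mapped>\S+)\s+destination\s+static\s+"
    r"(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+)(?P<opts>.*)$"
)
INTRA_IFACE = "same-security-traffic permit intra-interface"


def parse_twice_nat(config: str) -> list[dict]:
    """Return every 'nat (a,b) source static ... destination static ...' rule."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def is_identity(rule: dict) -> bool:
    """Identity (no-translation) rule: real and mapped objects are the same."""
    return (rule["src_real"] == rule["src_mapped"]
            and rule["dst_real"] == rule["dst_mapped"])


def hairpin_exempt(rules: list[dict], a: str, b: str, iface: str = "outside") -> bool:
    """True if an identity rule on (iface,iface) covers a<->b in either direction.

    One direction is enough: static twice-NAT rules are evaluated
    bidirectionally, which is why only one of the two mirrored lines is needed.
    """
    for r in rules:
        if r["ingress"] != iface or r["egress"] != iface or not is_identity(r):
            continue
        if {r["src_real"], r["dst_real"]} == {a, b}:
            return True
    return False


def audit_hub(config: str, spokes: list[str], iface: str = "outside") -> dict:
    """Per spoke pair: is hairpinned traffic exempt from NAT on the hub?
    Also report whether same-interface (u-turn) traffic is permitted at all."""
    rules = parse_twice_nat(config)
    pairs = {}
    for a, b in combinations(sorted(spokes), 2):
        pairs[(a, b)] = hairpin_exempt(rules, a, b, iface)
    return {"intra_interface": INTRA_IFACE in config, "pairs": pairs}


# Constructed hub config: the spoke-to-spoke exemption is written on
# (inside,outside), which never matches traffic that both arrives on and
# leaves via 'outside'; that traffic falls through to the dynamic PAT instead.
HUB_BEFORE = """\
same-security-traffic permit intra-interface
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
object network obj_any
 nat (inside,outside) dynamic interface
"""

# Same config after moving the spoke-to-spoke rule to (outside,outside).
HUB_AFTER = HUB_BEFORE.replace(
    "nat (inside,outside) source static obj_colo obj_colo",
    "nat (outside,outside) source static obj_colo obj_colo",
)

if __name__ == "__main__":
    for name, cfg in (("before", HUB_BEFORE), ("after", HUB_AFTER)):
        print(name, audit_hub(cfg, ["obj_lex", "obj_colo"]))
```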

  • Site to site VPN connectivity

    Just set up a site-to-site VPN between an ASA 5515-X and a 5505. The tunnel is up, but I could not ping the other site's 5505, and vice versa. Here are the tunnel status and the ASA configs. Any help or comment is appreciated. Thank you!

    ASA5515X# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

          access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 175.141.X.X

          #pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1595, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
          path mtu 1492, ipsec overhead 66(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: FC699E19
          current inbound spi : FFFCF744

        inbound esp sas:
          spi: 0xFFFCF744 (4294768452)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 462848, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/22042)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0xFC699E19 (4234780185)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 462848, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914825/22042)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5515X

    ASA Version 9.1(1)
    !
    hostname ASA5515X
    !
    interface GigabitEthernet0/0
     description TIMEFibre
     nameif outside
     security-level 0
     pppoe client vpdn group Navision
     ip address pppoe setroute
    !
    interface GigabitEthernet0/1
     description Internal LAN
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    !
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 192.168.0.10
    object network SVR001
     host 192.168.0.13
     description Hyper-V server
    object network SVR002
     host 192.168.0.12
     description SQL Server
    object network SVR003
     host 192.168.0.10
     description Domain controller
    object network SVR004
     host 192.168.0.11
     description Terminal server
    object network local
     subnet 192.168.0.0 255.255.255.0
     description MFW
    object network remote-A
     subnet 192.168.1.0 255.255.255.0
     description FWSG
    object network remote-B
     subnet 192.168.2.0 255.255.255.0
     description FWWW
    object network remote-C
     subnet 192.168.3.0 255.255.255.0
     description FWFM
    object network remote-D
     subnet 192.168.4.0 255.255.255.0
     description PGRHF
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list outside_cryptomap_10 extended permit ip object local object remote-B
    access-list inside_access_in extended permit object-group TCPUDP any any
    access-list inside_access_in extended permit icmp any4 any echo
    access-list outside_access_in extended permit object-group TCPUDP any any
    access-list inside_authentication extended permit tcp any any eq ssh
    pager lines 24
    logging enable
    logging timestamp
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static local local destination static remote-A remote-A no-proxy-arp route-lookup inactive
    nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
    !
    object network SVR001
     nat (any,outside) static interface service tcp 3389 50013
    object network SVR002
     nat (any,outside) static interface service tcp 3389 50012
    object network SVR003
     nat (any,outside) static interface service tcp 3389 50010
    object network SVR004
     nat (any,outside) static interface service tcp 3389 50011
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 211.24.199.129 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication match inside_authentication inside
    aaa authorization command LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 management
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 10 match address outside_cryptomap_10
    crypto map outside_map 10 set pfs group1
    crypto map outside_map 10 set peer 175.141.X.X
    crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 5

    SSH version 2

    Console timeout 0

    VPDN group navision request dialout pppoe

    VPDN group navision localname [email protected] / * /

    VPDN group navision ppp authentication pap

    VPDN username [email protected] / * / password * local store

    dhcpd address 192.168.0.100 - 192.168.0.200 inside

    dhcpd 192.168.0.10 dns 8.8.8.8 interface inside

    interface of victories 192.168.0.10 dhcpd inside

    dhcpd allow inside

    !

    management of 10.0.0.100 - dhcpd addresses 10.0.0.110

    enable dhcpd management

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    tunnel-group 175.141.X.X type ipsec-l2l

    IPSec-attributes tunnel-group 175.141.X.X

    IKEv1 pre-shared-key *.

    !

    ICMP-class class-map

    match default-inspection-traffic

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map icmp_policy

    icmp category

    inspect the icmp

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    service-policy icmp_policy to the inside interface

    context of prompt hostname

    (Behind a router)

    ASA5505# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200

          access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          current_peer: 211.24.X.X

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.16.10.200/4500, remote crypto endpt.: 211.24.X.X/4500

          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: FFFCF744
          current inbound spi : FC699E19

        inbound esp sas:
          spi: 0xFC699E19 (4234780185)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
             slot: 0, conn_id: 348160, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373831/22284)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xFFFCF744 (4294768452)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
             slot: 0, conn_id: 348160, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/22284)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5505

    ASA Version 8.2(5)
    !
    hostname ASA5505
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 172.16.10.200 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan2
     nameif management
     security-level 0
     ip address 10.0.0.1 255.255.255.0
     management-only
    !
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.0.0.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 211.24.X.X
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.100-192.168.2.130 inside
    dhcpd dns 192.168.2.1 8.8.8.8 interface inside
    dhcpd enable inside
    !
    dhcpd address 10.0.0.100-10.0.0.110 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 211.24.X.X type ipsec-l2l
    tunnel-group 211.24.X.X ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Update:

    Traffic to the other end is dropped by the implicit rule, but isn't there already an access list configured?

    ASA5515X# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

          access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 175.141.X.X

          #pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188
          #pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 30188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
          path mtu 1492, ipsec overhead 66(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 7D03CD30
          current inbound spi : B2B16E15

        inbound esp sas:
          spi: 0xB2B16E15 (2997972501)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 516096, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4371272/24996)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x7D03CD30 (2097401136)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 516096, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4367450/24996)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5515X# packet-tracer input inside icmp 192.168.0.1 0 8 192.168.2.1 detailed

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7fff2a320c70, priority=1, domain=permit, deny=false
            hits=3417800, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside

    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.2.1/0 to 192.168.2.1/0

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7fff2a2b5580, priority=500, domain=permit, deny=true
            hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    Hello

    I noticed that you are actually using the wrong format of the "packet-tracer" command:

    packet-tracer input inside icmp <source ip> 8 0 <destination ip>

    And regarding the outside ACL on the ASA5505: there is no need for one, since by default the ASA allows all incoming traffic from the VPN to bypass the interface ACL. I don't see a command in the configuration that would change this default behavior.

    You can issue the "packet-tracer" with the correct Type/Code as above. You had them the wrong way around in the original command.

    Could you also test the traffic between the actual hosts and not the ASAs? Although traffic between a host and the remote ASA's "inside" IP address should also work.

    Regarding the above, it seems that you have also changed the default inspection rules on the ASA5515-X, since the policy is not attached globally but to the "inside" interface. Not sure if it has an effect, but I usually don't need to change the default.

    -Jouni

  • IPsec Site to Site VPN on Wi-Fi router

    Hello!

    Can someone tell me if there is a Netgear Wi-Fi router that can form an IPsec Site to Site VPN connection between 2 Wi-Fi routers over the WAN connection?

    I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi-Fi router?

    See you soon!

    Michael

    I suspect that.

    Thank you very much for the reply.

    See you soon!

  • Site to site VPN works only on Cisco 881

    I have 2 problems with a Cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external IP address. The 2nd problem is that I have a site to site set up, but when I test the site to site I get this error:

    Tunnel traffic destination must be routed through the crypto map interface. The following destination(s) do not have a routing entry in the routing table:
    192.168.2.0

    I copied the config for this router from another working Cisco 881, where everything works. The only difference is that this router needs a site to site VPN connection.

    My question is how can I get internet on Vlan2 and how can I fix the site to site connection.

    Here's the running configuration:

    Building configuration...

    Current configuration : 12698 bytes
    !
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Cisco_881
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    logging buffered 51200 warnings
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1151531093
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1151531093
     revocation-check none
     rsakeypair TP-self-signed-1151531093
    !
    crypto pki trustpoint TP-self-signed-2011286623
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2011286623
     revocation-check none
     rsakeypair TP-self-signed-2011286623
    !
    !
    crypto pki certificate chain TP-self-signed-1151531093
     certificate self-signed 01
      quit
    crypto pki certificate chain TP-self-signed-2011286623
    no ip source-route
    !
    !
    !
    !
    !
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.5.1 192.168.5.49
    ip dhcp excluded-address 192.168.5.150 192.168.5.254
    !
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 2 0
    !
    ip dhcp pool Internet
     network 192.168.5.0 255.255.255.0
     default-router 192.168.5.254
     dns-server 64.59.135.133 64.59.128.120
     lease 6 0
    !
    !
    !
    no ip domain lookup
    ip domain name yourdomain.com
    ip name-server 64.59.135.133
    ip name-server 64.59.128.120
    ip cef
    no ipv6 cef
    !
    !
    !
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    license udi pid C881-K9 sn FTX18438503
    !
    !
    archive
     log config
      hidekeys
    username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
    username * secret 5 $1$17ST$QzJMvQnZ9Q.1y7u0rYXFa0
    username * secret 5 $1$L4W9$zBKpawZ3i5nXxwyS9H6Lf1
    !
    !
    !
    !
    !
    no ip ftp passive
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 208.98.212.xx
    !
    crypto isakmp client configuration group MPE
     key *
     pool VPN_IP_POOL
     acl 100
     include-local-lan
     max-users 10
     netmask 255.255.255.0
     banner ^CYou have entered the practive domain

    This area is reserved for control systems administrators.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Press Enter to continue to start your session.              ^C
    !
    crypto isakmp client configuration group PALL
     key *
     pool VPN_IP_POOL_PALL
     acl 101
     include-local-lan
     max-users 1
     netmask 255.255.255.0
     banner ^CYou have entered the practive domain

    This area is limited to PALL access only.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Press Enter to continue to start your session.            ^C
    crypto isakmp profile vpn_isakmp_profile
       match identity group MPE
       client authentication list default
       isakmp authorization list default
       client configuration address respond
       virtual-template 1
    crypto isakmp profile vpn_isakmp_profile_2
       match identity group PALL
       client authentication list default
       isakmp authorization list default
       client configuration address respond
       virtual-template 2
    !
    !
    crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile VPN_PROFILE_MPE
     set security-association idle-time 3600
     set transform-set VPN_TRANSFORM
     set isakmp-profile vpn_isakmp_profile
    !
    crypto ipsec profile VPN_PROFILE_PALL
     set security-association idle-time 1800
     set transform-set VPN_TRANSFORM
     set isakmp-profile vpn_isakmp_profile_2
    !
    !
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to208.98.212.xx
     set peer 208.98.212.xx
     set transform-set ESP-3DES-SHA
     match address 102
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 192.168.40.254 255.255.255.0
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 2
     no ip address
    !
    interface FastEthernet4
     ip address 208.98.213.xx 255.255.255.224
     ip access-group 111 in
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VPN_PROFILE_MPE
    !
    interface Virtual-Template2 type tunnel
     ip unnumbered Loopback0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VPN_PROFILE_PALL
    !
    interface Vlan1
     description Control network
     ip address 192.168.125.254 255.255.255.0
     ip access-group CONTROL_IN in
     ip access-group CONTROL_OUT out
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    interface Vlan2
     description Internet network
     ip address 192.168.5.254 255.255.255.0
     ip access-group INTERNET_IN in
     ip access-group INTERNET_OUT out
     ip nat inside
     ip virtual-reassembly in
    !
    ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
    ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.xx permanent
    !
    ip access-list extended CONTROL_IN
     remark Control access
     remark CCP_ACL Category=17
     permit udp any host 192.168.125.254 eq non500-isakmp
     permit udp any host 192.168.125.254 eq isakmp
     permit esp any host 192.168.125.254
     permit ahp any host 192.168.125.254
     permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VPN access
     permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
     remark VNC access
     permit tcp host 192.168.125.2 eq 25000 any
     remark Email from WIN911
     permit tcp host 192.168.125.2 any eq smtp
     remark DNS traffic
     permit udp host 192.168.125.2 host 64.59.135.133 eq domain
     permit udp host 192.168.125.2 host 64.59.128.120 eq domain
     remark Block everything else
     deny   ip any any
    ip access-list extended CONTROL_OUT
     remark Control access
     permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VPN access
     permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VNC access
     permit tcp any host 192.168.125.2 eq 25000
     remark Email from WIN911
     permit tcp any eq smtp host 192.168.125.2
     remark DNS responses
     permit udp any eq domain host 192.168.125.2
     remark Deny all other traffic
     deny   ip any any
    ip access-list extended INTERNET_IN
     remark VNC access on VLAN
     permit tcp any host 192.168.125.2 eq 25000
     remark Block all other control and VPN
     deny   ip any 192.168.125.0 0.0.0.255
     deny   ip any 192.168.40.0 0.0.0.255
     remark Allow all other traffic
     permit ip any any
    ip access-list extended INTERNET_OUT
     remark Full outbound Internet access
     permit ip any any
    ip access-list extended WAN_IN
     permit ip host 207.229.14.xx any
     remark PERMIT ESTABLISHED TCP CONNECTIONS
     permit tcp any eq smtp any established
     remark ALLOW DOMAIN CONNECTIONS
     permit udp host 64.59.135.133 eq domain any
     permit udp host 64.59.128.120 eq domain any
     remark ALLOW ICMP WARNING RETURNS
     permit icmp any any unreachable
     permit icmp any any parameter-problem
     permit icmp any any packet-too-big
     permit icmp any any administratively-prohibited
     permit icmp any any source-quench
     permit icmp any any time-exceeded
     deny   icmp any any
     permit ip any any
    !
    ip sla auto discovery
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 103
    !
    access-list 1 remark Out to WAN routing
    access-list 1 remark CCP_ACL Category=16
    access-list 1 permit 192.168.125.2
    access-list 1 permit 192.168.5.0 0.0.0.255
    access-list 23 remark SSH and HTTP access permissions
    access-list 23 permit 192.168.125.0 0.0.0.255
    access-list 23 permit 192.168.40.0 0.0.0.255
    access-list 23 permit any
    access-list 100 remark VPN traffic
    access-list 100 permit ip 192.168.125.0 0.0.0.255 any
    access-list 100 permit ip 192.168.40.0 0.0.0.255 any
    access-list 101 remark PALL VPN traffic
    access-list 101 permit ip 192.168.125.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    access-list 103 remark CCP_ACL Category=2
    access-list 103 remark IPSec Rule
    access-list 103 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    access-list 103 permit ip 192.168.5.0 0.0.0.255 any
    access-list 103 permit ip host 192.168.125.2 any
    access-list 111 remark CCP_ACL Category=17
    access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp any host 208.98.213.xx eq isakmp
    access-list 111 permit esp any host 208.98.213.xx
    access-list 111 permit ahp any host 208.98.213.xx
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
    access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
    access-list 111 permit esp host 208.92.12.xx host 208.92.13.xx
    access-list 111 permit ahp host 208.92.12.xx host 208.92.13.xx
    access-list 111 permit icmp any host 208.92.13.xx
    access-list 111 permit tcp any host 208.92.13.xx eq 25000
    access-list 111 permit tcp any host 208.92.13.xx eq 22
    access-list 111 permit tcp any host 208.92.13.xx eq telnet
    access-list 111 permit tcp any host 208.92.13.xx eq www
    !
    !
    !
    control-plane
    !
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    !
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------

    Disconnect IMMEDIATELY if you are not an authorized user
    ^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     password *
     transport input telnet ssh
     transport output all
    line vty 5 15
     access-class 160 in
     password *
     transport input all
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    !
    end

    Thank you.

    It seems that DNS is failing, because it does indeed get to the internet, but it does not work when DNS resolution is needed on the internet.

    Go ahead and try to ping 157.166.226.25, and try http://157.166.226.25/ in the browser, which is CNN.com. Let's try those. Also, just in case, configure a DNS server on your router.

    - http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...

    Disable any ZBF just in case.

    David Castro,

    Kind regards
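
    As an added example (not code from the posts above or from Cisco), this Python script parses the crypto and NAT-exemption ACLs exactly as they appear in the ASA5505/ASA5515-X thread and in the Cisco 881 thread, and checks the two properties a working site-to-site tunnel depends on: the crypto ACLs of the two peers must mirror each other, and every crypto-ACL flow must be kept out of NAT. The ACL names and addresses are the posted ones; the ASA5515X_BAD input is a constructed counter-example.

```python
# Added example: cross-check the ACLs that drive a site-to-site IPsec tunnel.
# Sample ACL lines are copied from the two posted configs; ASA5515X_BAD is constructed.
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _to_network(addr, mask, wildcard):
    """Dotted address + netmask (ASA) or + wildcard (IOS) -> IPv4Network.
    A contiguous IOS wildcard is the bitwise inverse of a netmask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_endpoint(tokens, wildcard):
    """Consume one ACE endpoint (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _to_network(tokens[0], tokens[1], wildcard), tokens[2:]


def parse_acl(config_text, name, wildcard=False):
    """Return the plain-ip ACEs of ACL `name` as [(action, src_net, dst_net)],
    in configured order. Accepts `access-list NAME [extended] permit|deny ip SRC DST`;
    ASA lines carry netmasks, IOS numbered lists carry wildcards (wildcard=True)."""
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        rest = tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[0] == "remark" or rest[1] != "ip":
            continue  # remarks and port-level ACEs do not define tunnel flows
        action, rest = rest[0], rest[2:]
        src, rest = _take_endpoint(rest, wildcard)
        dst, rest = _take_endpoint(rest, wildcard)
        aces.append((action, src, dst))
    return aces


def mirror_mismatch(local_acl, remote_acl):
    """Flows (in the local peer's orientation) that only one side permits.
    An empty list means the two crypto ACLs are exact mirrors."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}  # reversed view
    return sorted(f"{s} -> {d}" for s, d in local ^ remote)


def first_match(acl, src, dst):
    """Action of the first ACE covering src -> dst, or None (implicit deny)."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def not_exempt(crypto_acl, nat_acl, exempt_action):
    """Crypto flows that would still be translated. On ASA 8.2 a flow is exempt when
    its first `nat (inside) 0` ACL match is a permit; with an IOS
    `ip nat inside source route-map`, when its first route-map ACL match is a deny."""
    return [f"{s} -> {d}" for a, s, d in crypto_acl
            if a == "permit" and first_match(nat_acl, s, d) != exempt_action]


# ACL lines as posted for the ASA5505 (local) and the ASA5515-X (remote peer).
ASA5505 = """
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
ASA5515X = """
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Constructed counter-example (not from the page): the remote side uses a /23 by mistake.
ASA5515X_BAD = """
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.254.0
"""
# Crypto ACL 102 and NAT route-map ACL 103 as posted for the Cisco 881.
IOS881 = """
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any
"""


def check_asa_thread(remote_text=ASA5515X):
    """(mirror mismatches, flows not NAT-exempt) seen from the ASA5505 side."""
    local = parse_acl(ASA5505, "outside_1_cryptomap")
    nat0 = parse_acl(ASA5505, "inside_nat0_outbound")
    remote = parse_acl(remote_text, "outside_cryptomap_10")
    return mirror_mismatch(local, remote), not_exempt(local, nat0, "permit")


def check_ios_thread():
    """Crypto flows on the 881 that route-map ACL 103 would still hand to NAT."""
    crypto = parse_acl(IOS881, "102", wildcard=True)
    return not_exempt(crypto, parse_acl(IOS881, "103", wildcard=True), "deny")


if __name__ == "__main__":
    print("ASA thread (mismatch, not exempt):", check_asa_thread())
    print("ASA vs constructed bad mirror:", check_asa_thread(ASA5515X_BAD))
    print("881 crypto flows still NATed:", check_ios_thread())
```

    Both posted configurations pass these two checks, which is why the threads end up looking at routing and the ACL evaluated by packet-tracer rather than at the crypto ACLs themselves.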

  • RETURN to Site to Site VPN

    Hello

    I was wondering, is it possible to create a backup for my site to site VPN connection? The remote end has a Cisco router which currently has a VPN connection to an ASA 5500. How would I set up the same router to use another VPN on a different ASA 5500 should the first ASA 5500 not work? Would simply adding another peer address to the ISAKMP policy do it, or do I have to create a new crypto map, or is it just not possible?

    Thank you for your help in advance.

    On the router side, it would need a second peer defined in the isakmp policy and also in the crypto map set. You might want to set up a second instance within your existing crypto map to put in place a second tunnel that would go toward the other ASA. I have implemented a number of customer remote sites with two tunnels to provide failover capability, and two instances within the crypto map works fine.

    HTH

    Rick

  • Site to Site VPN issues

    Hello

    I have created a new site to site VPN connection and can't work out why it does not work.

    All the other site-to-site VPNs work properly. The new one, the problem, is MATCHJLS. Could anyone recommend steps to correct it?

    !
    hostname vpn
    domain-name
    enable password Pp6RUfdBBUU encrypted
    passwd ucU7iJnNlZ encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 87.117.xxx.xx 255.255.255.252
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 78.129.xxx.x 255.255.255.128
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name msiuk.com
    same-security-traffic permit inter-interface
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq 8080
     port-object eq www
     port-object eq https
    object-group service Http81 tcp
     port-object eq 81
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq 81
     port-object eq www
    object-group network DM_INLINE_NETWORK_1
     network-object host 172.19.60.52
     network-object host 172.19.60.53
     network-object host 172.19.60.68
     network-object host 172.19.60.69
     network-object host 172.19.60.84
     network-object host 172.19.60.85
     network-object host 172.19.60.86
    access-list basic extended permit icmp any any echo-reply
    access-list basic extended permit icmp any any time-exceeded
    access-list basic extended permit tcp any host 78.129.xxx.xx eq 8731
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx object-group DM_INLINE_TCP_3
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www inactive
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq https
    access-list basic extended permit tcp any host 78.129.xxx.xx eq https
    access-list basic extended permit tcp any host 78.129.xxx.xx
    access-list basic extended permit tcp host 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 object-group DM_INLINE_TCP_1
    access-list SHEEP extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
    access-list SPLITTUN standard permit 78.129.xxx.xx 255.255.255.128
    access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
    access-list allow extended permit ip any any
    access-list MATCHVPN1 extended permit ip host 78.129.xxx.xx host 212.118.157.203
    access-list MATCHVPN2 extended permit ip any 212.118.xxx.xx 255.255.255.0
    access-list SMTP-NAT extended permit tcp host 78.129.xxx.xx any eq smtp
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN4 extended permit ip host 78.129.xxx.xx host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool LOCPOOL 10.255.255.1-10.255.255.254
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 access-list SMTP-NAT
    nat (inside) 1 10.1.1.0 255.255.255.0
    nat (inside) 1 10.2.2.0 255.255.255.0
    access-group basic in interface outside
    access-group allow out interface outside
    access-group allow in interface inside
    access-group allow out interface inside
    route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
    route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
    route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
    route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
    route inside 172.20.xxx.xx 255.255.255.0 78.129.xxx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
    crypto ipsec transform-set kwset esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
    crypto map VPNPEER 1 match address MATCHJLS
    crypto map VPNPEER 1 set peer 94.128.xxx.xx
    crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map VPNPEER 10 match address MATCHVPN3
    crypto map VPNPEER 10 set peer 94.128.xxx.xx
    crypto map VPNPEER 10 set transform-set jlstransformset
    crypto map VPNPEER 10 set nat-t-disable
    crypto map VPNPEER 30 match address MATCHVPN2
    crypto map VPNPEER 30 set peer 212.118.xxx.xx
    crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map VPNPEER 30 set reverse-route
    crypto map VPNPEER 40 match address MATCHVPN4
    crypto map VPNPEER 40 set peer 94.128.xxx.xx
    crypto map VPNPEER 40 set transform-set kwset
    crypto map VPNPEER 50 match address MATCHVPN3
    crypto map VPNPEER 50 set pfs
    crypto map VPNPEER 50 set peer 94.128.xxx.xx
    crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto map VPNPEER 50 set nat-t-disable
    crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
    crypto map VPNPEER interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 3600
    crypto isakmp nat-traversal 3600
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-filter value MATCHKW
     vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy CLIENTGROUP internal
    group-policy CLIENTGROUP attributes
     dns-server value 10.1.1.10 10.1.1.2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITTUN
     default-domain value msiuk.local
    username admin password 9RG9xAvynJRd.Q encrypted privilege 15
    tunnel-group msi type remote-access
    tunnel-group msi general-attributes
     address-pool LOCPOOL
     default-group-policy CLIENTGROUP
    tunnel-group msi ipsec-attributes
     pre-shared-key *
    tunnel-group msi ppp-attributes
     authentication ms-chap-v2
    tunnel-group 212.118.xxx.xx type ipsec-l2l
    tunnel-group 212.118.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    !
    class-map ftpdefault
     match default-inspection-traffic
    class-map inspection_default
    !
    !
    policy-map global_policy
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b251877ef24a1dc161b594dc052c44
    : end


    Hello

    OK, given the above information, I would say that the L2L VPN on your side should probably be fine for the traffic you are testing with packet-tracer.

    It seems that you get no traffic back from the remote end.

    This could mean one of the following things:

    • The remote site may not allow the connection, either in their VPN device, their firewall, or the firewall of the actual server (which I doubt, since we are talking about a web service)
    • The remote site has not configured routing properly for your source IP address/network. For example, your connection attempt may reach the remote server, but the return traffic could get forwarded to the wrong place at the remote site. This is more likely when the remote end handles Internet traffic and VPN traffic on separate devices
    • The remote site has not enabled the service on the actual server (which is again unlikely, provided this isn't a service served only to you through this L2L VPN)
    • etc.

    As I said, it looks like the L2L VPN is fine. It's up and running, but you can't get traffic back over the L2L VPN, which suggests that the problem is at the remote site.

    If you go and ask the admins of the remote site about this, let us know how the thing turns out.

    If you found this information useful, please rate the answer/answers, and naturally ask more if necessary.

    -Jouni
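    One way to review a posted configuration like the one above mechanically, as an added example that is not part of this thread and not a Cisco tool: the Python below parses ASA 8.2-style `show run` lines and flags three things a reviewer would check before blaming the remote end. First, crypto map entries whose match ACL is already claimed by a lower sequence number; the ASA selects the first entry in sequence order whose ACL matches, so the later entry is never used (in the posted config, sequences 10 and 50 both match address MATCHVPN3). Second, transform sets actually referenced from a crypto map that still rely on DES, 3DES or MD5. Third, management services (ssh, http, telnet) opened to 0.0.0.0/0 on the outside interface. SAMPLE_CONFIG is a constructed excerpt shaped like the posted config; the 192.0.2.1 peer address is a placeholder, since the real peers are masked on the page.

```python
"""Lint an ASA 8.2-style 'show run' for VPN and management-plane issues.

Added example for this thread, not Cisco tooling. SAMPLE_CONFIG is a
constructed excerpt shaped like the posted config; 192.0.2.1 is a
placeholder peer address.
"""
import re
from collections import defaultdict

# Algorithms a reviewer would not accept in a transform set today.
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

SAMPLE_CONFIG = """\
access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 1 match address MATCHJLS
crypto map VPNPEER 1 set peer 192.0.2.1
crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-DES-MD5
crypto map VPNPEER 10 match address MATCHVPN3
crypto map VPNPEER 10 set peer 192.0.2.1
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 50 match address MATCHVPN3
crypto map VPNPEER 50 set peer 192.0.2.1
crypto map VPNPEER 50 set transform-set kwset
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh version 2
"""


def parse_config(text):
    """Return (transform_sets, crypto_maps, mgmt_rules) parsed from config text."""
    transform_sets = {}                                  # name -> algorithm tokens
    maps = defaultdict(lambda: defaultdict(dict))        # map -> seq -> fields
    mgmt = []                                            # (svc, ip, mask, iface)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            maps[m.group(1)][int(m.group(2))]["acl"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (.+)", line):
            maps[m.group(1)][int(m.group(2))]["peers"] = m.group(3).split()
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (.+)", line):
            maps[m.group(1)][int(m.group(2))]["transforms"] = m.group(3).split()
        elif m := re.match(r"(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", line):
            mgmt.append(m.groups())
    return transform_sets, maps, mgmt


def shadowed_entries(maps):
    """(map, seq, acl, earlier_seq) for entries whose ACL a lower seq already uses.

    Crypto map entries are evaluated in ascending sequence order and the
    first ACL match wins, so the later entry can never be selected.
    """
    findings = []
    for name, entries in maps.items():
        first_seq_for_acl = {}
        for seq in sorted(entries):
            acl = entries[seq].get("acl")
            if acl is None:
                continue
            if acl in first_seq_for_acl:
                findings.append((name, seq, acl, first_seq_for_acl[acl]))
            else:
                first_seq_for_acl[acl] = seq
    return findings


def weak_transforms_in_use(transform_sets, maps):
    """(map, seq, transform_set, weak_algs) for referenced sets using DES/3DES/MD5."""
    findings = []
    for name, entries in maps.items():
        for seq, entry in sorted(entries.items()):
            for ts in entry.get("transforms", []):
                weak = sorted(WEAK_ALGS.intersection(transform_sets.get(ts, [])))
                if weak:
                    findings.append((name, seq, ts, weak))
    return findings


def open_management(mgmt):
    """(service, interface) for management access allowed from any source on 'outside'."""
    return [(svc, iface) for svc, ip, mask, iface in mgmt
            if ip == "0.0.0.0" and mask == "0.0.0.0" and iface == "outside"]


def lint(text):
    """Run all checks over one config and return the findings by category."""
    transform_sets, maps, mgmt = parse_config(text)
    return {
        "shadowed": shadowed_entries(maps),
        "weak": weak_transforms_in_use(transform_sets, maps),
        "open_mgmt": open_management(mgmt),
    }


if __name__ == "__main__":
    for category, findings in lint(SAMPLE_CONFIG).items():
        print(category, findings)
```

    The shadowing check compares ACL names only; two different ACLs whose networks overlap shadow each other in the same way, and catching that needs a comparison of the permit lines themselves. The regexes follow the pre-8.3 syntax shown in the thread; ASA 8.3 and later changed NAT and object syntax, and a config from those releases needs the patterns adjusted.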

  • Redundancy of site to Site VPN

    Hello

    I have two ASA 5510s configured with a site-to-site tunnel. On both sides, I have set up redundant links on the ASA 5510 (two ISP links terminated), which works very well.

    Now, I need to configure the site-to-site VPN for the backup link.

    Please suggest how to configure site-to-site VPN redundancy on both sites.

    Kind regards

    Ramanantsoa

    I don't know exactly the topology of your network, but it is possible to define two peers for a site-to-site VPN connection. You can do this in the crypto map:

    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229 125.126.127.22

    The first peer is always given priority; in case it is not available, it fails over to the second.

    It will be useful.

    Kind regards

    Rohan

  • Dynamic auto-connect site to site VPN

    Hi all, I need to configure a site to site VPN (Cisco ASA and router), but the connection from the remote router must be set to auto.

    Can someone help me?

    Thank you

    Do both ends have static IP addresses, or is one on a dynamic IP?

    Please clarify what you mean by "auto".

  • Connectivity between two site to site VPN

    I have two remote sites that each connect to our main office using a site to site VPN. The remote offices have 831 routers. The main office has a PIX 515.

    One remote office is 192.168.15.X and the other is 192.168.100.X. The main office is on a 10.X.X.X network.

    Each remote office can contact the main office with no problems. However, they cannot communicate with each other at all, and I need this to work. I just want to be able to access the 192.168.100.X network from the 192.168.15.X network through the VPN tunnels that are already set up between each remote office and the main office.

    I tried to add the other network to the ACL for the tunnel, but that did not work. I feel I'm missing something simple.

    For example, the following ACL initially.

    access-list 103 remark IPSec rule

    access-list 103 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255

    I added this line to this list.

    access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255

    But that did not help.

    Thanks in advance.

    Hello

    What code are you running on the PIX? Spoke-to-spoke IPSec connectivity is supported only in version 7.0 and higher.

    Enhanced Spoke-to-Spoke VPN Support

    Version 7.0(1) enhances support for spoke-to-spoke (client-to-client) VPN communications, providing the ability for traffic to enter and exit the same interface. In addition, remote access split-tunnel connections can be terminated on the outside interface of the security appliance, enabling Internet-destined traffic from remote user VPN tunnels to leave on the same interface as it arrived (after the firewall rules have been applied).

    The same-security-traffic command permits traffic to enter and exit the same interface when it is used with the intra-interface keyword, enabling spoke-to-spoke VPN. For more information, see the "Permitting Intra-Interface Traffic" section in the Cisco Security Appliance Command Line Configuration Guide.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_70/70_rn/pix_70rn.htm#wp162358

    Example of Configuration:

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

    Let me know if it helps.

    Kind regards

    Arul

    * Please note all useful messages *.

  • VPN clients connecting to the site to site VPN

    Hi all

    I currently have my firewall's outside interface configured as the VPN termination point for both Cisco VPN clients and a site-to-site VPN. What I found is that when I connect with the VPN Client, I can't access the devices on the site-to-site VPN. I think the PIX does not allow this kind of connection, because it requires routing on the same interface. Can someone point me to some docs on CCO that can help me in this situation. Thanks in advance for your help.

    The restriction was resolved with PIX v7, and the related command is "same-security-traffic permit intra-interface".

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • AnyConnect VPN connection VPN site access to remote site

    I need our VPN users to gain access to our remote site (site to site VPN); there is no problem accessing the main site through the VPN. The site crypto maps have the VPN pool in the crypto map.

    Any ideas?

    Here is the main site (ASA5520) config, inside 192.168.50.0

    access-list crypto_vpn_remote-site extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list crypto_vpn_remote-site extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0

    Remote site (PIX 515E), inside 172.16.1.0

    access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0

    access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0

    access-list sheep permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0

    access-list sheep permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0

    VPN (AnyConnect) pool: 192.168.99.0

    On the main site, please make sure that you have 'same-security-traffic permit intra-interface' enabled.

    Also, if you have split tunneling configured, please also make sure that it includes the remote LAN (172.16.1.0/24).

    Hope that helps.
