Site to Site VPN is in place, but no traffic passes through.
Hello. I'm sure this is a lot, but I'm tearing my hair out and do not have the Cisco skills to solve this problem. I hope someone here can identify what's wrong in my setup.
Using the Cisco Configuration Professional software, I created a site-to-site VPN connection (between a Cisco 1841 and an 1811).
The tunnel seems to be up as far as the routers are concerned, but I can't ping anything on the remote networks. I thought that route maps might have had something to do with it, but I don't see what is wrong with them.
Just to let you know, the 1841 already has a working VPN tunnel to another site, in case that confuses anyone. The peers I am concerned about are 141.0.59.x and 109.238.78.x.
Thank you very much.
Hi Haydin,
You have the following:
IP extended access list redirects the port
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
Not sure why you have the entire network here with the any keyword; it is better to create static translations one by one.
Could you please remove it and give it a try?
IP extended access list redirects the port
 no permit ip 192.168.1.0 0.0.0.255 any
Thanks in advance.
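As an added example (not code from this thread or from Cisco), the following Python script applies the point the reply is making: on IOS the NAT ACL is evaluated before the crypto map, so any VPN subnet pair that is not denied in the NAT ACL gets its source translated and never matches the crypto ACL, which is exactly the "tunnel up, nothing passes" symptom. The first NAT ACL below is the one quoted in the reply; the ACL names (NAT-ACL, VPN-TRAFFIC) and the second remote subnet 192.168.2.0/24 are constructed for illustration.

```python
"""
Check an IOS router's NAT ACL against its crypto-map (VPN) ACL.

Inside-to-outside NAT runs before the crypto map is consulted, so a flow
the NAT ACL *permits* is translated and then no longer matches the crypto
ACL: the IPsec SAs come up, but the traffic never enters the tunnel.
Each VPN subnet pair therefore needs a 'deny' above the 'permit ... any'.

Added example, not code from the thread. ACL names and the 192.168.2.0/24
crypto entry are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def _wildcard_to_net(addr: str, wildcard: str) -> IPv4Net:
    """IOS writes 'address wildcard'; invert the wildcard to get a netmask.
    Non-contiguous wildcards (valid IOS, e.g. 0.0.255.0) are not a prefix,
    so ipaddress raises ValueError for them rather than guessing."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return IPv4Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the 'permit ip' / 'deny ip' lines of an extended IOS ACL.
    The 'ip access-list extended NAME' header, '!' and 'remark' lines are
    skipped; optional leading sequence numbers are dropped."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {raw.strip()}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Top-down first match, as the router evaluates it; None = implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def _sample_host(net: IPv4Net) -> str:
    """A representative host inside the network (first usable address)."""
    return str(net.network_address + (1 if net.prefixlen < 31 else 0))


def nat_conflicts(nat_acl: List[Ace], crypto_acl: List[Ace]) -> List[str]:
    """One line per crypto-ACL flow that the NAT ACL would translate."""
    problems = []
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        hit = first_match(nat_acl, _sample_host(ace.src), _sample_host(ace.dst))
        if hit is not None and hit.action == "permit":
            problems.append(f"VPN flow {ace.src} -> {ace.dst} is NATed by "
                            f"'{hit.action} ip {hit.src} {hit.dst}'")
    return problems


# NAT ACL as quoted in the reply (NAT-ACL is a placeholder name).
NAT_ACL_AS_POSTED = """
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed crypto ACL: the 192.168.3.0/24 site plus a hypothetical
# second remote subnet that nobody exempted from NAT.
CRYPTO_ACL = """
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Corrected NAT ACL: every VPN subnet pair is denied before the catch-all.
NAT_ACL_FIXED = """
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    crypto = parse_acl(CRYPTO_ACL)
    for label, text in (("as posted", NAT_ACL_AS_POSTED), ("fixed", NAT_ACL_FIXED)):
        issues = nat_conflicts(parse_acl(text), crypto)
        print(f"NAT ACL {label}: {len(issues)} conflicting flow(s)")
        for line in issues:
            print("  " + line)
```

Run as a script, the as-posted NAT ACL is flagged for the constructed 192.168.2.0/24 flow (its first match is the `permit ... any` line) while the 192.168.3.0/24 flow from the thread is fine because its `deny` sits above the catch-all; the corrected ACL reports nothing. The ASA configurations further down this page solve the same ordering problem with `nat (inside) 0 access-list` on 8.2 and identity twice-NAT (`nat (Inside,Outside) source static X X destination static Y Y`) on 8.4.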
Tags: Cisco Security
Similar Questions
S2S VPN Asa 5510 to 5505 no traffic passing (hair Pulling)
I have a site-to-site VPN configured between a 5505 and an ASA 5510. The tunnel is up, but it cannot pass any traffic in either direction. The 5510 runs 8.4.3 while the 5505 runs 8.2. I find version 8.2 the less confusing when configuring the VPN; the new NAT on the 5510 throws me for a loop. I have one tunnel up and running already and it works fine, but when I bring a new one online it won't pass any traffic.
The traffic I'm EFS is 5510 (192.168.180.0/24, 172.25.11.0/24) <-------> 5505 (192.168.197.0/24). Many thanks in advance!
Here's the configs for the two.
Main site (5510):
ASA Version 8.4(3)
!
hostname ASA5510
domain-name fphc.us
enable password dmbm8Lq9pBST.0kk encrypted
passwd dmbm8Lq9pBST.0kk encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.130 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.180.253 255.255.254.0
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.180.231
 name-server 192.168.180.232
 name-server 192.168.180.233
 domain-name fphc.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.180.0
 subnet 192.168.180.0 255.255.254.0
object network obj-192.168.188.0
 subnet 192.168.188.0 255.255.255.0
object network obj-216.86.7.128
 subnet x.x.x.128 255.255.255.240
object network Mobile_Unit
 subnet 192.168.193.0 255.255.255.0
object network obj-172.27.0.0
 subnet 172.27.0.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-172.25.11.0
 subnet 172.25.11.0 255.255.255.0
object network obj-172.35.0.0
 subnet 172.35.0.0 255.255.254.0
object network SpamBox_1
 host 192.168.180.244
object network SpamBox_2
 host 192.168.180.248
object network Exchange
 host 192.168.180.235
object network PMG
 subnet 192.168.178.0 255.255.255.0
object network Outside_Gateway
 host x.x.x.129
object network AHCCN
 subnet 172.35.0.0 255.255.254.0
object network MM
 subnet 10.90.254.0 255.255.255.0
object network NETWORK_OBJ_172.27.0.0_25
 subnet 172.27.0.0 255.255.255.128
object network NETWORK_OBJ_172.27.0.0_26
 subnet 172.27.0.0 255.255.255.192
object network obj-172.35.1.199
 host 172.35.1.199
object network obj-192.168.51.5
 host 192.168.51.5
object service 6004
 service udp destination eq 6004
object network AT_Remote
 subnet 192.168.197.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp-udp destination eq domain
 service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_2
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_3
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_16
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object source-quench
object-group network DM_INLINE_NETWORK_5
 network-object object AHCCN
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object tcp destination eq ssh
 service-object icmp echo
 service-object icmp echo-reply
 service-object udp destination eq ntp
 service-object udp destination eq time
object-group service DM_INLINE_SERVICE_6
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object tcp destination eq ssh
 service-object icmp echo
 service-object icmp echo-reply
 service-object udp destination eq ntp
 service-object udp destination eq time
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
 service-object tcp-udp destination eq domain
 service-object object 6004
object-group network DM_INLINE_NETWORK_7
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_8
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group service DM_INLINE_SERVICE_7
 service-object tcp-udp destination eq domain
 service-object object 6004
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
object-group network DM_INLINE_NETWORK_10
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group network DM_INLINE_NETWORK_9
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_11
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_13
 network-object object AHCCN
 network-object object obj-172.25.11.0
object-group network DM_INLINE_NETWORK_14
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_12
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_8
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object udp destination eq ntp
object-group service Exchange-6001 udp
 port-object range 6001 6004
object-group network DM_INLINE_NETWORK_15
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_10
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_9
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp-udp destination eq domain
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_18
 network-object object AHCCN
 network-object object obj-172.25.11.0
object-group network DM_INLINE_NETWORK_19
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_20
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_17
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0
access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object AT_Remote object-group DM_INLINE_NETWORK_15
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list Outside_access_in extended permit ip object Mobile_Unit object-group DM_INLINE_NETWORK_12 log debugging
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2
access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Outside_access_in extended deny ip 127.0.0.0 255.255.255.0 any log
access-list Outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any log
access-list Outside_access_in extended deny ip 169.254.0.0 255.255.0.0 any log
access-list Outside_access_in extended deny ip 224.0.0.0 255.0.0.0 any log
access-list Outside_access_in extended deny ip 239.0.0.0 255.0.0.0 any log
access-list Outside_access_in extended deny ip 173.0.0.0 255.0.0.0 any log debugging
access-list Outside_access_in extended deny ip 224.0.0.0 255.255.255.31 any
access-list Outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list Outside_access_in extended deny ip any any
access-list global_mpc extended permit ip any any
access-list global_access extended permit udp object obj-172.35.1.199 any eq snmp log disable
access-list global_access extended permit ip object obj-172.27.0.0 any
access-list splitTunnelAcl standard permit 192.168.180.0 255.255.254.0
access-list splitTunnelAcl standard permit 172.35.0.0 255.255.254.0
access-list splitTunnelAcl standard permit 172.25.11.0 255.255.255.0
access-list splitTunnelAcl standard permit 10.90.254.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip object PMG object-group DM_INLINE_NETWORK_13
access-list Inside_access_in extended permit ip object obj_any any
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Exchange any log
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object SpamBox_1 any log
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object SpamBox_2 any log
access-list Inside_access_in extended deny ip any any
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_17 object AT_Remote
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_18 object PMG log
access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_3 object Mobile_Unit
pager lines 24
logging enable
logging timestamp
logging emblem
logging rate-limit unlimited level 1
logging rate-limit unlimited level 6
logging rate-limit unlimited level 7
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0
ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm history enable
arp timeout 14400
nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp
nat (Inside,Outside) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Mobile_Unit Mobile_Unit no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
!
object network obj_any
 nat (Inside,Outside) dynamic interface
object network SpamBox_1
 nat (Inside,Outside) static x.x.x.132
object network SpamBox_2
 nat (Inside,Outside) static x.x.x.133
object network Exchange
 nat (Inside,Outside) static x.x.x.131 dns
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route Inside 10.90.254.0 255.255.255.0 192.168.180.1 1
route Inside 172.16.200.0 255.255.255.0 192.168.180.200 1
route Inside 172.25.10.0 255.255.255.0 192.168.180.200 1
route Inside 172.25.11.0 255.255.255.0 192.168.180.200 1
route Inside 172.25.12.0 255.255.255.0 192.168.180.200 1
route Inside 172.27.0.0 255.255.255.0 192.168.180.200 1
route Inside 172.29.0.0 255.255.0.0 192.168.180.200 1
route Inside 172.35.0.0 255.255.254.0 192.168.180.200 1
route Inside 192.168.182.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.183.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.184.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.185.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.186.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.187.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.189.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.190.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.191.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.192.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.194.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.195.0 255.255.255.0 192.168.180.200 1
route Inside 192.168.196.0 255.255.255.0 192.168.180.200 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC's protocol radius
 max-failed-attempts 5
aaa-server DC's (Inside) host 192.168.180.231
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.180.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Inside
http 172.27.0.0 255.255.255.0 Outside
http 172.27.0.0 255.255.255.0 Inside
snmp-server group Authentication&Encryption v3 priv
snmp-server user trap Authentication&Encryption v3 encrypted auth md5 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78 priv 3des 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78:08:c6:ef:b2:7e:89:45:f2:6f:78:b5:01:33:47:68:c9
snmp-server host Inside 172.35.1.199 community ***** version 2c
snmp-server host Inside 192.168.180.7 community ***** version 2c
snmp-server location MLK
snmp-server contact xxxxxxxx
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start
no sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 43200
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 173.10.204.46
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map 1 set ikev2 pre-shared-key *****
crypto map Outside_map 1 set security-association lifetime seconds 460800
crypto map Outside_map 4 match address Outside_cryptomap_1
crypto map Outside_map 4 set peer 207.190.237.254
crypto map Outside_map 4 set ikev1 phase1-mode aggressive group5
crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
crypto map Outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map 4 set security-association lifetime seconds 460800
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 1 match address Outside_cryptomap_2
crypto map outside_map 1 set peer x.x.x.201
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address Outside_cryptomap
crypto map outside_map 2 set peer x.x.x.254
crypto map outside_map 2 set ikev1 phase1-mode aggressive group5
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address Outside_cryptomap_4
crypto map outside_map 3 set peer x.x.216.130
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=FPHC-ASA
 serial-number
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
  308201ff 30820168 a0030201 02020101 300d0609 2a864886 f70d0101 05050030 13311130 0f060355 04031308 46504843 2d415341 301e170d 31323039 32303232 34393034 5a170d31 35303932 30323234 3930345a 30133111 300f0603 55040313 08465048 432d4153 4130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100e841 eeca425c 20c47a19 3b335924 30281111 cff571d7 0bb63dd8 5f3194f5 59d99cb1 60269694 aa13c591 505e0575 2de5ebb1 92d7c931 807f807b 6e84ee54 1da4ccaf 1f109f53 94c6e567 a8064e27 e27f3ea0 94f7bf32 2fe6064c c2bbcd0d 7b0f8806 8614fcf9 80c6e4e1 83da75c5 080c7117 09e1d574 f17de8ac 1da4f2f9 f6e10203 010001a3 63306130 0f060355 1d130101 ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680 144cb3da 6b6a5a14 c4b78674 49609b6b 8e58ea5f a3301d06 03551d0e 04160414 4cb3da6b 6a5a14c4 b7867449 609b6b8e 58ea5fa3 300d0609 2a864886 f70d0101 05050003 818100e0 7c9e15c3 13068614 788ff4d3 f282a4f4 fde72b00 3b05748f 0a4f68ec 6a7eb5fb 40c6d505 b1c35372 87102173 bb017e4b 2697c8f5 b66395f2 1418c77c 3e959343 84674b96 33558a08 629336c8 39c742bf 6b727b00 388a7102 8619cb5a e4227aaf b58e267c 9e8b23d6 94cdc789 eb29cd96 1e579770 a2aa58ab 40694bb9 12888d
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate bd555b50
  308201f7 30820160 a0030201 020204bd 555b5030 0d06092a 864886f7 0d010105 05003040 3111300f 06035504 03130846 5048432d 41534131 2b301206 03550405 130b4a4d 58313632 33583130 51301506 092a8648 86f70d01 09021608 46504843 2d415341 301e170d 31323039 32303232 35383434 5a170d32 32303931 38323235 3834345a 30403111 300f0603 55040313 08465048 432d4153 41312b30 12060355 0405130b 4a4d5831 36323358 31305130 1506092a 864886f7 0d010902 16084650 48432d41 53413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e8 41eeca42 5c20c47a 193b3359 24302811 11cff571 d70bb63d d85f3194 f559d99c b1602696 94aa13c5 91505e05 752de5eb b192d7c9 31807f80 7b6e84ee 541da4cc af1f109f 5394c6e5 67a8064e 27e27f3e a094f7bf 322fe606 4cc2bbcd 0d7b0f88 068614fc f980c6e4 e183da75 c5080c71 1709e1d5 74f17de8 ac1da4f2 f9f6e102 03010001 300d0609 2a864886 f70d0101 05050003 8181008b c7a3e119 f1c6f60c 56ab7fd4 5096cfdf abb44331 fe3a0249 7f5fe79b 38a044c2 9a8b907d 12feba5d 6298a414 c4973369 040585b8 26b8b29e dfe7e226 0b10d08e 03658648 2fb0233e 27204339 c5a1c270 a0fec5b4 834340ac 9afefe75 4f802cb6 fb21b89c 9016e32c 2e772c00 191d23e0 036c4321 93a43b48 a6b682af 5dd5c0
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 enable management
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.180.0 255.255.255.0 Inside
telnet 172.27.0.0 255.255.255.0 Inside
telnet timeout 10
ssh 192.168.180.0 255.255.255.0 Inside
ssh 172.27.0.0 255.255.255.0 Inside
ssh timeout 20
console timeout 0
management-access Inside
vpn load-balancing
 interface lbpublic Outside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 50.77.217.185 source Outside prefer
ntp server 216.171.120.36 source Outside
webvpn
group-policy "S2S-RA-Group Policy" internal
group-policy "S2S-RA-Group Policy" attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy DfltGrpPolicy attributes
 vpn-filter value Inside_nat0_outbound
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_x.x.x.46 internal
group-policy GroupPolicy_x.x.x.46 attributes
 vpn-filter value Outside_1_cryptomap
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_x.x.x.254 internal
group-policy GroupPolicy_x.x.x.254 attributes
 vpn-filter value Outside_cryptomap_1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_x.x.x.201 internal
group-policy GroupPolicy_x.x.x.201 attributes
 vpn-filter value Outside_cryptomap_2
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_x.x.216.130 internal
group-policy GroupPolicy_x.x.216.130 attributes
 vpn-tunnel-protocol ikev1
group-policy VPN-GROUP2 internal
group-policy VPN-GROUP2 attributes
 dns-server value 192.168.180.231 192.168.180.232
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
 default-domain value fphc.us
group-policy VPN-GROUP internal
group-policy VPN-GROUP attributes
 dns-server value 192.168.180.231 192.168.180.232
 vpn-filter value splitTunnelAcl
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
 default-domain value fphc.us
username mark password YTp0IwzeNwb5kS8J encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 default-group-policy VPN-GROUP
tunnel-group x.x.x.46 type ipsec-l2l
tunnel-group x.x.x.46 general-attributes
 default-group-policy GroupPolicy_x.x.x.46
tunnel-group x.x.x.46 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group x.x.x.201 type ipsec-l2l
tunnel-group x.x.x.201 general-attributes
 default-group-policy GroupPolicy_x.x.x.201
tunnel-group x.x.x.201 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group VPN-GROUP type remote-access
tunnel-group VPN-GROUP general-attributes
 address-pool Client_Pool
 authentication-server-group DC's
 default-group-policy VPN-GROUP
tunnel-group VPN-GROUP ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group x.x.x.254 type ipsec-l2l
tunnel-group x.x.x.254 general-attributes
 default-group-policy GroupPolicy_x.x.x.254
tunnel-group x.x.x.254 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-GROUP2 type remote-access
tunnel-group VPN-GROUP2 general-attributes
 address-pool RA_POOL
 authentication-server-group DC's
 default-group-policy VPN-GROUP2
tunnel-group VPN-GROUP2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group x.x.x.130 type ipsec-l2l
tunnel-group x.x.x.130 general-attributes
 default-group-policy GroupPolicy_x.x.x.130
tunnel-group x.x.x.130 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group PMG type ipsec-l2l
tunnel-group PMG general-attributes
 default-group-policy GroupPolicy_x.x.x.254
tunnel-group PMG ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map http_https
 description http_https
 match access-list Outside_access_in
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  user-statistics accounting
policy-map http_https
 class http_https
  set connection timeout idle 1:15:00 reset
  user-statistics accounting
!
service-policy global_policy global
service-policy http_https interface Outside
smtp-server 192.168.180.235
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fcb4c2d9a982c11054c31ee4db778012
: end
Remote site (5505):
ASA Version 8.2(5)
!
hostname AT-Remote
domain-name fphc.us
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.35.0.0 AHCCN
name 172.25.11.0 AHCCN-1
name 192.168.180.0 FPHC
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,30
 switchport trunk native vlan 1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.197.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.201 255.255.255.252
!
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.68.162
 name-server 68.87.74.162
 domain-name fphc.us
dns server-group DNS_Internal
 name-server 192.168.180.231
 name-server 192.168.180.232
 domain-name fphc.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
object-group network 172.25.11.0
object-group network 172.35.0.0
object-group network 192.168.180.0
object-group network ASA-FW
object-group network Comcast_Outside
object-group network AT_Local
object-group network NETWORK_OBJ_192.168.197.0_24
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
object-group network obj_remote
object-group network Franklin_Remote
 network-object AHCCN-1 255.255.255.0
 network-object AHCCN 255.255.254.0
 network-object FPHC 255.255.254.0
access-list outside_access_in extended permit ip object-group Franklin_Remote 192.168.197.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log debugging
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit icmp any any echo log
access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
access-list inside_nat_outbound extended permit ip any interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.197.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 216.86.7.130
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b 30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420 68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329 3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365 63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597 a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10 9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc 7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b 15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845 63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced 4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f 81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201 db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101 ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8 45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406 03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973 69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969 6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973 69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30 1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603 551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609 2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a 6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc 481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16 b62b8214 0a945cf2 50ecafce ff62370d
ad65d306 4153ed02 14c8b558 28a1ace0 5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8 6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 6c2527b9 deb78458 c61f381e a4c4cb66 quit crypto isakmp enable outside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 inside telnet x.x.x.130 255.255.255.255 outside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.197.25-192.168.197.100 inside dhcpd dns 192.168.180.232 68.87.74.162 interface inside dhcpd domain fphc.us interface inside dhcpd enable 
inside ! dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics host threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes vpn-filter value outside_1_cryptomap group-policy GroupPolicy_216.86.7.130 internal group-policy GroupPolicy_216.86.7.130 attributes vpn-filter value inside_nat0_outbound vpn-tunnel-protocol IPSec l2tp-ipsec tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_216.86.7.130 tunnel-group x.x.x.130 ipsec-attributes pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect dns ! service-policy global_policy global prompt hostname context : end
Hello
The drop reason suggests that the ASA still has the VPN filter attached to the L2L VPN configuration, which is blocking the traffic.
Check the configuration and remove at least the VPN filter temporarily for testing purposes.
-Jouni
-
Remote VPN on 2801 upward but no traffic
I decided to set up a remote VPN on a 2801 router. After some time I got my VPN tunnel up, state QM_IDLE, but all traffic from the VPN client is bypassed or ignored, so I can't access my internal network via the VPN tunnel. Can you please help?
Ahhhhhhhhhhhhhhhhhhh, now I know. First of all, if it is a mobile broadband card, it is not supported by the VPN client.
Now we have a workaround: set up your 3G as a modem connection and boom, it should start working.
Kind regards
Rebecca
-
Tunnel established but no traffic passing on the Site 2 Site VPN
I have a Cisco 2900 series router building a site-to-site VPN tunnel to an ASA 5510. The tunnel comes up fine, but I can't get traffic through it. I have read several other posts and tried a lot of suggestions (probably breaking things in the process). I don't know if my NAT is all messed up or if my access lists on the router are goofy. Any help is greatly appreciated.
THE ASA CONFIG:
ASA Version 8.4(4)1
!
hostname test-fw
domain-name ficticious.local
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.*
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/2
nameif DMZ-TNS
security-level 10
ip address 192.168.31.1 255.255.255.0
interface Ethernet0/3
nameif DMZ-SMTP
security-level 9
ip address 192.168.32.1 255.255.255.0
!
interface Management0/0
nameif cradelpoint
security-level 1
ip address 192.168.254.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ficticious.local
object network obj-172.16.3.2
host 172.16.3.2
object network obj-172.16.7.2
host 172.16.7.2
object network obj-172.16.10.2
host 172.16.10.2
object network obj-172.16.13.2
host 172.16.13.2
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
object network obj-192.168.13.0
subnet 192.168.13.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.16.0
subnet 192.168.16.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-192.168.32.10
host 192.168.32.10
object network NETWORK_OBJ_192.168.20.0
host 192.168.20.0
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0
host 192.168.3.0
object network NETWORK_OBJ_192.168.3.144_28
subnet 192.168.3.144 255.255.255.240
object network obj-192.168.50.11
object network obj-192.168.30.10
host 192.168.30.10
object network obj-192.168.40.10
host 192.168.40.10
object network obj-192.168.70.10
host 192.168.70.10
object network obj-192.168.150.10
host 192.168.150.10
object network obj-192.168.160.10
host 192.168.160.10
object network obj-10.10.10.10
host 10.10.10.10
object network obj-192.168.120.10
host 192.168.120.10
access-list Out-In extended deny ip any any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console informational
logging monitor informational
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ-TNS 1500
mtu DMZ-SMTP 1500
mtu cradelpoint 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
icmp deny any DMZ-TNS
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.144_28 NETWORK_OBJ_192.168.3.144_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
!
object network obj-172.16.3.2
nat (inside,outside) dynamic interface
object network obj-172.16.7.2
nat (inside,outside) dynamic interface
object network obj-172.16.10.2
nat (inside,outside) dynamic interface
object network obj-172.16.13.2
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.4.0
nat (inside,outside) dynamic interface
object network obj-192.168.5.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.7.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
object network obj-192.168.9.0
nat (inside,outside) dynamic interface
object network obj-192.168.10.0
nat (inside,outside) dynamic interface
object network obj-192.168.12.0
nat (inside,outside) dynamic interface
object network obj-192.168.13.0
nat (inside,outside) dynamic interface
object network obj-192.168.15.0
nat (inside,outside) dynamic interface
object network obj-192.168.16.0
nat (inside,outside) dynamic interface
object network obj-10.1.0.0
nat (inside,outside) dynamic interface
object network obj-192.168.32.10
nat (DMZ-SMTP,outside) static 12.200.89.172
object network obj-192.168.50.11
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 10.1.0.0 255.255.0.0 192.168.3.1 1
route inside 10.10.0.0 255.255.0.0 192.168.3.1 1
route inside 10.200.0.0 255.255.0.0 192.168.3.1 1
route inside 172.16.3.2 255.255.255.255 192.168.3.1 1
route inside 172.16.7.2 255.255.255.255 192.168.3.1 1
route inside 172.16.10.2 255.255.255.255 192.168.3.1 1
route inside 172.16.13.2 255.255.255.255 192.168.3.1 1
route inside 192.168.4.0 255.255.255.0 192.168.3.1 1
route inside 192.168.5.0 255.255.255.0 192.168.3.1 1
route inside 192.168.6.0 255.255.255.0 192.168.3.1 1
route inside 192.168.7.0 255.255.255.0 192.168.3.1 1
route inside 192.168.8.0 255.255.255.0 192.168.3.1 1
route inside 192.168.9.0 255.255.255.0 192.168.3.1 1
route inside 192.168.10.0 255.255.255.0 192.168.3.1 1
route inside 192.168.12.0 255.255.255.0 192.168.3.1 1
route inside 192.168.13.0 255.255.255.0 192.168.3.1 1
route inside 192.168.15.0 255.255.255.0 192.168.3.1 1
route inside 192.168.16.0 255.255.255.0 192.168.3.1 1
route outside 192.168.20.0 255.255.255.0 *.*.*.* 1
route inside 192.168.30.0 255.255.255.0 192.168.3.1 1
route inside 192.168.40.0 255.255.255.0 192.168.3.1 1
route inside 192.168.50.0 255.255.255.0 192.168.3.1 1
route inside 192.168.70.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.120.0 255.255.255.0 192.168.3.1 1
route inside 192.168.150.0 255.255.255.0 192.168.3.1 1
route inside 192.168.160.0 255.255.255.0 192.168.3.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set cradelpoint_vpn
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.2.13 prefer
ssl trust-point ASDM_TrustPoint0 outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *
!
class-map IPSclass
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPSpolicy
class IPSclass
IPS inline help
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
Router config:
Current configuration: 2605 bytes
!
! Last configuration change at 18:39:30 UTC Tue Aug 7 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable password bonnefin
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 192.168.100.1
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
redundancy
crypto isakmp policy 2
authentication pre-share
crypto isakmp key 6 IBETYOUCANTGUESS address *.*.*.*
!
!
crypto ipsec transform-set cradelpoint_vpn esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *.*.*.*
set peer *.*.*.*
set transform-set cradelpoint_vpn
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
no cdp enable
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
no cdp enable
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list sheep interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 192.168.3.0 255.255.255.0 192.168.3.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
route-map sheep permit 10
match ip address 110
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
Ahh, looks like the CradelPoint router could be dropping the ESP packets. As we can see, the router is encrypting the packets, but the ASA receives/decrypts nothing, which means they do not even reach the ASA.
Enable NAT-T, so ESP is encapsulated in UDP/4500.
On the ASA:
crypto isakmp nat-traversal 30
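As an added example (not code from any post in this thread), here is a small Python linter that reads an ASA 8.2-style configuration and reports the three "tunnel up, no traffic" causes raised above: a vpn-filter still attached to the group-policy the L2L tunnel-group uses (Jouni's point in the first question), interesting traffic in the crypto-map ACL with no mirror in the nat 0 exemption ACL, and NAT-T not enabled (the fix just given). SAMPLE_CONFIG is constructed from the 5505 config posted in the first question, abridged to the relevant lines; FIXED_CONFIG is the same config with the vpn-filter removed and NAT-T switched on.

```python
"""Lint an ASA 8.2-style L2L VPN config for 'tunnel up, no traffic' causes.
Added example; SAMPLE_CONFIG is constructed from the 5505 config in this thread (abridged)."""
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 216.86.7.130
group-policy GroupPolicy_216.86.7.130 internal
group-policy GroupPolicy_216.86.7.130 attributes
 vpn-filter value inside_nat0_outbound
tunnel-group 216.86.7.130 type ipsec-l2l
tunnel-group 216.86.7.130 general-attributes
 default-group-policy GroupPolicy_216.86.7.130
"""

# Same config with the vpn-filter removed and NAT-T enabled (the two fixes suggested in the thread).
FIXED_CONFIG = (SAMPLE_CONFIG.replace(" vpn-filter value inside_nat0_outbound\n", "")
                + "crypto isakmp nat-traversal 30\n")


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', 'object-group G' or 'A MASK'."""
    if not tokens:
        return None, []
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]       # keyword + name, or address + mask


def ace_flow(ace):
    """'extended permit ip SRC DST ...' -> (SRC, DST); None for deny or non-ip entries."""
    t = ace.split()
    if t[:3] != ["extended", "permit", "ip"]:
        return None
    src, rest = _take_addr(t[3:])
    dst, _ = _take_addr(rest)
    return (src, dst) if src and dst else None


def parse_asa(text):
    """Extract only what the L2L checks need; indented lines are sub-commands of the last top-level line."""
    cfg = {"acl": defaultdict(list), "nat0": set(), "cryptomap": {},
           "vpn_filter": {}, "tg_policy": {}, "nat_t": False}
    parent = ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] == " ":
            p, c = parent.split(), line.split()
            if p and p[0] == "group-policy" and p[-1] == "attributes" and c[:2] == ["vpn-filter", "value"]:
                cfg["vpn_filter"][p[1]] = c[2]
            elif p and p[0] == "tunnel-group" and p[-1] == "general-attributes" and c[0] == "default-group-policy":
                cfg["tg_policy"][p[1]] = c[1]
            continue
        parent, t = line, line.split()
        if t[0] == "access-list":
            cfg["acl"][t[1]].append(" ".join(t[2:]))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"].add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["cryptomap"][(t[2], t[3])] = t[6]
        elif t[0] == "tunnel-group" and t[-1] == "ipsec-l2l":
            cfg["tg_policy"].setdefault(t[1], "DfltGrpPolicy")   # inherited unless overridden
        elif t[:3] == ["crypto", "isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
    return cfg


def lint_l2l(text):
    """Return human-readable findings; an empty list means none of the three causes apply."""
    cfg = parse_asa(text)
    findings = []
    # 1. A vpn-filter on the policy the L2L tunnel-group uses silently drops tunnel traffic.
    for peer, gp in cfg["tg_policy"].items():
        if gp in cfg["vpn_filter"]:
            findings.append(f"peer {peer}: group-policy {gp} has vpn-filter {cfg['vpn_filter'][gp]}")
    # 2. Every permit in the crypto ACL needs a nat 0 mirror, or the traffic is NATed before encryption.
    exempt = set()
    for name in cfg["nat0"]:
        exempt.update(f for f in map(ace_flow, cfg["acl"][name]) if f)
    for (cmap, seq), acl in cfg["cryptomap"].items():
        flows = [f for f in map(ace_flow, cfg["acl"][acl]) if f]
        if not flows:
            findings.append(f"{cmap} {seq}: crypto ACL {acl} has no permit ip entries")
        for src, dst in flows:
            if (src, dst) not in exempt:
                findings.append(f"{cmap} {seq}: {src} -> {dst} is not NAT-exempt")
    # 3. Without NAT-T, ESP cannot cross a NAT device between the peers.
    if not cfg["nat_t"]:
        findings.append("crypto isakmp nat-traversal is not enabled")
    return findings


if __name__ == "__main__":
    for finding in lint_l2l(SAMPLE_CONFIG):
        print("FINDING:", finding)
```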
-
Site to site VPN, can ping router but not customers
I set up a site-to-site VPN between an ASA5505 (corporate) and an 871W router (remote). The tunnel is up, and I can ping anything on the corporate network from the remote network. However, going from corporate to remote, I am only able to ping the router, but none of the clients connected behind it. The IP address of the router is on the same subnet as the rest of the hosts (192.168.1.0/24). I looked at the logs on the ASA5505 and it seems to be passing the traffic fine, so the problem seems to sit on the 871. To reinforce this, I can actually bring the tunnel up from the corporate network by pinging one of those clients (even if the ping itself fails).
I'll be happy to provide any additional information necessary. Thank you.
Hey Marshall.
Can you confirm for me that there is no firewall on the clients that might be blocking pings? From the problem description you provided, it seems that as long as the clients initiate the ping it is successful, but the reverse is not true. This seems to indicate that something on the clients may be blocking traffic. Also, since you say that you are able to ping the router with an IP address in the same subnet as the clients, it further strengthens my conviction that the issue could be with the clients.
Kind regards
ATRI.
-
VPN Tunnel to the TOP but no traffic passing (PIX515)
I am setting up remote access for off-site engineers to my network (using the Cisco VPN client). I use a PIX 515E, software version 7.0(3)20, as the VPN server. I can establish a tunnel, but I can't access network resources. I can ping the external interface of the PIX. This is my setup: internet-router-pix-dmz (server farm). Please find attached my config. Thanks in advance.
After a glance at your config, it seems that the IP pool assigned to the clients behind the outside interface lives behind the DMZ. I don't think that will work.
In addition, the split-tunnel policy seems to be backwards. I'm sure you intend to send traffic FROM the IP pool to 196.26.12.64/26; your split ACL is the opposite.
In addition, your routing table does not contain a route for the 196 network, so the firewall will use the default route to the outside. If this is intentional, the clients and the destination are both on the outside, which is considered hairpin traffic. This is allowed on the ASA only with the same-security-traffic setting configured.
-
877W customer VPN to the top, but no traffic
Hi Cisco gurus,
Please help me solve the VPN client traffic problem. I am able to connect to the Cisco, but fail to reach the network, except for the router itself.
I also want to block all P2P traffic except 1 IP 192.168.10.7.
Thank you
Here is the output of "show crypto ipsec sa":
interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.251/255.255.255.255/0/0)
   current_peer b.b.b.b port 56604
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0x66870874(1720125556)

     inbound esp sas:
      spi: 0xBDA0E6DE(3181438686)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 369, flow_id: Motorola SEC 1.0:369, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543855/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66870874(1720125556)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 370, flow_id: Motorola SEC 1.0:370, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543859/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
And the config of the router:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network local_auth if-authenticated
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1933852417
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1933852417
revocation-check none
rsakeypair TP-self-signed-1933852417
!
!
crypto pki certificate chain TP-self-signed-1933852417
certificate self-signed 01
quit smoking
dot11 syslog
!
dot11 WIFI ssid
open authentication
authentication wpa key management
Comments-mode
ascii secret 7 WPA - psk
!
no ip source route
IP cef
!
!
!
!
no ip bootp Server
no ip domain search
IP domain name of domain
Server dhcp IP 192.168.10.10
!
Authenticated MultiLink bundle-name Panel
VPDN enable
!
VPDN-Group 1
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
receive window 256-tunnel L2TP
!
aes encryption password
!
!
username admin privilege 15 very secret 5 secret
username privilege 15 7 n1ck passes
!
!
crypto ISAKMP policy 1
preshared authentication
!
crypto ISAKMP policy 2
preshared authentication
!
crypto ISAKMP policy 3
preshared authentication
!
crypto ISAKMP policy 4
BA 3des
md5 hash
preshared authentication
Group 2
life 3600
crypto ISAKMP key 6 key address c.c.c.c
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto nat keepalive 10
!
Configuration group customer isakmp crypto EasyVPN
key 6 key
DNS 192.168.10.10
domain domain
pool SDM_POOL_1
ACL 100
Save-password
include-local-lan
Max-users 2
netmask 255.255.255.0
!
Configuration group customer crypto isakmp ASA
key 6 key
pool SDM_POOL_1
Firewall are u there
include-local-lan
PFS
Max-users 2
Max-Connections 1
netmask 255.255.255.0
!
ISAKMP crypto group configuration of VPN client
key 6 key
DIAL-IN pool
ACL 103
include-local-lan
Max-users 2
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
Group of EasyVPN identity match
match of group identity ASA
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
Crypto isakmp CiscoCP_Profile2-ike-profile-1 profile
identity VPN group match
client authentication list ciscocp_vpn_xauth_ml_2
ISAKMP authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-model 5
!
!
Crypto ipsec transform-set esp - esp-sha-hmac ASA-IPSEC
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
Crypto ipsec transform-set esp-SHA2-ESP-3DES-3des esp-sha-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
security-association value 900 idle time
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
Profile of crypto ipsec CiscoCP_Profile2
Set the security association idle time 1200
game of transformation-ESP-3DES-SHA1
set of isakmp - profile CiscoCP_Profile2-ike-profile-1
!
!
map SDM_CMAP_1 2 ipsec-isakmp crypto
the value of c.c.c.c peer
game of transformation-ASA-IPSEC
match address 160
!
Crypto ctcp
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
!
class-map match-all P2P
Description speed limit P2P
match the edonkey Protocol
bittorrent Protocol game
fasttrack Protocol game
gnutella Protocol game
match Protocol kazaa2
class-map correspondence-any BLOCK
match Protocol kazaa2
bittorrent Protocol game
match the edonkey Protocol
gnutella Protocol game
fasttrack Protocol game
!
!
Policy-map BLOCK_INTERNET
class BLOCK
bandwidth 8
!
!
Bridge IRB
!
!
interface Loopback0
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
Null0 interface
no ip unreachable
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
DSL-automatic operation mode
!
point-to-point interface ATM0.1
Description $ES_WAN$
no ip redirection
no ip unreachable
no ip proxy-arp
PVC 0/100
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface virtual-Template1
Description $FW_INSIDE$
BVI1 IP unnumbered
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
peer default ip address dhcp
PPP mppe auto encryption required
ms-chap-v2, ms-chap PPP authentication PAP
!
interface virtual-Template2
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
type of interface virtual-Template3 tunnel
Description $FW_INSIDE$
Unnumbered IP Dialer0
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
tunnel type of interface virtual-table 5
Description $FW_INSIDE$
BVI1 IP unnumbered
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile2 ipsec protection profile
!
interface Dot11Radio0
no ip address
penetration of the IP stream
route IP cache flow
!
algorithms for encryption tkip encryption mode
!
SSID WIFI
!
Speed basic - 1.0 basic - 2.0 basic - 5.5 Basic6.0 basic - 9.0 basic-11, 0-12, 0-basic basic-18, 0 24 basic, basic 0-36, 0 48 basic, basic 0-54, 0
root of station-role
No cdp enable
Bridge-Group 1
Bridge-group subscriber-loop-control 1
Bridge-Group 1 covering-disabled people
Bridge-Group 1 block-unknown-source
No source of bridge-Group 1-learning
unicast bridge-Group 1-floods
!
interface Vlan1
no ip address
IP nat inside
IP virtual-reassembly
Bridge-Group 1
Bridge-Group 1 covering-disabled people
!
interface Vlan2
Description $FW_INSIDE$
IP 192.168.11.254 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
interface Dialer0
 description $OUTSIDE$ $FW_OUTSIDE$
 ip address negotiated
 ip access-group sdm_dialer0_in in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp pap sent-username username password 7 password
 ppp ipcp dns request
 failure to track PPP ipcp
 crypto map SDM_CMAP_1
 service-policy output BLOCK_INTERNET
!
interface Dialer1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool DIAL-IN 192.168.10.251 192.168.10.253
ip local pool SDM_POOL_1 192.168.10.50 192.168.10.51
no ip classless
ip forward-protocol nd
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 9
ip flow-export destination 192.168.10.200 9996
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.10.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.8 5900 interface Dialer0 5900
ip nat inside source static udp a.a.a.a 500 interface Dialer0 500
ip nat inside source static tcp 192.168.10.130 9090 interface Dialer0 9090
ip nat inside source list NAT_INTERNET interface Dialer0 overload
ip nat inside source static udp a.a.a.a 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.10.9 1723 interface Dialer0 1723
ip nat inside source static udp 192.168.10.150 514 interface Dialer0 514
ip nat inside source static tcp 192.168.10.150 1468 interface Dialer0 1468
!
ip access-list extended NAT_INTERNET
 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended NAT_INTERNET_1
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sdm_dialer0_in
 remark CCP_ACL Category=1
 permit ahp host c.c.c.c any
 remark permit all
 permit ip any any
 permit esp host c.c.c.c any
 permit udp host c.c.c.c any eq isakmp
 permit udp host c.c.c.c any eq non500-isakmp
 permit ahp host c.c.c.c any
 permit esp host c.c.c.c any
 permit ip 192.168.17.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip host 209.239.31.195 any log
 deny ip host 98.108.59.171 any log
!
logging trap debugging
logging 192.168.10.150
access-list 1 remark #NAT INTERNET USERS.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip host 192.168.10.0 any
access-list 101 remark RULES FOR FW TO THE INTERNET
access-list 101 deny ip any host 121.22.6.121 log
access-list 101 deny ip any host 74.120.10.51 log
access-list 101 deny ip any host 112.230.192.99 log
access-list 101 deny ip any host 61.55.167.19 log
access-list 101 permit ip any any
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 remark Cisco_VPN_10000
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 10000 log
access-list 101 remark Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 remark Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp log
access-list 101 permit tcp any host a.a.a.a eq 81
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 remark OWA
access-list 101 permit tcp any any eq 443 log
access-list 101 remark VNC port
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 5900 log
access-list 101 remark CRM service 8081
access-list 101 permit tcp any any eq 8081 log
access-list 101 remark Syslog to ASA1
access-list 101 permit udp host c.c.c.c eq syslog any eq syslog
access-list 101 remark Syslog for ASA2
access-list 101 permit udp any any eq syslog
access-list 102 deny tcp any any eq 445 log
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 115 remark CCP_ACL Category=16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 permit ip 129.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server ifindex persist
no cdp run
!
!
!
route-map SHEEP permit 10
 match ip address 150
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 password
 login local
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
1. Use a VPN client IP pool in a subnet that does not overlap with any of your internal networks. Currently two IP pools overlap with the subnet of interface BVI1.
2. Ensure that VPN traffic bypasses NAT.
-
Site to Site VPN routing via ASA
I need help setting up routing through the tunnel. We have a bunch of remote sites in 192.168.0.0/16 passing through a central site, 192.168.137.0.
How can I get all the traffic going to 192.168.0.0 to cross the tunnel? I have the tunnel up, but no traffic passes through. Here is the config.
XXXX# show run
: Saved
:
ASA Version 8.2(1)
!
hostname xxxxx
domain-name xxxx.xxx
enable password xxxxxxxx
passwd xxxxxxxxxxxxx
names
!
interface Vlan1
 description =-=-= INSIDE INTERFACE =-=-=
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
interface Vlan2
 description =-=-= CABLE OUTSIDE INTERFACE =-=-=
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.202 255.255.255.252
!
interface Ethernet0/0
 description =-=-= CABLE OUTSIDE INTERFACE =-=-=
 switchport access vlan 2
!
interface Ethernet0/1
 description =-=-= INSIDE INTERFACE =-=-=
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.92.226.12
 name-server 24.92.226.11
 domain-name xxxxxx.xxx
object-group network OUR-NETWORK
 network-object 10.254.1.0 255.255.255.0
 network-object 172.22.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=
access-list SHEEP remark =-= ACCESS LIST FOR NAT EXEMPTION =-=
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=
access-list SHEEP extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=
access-list INTERESTING remark =-= ACCESS LIST FOR INTERESTING TRAFFIC =-=
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=
access-list INTERESTING extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
access-list ICMP remark =-=-=-=-=-=-=-=-=-=
access-list ICMP remark =-= ALLOW ICMP TO THE OUTSIDE INTERFACE =-=
access-list ICMP remark =-=-=-=-=-=-=-=-=-=
access-list ICMP extended permit icmp host aaa.bbb.ccc.201 any echo
no pager
logging enable
logging timestamp
logging buffer-size 38400
logging buffered alerts
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
http server enable
http xx.xx.xx.xx 255.255.255.0 outside
http xxx.xxx.xxx.xxx 255.255.192.0 outside
http xxx.xxx.0.0 255.255.0.0 inside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
snmp-server location xxxxxx
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-HMAC-SHA-ESP-3des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map L2LMAP 10 match address INTERESTING
crypto map L2LMAP 10 set pfs
crypto map L2LMAP 10 set peer ddd.eee.fff.32
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
crypto map L2LMAP 10 set security-association lifetime seconds 86400
crypto map L2LMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2LMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
SSH enable ibou
ssh xxx.xxx.0.0 255.255.0.0 inside
ssh xxx.xxx.0.0 255.255.0.0 outside
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.137.225 24.92.226.12
dhcpd domain arc.com
dhcpd auto_config outside
dhcpd option 150 ip 172.22.137.5
!
dhcpd address 192.168.33.2-192.168.33.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside
ntp server 96.47.67.105 source outside prefer
webvpn
username xxxx password xxxx
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group ddd.eee.fff.32 type ipsec-l2l
tunnel-group ddd.eee.fff.32 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Thank you
Mike
As I suspected, mismatched.
Remote side is set to 3des/sha. You are set to 3des/md5.
Change the following:
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
TO
crypto map L2LMAP 10 set transform-set ESP-3DES-SHA
Assuming the ACLs match, things should be fine.
Let me know.
-
Keep Site to Site VPN Tunnel active for monitoring
Hi all
I have a site-to-site VPN tunnel configured that only comes up when traffic is generated from the remote peer. Is it possible to keep the tunnel active once it has been established?
My requirement is to monitor VPN availability, so I need to ping one of the NAT'd IPs on the remote end, but it only comes up when traffic is generated from the peer end. Currently the default SA timers are configured.
Help, please...
Thank you
Mikael
group-policy TARGET_GP attributes
 vpn-idle-timeout none
-
I set up a site-to-site VPN using an ASA 5505, but when I issue the command
"sh crypto ipsec sa" it says "There are no ipsec sas".
I have attached the configurations.
Hello
I saw you have the NAT entry nat (inside) 2 access-list limenat; would you change it to nat (inside) 0 access-list limenat? See whether that makes any difference.
Do you want to take a packet capture when you ping the remote IP address?
access-list cap permit ip host (local subnet) host (remote subnet)
access-list cap permit ip host (remote subnet) host (local subnet)
capture cap access-list cap interface inside
show capture cap
Now you can see the capture access-list.
debug crypto isakmp 200
debug crypto ipsec 200
-
Site-to-Site VPN - route on ASA (8.4.2)
ASA-SiteA:
outside int: 4.5.6.7
inside int: 10.1.1.1
DMZ: 192.168.0.1 255.255.255.0
Routes on ASA-SiteA:
route outside 0.0.0.0 0.0.0.0 4.5.6.7 - default route
route inside 172.10.1.0 255.255.255.0 10.1.1.1 - route to reach the ASA-SiteB inside interface
ASA-SiteB:
outside int: 50.1.2.3
inside int: 172.10.1.1
DMZ: 192.168.87.1 255.255.255.0
Routes on ASA-SiteB:
route outside 0.0.0.0 0.0.0.0 50.1.2.3 - default route
route inside 10.1.1.0 255.255.255.0 172.10.1.1 - route to reach the ASA-SiteA inside interface
The inside interfaces of the two ASAs can communicate with each other over MPLS circuits. We want to create a VPN tunnel between the two DMZ networks so that the traffic passes through a tunnel over the inside network. Please check the config below and indicate whether any changes are needed.
1. For the VPN tunnel to work, must the traffic match a route on the ASA, or is it enough that it matches the access-list (interesting traffic)? For example, after configuring the VPN tunnel between the 192.168.0.0 and 192.168.87.0 networks, when I ping 192.168.87.1, does the packet enter the tunnel because it matches the interesting traffic, or do the packets go to 4.5.6.7 because they match the default route?
2. In normal site-to-site VPN scenarios traffic originates on a high-security interface (DMZ or inside) and goes out the low-security (outside) interface, but in the case above traffic originates on a low-security interface (DMZ) and goes to the high-security (inside) interface, which usually gets blocked unless there is an access-list entry to allow that traffic. Must we therefore have a "permit ip any any" entry (on the access-list applied to the DMZ interface) between the two DMZ networks?
Config on ASA-SiteA:
IKEv1 policy
ASA-SiteA(config)# crypto ikev1 enable inside - Does enabling ikev1 on the inside interface interrupt traffic?
ASA-SiteA(config)# crypto ikev1 policy 100
ASA-SiteA(config-ikev1-policy)# authentication pre-share
ASA-SiteA(config-ikev1-policy)# encryption 3des
ASA-SiteA(config-ikev1-policy)# hash sha
ASA-SiteA(config-ikev1-policy)# group 2
ASA-SiteA(config-ikev1-policy)# lifetime 86400
IPsec tunnel
ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac
ASA-SiteA(cfg-crypto-trans)# mode transport
Tunnel group
ASA-SiteA(config)# tunnel-group 172.10.1.1 type ipsec-l2l
ASA-SiteA(config)# tunnel-group 172.10.1.1 ipsec-attributes
ASA-SiteA(config-tunnel-ipsec)# pre-shared-key test
Interesting traffic
ASA-SiteA(config)# object network Site-A-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA-SiteA(config)# object network Site-B-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.87.0 255.255.255.0
ASA-SiteA(config)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-SN object Site-B-SN
ASA-SiteA(config)# nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ
Crypto map
ASA-SiteA(config)# crypto map VPN-LAN 100 ipsec-isakmp
ASA-SiteA(config-crypto-map)# match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config-crypto-map)# set pfs group2
ASA-SiteA(config-crypto-map)# set peer 172.10.1.1
ASA-SiteA(config-crypto-map)# set transform-set ESP-3DES-SHA
ASA-SiteA(config-crypto-map)# crypto map VPN-LAN interface inside
Yes, you need the correct route, otherwise it will just be forwarded through the default gateway.
So on Site A you should have:
route inside 192.168.87.0 255.255.255.0 10.1.1.x --> x should be the next hop of the ASA inside interface
On Site B you should have:
route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop of the ASA inside interface
Delete "mode transport" on both ASAs.
To answer your questions:
1. Yes, it would need to match a route, otherwise it will be routed through the default gateway.
2. Yes, you must have an access-list to allow traffic from the low to the high security level. If you want full IP access, you can configure "permit ip" between the 2 LANs.
-
Site to Site VPN, but I only want one-way traffic
I have 2 SonicWALLs with a site-to-site connection. I want company A to access all the resources on company B's site.
But I don't want company B to access ANY of company A's assets beyond what I have OK'd.
How can I go about it?
I thought about access rules already, but I was unable to change the rules, because they were created automatically.
I then noticed the post about suppression.
I'll give these a try. Thanks to you two.
Note: For this to work the way I needed it to:
Site to Site:
Create/configure VPN tunnels:
Main -> Site 1
Main -> Site 2
Under Advanced, select 'Suppress automatic creation of VPN policy access rules' (should only be on the main SonicWALL)
Firewall:
(Only on the main firewall)
VPN > LAN:
Source: Site 1 (2) Destination: (IP address that should be seen from Sites 1 and 2) Service: any, Allow.
LAN > VPN:
Source: Any Destination: Site 1 (2) Service: any, Allow.
This allows my scan server (on main) to scan all devices (Site 1/2) through the site-to-site tunnel. It also allows me to RDP into any machine on site 1 or 2. But they can't scan the network or access any devices on the main site.
Thank you guys!
-
Problem with Site-to-Site VPN. VPN tunnel is down but can ping
OK, so I am trying to understand why nothing shows up when I do "sh crypto isakmp sa" or "sh crypto ipsec sa". I did the basic site-to-site VPN settings and I can ping across both networks fine, no problem. So when I ping from a PC on the 172.16.0.0 network to an address on the 192.168.0.0 network there is no problem at all, because the pings are received fine. But when I do "sh crypto isakmp sa" there's simply nothing, and I can't for the life of me understand why. I looked at my "sh run" for both routers and all seems well, but I guess I could be overlooking something. I would really appreciate it if someone could help me diagnose this problem.
I've attached my Packet Tracer file, and both routers use the binary password. I also have the "sh run" of both routers attached.
I'm not seeing 172.16.0.0/24 on either router, only 172.16.0.0/16, and I think that is the issue.
In the crypto ACL you have on the branch router:
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Shouldn't it be:
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
and of course mirrored on the main router.
If this isn't the case, you are saying that some pings between 192.168.0.x and 172.16.0.x are going OK. Can you please indicate exactly which ones? I could see that you attached a Packet Tracer file, but I couldn't open it.
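A check for the two failure modes raised in this reply and in the earlier 1811 reply ("ensure that VPN traffic bypasses NAT"), as an added example that is not from any post on this page: it parses crypto and NAT ACLs in either the IOS wildcard-mask or the ASA subnet-mask form, reports crypto ACEs that are not exact mirrors of the peer's, and flags tunnel flows that an IOS NAT list would translate before encryption. The sample ACLs are constructed from lines quoted on this page; the 192.168.3.0/24 flow is invented to show a missed exemption.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

def _net(addr: str, mask: str, wildcard: bool) -> Net:
    """'addr mask' -> network. IOS ACLs use wildcard (inverse) masks, ASA ACLs
    use subnet masks; either way the mask must be contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m = ~m & 0xFFFFFFFF
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return Net(f"{addr}/{prefix}", strict=False)

def _spec(t: List[str], i: int, wildcard: bool) -> Tuple[Net, int]:
    """Consume one address spec ('any', 'host X' or 'X MASK'); return (net, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    if t[i] in ("object", "object-group"):
        raise ValueError("object references are not expanded by this example")
    return _net(t[i], t[i + 1], wildcard), i + 2

def parse_acl(text: str, wildcard: bool) -> List[Tuple[str, Tuple[Net, Net]]]:
    """[(action, (src, dst))] for every 'permit ip'/'deny ip' ACE, in order. Handles
    IOS named-ACL lines and ASA 'access-list NAME extended ...' lines; skips the rest."""
    out = []
    for line in text.splitlines():
        t = line.split()
        pos = [k for k, w in enumerate(t) if w in ("permit", "deny")]
        if "remark" in t[:3] or not pos or t[pos[0] + 1] != "ip":
            continue
        try:
            src, j = _spec(t, pos[0] + 2, wildcard)
            dst, _ = _spec(t, j, wildcard)
        except ValueError:
            continue
        out.append((t[pos[0]], (src, dst)))
    return out

def mirror_problems(local: str, remote: str, wildcard: bool) -> List[str]:
    """Crypto ACLs must be exact mirrors: each (src, dst) permitted on one side
    must be permitted as (dst, src) on the other, with identical masks."""
    l = {f for a, f in parse_acl(local, wildcard) if a == "permit"}
    r = {(d, s) for a, (s, d) in parse_acl(remote, wildcard) if a == "permit"}
    msgs = [f"local permits {s} -> {d}, no mirror on remote" for s, d in sorted(l - r, key=str)]
    msgs += [f"remote permits {d} -> {s}, no mirror on local" for s, d in sorted(r - l, key=str)]
    return msgs

def nat_exempt_problems(nat_acl: str, crypto_acl: str, wildcard: bool) -> List[str]:
    """IOS 'ip nat inside source list': a tunnel flow whose first matching NAT ACE is a
    permit is translated before the crypto ACL sees it, so it never enters the tunnel.
    (ASA 'nat 0 access-list' inverts this: there, permit means exempt.)"""
    nat = parse_acl(nat_acl, wildcard)
    msgs = []
    for _, (s, d) in parse_acl(crypto_acl, wildcard):
        hit = next((a for a, (ns, nd) in nat if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
        if hit == "permit":
            msgs.append(f"{s} -> {d} is NATed (first match is permit): add a deny above it")
    return msgs

# Constructed samples, taken from the ACL lines quoted in this thread.
BRANCH_CRYPTO_ACL = """ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
"""
MAIN_CRYPTO_ACL = """ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
"""
NAT_INTERNET = """ip access-list extended NAT_INTERNET
 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
"""
# The 192.168.3.0/24 flow is invented here to show a missed NAT exemption.
CRYPTO_1811 = """ permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
```

Run mirror_problems on the branch and main crypto ACLs with wildcard=True to see the /24 versus /16 mismatch; fix the branch mask and it returns an empty list.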
-
SA520W routing through site-to-site VPN tunnels
I have several offices that are connected using site-to-site VPN tunnels, and all use the SA520W (firmware 2.1.18). I currently have 3 routers in place; router A has tunnels created to router B and router C. I need assistance with the configuration to allow hosts at router site B to get to router site C. I have attempted to add a static route, but get "destination host unreachable" when trying to ping. Also, if I connect to router site A via the Cisco VPN client, I'm not able to get to resources on any site, A, B, or C.
Site A - 10.10.0.0/24
Site B - 10.0.0.0/24
Site C - 10.25.0.0/24
Any help is greatly appreciated.
So, is this what you have configured?
          RTR_A
            ||
   _________||_________
   ||                ||
 RTR_B             RTR_C
Since there is no tunnel between B and C, there is no way to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPsec tunnel (it is IPsec, right?) from rtr_a ==> rtr_b. You can't just add a route statement, because your addresses are not routable, which is the reason why it fails.
Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but it should get you what you need.
I hope this helps.
-
Site to Site VPN between 5510 and 5505
I am trying to get a site-to-site VPN up and running between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the DSL provider, Verizon.
They have a 5505 with a static IP connected via cable modem. From their 5505 I can ping the external IP of my 5510 without problem. All the settings are correct on both sides; they mirror the same settings, and yet the static VPN does not come up.
Is there some sort of CLI command I must issue to bring it up?
Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re-NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.
Simply put: traffic from their 192.168.40.0 subnet to our 192.168.250.0/23 VOIP subnet.
Attached is a basic outline. I can provide the configs for almost everything.
Hello
You have two crypto map sequences with similar parameters (except the transform set). Get rid of the remaining crypto map sequences:
On the satellite ASA:
no crypto map outside_map 2 match address outside_cryptomap
no crypto map outside_map 2 set pfs
no crypto map outside_map 2 set peer smivpn.sorensonmedia.com
no crypto map outside_map 2 set transform-set ESP-3DES-MD5
no crypto map outside_map 2 set security-association lifetime seconds 28800
no crypto map outside_map 2 set security-association lifetime kilobytes 4608000
no crypto map outside_map 2 set reverse-route
On the company ASA:
no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer cda.asa5505
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set reverse-route
Then check and capture debugs.
HTH
Sangaré
Hello world I have 3 APs with some of the thorny issues. Here is the information below: Cisco IOS software, software C1600 (AP1G2-K9W8-M), Version 15.2 (2) JB2, RELEASE SOFTWARE (fc1) Product/model number: AIR-CAP1602I-C-K9 Controller: "Cisco 5500 Se