Site to Site VPN problem ASA 5505

Similar Questions

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Order of operations NAT on Site to Site VPN Cisco ASA

  Hello

  I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

  Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

  But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

  inside_map crypto 50 card value transform-set ESP-3DES-SHA

  tunnel-group 100.1.1.1 type ipsec-l2l

  tunnel-group 100.1.1.1 General-attributes

  Group Policy - by default-PHX_HK

  IPSec-attributes tunnel-group 100.1.1.1

  pre-shared key *.

  internal PHX_HK group policy

  PHX_HK group policy attributes

  VPN-filter no

  Protocol-tunnel-VPN IPSec svc webvpn

  card crypto inside_map 50 match address outside_cryptomap_50

  peer set card crypto inside_map 50 100.1.1.1

  inside_map crypto 50 card value transform-set ESP-3DES-SHA

  inside_map crypto 50 card value reverse-road

  the PHX_Local object-group network

  host of the object-Network 31.10.11.10

  host of the object-Network 31.10.11.11

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  host of the object-Network 10.17.128.20

  host of the object-Network 10.17.128.21

  host of the object-Network 10.17.128.22

  host of the object-Network 10.17.128.23

  the HK_Remote object-group network

  host of the object-Network 102.1.1.10

  inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

  outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

  Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

  public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

  public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

  public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

  public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

  He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

  the PHX_Local1 object-group network

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

  inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

  Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

  Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

  Thank you

  Kind regards

  Thomas

  Hello

  I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

  From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

  Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

  If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

  Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

  You have these guests who were not able to use the VPN L2L

  31.10.10.10 10.17.128.20

  31.10.10.11 10.17.128.21

  31.10.10.12 10.17.128.22

  31.10.10.13 10.17.128.23

  IF you want them to go to the VPN L2L with their original IP address then you must configure

  object-group, LAN

  host of the object-Network 10.17.128.20

  host of the object-Network 10.17.128.21

  host of the object-Network 10.17.128.22

  host of the object-Network 10.17.128.23

  object-group, REMOTE network

  host of the object-Network 102.1.1.10

  inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

  outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

  IF you want to use the L2L VPN with the public IP address, then you must configure

  object-group, LAN

  host of the object-Network 31.10.10.10

  host of the object-Network 31.10.10.11

  host of the object-Network 31.10.10.12

  host of the object-Network 31.10.10.13

  object-group, REMOTE network

  host of the object-Network 102.1.1.10

  outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

  EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

  Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

  Be sure to mark it as answered if it was answered.

  Ask more if necessary

  -Jouni

• site to site vpn with ASA 5500 series SSL?

  We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.

  We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.

  We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.

  However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".

  The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?

  Thank you, Tom

  Hi Thomas,

  The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.

  Federico.

• Problem with remote access VPN on ASA 5505

  I currently have a problem of an ASA 5505 configuration to connect via VPN remote access by using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x 64. The VPN client will prompt you for the user name and password during the connection process, but fails soon after.

  The VPN client connects is as follows:

  ---------------------------------------------------------------------------------------------------------------------------------------

  Cisco Systems VPN Client Version 5.0.07.0440

  Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 6.2.9200

  2 15:09:21.240 11/12/12 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  3 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  4 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "*." **. ***. *** »

  5 15:09:21.287 11/12/12 Sev = Info/6 IKE/0x6300003B

  Try to establish a connection with *. **. ***. ***.

  6 15:09:21.287 11/12/12 Sev = Info/4 IKE / 0 x 63000001

  From IKE Phase 1 negotiation

  7 15:09:21.303 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

  8 15:09:21.365 11/12/12 Sev = Info/6 GUI/0x63B00012

  Attributes of the authentication request is 6: 00.

  9 15:09:21.334 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  10 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

  11 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer is a compatible peer Cisco-Unity

  12 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports XAUTH

  13 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports the DPD

  14 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports NAT - T

  15 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports fragmentation IKE payloads

  16 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000001

  IOS Vendor ID successful construction

  17 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

  18 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000055

  Sent a keepalive on the IPSec Security Association

  19 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000083

  IKE port in use - Local Port = 0xFBCE, Remote Port = 0 x 1194

  20 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000072

  Automatic NAT detection status:

  Remote endpoint is NOT behind a NAT device

  This effect is behind a NAT device

  21 15:09:21.334 11/12/12 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

  22 15:09:21.365 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  23 15:09:21.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  24 15:09:21.365 11/12/12 Sev = Info/4 CM / 0 x 63100015

  Launch application xAuth

  25 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  26 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  27 15:09:27.319 11/12/12 Sev = Info/4 CM / 0 x 63100017

  xAuth application returned

  28 15:09:27.319 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  29 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  30 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  31 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  32 15:09:27.365 11/12/12 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

  33 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300005E

  Customer address a request from firewall to hub

  34 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  35 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  36 15:09:27.397 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  37 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

  38 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

  39 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

  40 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

  41 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

  42 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO

  43 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

  44 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (5) built by manufacturers on Saturday, May 20, 11 16:00

  45 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

  46 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

  47 15:09:27.397 11/12/12 Sev = Info/4 CM / 0 x 63100019

  Data in mode Config received

  48 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000056

  Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

  49 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

  50 15:09:27.444 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  51 15:09:27.444 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

  52 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify has value of 86400 seconds

  53 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000047

  This SA was already alive for 6 seconds, setting expiration 86394 seconds now

  54 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  55 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

  56 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO *(HASH, DEL) to *. **. ***. ***

  57 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000049

  IPsec security association negotiation made scrapped, MsgID = CE99A8A8

  58 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

  59 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  60 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000058

  Received an ISAKMP for a SA message no assets, I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924

  61 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

  62 15:09:27.490 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  63 15:09:30.475 11/12/12 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

  64 15:09:30.475 11/12/12 Sev = Info/4 CM / 0 x 63100012

  ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

  65 15:09:30.475 11/12/12 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  66 15:09:30.475 11/12/12 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  67 15:09:30.475 11/12/12 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  68 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  69 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  70 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  71 15:09:30.475 11/12/12 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  ---------------------------------------------------------------------------------------------------------------------------------------

  The running configuration is the following (there is a VPN site-to-site set up as well at an another ASA 5505, but that works perfectly):

  : Saved

  :

  ASA Version 8.2 (5)

  !

  hostname NCHCO

  Select hTjwXz/V8EuTw9p9 of encrypted password

  hTjwXz/V8EuTw9p9 of encrypted passwd

  names of

  description of NCHCO name 192.168.2.0 City offices

  name 192.168.2.80 VPN_End

  name 192.168.2.70 VPN_Start

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address **. ***. 255.255.255.248

  !

  boot system Disk0: / asa825 - k8.bin

  passive FTP mode

  access extensive list ip NCHCO 255.255.255.0 outside_nat0_outbound allow 192.168.1.0 255.255.255.0

  access extensive list ip NCHCO 255.255.255.0 inside_nat0_outbound allow 192.168.1.0 255.255.255.0

  inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

  access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap allow 192.168.1.0 255.255.255.0

  access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap_1 allow 192.168.1.0 255.255.255.0

  Standard access list LAN_Access allow NCHCO 255.255.255.0

  LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 645.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (outside) 0-list of access outside_nat0_outbound

  Route outside 0.0.0.0 0.0.0.0 74.219.208.49 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  network-acl outside_nat0_outbound

  WebVPN

  SVC request to enable default svc

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  http *. **. ***. 255.255.255.255 outside

  http 74.218.158.238 255.255.255.255 outside

  http NCHCO 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac l2tp-transform

  Crypto ipsec transform-set l2tp-transformation mode transit

  Crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  crypto dynamic-map dyn-map 10 set pfs Group1

  crypto dynamic-map dyn-map transform 10-set, vpn l2tp-transformation-transformation

  dynamic-map encryption dyn-map 10 value reverse-road

  Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  peer set card crypto outside_map 1 74.219.208.50

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside crypto map inside_map interface

  card crypto vpn-map 1 match address outside_1_cryptomap_1

  card crypto vpn-card 1 set pfs Group1

  set vpn-card crypto map peer 1 74.219.208.50

  card crypto vpn-card 1 set of transformation-ESP-3DES-SHA

  dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

  crypto isakmp identity address

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 15

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 35

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP ipsec-over-tcp port 10000

  enable client-implementation to date

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet NCHCO 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH NCHCO 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.2.150 - 192.168.2.225 inside

  dhcpd dns 216.68.4.10 216.68.5.10 interface inside

  lease interface 64000 dhcpd inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server DNS 192.168.2.1

  Protocol-tunnel-VPN IPSec l2tp ipsec

  nchco.local value by default-field

  attributes of Group Policy DfltGrpPolicy

  value of server DNS 192.168.2.1

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  allow password-storage

  enable IPSec-udp

  enable dhcp Intercept 255.255.255.0

  the address value VPN_Pool pools

  internal NCHVPN group policy

  NCHVPN group policy attributes

  value of 192.168.2.1 DNS Server 8.8.8.8

  Protocol-tunnel-VPN IPSec l2tp ipsec

  value by default-field NCHCO

  admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

  username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

  username, encrypted NCHvpn99 QhZZtJfwbnowceB7 password

  attributes global-tunnel-group DefaultRAGroup

  address (inside) VPN_Pool pool

  address pool VPN_Pool

  authentication-server-group (inside) LOCAL

  authentication-server-group (outside LOCAL)

  LOCAL authority-server-group

  authorization-server-group (inside) LOCAL

  authorization-server-group (outside LOCAL)

  Group Policy - by default-DefaultRAGroup

  band-Kingdom

  band-band

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared key *.

  NOCHECK Peer-id-validate

  tunnel-group DefaultRAGroup ppp-attributes

  No chap authentication

  no authentication ms-chap-v1

  ms-chap-v2 authentication

  tunnel-group DefaultWEBVPNGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  tunnel-group 74.219.208.50 type ipsec-l2l

  IPSec-attributes tunnel-group 74.219.208.50

  pre-shared key *.

  type tunnel-group NCHVPN remote access

  attributes global-tunnel-group NCHVPN

  address pool VPN_Pool

  Group Policy - by default-NCHVPN

  IPSec-attributes tunnel-group NCHVPN

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:15852745977ff159ba808c4a4feb61fa

  : end

  ASDM image disk0: / asdm - 645.bin

  ASDM VPN_Start 255.255.255.255 inside location

  ASDM VPN_End 255.255.255.255 inside location

  don't allow no asdm history

  Anyone have any idea why this is happening?

  Thank you!

  Add, crypto dynamic-map outside_dyn_map 20 value reverse-road.

  With respect,

  Safwan

• Multi-site VPN problem

  Greetings,

  I practice implementation of VPN and it seems to have fallen on a small issue that solution eludes me.  Everything works in my current topology with the exception of a multi-site vpn.  I have 3 ASA, which is outside the interface is connected via a switch.  The inside interface is connected to a local area network that contains a workstation on each subnet.  I'm trying to set up a solution where I can have all 3 ASA related between them via a VPN.  The question I have is when I raise a single tunnel, scathing from a workstation behind the ASA, I can't set up a second tunnel scathing from a different network.  To explain that better, here is an explanation:

  ASA #1

  outdoors: 10.0.1.1/24

  inside: 192.168.0.1/24

  workstation: 192.168.0.100

  ASA #2

  outside: 10.0.1.2/24

  inside: 192.168.1.1/24

  workstation: 192.168.1.100

  ASA #3

  outside: 10.0.1.3/24

  inside: 192.168.2.1/24

  workstation: 192.168.2.100

  If I ping 192.168.0.100 192.168.1.100, the tunnel opens very well and I get answers.  If I can try and ping 192.168.0.100 192.168.2.100, does not open the tunnel to 192.168.2.0.  If I clear all its on ASA #1 and then ping 192.168.0.100 192.168.2.100, the tunnel opens very well and I get a response.  Then I try and ping 192.168.0.100 192.168.1.100 and the same thing happens, no tunnel and no response.  When I enabled logging on ASA #1 seems that it sends the ping for the different network on the tunnel open instead of opening a new tunnel to the correct network.  Can someone tell me what is happening here and if I just missed something simple with routing?  Or is it maybe a problem with VPN?

  Craig,

  You have default route badly configured on all the ASA. Here's what you have configured

  ASA1

  Route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

  It's sendning the package for outside inside IP address. Here's what you need to do on the ASA

  ASA1

  No route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

  Route outside 0.0.0.0 0.0.0.0 10.0.1.2

  ASA2

  No route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

  Route outside 0.0.0.0 0.0.0.0 10.0.1.1

  ASA3

  No route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

  Route outside 0.0.0.0 0.0.0.0 10.0.1.1

  Also delete icmp access list crypto that you allowed to what IP is the same access list. IP covers both the ICMP.

  Kindly let me know change default allows traffic.

  Kind regards

  Bad Boy

  P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

• Site to site VPN problems

  Hello, I'm having a problem with my VPN configuration. I have two locations each with she is has a subnett. I have a VPN site-to site between the two locations. The site to site VPN is up and fully functional without any problem. Now if I'm away from work and to connect with the site A VPN client, I cannot ping or connect what either on site B. Or if I am connected to site B by a VPN I can't ping or connect what to site A.

  I hope that makes sense, but I'll be happy to give more details on Setup if necessary.

  I think that the command you need is:

  same-security-traffic permit Intra-interface (not inter-interface)

  The remote VPN and VPN site - to use the same outside interface, so this command allows VPN traffic out this interface pin

  Sent by Cisco Support technique iPad App

• Remote VPN site to site vpn on ASA?

  Hello

  I would like to know if it is possible to have this configuration with an ASA5510:

  (1) - remote access VPN (access by the external interface)

  (2) - site to site VPN (same access interface)

  The goal: users of vpn (1) can access the server remote vpn (2) and vice versa.

  Is it possible? and what is the best practice to do?

  Thank you very much!

  J.

  Yes, you can do it.

  Same-security-traffic command traffic to enter and leave the interface even when used with the

  keyword intra-interface, that allows the VPN support has spoke-to-spoke.

  Here are a few examples.

  http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml

  PIX / ASA 7.X: Add a new Tunnel or remote access to an existing L2L VPN

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  PIX / ASA 7.x enhanced has spoken-to-Client VPN with the example of setting up authentication GANYMEDE +.

• Impossible to establish a VPN to ASA 5505

  I'm trying to set up a network VPN from Site to Site. Right now I'm doing this work in the laboratory. I have the Internet port on the Linksys connected directly to port 0 on the cisco that has been set up as the internet port.

  My configuration is:

  Remote site

  Laptop 1 - IP 192.168.2.100 address 255.255.255.0 GW 192.168.2.1

  The Router 1 (Linksys BEFSX41) - LAN IP 192.168.2.1 255.255.255.0

  209.168.145.49 WAN IP address 255.255.255.0 GW 209.168.145.50

  Host site

  Laptop 2 - address 192.168.1.100 IP 255.255.255.0 GW 192.168.1.1

  Router 2 (Cisco ASA 5505) - LAN IP 0 address 192.168.1.1 255.255.255.0

  IP WAN (Port 0) 209.168.145.50 255.255.255.0

  My problems:

  I use ASDM 5.2 to configure the router of the SAA. With the configuration I currently have my linksys is not able to establish a VPN connection. The journal of ASA reported via the ASDM is as shown in the attachment ciscolog.txt.

  My linksys journal is as listed in the attachment linksyslog.txt.

  I also tried to create a Cisco VPN client connection using the cisco client software and a laptop connected directly to the internet port of the router cisco (port 0) and was not able to establish a connection with that either. I used the wizard of ASDM VPN to try to implement the Site-site as well as the scenarios of connection remotely. This has been unsuccessful in both cases.

  The only one, I am really interested in getting to work is the site to site.

  My current configuration of cisco is shown in the attachment cisco.txt.

  If anyone has any input I would appreciate it a lot. I have been through the manuals of cisco as to scouring the internet and am unable to find an answer.

  I enclose 3 files, cisco log (ciscolog.txt), linksys (linksyslog.txt) log and config cisco (cisco.txt) in the form of text files.

  Thank you.

  Sean

  I hope that path statement solves your problem.

  -Gilbert

  Good job, Adam!

• Install two the separate IPSec VPNS on ASA 5505

  Hello

  I'll have set up a second tunnel IPSec VPN on my Cisco ASA 5505 to another office.  I was able to configure one without problem through the ASDM, but were not able to get the second.

  The IPSec tunnel connects to a WRVS4400N router to the other office.  I tried the debug crypto isakmp and ipsec crypto, but I get nothing.  Here is the config.  Something seems wrong on my end?   I've also attached a screenshot of the configuration settings on the remote router.

  Output of the command: "show run".

  : Saved
  :
  ASA Version 8.2 (5)
  !
  hostname WayneASA

  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 70.91.18.205 255.255.255.252
  !
  interface Vlan5
  Shutdown
  No nameif
  security-level 50
  IP 192.168.10.1 255.255.255.0
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS lookup field inside
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  75.75.75.75 server name
  75.75.76.76 server name
  domain 3gtms.com
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  inside_access_in of access allowed any ip an extended list
  IPSec_Access to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.224
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  inside_nat0 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  TunnelSplit1 list standard access allowed 192.168.10.0 255.255.255.224
  TunnelSplit1 list standard access allowed 192.168.1.0 255.255.255.0
  outside_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.2.0 255.255.255.0
  outside_2_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0
  RemoteTunnel_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
  RemoteTunnel_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0

  pager lines 24
  Enable logging
  Within 1500 MTU
  Outside 1500 MTU
  IP mask 255.255.255.224 local pool VPNPool 192.168.10.1 - 192.168.10.30
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0
  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group
  Access-group out_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  Enable http server
  http 0.0.0.0 0.0.0.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set esp-3des esp-md5-hmac VPNTransformSet
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto IPSec_map 1 corresponds to the address IPSec_Access
  card crypto IPSec_map 1 set peer 50.199.234.229
  card crypto IPSec_map 1 the transform-set VPNTransformSet value
  card crypto IPSec_map 2 corresponds to the address outside_2_cryptomap
  card crypto IPSec_map 2 set pfs Group1
  card crypto IPSec_map 2 set peer 98.101.139.210
  card crypto IPSec_map 2 the transform-set VPNTransformSet value
  card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  IPSec_map interface card crypto outside
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.199.234.229

  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 43200
  Telnet 192.168.1.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 inside
  SSH timeout 60
  Console timeout 0
  management-access inside
  dhcpd outside auto_config
  !
  dhcpd address 192.168.1.100 - 192.168.1.199 inside
  dhcpd dns 75.75.75.75 75.75.76.76 interface inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal RemoteTunnel group strategy
  attributes of Group Policy RemoteTunnel
  value of server DNS 75.75.75.75 75.75.76.76
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list RemoteTunnel_splitTunnelAcl_1
  3gtms.com value by default-field
  eric 0vcSd5J/TLsFy7nU password user name encrypted privilege 15
  username password encrypted URsSXKLozQMSeCBk privilege 5 lestofts
  username lestofts attributes
  type of remote access service
  algobel lBWy5eNbHMCDPzuL encrypted password username
  username algobel attributes
  type of remote access service
  type tunnel-group RemoteTunnel remote access
  attributes global-tunnel-group RemoteTunnel
  address pool VPNPool
  Group Policy - by default-RemoteTunnel
  IPSec-attributes tunnel-group RemoteTunnel
  pre-shared key *.
  tunnel-group 50.199.234.229 type ipsec-l2l
  IPSec-attributes tunnel-group 50.199.234.229
  pre-shared key *.
  tunnel-group 98.101.139.210 type ipsec-l2l
  IPSec-attributes tunnel-group 98.101.139.210
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the icmp
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the dns
  inspect the pptp
  inspect the sip
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call
  Cryptochecksum:a86adc4b23977672679b6fb72d0bc187
  : end

  You are also missing the NAT0 rule

  inside_nat0 to access extended list ip 192.168.2.0 allow 255.255.255.0 192.168.5.0 255.255.255.0

  -Jouni

• Cannot connect to internet after connecting to VPN Cisco ASA 5505

  Hi all

  I am an engineer of network, but haven't had any Experinece in the firewall for the moment, I'm under pressure to take care of a ASA 5505 were all VPN and incoming and out of bounds have been set up, recently I've had a few changes and re made the change, but unfortunately, he took some configurations that are ment for VPN now I am facing a problem,

  VPN connection, but impossible to navigate on the internet is my problem, I tried inheriting tunneli Split, but I coudnt get through it seems, I did something in a bad way, I use here for most ASDM,.

  I paste the Configuration for the investigation, although he's trying to help me.

  ASA Version 8.0(4)16 ! hostname yantraind domain-name yantra.intra enable password vD1.re9JLbigXJxz encrypted passwd hVjSWvtgvNN21M./ encrypted names ! interface Vlan2 nameif outside security-level 0 ip address Outside_Interface 255.255.255.240 ospf cost 10 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 2 ! interface Ethernet0/6 switchport access vlan 2 shutdown ! interface Ethernet0/7 switchport access vlan 2 shutdown ! boot system disk0:/asa804-16-k8.bin boot system disk0:/asa724-k8.bin ftp mode passive clock timezone GMT 0 dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 192.168.0.106 name-server 192.168.0.10 domain-name yantra.intra same-security-traffic permit intra-interface object-group service Email_In tcp port-object eq https port-object eq pop3 port-object eq smtp object-group service DM_INLINE_TCP_2 tcp port-object eq ftp port-object eq ftp-data port-object eq www object-group service RDP tcp port-object eq 3389 object-group service DM_INLINE_SERVICE_1 service-object icmp service-object icmp traceroute object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service voip udp port-object eq domain object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data access-list outside_access_in extended permit tcp any host  object-group Email_In access-list outside_access_in extended permit tcp any host FTP_Server_Ext object-group DM_INLINE_TCP_1 access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit tcp any host ForSLT eq www access-list outside_access_in extended permit tcp any host Search object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit tcp any host IMIPublic eq www access-list outside_access_in extended permit tcp any host eq www access-list outside_access_in extended permit tcp any host SLT_New_Public eq www access-list outside_access_in extended permit object-group TCPUDP any host 202.133.48.68 eq www access-list rvpn_stunnel standard permit 192.168.0.0 255.255.255.0 access-list rvpn_stunnel standard permit 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list nat0 extended permit ip host IT_DIRECT 192.168.0.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended deny object-group TCPUDP host 192.168.0.252 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 24 logging enable logging timestamp logging console debugging logging buffered debugging logging trap debugging logging history emergencies logging asdm debugging logging host inside 192.168.0.187 logging permit-hostdown logging class ip buffered emergencies mtu inside 1500 mtu outside 1500 ip local pool rvpn-ip 192.168.100.1-192.168.100.25 mask 255.255.255.0 ip verify reverse-path interface inside ip verify reverse-path interface outside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any traceroute outside asdm image disk0:/asdm-61551.bin no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list nat0 nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) netmask 255.255.255.255 dns static (inside,outside) FTP_Server_Ext FTP_Server_Int netmask 255.255.255.255 dns static (inside,outside) ForSLT SLT_New netmask 255.255.255.255 static (inside,outside) Search LocalSearch netmask 255.255.255.255 static (inside,outside) IMIPublic IMI netmask 255.255.255.255 static (inside,outside) SLT_New_Public SLT_Local netmask 255.255.255.255 static (inside,outside) netmask 255.255.255.255 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 202.133.48.65 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.0.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map rvpn_map 65535 set pfs crypto dynamic-map rvpn_map 65535 set transform-set ESP-3DES-SHA crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer  crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 2 match address outside_cryptomap crypto map outside_map 2 set pfs crypto map outside_map 2 set peer crypto map outside_map 2 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic rvpn_map crypto map outside_map interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=yantraind proxy-ldc-issuer crl configure crypto ca server shutdown crypto ca certificate chain ASDM_TrustPoint0 certificate f8684749     30820252 308201bb a0030201 020204f8 68474930 0d06092a 864886f7 0d010104     0500303b 31123010 06035504 03130979 616e7472 61696e64 31253023 06092a86     4886f70d 01090216 1679616e 74726169 6e642e79 616e7472 612e696e 74726130     1e170d30 38313231 36303833 3831365a 170d3138 31323134 30383338 31365a30     3b311230 10060355 04031309 79616e74 7261696e 64312530 2306092a 864886f7     0d010902 16167961 6e747261 696e642e 79616e74 72612e69 6e747261 30819f30     0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f6d1d0 d536624d     de9e4a2e 215a3986 98087e65 be9f6c0f b8f6dc3e 151c5603 21afdebe 85b2917b     297b1d1c b3abf5c6 628afbbe dda1ca27 01282aff 6514f62f 2965c87c 8aab0273     ab59dac6 aa9f549b 846d93fd 44c7f84f b29545bb d0db8bbb 060dfbbf 592a15e3     3db126be 541003c4 38754847 0b472e62 d092fec2 d556f9e3 09020301 0001a363     3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403     02018630 1f060355 1d230418 30168014 9f66b685 2ebf0d5a 97a684ba 9a9518ca     a8ed637e 301d0603 551d0e04 1604149f 66b6852e bf0d5a97 a684ba9a 9518caa8     ed637e30 0d06092a 864886f7 0d010104 05000381 81003b49 2a7ee503 79b47792     6ce90453 70cf200e 943eccd7 deab53e0 2348d566 fe6aa8e0 302b922c 12df802d     398674f3 b1bc55f2 fe2646d5 c59689c2 c6693b0f 14081661 bafb233b 1b296708     fc2b6cbb ba1a005e 37073d72 4156b582 4521e673 ba6c7f7d 2d6941c4 9e076c39     73de21b9 712f69ed 7aab4bda 365d7eb3 39c05d27 e2dd   quit crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 192.168.0.0 255.255.255.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh timeout 15 ssh version 2 console timeout 0 dhcpd address 192.168.0.126-192.168.0.150 inside dhcpd dns 192.168.0.106 192.168.0.10 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 webvpn group-policy DfltGrpPolicy attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-dns value 192.168.0.106 group-policy rvpn internal group-policy rvpn attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value rvpn_stunnel default-domain value yantra.intra username rreddy password 6p4HjBmf02hqbnrL encrypted privilege 15 username bsai password 41f5/8EINw6VQ5Os encrypted username bsai attributes service-type remote-access username Telnet password U.eMKTkIYZQA83Al encrypted privilege 15 username prashantt password BdrzfvDcOsnHBIdz encrypted username prashantt attributes service-type remote-access username m.shiva password p5YdC3kTJcnceaT/ encrypted username m.shiva attributes service-type remote-access username Senthil password qKYIiJ9NmC8NYvCA encrypted username Senthil attributes service-type remote-access username agupta password p3slrWEH1ye5/P2u encrypted username agupta attributes service-type remote-access username Yogesh password uQ3pfHI2wLvg8B8. encrypted username Yogesh attributes service-type remote-access username phanik password inZN0zXToeeR9bx. encrypted username phanik attributes service-type remote-access username murali password Ckpxwzhdj5RRu2tF encrypted privilege 15 username mgopi password stAEoJodb2CfgruZ encrypted privilege 15 username bill password Z1KSXIEPQkLN3OdQ encrypted username bill attributes service-type remote-access username Shantala password aCvfO5/PcsZc3Z5S encrypted username Shantala attributes service-type remote-access username maheshm password Fry56.leIsT9VHsv encrypted username maheshm attributes service-type remote-access username dhanj password zotUI9D6WWrMAh8T encrypted username dhanj attributes service-type remote-access username npatel password vOfMuOZg0vSkICyF encrypted username npatel attributes service-type remote-access username bmandakini password Y5UZuahgr6vd6ccE encrypted username bmandakini attributes service-type remote-access tunnel-group rvpn type remote-access tunnel-group rvpn general-attributes address-pool rvpn-ip tunnel-group rvpn ipsec-attributes pre-shared-key * tunnel-group  type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * tunnel-group type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * ! class-map global-class match default-inspection-traffic class-map inspection_default ! ! policy-map global_policy policy-map global-policy class global-class   inspect esmtp   inspect sip    inspect pptp   inspect ftp   inspect ipsec-pass-thru ! service-policy global-policy global prompt hostname context Cryptochecksum:7042504fefd0d22ce4de7f6fa4da14fa : end 

  Thanking you in advance

  Hello

  If you want to have Split-tunnelin in use. One you have patterns for.

  Then you will need to fix the configured "private group policy" under the "tunnel - private-group

  tunnel-group private general-attributes

  strategy - by default-private group

  Then reconnect the VPN Client connection and try again.

  After that the VPN Client connection only transmits traffic directed to the LAN on the VPN Client connection and all Internet traffic beyond the VPN connection directly to the Internet through the current connection of the users.

  -Jouni

• Client VPN Cisco ASA 5505 Cisco 1841 router

  Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

  My topology is almost as follows

  customer - tunnel - 1841 - ASA - PC

  ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

  Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

  ISAKMP nat-traversal crypto

  Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

• Error of customer Cisco VPN connection ASA 5505

  I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

  CISCO VPN CLIENT LOG

  Cisco Systems VPN Client Version 5.0.06.0160

  Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 6.1.7600

  Config files directory: C:\Program Cisco Systems Client\

  1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "71.xx.xx.253".

  4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 71.xx.xx.253.

  5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

  From IKE Phase 1 negotiation

  6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

  7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

  9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer is a compatible peer Cisco-Unity

  10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports XAUTH

  11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports the DPD

  12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports NAT - T

  13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports fragmentation IKE payloads

  14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

  IOS Vendor ID successful construction

  15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

  16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

  Sent a keepalive on the IPSec Security Association

  17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

  IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

  18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

  Automatic NAT detection status:

  Remote endpoint is NOT behind a NAT device

  This effect is behind a NAT device

  19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

  20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

  21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

  Customer address a request from firewall to hub

  22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

  23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

  26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

  27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

  28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

  29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

  30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

  31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

  32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

  33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

  34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

  35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

  Data in mode Config received

  36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

  Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

  37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

  38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

  40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify has value of 86400 seconds

  41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

  This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

  42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

  44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

  45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

  IPsec security association negotiation made scrapped, MsgID = 89EE7032

  46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

  47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

  Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

  49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

  50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

  51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

  ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

  52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  ----------------------------------------------------------------------------------------

  ASA 5505 CONFIG

  : Saved

  :

  ASA Version 8.2 (1)

  !

  ciscoasa hostname

  domain masociete.com

  activate tdkuTUSh53d2MT6B encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 172.26.0.252 255.255.0.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 71.xx.xx.253 255.255.255.240

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone IS - 5

  clock to summer time EDT recurring

  DNS server-group DefaultDNS

  domain masociete.com

  access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

  Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

  outside_access_in list extended access permit icmp any one

  outside_access_in list extended access udp allowed any any eq 4500

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

  outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

  inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

  inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

  ICMP unreachable rate-limit 1 burst-size 1

  enable ASDM history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

  static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  Enable http server

  http 172.26.0.0 255.255.0.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd outside auto_config

  !

  no basic threat threat detection

  no statistical access list - a threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server WINS 172.26.0.250 172.26.0.251

  value of 172.26.0.250 DNS server 172.26.0.251

  Protocol-tunnel-VPN IPSec l2tp ipsec svc

  value by default-field TLCUSA

  internal LIMUVPNPOL1 group policy

  LIMUVPNPOL1 group policy attributes

  value of 172.26.0.250 DNS server 172.26.0.251

  VPN-idle-timeout 30

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list LIMU_Split_Tunnel_List

  the address value VPN_POOL pools

  internal TLCVPNGROUP group policy

  TLCVPNGROUP group policy attributes

  value of 172.26.0.250 DNS server 172.26.0.251

  Protocol-tunnel-VPN IPSec l2tp ipsec svc

  Re-xauth disable

  enable IPSec-udp

  value by default-field TLCUSA

  barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

  username barry.julien attributes

  VPN-group-policy TLCVPNGROUP

  Protocol-tunnel-VPN IPSec l2tp ipsec

  bjulien bhKBinDUWhYqGbP4 encrypted password username

  username bjulien attributes

  VPN-group-policy TLCVPNGROUP

  attributes global-tunnel-group DefaultRAGroup

  address VPN_POOL pool

  Group Policy - by default-DefaultRAGroup

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  no authentication ms-chap-v1

  ms-chap-v2 authentication

  type tunnel-group TLCVPNGROUP remote access

  attributes global-tunnel-group TLCVPNGROUP

  address VPN_POOL pool

  Group Policy - by default-TLCVPNGROUP

  IPSec-attributes tunnel-group TLCVPNGROUP

  pre-shared-key *.

  ISAKMP ikev1-user authentication no

  tunnel-group TLCVPNGROUP ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

  : end

  enable ASDM history

  can you try to change the transformation of dynamic value ESP-3DES-SHA map.

  for example

  remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

  and replace with

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

• Site to site vpn problem

  Hello world

  I have a problem with the vpn site to site between two cisco routers. The configurations are:

  Site has

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  Group 2
  life 86000
  ISAKMP crypto secrettestkey key address x.x.x.x
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac S2S
  !
  S2S 10 ipsec-isakmp crypto map
  defined peer x.x.x.x
  game of transformation-S2S
  match address S2S

  interface FastEthernet4
  IP address y.y.y.y 255.255.255.252
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  card crypto S2S
  !
  !
  interface Vlan1
  no ip address
  !
  !
  interface Vlan12
  IP 192.168.100.1 address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  !
  !
  IP forward-Protocol ND
  no ip address of the http server
  no ip http secure server
  !
  !
  overload of IP nat inside source list 100 interface FastEthernet4
  IP route 0.0.0.0 0.0.0.0 y.y.y.x
  IP route 192.168.14.0 255.255.255.0 y.y.y.x
  !
  S2S extended IP access list
  IP 192.168.100.0 allow 0.0.0.255 192.168.14.0 0.0.0.255
  !
  access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
  access-list 100 permit ip 192.168.100.0 0.0.0.255 any

  Site B

  crypto ISAKMP policy 20
  BA 3des
  preshared authentication
  Group 2
  life 86000

  ISAKMP crypto secrettestkey key address x.x.x.x

  Crypto ipsec transform-set esp-3des esp-sha-hmac testS2S

  DCMAP 20 ipsec-isakmp crypto map
  tunnel test Description
  defined peer x.x.x.x
  Set transform-set testS2S
  match the address testS2S

  interface GigabitEthernet0/0
  Description. : Outside:.
  IP address y.y.y.y 255.255.255.224
  IP access-group OUTSIDE2INSIDE in
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  media type rj45
  card crypto DCMAP

  IP route 192.168.100.0 255.255.255.0 y.y.y.x

  testS2S extended IP access list
  IP 192.168.14.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  There is also a NAT - T configuration on this site

  Tunnel is not coming. The status is MM_NO_STATE

  What are the causes of the problem? Please notify.

  Hello

  Check out the link. Its for remote access IPSec. Try to remove the config and reapply the card encryption.

  Second in debugging, see router goes for x-auth.

  04:35:44.707 26 Jan: ISAKMP: Config payload REQUEST
  26 jan 04:35:44.707: ISAKMP: (2083): no provision of demand
  04:35:44.707 26 Jan: ISAKMP: Invalid configuration REQUEST
  04:35:44.707 26 Jan: ISAKMP (2083): action of WSF returned the error: 2
  04:35:44.707 26 Jan: ISAKMP: (2083): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

  You can disable using xauth No. in the end of statement isakmp key.

  # isakmp crypto key 0 abc address x.x.x.x No.-xauth

  HTH

• Site-2-Site VPn problem

  Guys,

  I'm new in the world of IP VPN. I am setting up a site 2 site between 2 routers Cisco 1841 vpn. I have SDSL connection on both ends and I am able to ping outside intellectual property both ok but with vpn configuration problems. The VPN tunnel is not come and show crypto isakmp its shows me nothing. I enabled debugging on isakmp and ipsec but no display of the trace. Attached is my router config, I have a similar config on the other end.

  Help, please!

  See you soon,.

  K

  This ping will never work, ping now you will from the dialer interface, go ahead and do

  source of ping 192.168.1.1 192.168.0.254