Site to Site VPN through a NAT device

I am having trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz.124-15.T1, which I hope I can get some help with; I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the internet and had public IP addresses on their WAN interfaces, but I had to move one of them inside the firewall, on a private IP address. The installation is now as below.

Router VPN A (192.168.248.253) - internal company network - Fortigate FW - internet - (217.155.113.179) Router VPN B

The Fortigate FW is doing some address translation:
- traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
- traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
- Firewall rules allow all traffic between the 2 devices, no port locking enabled.

- The 37.205.62.5 address is not used by anything else.

I basically have a GRE tunnel between the two routers, and I'm trying to encrypt it.

Router A shows as below

SERVER-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
        Peer = 217.155.113.179
        Extended IP access list 101
            access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
        Current peer: 217.155.113.179
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                STRONG,
        }
        Interfaces using crypto map S2S_VPN:
                FastEthernet0/1

SERVER-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 217.155.113.179 port 500
  IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 217.155.113.179 port 4500
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
  IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive

Router B shows as below

BSU-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
        Peer = 37.205.62.5
        Extended IP access list 101
            access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
        Current peer: 37.205.62.5
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                STRONG,
        }
        Interfaces using crypto map S2S_VPN:
                FastEthernet0/1

BSU-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 37.205.62.5 port 500
  IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 37.205.62.5 port 4500
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
  IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive

I can see counters incrementing on the ACL on both routers, so I don't know whether the traffic is being classified as interesting.

Here are a few debugs too
--------------
Router A

debug crypto isakmp

*Mar  2 23:07:10.898: ISAKMP:(1024):purging node 940426884
*Mar  2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
*Mar  2 23:07:10.898: ISAKMP:(1024):purging node -475409474
*Mar  2 23:07:20.794: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
*Mar  2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
*Mar  2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
*Mar  2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
*Mar  2 23:07:20.794: ISAKMP: local port 500, remote port 500
*Mar  2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
*Mar  2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  2 23:07:20.794: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar  2 23:07:20.798: ISAKMP:(0): local preshared key found
*Mar  2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
*Mar  2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  2 23:07:20.798: ISAKMP:      encryption DES-CBC
*Mar  2 23:07:20.798: ISAKMP:      hash SHA
*Mar  2 23:07:20.798: ISAKMP:      default group 1
*Mar  2 23:07:20.798: ISAKMP:      auth pre-share
*Mar  2 23:07:20.798: ISAKMP:      life type in seconds
*Mar  2 23:07:20.798: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
*Mar  2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  2 23:07:20.802: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
*Mar  2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  2 23:07:20.822: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Mar  2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar  2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
*Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar  2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
*Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar  2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
*Mar  2 23:07:20.854: ISAKMP:received payload type 20
*Mar  2 23:07:20.854: ISAKMP (1027): NAT found, the node inside NAT
*Mar  2 23:07:20.854: ISAKMP:received payload type 20
*Mar  2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Mar  2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar  2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar  2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
*Mar  2 23:07:20.902: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Mar  2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar  2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
*Mar  2 23:07:20.902: ISAKMP (1027): ID payload
        next-payload : 8
        type         : 1
        address      : 217.155.113.179
        protocol     : 17
        port         : 0
        length       : 12
*Mar  2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
*Mar  2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 6464D3F0
*Mar  2 23:07:20.906: ISAKMP:(1027):SA authentication status:
        authenticated
*Mar  2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
*Mar  2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
*Mar  2 23:07:20.906: ISAKMP:Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
*Mar  2 23:07:20.906: ISAKMP:Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
*Mar  2 23:07:20.906: ISAKMP:Deleting peer node by peer_reap for 217.155.113.179: 64960C04
*Mar  2 23:07:20.906: ISAKMP:Locking peer struct 0x648EAD00, refcount 2 for peer reuse existing peer
*Mar  2 23:07:20.906: ISAKMP:(1027):SA authentication status:
        authenticated
*Mar  2 23:07:20.906: ISAKMP:(1027):Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
*Mar  2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
*Mar  2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.

*Mar  2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
*Mar  2 23:07:20.906: ISAKMP:(0): Unable to decrement IKE Call Admission Control incoming_active stat because it's already 0.
*Mar  2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
*Mar  2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar  2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
*Mar  2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar  2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
*Mar  2 23:07:20.910: ISAKMP:(1026):purging node -98987637
*Mar  2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 23:07:20.910: ISAKMP (1027): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.248.253
        protocol     : 17
        port         : 0
        length       : 12
*Mar  2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
*Mar  2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Mar  2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar  2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar  2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
*Mar  2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
*Mar  2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
*Mar  2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
*Mar  2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
*Mar  2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  2 23:07:20.930: ISAKMP (1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
*Mar  2 23:07:20.934: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar  2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
*Mar  2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
*Mar  2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
*Mar  2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
*Mar  2 23:07:20.934: ISAKMP: transform 1, ESP_AES
*Mar  2 23:07:20.934: ISAKMP:   attributes in transform:
*Mar  2 23:07:20.934: ISAKMP:      encaps is 3 (Tunnel-UDP)
*Mar  2 23:07:20.934: ISAKMP:      SA life type in seconds
*Mar  2 23:07:20.934: ISAKMP:      SA life duration (basic) of 3600
*Mar  2 23:07:20.934: ISAKMP:      SA life type in kilobytes
*Mar  2 23:07:20.934: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  2 23:07:20.934: ISAKMP:      key length is 128
*Mar  2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
*Mar  2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
*Mar  2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
*Mar  2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
*Mar  2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1688526152, message ID = 1961554007
*Mar  2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar  2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar  2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
*Mar  2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
*Mar  2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
*Mar  2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
*Mar  2 23:07:24.510: ISAKMP:(1027):sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar  2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
*Mar  2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
*Mar  2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar  2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar  2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 23:07:24.530: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar  2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
*Mar  2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
*Mar  2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 3268378219, message ID = 1318257670, sa = 6464D3F0
*Mar  2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
*Mar  2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
*Mar  2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
*Mar  2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  2 23:07:40.898: ISAKMP:(1025):purging node -238086324
*Mar  2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
*Mar  2 23:07:40.898: ISAKMP:(1025):purging node -321906720

Router B
----------
debug crypto isakmp

1d23h: ISAKMP:(0): SA request profile is (NULL)
1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
1d23h: ISAKMP: local port 500, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

1d23h: ISAKMP:(0):beginning Main Mode exchange
1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP (0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

1d23h: ISAKMP:(0): processing SA payload. message ID = 0
1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): local preshared key found
1d23h: ISAKMP : Scanning profiles for xauth ...
1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
1d23h: ISAKMP:      encryption DES-CBC
1d23h: ISAKMP:      hash SHA
1d23h: ISAKMP:      default group 1
1d23h: ISAKMP:      auth pre-share
1d23h: ISAKMP:      life type in seconds
1d23h: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
1d23h: ISAKMP:(0):Acceptable atts:life: 0
1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
1d23h: ISAKMP:(0)::Started lifetime timer: 86400.

1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

1d23h: ISAKMP (0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

1d23h: ISAKMP:(0): processing KE payload. message ID = 0
1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is Unity
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is DPD
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): speaking to another IOS box!
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP (1034): NAT found, the node outside NAT
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4  New State = IKE_I_MM4

1d23h: ISAKMP:(1034):Send initial contact
1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d23h: ISAKMP (1034): ID payload
        next-payload : 8
        type         : 1
        address      : 217.155.113.179
        protocol     : 17
        port         : 0
        length       : 12
1d23h: ISAKMP:(1034):Total payload length: 12
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4  New State = IKE_I_MM5

1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
1d23h: ISAKMP (1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 33481563 to QM_IDLE
1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
1d23h: ISAKMP:received payload type 18
1d23h: ISAKMP:(1033): processing delete with reason payload
1d23h: ISAKMP:(1033): delete doi = 1
1d23h: ISAKMP:(1033): delete protocol id = 1
1d23h: ISAKMP:(1033): delete spi_size =  16
1d23h: ISAKMP:(1033): delete num spis = 1
1d23h: ISAKMP:(1033): delete_reason = 11
1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.

1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE       (peer 37.205.62.5)
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1033):purging node 1618266182
1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
1d23h: ISAKMP (1034): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.248.253
        protocol     : 17
        port         : 0
        length       : 12
1d23h: ISAKMP:(0):: peer matches *none* of the profiles
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
1d23h: ISAKMP:(1034):SA authentication status:
        authenticated
1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
1d23h: ISAKMP:Trying to insert a peer 217.155.113.179/37.205.62.5/4500/,  and found existing one 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP:Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
1d23h: ISAKMP:Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP:Locking peer struct 0x643BCA10, refcount 2 for peer reuse existing peer
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_I_MM5  New State = IKE_I_MM6

1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE       (peer 37.205.62.5)
1d23h: ISAKMP:(0): Unable to decrement IKE Call Admission Control outgoing_active stat because it's already 0.
1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6  New State = IKE_I_MM6

1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
1d23h: ISAKMP:(1034):QM Initiator gets spi
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node -874376893 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 56853244, message ID = -874376893, sa = 652CBDC4
1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

1d23h: ISAKMP (1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 439453045 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
1d23h: ISAKMP:(1034):Checking IPSec proposal 1
1d23h: ISAKMP: transform 1, ESP_AES
1d23h: ISAKMP:   attributes in transform:
1d23h: ISAKMP:      encaps is 3 (Tunnel-UDP)
1d23h: ISAKMP:      SA life type in seconds
1d23h: ISAKMP:      SA life duration (basic) of 3600
1d23h: ISAKMP:      SA life type in kilobytes
1d23h: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
1d23h: ISAKMP:      key length is 128
1d23h: ISAKMP:(1034):atts are acceptable.
1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1687353736, message ID = 1494356901
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):purging node 1494356901
1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY  New State = IKE_QM_READY
1d23h: ISAKMP:(1032):purging node 1513722556
1d23h: ISAKMP:(1032):purging node -643121396
1d23h: ISAKMP:(1032):purging node 1350014243
1d23h: ISAKMP:(1032):purging node 83247347
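The debugs above are long, and the three facts that matter are buried in them: NAT-T detected a NAT (router A says "the node inside NAT", router B "the node outside NAT"), Phase 1 reached IKE_P1_COMPLETE on both sides, and every quick mode attempt ends in "IPSec policy invalidated proposal with error 32" followed by a PROPOSAL_NOT_CHOSEN notify. The following is an added example, not code from the thread or from Cisco: a small triage script for `debug crypto isakmp` output that extracts exactly those facts. The regexes target the standard IOS debug strings; the sample lines are constructed to mirror the router A debug, and the `verdict` wording is my own.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output.

Added example, not code from the thread or from Cisco. It walks the debug
lines, follows the IKE state machine per SA id and reports what a
practitioner checks first on a tunnel that will not come up behind a NAT:
did NAT-T detect a NAT (and on which side), did Phase 1 reach
IKE_P1_COMPLETE, and was the Phase 2 (quick mode) proposal rejected, for
which local/remote pair and with which error code.
"""
import re

# One prefix pattern for the SA id in its two IOS spellings:
# "ISAKMP:(1027):" and "ISAKMP (1027):".
SA = r"ISAKMP:?\s*\((\d+)\):?\s*"
RE_STATE = re.compile(SA + r"Old State = (\S+)\s+New State = (\S+)")
RE_NAT = re.compile(SA + r"NAT found, the node (inside|outside) NAT")
RE_ERROR = re.compile(SA + r"IPSec policy invalidated proposal with error (\d+)")
RE_P2_REJECT = re.compile(
    SA + r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
RE_NOTIFY = re.compile(SA + r"processing NOTIFY (\w+) protocol (\d+)")


def verdict(s):
    """Phase 1 up but quick mode refused, locally or by the peer, points at the
    crypto ACLs / proxy identities rather than at the IKE policy or the PSK."""
    if not s["phase1_complete"]:
        return "phase1-incomplete"
    if s["rejected_pairs"] or s["error_codes"] or "PROPOSAL_NOT_CHOSEN" in s["notifies"]:
        return "phase2-proposal-mismatch"
    return "phase2-not-rejected"


def triage(lines):
    """Scan debug lines and return a summary dict with a one-word verdict."""
    summary = {
        "nat_side": None,          # "inside" or "outside" NAT, from the NAT-D payloads
        "phase1_complete": False,  # some SA reached IKE_P1_COMPLETE
        "last_state": {},          # sa id -> last New State seen
        "error_codes": [],         # IPsec policy error codes, e.g. 32
        "rejected_pairs": [],      # (local, remote) pairs whose phase 2 policy was refused
        "notifies": [],            # NOTIFY types received from the peer
    }
    for line in lines:
        if m := RE_STATE.search(line):
            sa, _old, new = m.groups()
            summary["last_state"][sa] = new
            if new == "IKE_P1_COMPLETE":
                summary["phase1_complete"] = True
        elif m := RE_NAT.search(line):
            summary["nat_side"] = m.group(2)
        elif m := RE_ERROR.search(line):
            summary["error_codes"].append(int(m.group(2)))
        elif m := RE_P2_REJECT.search(line):
            summary["rejected_pairs"].append((m.group(2), m.group(3)))
        elif m := RE_NOTIFY.search(line):
            summary["notifies"].append(m.group(2))
    summary["verdict"] = verdict(summary)
    return summary


# Constructed sample, modelled on the router A debug in the thread.
SAMPLE_DEBUG = """\
*Mar  2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  2 23:07:20.854: ISAKMP (1027): NAT found, the node inside NAT
*Mar  2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
*Mar  2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
*Mar  2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG.splitlines())
    for key in ("nat_side", "phase1_complete", "error_codes",
                "rejected_pairs", "notifies", "verdict"):
        print(f"{key}: {result[key]}")
```

Run it over a saved `debug crypto isakmp` capture from each router; a "phase2-proposal-mismatch" verdict with a NAT detected means the pre-shared key and IKE policy are fine and the thing to compare is the crypto ACL on each side against the addresses the peer actually proposes through the translation (here 192.168.248.253 on one side versus 37.205.62.5 on the other).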

Hi Nav,

I'm happy it's working now. Your interpretation is correct. Transport mode IPsec encrypts only the payload, while tunnel mode encrypts the whole IP packet (original header + payload) and inserts a new IP header. Thus tunnel mode is used for IPsec site-to-site VPNs and transport mode is used for point-to-point IPsec VPNs. When GRE is used with IPsec, all packets are encapsulated with a GRE header first, so essentially this is a point-to-point IPsec VPN.

The problem you were having with tunnel mode: the packet from router A is wrapped with a GRE header with source 192.168.248.253 and destination 217.155.113.179. The whole packet is then encrypted and a new IP header is added with the same source/destination. This new header will be translated by the FW, but the encapsulated and encrypted GRE header will not. When the packet arrives at router B, after decrypting the packet, router B will see the GRE header, whose source/destination differ from the ones its tunnel uses. This breaks the GRE tunnel and the routing protocol between router A and router B.

HTH,

Lei Tian
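The header argument in the answer above can be checked mechanically. The following is an added example, not code from the thread: a small model in which a packet is a stack of headers, ESP in tunnel mode adds a new outer IP header while transport mode keeps the original one, and a source NAT can only rewrite the outermost IP header it can see. The addresses are the ones from the thread and the NAT mapping is the Fortigate's; the NAT-T UDP wrapper that actually carries ESP through the firewall (port 4500 in the debugs) is omitted because the NAT rewrites addresses, not the ESP contents, and the `ROUTER_*` names and the helper functions are my own.

```python
"""Model of GRE over IPsec across a source NAT: tunnel mode vs transport mode.

Added example following Lei Tian's explanation above; not code from the
thread. Headers are dicts stacked outermost-first, and the only thing the
NAT can touch is the outermost IPv4 header.
"""
from copy import deepcopy

ROUTER_A_INSIDE = "192.168.248.253"  # router A's real (private) address
ROUTER_A_PUBLIC = "37.205.62.5"      # what the Fortigate translates it to
ROUTER_B = "217.155.113.179"


def gre_packet(src, dst, payload="routing protocol hello"):
    """A GRE packet as router A emits it: [IPv4, GRE, payload]."""
    return [{"hdr": "ipv4", "src": src, "dst": dst},
            {"hdr": "gre"},
            {"hdr": "payload", "data": payload}]


def esp_encapsulate(pkt, mode):
    """Tunnel mode: new outer IPv4 header (same src/dst, pre-NAT) in front of ESP
    protecting the whole original packet. Transport mode: keep the original
    IPv4 header; ESP protects only what follows it (here GRE + payload)."""
    if mode == "tunnel":
        return [dict(pkt[0]), {"hdr": "esp", "protected": deepcopy(pkt)}]
    if mode == "transport":
        return [dict(pkt[0]), {"hdr": "esp", "protected": deepcopy(pkt[1:])}]
    raise ValueError(f"unknown IPsec mode {mode!r}")


def nat_translate(pkt, inside, public):
    """Source NAT on the firewall: rewrites the outer IPv4 source only. Anything
    inside ESP is opaque ciphertext to it."""
    pkt = deepcopy(pkt)
    if pkt[0]["src"] == inside:
        pkt[0]["src"] = public
    return pkt


def esp_decapsulate(pkt, mode):
    """Router B removes ESP. In tunnel mode the protected inner packet (with its
    untranslated header) is what remains; in transport mode the translated
    outer header survives in front of the protected GRE + payload."""
    esp = pkt[1]
    if mode == "tunnel":
        return esp["protected"]
    return [pkt[0]] + esp["protected"]


def gre_peer_seen_by_b(mode):
    """Source address on the GRE packet router B ends up looking at."""
    pkt = gre_packet(ROUTER_A_INSIDE, ROUTER_B)
    pkt = esp_encapsulate(pkt, mode)
    pkt = nat_translate(pkt, ROUTER_A_INSIDE, ROUTER_A_PUBLIC)
    return esp_decapsulate(pkt, mode)[0]["src"]


def gre_tunnel_accepts(mode, b_tunnel_destination=ROUTER_A_PUBLIC):
    """Router B's GRE tunnel destination is the public address it can reach; the
    decrypted GRE packet's source must match it or the tunnel is broken."""
    return gre_peer_seen_by_b(mode) == b_tunnel_destination


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        print(f"{mode:9s}: B sees GRE source {gre_peer_seen_by_b(mode)}, "
              f"tunnel {'ok' if gre_tunnel_accepts(mode) else 'BROKEN'}")
```

The tunnel-mode path reproduces the failure in the thread: the GRE header router B decrypts still says 192.168.248.253, which is not its tunnel destination. In transport mode the NAT has rewritten the one header that survives decryption, so router B sees 37.205.62.5 and the GRE tunnel lines up.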

Tags: Cisco Security

Similar Questions

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about Site to Site IPsec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using destination 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)

    The translation holds for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider, where we provided this to our customers (IPsec Site to Site VPN with NAT, don't know how it was set up)

    Basically we contacted the customer hosts via the site-to-site VPN, but their real addresses were hidden and we used the translated range 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so I went with the old format of NAT configuration.

    It seems to me that you could do the following:

    • Configure ASA1 with static Policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static Policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration should not interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT Exemption for the 10.1.0.0/16 network as usual
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that the access-list defining the encrypted L2L VPN traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration tomorrow, but I would like to know whether it works.

    Please rate if this was helpful

    -Jouni

  • PAT/NAT and VPN through a PIX

    "PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE" - this is an excerpt from a PIX configuration guide, version 6.2 and below.

    1. How has this problem been fixed in 6.3? Is GRE encapsulated in UDP or TCP so that ports can be used to track the connection?

    2. Does "fixup protocol esp-ike" use the same technique - the source port created by the IKE protocol? - ISAKMP cannot be enabled when you use this command.

    3. What is "isakmp nat-traversal"? How is this different from "fixup protocol esp-ike"?

    Thank you

    RJ

    1. When the PIX sees outgoing PPTP (TCP port 1723) packets it now opens holes for them to return, as well as opening a hole for the GRE packets; it never did this before. The PPTP TCP packets can be PATed just fine because they are TCP packets. GRE packets, I believe, are tracked only by the tunnel id field in the packet.

    2. We use the source port of the ISAKMP packet for the ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to terminate IPSec sessions, so you cannot turn on ISAKMP on any interface. You can also only have a single internal IPSec client using this feature.

    3. NAT-T is a new standard for IPSec peers to work through a NAT device: they detect address changes during tunnel negotiation and automatically encapsulate packets in UDP 4500. This allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp-ike fixup" in that the PIX does not actually terminate the IPSec tunnel with esp-ike, but it is the endpoint with nat-t.
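    The NAT detection described in the last answer is done with IKEv1 NAT-D payloads (RFC 3947). The following is an added example, not code from this thread or from Cisco: each peer hashes the addresses it believes are on the wire together with the ISAKMP cookies, and the recipient recomputes the hashes from the addresses it actually observed in the IP/UDP headers; any mismatch means a NAT sits on that side, and both peers then move to UDP 4500. Cookies and addresses are constructed sample values (RFC 5737 documentation ranges); `simulate` and the other function names are this example's own.

```python
"""IKEv1 NAT-T detection with NAT-D payloads (RFC 3947), added example.

Not code from the thread or from Cisco. Cookies and addresses are
constructed sample values in documentation address ranges.
"""
import hashlib
import ipaddress
import struct

ISAKMP_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_alg: str = "sha1") -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port): IPv4 address as 4 octets,
    port as a 2-octet network-order integer (RFC 3947 section 3.2).
    The hash is the one negotiated in the ISAKMP SA; SHA-1 is assumed here."""
    payload = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_alg, payload).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender side. The first NAT-D payload covers the destination (peer)
    address as the sender sees it, the following one(s) the sender's own address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, payloads, my_ip, my_port, observed_src_ip, observed_src_port):
    """Recipient side. Returns (sender_behind_nat, recipient_behind_nat).

    If the first payload does not match the recipient's own address, the
    recipient is behind NAT. If none of the remaining payloads match the
    source address the packet actually arrived from, the sender is behind NAT."""
    recipient_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    sender_behind_nat = observed not in payloads[1:]
    return sender_behind_nat, recipient_behind_nat


def esp_transport_port(sender_behind_nat, recipient_behind_nat):
    """Once either side is behind NAT, IKE and UDP-encapsulated ESP use port 4500."""
    return NAT_T_PORT if (sender_behind_nat or recipient_behind_nat) else ISAKMP_PORT


def simulate(initiator_ip, nat_public_ip, responder_ip):
    """Initiator behind a NAT that rewrites its source to nat_public_ip (port kept).
    Pass nat_public_ip equal to initiator_ip to simulate no NAT on the path."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    payloads = build_nat_d_payloads(cky_i, cky_r, initiator_ip, ISAKMP_PORT,
                                    responder_ip, ISAKMP_PORT)
    # The responder sees the packet arrive from the NAT's public address.
    sender_nat, me_nat = detect_nat(cky_i, cky_r, payloads, responder_ip, ISAKMP_PORT,
                                    nat_public_ip, ISAKMP_PORT)
    return sender_nat, me_nat, esp_transport_port(sender_nat, me_nat)


if __name__ == "__main__":
    print(simulate("10.0.0.5", "198.51.100.7", "203.0.113.9"))      # (True, False, 4500)
    print(simulate("198.51.100.7", "198.51.100.7", "203.0.113.9"))  # (False, False, 500)
```

    A PAT device that keeps the IP but rewrites the UDP source port is caught the same way, since the port is part of the hashed data; this is what lets a peer behind a home DSL modem still negotiate, which is what the esp-ike fixup could not do for more than one client.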

  • Site-to-Site VPN between two Cisco 2801 with NAT traversal

    Hi guys,

    I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL lines have RFC1918 addresses on the LAN side, where the routers connecting to the internet face. I can do NAT on the DSL modems.

    Do Cisco IOS 2801 routers allow configuring site-2-site VPN with NAT traversal?

    Here is a model of the physical/IP configuration:

    LAN <-> 2801 <-Priv IP-> DSL modem <-Internet-> DSL modem <-Priv IP-> 2801 <-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go only if one or both of the sites has an IP address which is statically NATted to the private IP address. The IPSec implementation on IOS supports NAT traversal in most cases, so that shouldn't be a concern.

  • SSL VPN through the same internet connection to another site

    Hi, I have a network with a Juniper SSL box that connects to the DMZ port of an ASA5510, where the outside of the ASA is the same as the outside of the SSL VPN box.

    I have no issues at all accessing the internal network.

    Now, I need the Juniper SSL VPN box remote users to connect to my internal remote sites, which take the client connection through an internet router (Cisco, via site to site IPSec VPN) to the remote site.

    Is it possible? My hunch is yes, "it can be done."

    Currently I'm getting nowhere: I get no hits on the ASA DMZ ACL if I try to access remote site resources from the SSL VPN client.

    Diagram attached

    Any help would be appreciated

    Shouldn't be a problem.

    On the Juniper SSL, you must check that routes have been added for the remote IPSec LAN pointing to the ASA DMZ ip address instead of pointing to the internet through the Juniper SSL box.

    You need to configure NAT exemption on the ASA box between the SSL pool subnet and the remote LAN of the IPSec. As a result, you must also include the SSL subnet to remote LAN subnets in the crypto ACL, and mirror that ACL in the crypto ACL on the remote site.

    Hope that helps.

  • Design: Site to Site VPN w/ NAT traversal issue

    Hi, I have a number of site to site VPNs that terminate on a PIX. I intend to migrate these VPNs to a router that sits on a demilitarized zone connected to the PIX. Before doing that I'm going to set up a new VPN terminating on the router, but I also need the VPNs that terminate on the PIX to be unaffected.

    If I configure NAT traversal on the PIX, will my other VPNs be affected?

    Thanks in advance

    DOM

    Hi Dom,

    Why do you want to configure NAT-Traversal on the PIX if you wish to terminate your VPN on the router (which is on the DMZ)?

    Do you do any NAT on the PIX towards the router?

    If you want to configure NAT-Traversal, it must be configured on the end devices (on the router in your case).

    Example:

    When a user with a Cisco client or a Cisco router behind NAT wants to connect to another device (such as a PIX, ASA, or router), NAT-T must be configured on the terminating device (which will be the PIX or ASA).

    Hope that helps.

    * Please rate the post

  • IOS Site to Site VPN - impossible to route after VPN + NAT

    Hello

    I have problems with a VPN on 2 8xx access routers: I am trying to set up a quick and dirty Site to Site VPN with source NAT on one VPN tunnel endpoint. This configuration is only intended to run for a single day. I managed to get the VPN working and I traced the NAT translations on the VPN tunnel endpoint, but I couldn't get these translated packets to move beyond the access router, because the network that is the destination of the VPN traffic is not directly connected to the router. However, I can ping the hosts directly connected to the access router through the VPN.

    Something is causing routing not to work; I don't think it is the NATing, because I tried removing the NAT and I still couldn't trace the outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the Cisco 8xx range of routers.

    Am I stretching the VPN + NAT + routing features too far, or is there a configuration error in my setup?

    This is the configuration on the Cisco 8xx router (I provided only this VPN endpoint, as the other VPN endpoint works)

    VPN endpoints: 10.20.1.2 and 10.10.1.2

    routing to 192.168.2.0 is necessary from 192.168.1.2 to 192.168.1.254

    From 172.31.0.x to 192.168.1.x

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname INSIDEVPN
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    !
    dot11 syslog
    no ip cef
    !
    !
    !
    !
    ip domain name xxxx.xxxx
    !
    multilink bundle-name authenticated
    !
    !
    username root password 7 xxxxxxxxxxxxxx
    !
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxx address 10.20.1.2
    !
    !
    crypto ipsec transform-set VPN-TRANSFORMATIONS esp-3des esp-sha-hmac
    !
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer 10.20.1.2
     set transform-set VPN-TRANSFORMATIONS
     match address 100
    !
    archive
     log config
      hidekeys
    !
    !
    controller DSL 0
     line-term cpe
    !
    !
    !
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 12
     no cdp enable
     crypto map CRYPTOMAP
    !
    interface FastEthernet1
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet2
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet3
     switchport access vlan 2
     no cdp enable
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
    !
    interface Vlan12
     ip address 10.10.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     crypto map CRYPTOMAP
    !
    ip forward-protocol nd
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 10.10.1.254
    ip route 172.31.0.0 255.255.0.0 Vlan12
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 172.31.0.2 192.168.1.11
    ip nat inside source static 172.31.0.3 192.168.1.12
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxx
     login
    !
    scheduler max-task-time 5000
    end

    Hi Jürgen,

    First of all, when I went through your config, I saw these lines:

    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
    !
    !
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    !

    With the 255.255.255.248 mask, 192.168.1.1 and 192.168.1.254 fall into different subnets. So I don't think you can reach the 192.168.2.0/24 subnet from the local router at this point. I think you should fix that first.

    Maybe have 192.168.1.2 255.255.255.248 on the connected router (instead of 192.168.1.254).

    Once this has been done, we will have to look at routing.

    You are natting 172.31.0.2 -> 192.168.1.11

    Now, in order for that to work, make sure that the NAT source addresses (192.168.1.11) are outside the router-to-router subnet (if you go with the 192.168.1.0/29 subnet router-to-router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case your NAT source addresses would fall into the 192.168.1.8/29 subnet.

    Have a static route on the connected router (192.168.1.2) for the network 192.168.1.8/29 pointing to 192.168.1.1:

    !
    ip route 192.168.1.8 255.255.255.248 192.168.1.1
    !

    So return packets will be correctly routed toward our local router.

    If you have an interface on the connected router which includes the NAT source address range, let's say 192.168.1.254/24, even if your packets somehow reach 192.168.2.0/24, the return packet never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will just time out.

    I hope I understood your scenario. Please make the changes and let me know how you went with it.

    Also, please don't forget to rate this post if useful.

    Shamal
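    The reasoning in the answer above (NAT inside-global addresses outside the link subnet, a route on the far router for them, and no connected interface on the far router covering them) can be checked mechanically. The following is an added example, not code from the thread: it uses the addresses quoted in the thread; `plan_return_routing` and the other function names are this example's own, and the far-router subnets passed in are assumptions standing in for the two variants discussed (a /24 on the far router versus the suggested /29).

```python
"""Return-path check for NAT'ed sources over a router-to-router link.

Added example, not code from the thread. Addresses are the ones quoted in
the thread; function names are this example's own.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# 'ip nat inside source static <inside-local> <inside-global>' from the posted config
STATICS = [("172.31.0.2", "192.168.1.11"), ("172.31.0.3", "192.168.1.12")]


def summarize(addrs):
    """Smallest prefix that contains every address: the route to ask the far router for."""
    hosts = sorted(Addr(a) for a in addrs)
    for prefix in range(32, -1, -1):
        candidate = Net((hosts[0], prefix), strict=False)
        if all(h in candidate for h in hosts):
            return candidate


def next_hop_on_link(next_hop, link_subnet):
    """A static route's next hop must sit in a connected subnet, or it never resolves.
    This is the first problem in the posted config (192.168.1.254 vs 192.168.1.0/29)."""
    return Addr(next_hop) in Net(link_subnet)


def plan_return_routing(statics, link_subnet, local_link_ip, far_connected_subnets):
    """statics: [(inside_local, inside_global)] pairs.
    Returns the problems found and the 'ip route' the connected router needs
    so that replies to the translated addresses come back to the local router."""
    link = Net(link_subnet)
    globals_ = [g for _, g in statics]
    problems = []
    for g in globals_:
        if Addr(g) in link:
            problems.append(f"{g} is inside the link subnet {link}; pick addresses outside it")
        for s in far_connected_subnets:
            if Addr(g) in Net(s):
                problems.append(f"{g} is covered by the far router's connected {s}; "
                                "replies are treated as local and never routed back")
    summary = summarize(globals_)
    route = f"ip route {summary.network_address} {summary.netmask} {local_link_ip}"
    return {"summary": str(summary), "far_router_route": route, "problems": problems}


if __name__ == "__main__":
    print(next_hop_on_link("192.168.1.254", "192.168.1.0/29"))   # False
    # far router with 192.168.1.254/24: return traffic is black-holed
    print(plan_return_routing(STATICS, "192.168.1.0/29", "192.168.1.1",
                              ["192.168.1.0/24", "192.168.2.0/24"]))
    # far router re-addressed to 192.168.1.2/29: only the static route is needed
    print(plan_return_routing(STATICS, "192.168.1.0/29", "192.168.1.1",
                              ["192.168.1.0/29", "192.168.2.0/24"]))
```

    The `far_router_route` produced for the posted statics is the `ip route 192.168.1.8 255.255.255.248 192.168.1.1` line the answer asks for; the crypto ACL 100 already covers 192.168.1.0/24, so no change is needed on the VPN side once the link subnet and route are fixed.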

  • ASA accessing servers through its own site to site VPN

    Hello

    I have a problem with access to servers through the site to site VPN from the ASA that terminates this site-to-site VPN and has Clientless VPN enabled.

    Reason why I need it / what I do:

    The ASA 5510 has Clientless VPN enabled, and on this portal users are allowed to access internal servers through URL bookmarks. We use it when someone can't access the IPSec VPN or is in an internet café. The user connects to the clientless vpn and clicks on the bookmark to access, for example, the mail server. But there is a problem: the asa cannot access this server through the site-to-site VPN.

    Network:

    Here's a quick design of my network.

    I don't have a problem accessing the server in VLAN 159 from VLAN 10 or 100. But I need to be able to access the server in Vlan 159 from the ASA 5510 itself, which has the IP 192.168.1.4.

    I have this ASA-owned subnet in the FRONT-NAT object, in the same place where VLAN 10 and 100 are, and in the Site-to-Site vpn profile.

    What am I missing, or how can I solve it?

    Thank you

    When Clientless VPN accesses internal servers, it uses the interface closest to the source of the connection. If you connect via clientless SSL VPN to the ASA5510 and need to access the ASA5505 LAN via the site to site VPN, the interface on the ASA5510 closest to the ASA5505 LAN is the ASA5510 outside interface; therefore, the site-to-site vpn crypto ACL must match on the ASA5510 outside interface ip address.

    Here's what you need on each ASA:

    ASA5510:

    same-security-traffic permit intra-interface

    access-list <crypto-acl-name> permit ip interface outside 192.168.159.0 255.255.255.0

    ASA5505:

    access-list <crypto-acl-name> permit ip 192.168.159.0 255.255.255.0 host <ASA5510-outside-ip>

    In addition, you also need to add the same ACL to the NAT exemption access-list on the ASA5505:

    access-list <nat0-acl-name> permit ip 192.168.159.0 255.255.255.0 host <ASA5510-outside-ip>

    Hope that helps.

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all use the SA520W (firmware 2.1.18). I currently have 3 routers in place; router A has tunnels created to router B and router C. I need assistance with the configuration to allow hosts at router site B to get to router site C. I have attempted to add a static route, but get a destination host unreachable when trying to ping. Also, if I connect to router site A via the Cisco VPN client, I'm not able to get to resources on any site, A, B, or C.

    Site A - 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, this is what you have configured, correct?

              RTR_A
               ||
       ________||________
       ||              ||
     RTR_B           RTR_C

    Since there is no tunnel between B and C there is no way for you to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it is IPSec, right?) of rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routable, which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but it should get you what you need.

    I hope this helps.

  • NAT and Site to site VPN

    Hi all

    We currently have a PIX in our local network. There is a Site to site VPN tunnel between this PIX and another network abroad.

    We have several networks in our local network.

    The VPN tunnel is on a single network: 192.50.175.0/24.

    and the network of the other site is:

    192.100.24.0/21

    Part of the configuration:

    access-list inside_nat0_outbound permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0

    nat (inside) 0 access-list inside_nat0_outbound

    As I said before, we have several networks.

    In particular, we have 192.50.160.0/24 too.

    And we would like this network to be able to use the VPN tunnel also.

    But the other site does not want to carry another of our networks in their LAN.

    They suggest we NAT 192.50.160.0/24 to an IP address in 192.50.175.0/24, so users in the 192.50.160.0/24 network can also use the VPN tunnel.

    Do you know if it is possible to do this with my PIX? And how?

    It's a PIX-515-DMZ, v6.3(5).

    Any help would be appreciated!

    Thank you

    Good point. You should be good then.

  • NAT order of operations on Site to Site VPN on Cisco ASA

    Hello

    I have a question about the NAT order of operations on a Site to Site VPN on Cisco ASA 8.2.x. I have a scenario where the internal IP addresses in the range 10.17.128.x are NATted to public IPs 31.10.10.x. Below is the config:

    The tunnel normally passes traffic to the dmz servers 31.10.11.10, 31.10.11.11.

    But the NATted servers (10.17.128.x <-> 31.10.10.x) do not work.

    crypto map inside_map 50 set transform-set ESP-3DES-SHA

    tunnel-group 100.1.1.1 type ipsec-l2l
    tunnel-group 100.1.1.1 general-attributes
     default-group-policy PHX_HK
    tunnel-group 100.1.1.1 ipsec-attributes
     pre-shared-key *

    group-policy PHX_HK internal
    group-policy PHX_HK attributes
     vpn-filter none
     vpn-tunnel-protocol IPSec svc webvpn

    crypto map inside_map 50 match address outside_cryptomap_50
    crypto map inside_map 50 set peer 100.1.1.1
    crypto map inside_map 50 set transform-set ESP-3DES-SHA
    crypto map inside_map 50 set reverse-route

    object-group network PHX_Local
     network-object host 31.10.11.10
     network-object host 31.10.11.11
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13
     network-object host 10.17.128.20
     network-object host 10.17.128.21
     network-object host 10.17.128.22
     network-object host 10.17.128.23

    object-group network HK_Remote
     network-object host 102.1.1.10

    access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
    access-list ACL_INSIDE extended permit ip object-group PHX_Local object-group HK_Remote
    access-list ACL_OUTSIDE extended permit ip object-group HK_Remote object-group PHX_Local
    access-list outside_cryptomap_50 extended permit ip object-group PHX_Local object-group HK_Remote

    route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

    static (inside,outside) 31.10.10.10 10.17.128.20 netmask 255.255.255.255
    static (inside,outside) 31.10.10.11 10.17.128.21 netmask 255.255.255.255
    static (inside,outside) 31.10.10.12 10.17.128.22 netmask 255.255.255.255
    static (inside,outside) 31.10.10.13 10.17.128.23 netmask 255.255.255.255

    It started to work when I created another object group named PHX_Local1 and added it to the inside_nat0_outbound access list instead of the object group PHX_Local, as below:

    object-group network PHX_Local1
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13

    no access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
    access-list inside_nat0_outbound extended permit ip object-group PHX_Local1 object-group HK_Remote

    Can you please help me understand why the object group PHX_Local failed with the access-list inside_nat0_outbound, but it began to work with the object group PHX_Local1?

    Also, if you could tell me the NAT order of operations over Site to Site VPN, it would be useful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think you could have phrased the original question in a way that was misleading. In other words, I think I understand it now.

    From what I understand now, you have the DMZ servers that are set up with a public IP address on the real servers. And for those you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the ASA.

    If this is the case, then the next question would be: should the servers with NAT join the L2L VPN connection with their real IP or with the NAT IP address?

    Of course, if you configure static NAT and NAT0 for the same servers, the NAT0 will always win.

    You have these hosts which were not able to use the L2L VPN:

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    IF you want them to go through the L2L VPN with their original IP address then you must configure

    object-group network LOCAL
     network-object host 10.17.128.20
     network-object host 10.17.128.21
     network-object host 10.17.128.22
     network-object host 10.17.128.23

    object-group network REMOTE
     network-object host 102.1.1.10

    access-list inside_nat0_outbound extended permit ip object-group LOCAL object-group REMOTE
    access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE

    IF you want to use the L2L VPN with the public IP address, then you must configure

    object-group network LOCAL
     network-object host 31.10.10.10
     network-object host 31.10.10.11
     network-object host 31.10.10.12
     network-object host 31.10.10.13

    object-group network REMOTE
     network-object host 102.1.1.10

    access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE

    EDIT: in this case you naturally do not configure any NAT0 for the real IP addresses, as we want precisely those IP addresses to be visible to the L2L VPN with the NAT IP address.

    Or you can of course use the same "object-group" as currently but change the content appropriately.

    Be sure to mark it as answered if it was answered.

    Ask more if necessary

    -Jouni
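    Both of Jouni's answers on this page (the ASA1/ASA2 policy NAT in the first thread, and the "NAT0 always wins" explanation here) rest on the same three rules of ASA 8.2 NAT: NAT exemption is evaluated before static NAT, a static policy NAT translates only when the destination matches its access-list, and the crypto ACL is matched against the source address after translation. The following is an added example, not code from either thread or from Cisco, that models those rules and replays both cases with the object names and addresses quoted in the threads. `Asa82Nat`, `vpn_check` and the scenario functions are this example's own; the remote (HK) side's crypto ACL listing only the public 31.10.10.x addresses is an assumption, since that side's config is not in the thread.

```python
"""ASA 8.2-style NAT order of operations checked against the crypto ACL.

Added example, not code from the threads or from Cisco. Object names and
addresses are those quoted in the threads; the classes and functions are
this example's own. The remote peer's crypto ACL is assumed.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    """'a.b.c.d' becomes a /32, 'a.b.c.0/24' a network."""
    return ipaddress.IPv4Network(s, strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an ASA access-list."""
    src: Net
    dst: Net

    def matches(self, s: IPv4, d: IPv4) -> bool:
        return s in self.src and d in self.dst


def acl_matches(acl, s, d):
    return any(ace.matches(s, d) for ace in acl)


def group_acl(src_group, dst_group):
    """Expand 'permit ip object-group A object-group B' into host-pair entries."""
    return [Ace(s, d) for s in src_group for d in dst_group]


@dataclass
class Asa82Nat:
    nat0: list            # nat (inside) 0 access-list <acl>
    policy_static: list   # [(acl, mapped_net)]: static (inside,outside) <mapped> access-list <acl>
    static: dict          # real host -> mapped host: static (inside,outside) <mapped> <real> netmask /32
    pat_address: IPv4     # fallback dynamic PAT (global (outside) 1 interface)

    def translate(self, s: IPv4, d: IPv4):
        """Return (translated source, rule that decided), in the 8.2 lookup order:
        NAT exemption, then static (policy static before plain static), then PAT."""
        if acl_matches(self.nat0, s, d):
            return s, "nat-exemption"
        for acl, mapped in self.policy_static:
            for ace in acl:
                if ace.matches(s, d):           # translation happens only for this destination
                    offset = int(s) - int(ace.src.network_address)
                    return IPv4(int(mapped.network_address) + offset), "static-policy"
        if s in self.static:
            return self.static[s], "static"
        return self.pat_address, "dynamic-pat"


def vpn_check(nat: Asa82Nat, crypto_acl, remote_crypto_acl, s: IPv4, d: IPv4):
    """Translate first, then test the post-NAT flow against the local crypto ACL and
    against the peer's crypto ACL written from the peer's point of view (mirror)."""
    ts, rule = nat.translate(s, d)
    return {"translated_src": str(ts), "rule": rule,
            "local_crypto_match": acl_matches(crypto_acl, ts, d),
            "remote_crypto_match": acl_matches(remote_crypto_acl, d, ts)}


# --- thread 1: ASA1 static policy NAT 192.168.1.0/24 -> 10.23.1.0/24 towards 10.1.0.0/16 ---
def scenario_policy_nat():
    policy_acl = [Ace(net("192.168.1.0/24"), net("10.1.0.0/16"))]   # L2LVPN-POLICYNAT
    asa1 = Asa82Nat(nat0=[], policy_static=[(policy_acl, net("10.23.1.0/24"))],
                    static={}, pat_address=IPv4("198.51.100.1"))     # PAT address is constructed
    crypto_asa1 = [Ace(net("10.23.1.0/24"), net("10.1.0.0/16"))]    # L2LVPN-ENCRYPTIONDOMAIN on ASA1
    crypto_asa2 = [Ace(net("10.1.0.0/16"), net("10.23.1.0/24"))]    # mirror on ASA2
    to_vpn = vpn_check(asa1, crypto_asa1, crypto_asa2, IPv4("192.168.1.5"), IPv4("10.1.0.1"))
    to_internet = asa1.translate(IPv4("192.168.1.5"), IPv4("203.0.113.80"))
    return to_vpn, to_internet


# --- this thread: NAT0 wins over static, so the peer sees the real address ---
PHX_LOCAL = [net(h) for h in ("31.10.11.10", "31.10.11.11", "31.10.10.10", "31.10.10.11",
                              "31.10.10.12", "31.10.10.13", "10.17.128.20", "10.17.128.21",
                              "10.17.128.22", "10.17.128.23")]
PHX_LOCAL1 = [net(h) for h in ("31.10.10.10", "31.10.10.11", "31.10.10.12", "31.10.10.13")]
HK_REMOTE = [net("102.1.1.10")]
STATICS = {IPv4("10.17.128.20"): IPv4("31.10.10.10"), IPv4("10.17.128.21"): IPv4("31.10.10.11"),
           IPv4("10.17.128.22"): IPv4("31.10.10.12"), IPv4("10.17.128.23"): IPv4("31.10.10.13")}


def scenario_order_of_operations(nat0_group):
    """nat0_group is the object group used in inside_nat0_outbound (PHX_Local or PHX_Local1)."""
    asa = Asa82Nat(nat0=group_acl(nat0_group, HK_REMOTE), policy_static=[],
                   static=STATICS, pat_address=IPv4("198.51.100.2"))
    crypto_local = group_acl(PHX_LOCAL, HK_REMOTE)                   # outside_cryptomap_50
    # Assumption: the HK peer only knows the public addresses of the PHX side.
    crypto_remote = group_acl(HK_REMOTE, PHX_LOCAL1 + [net("31.10.11.10"), net("31.10.11.11")])
    return vpn_check(asa, crypto_local, crypto_remote, IPv4("10.17.128.20"), IPv4("102.1.1.10"))


if __name__ == "__main__":
    print(scenario_policy_nat())
    print(scenario_order_of_operations(PHX_LOCAL))    # nat-exemption wins: peer never matches
    print(scenario_order_of_operations(PHX_LOCAL1))   # static applies: 31.10.10.10 on both sides
```

    With PHX_Local in the exemption ACL the real 10.17.128.20 is exempted and sent into the tunnel untranslated, which the local crypto ACL accepts but the peer's proxy identity does not; with PHX_Local1 the exemption no longer matches, the static translation to 31.10.10.10 applies, and both crypto ACLs agree. In the first thread the policy static NAT only fires for the 10.1.0.0/16 destination, so the same host reaches the Internet through PAT untouched.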

  • Site to Site VPN NAT conflicts

    I have a site to site vpn between my main office and a branch office.  Traffic between them flows correctly with the exception of some protocols.  My main router has static NAT configured for port 25 and a few others.  For each of the protocols that have a static nat, I can't send traffic from my branch office to the IP in the static nat.

    i.e. I can't access port 25 on 172.16.1.1 from my branch office on 172.17.1.1, but I do have remote desktop access.

    It's like my NAT list is excluding the static entries that follow.  I have posted the configs below.  Any help would be appreciated.

    Main office: 2811

    Branch: 1841

    Both routers are connected to the internet.  Site to Site VPN between them with the following config

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key * address *.***.**.116
    !
    !
    crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
    !
    crypto map VPN-map 10 ipsec-isakmp
     set peer *.***.**.116
     set transform-set VPN-TS
     match address VPN-TRAFFIC

    I have two IP addresses on the main router, .122 and .123

    There is a deny list set up on the two routers - this is the main one:

    ip nat inside source list 100 interface FastEthernet0/0 overload

    access-list 100 remark =[Service NAT]=-
    access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
    access-list 100 permit ip 172.16.0.0 0.0.255.255 any
    access-list 100 permit ip 172.24.0.0 0.0.255.255 any

    To serve non-vpn internet clients, the following nat is configured to send e-mail to exchange

    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 extendable

    Try to use policy NAT to exclude traffic from your servers from being natted when going to the branch office network.

    Something like this

    ip access-list extended STATIC_NAT
     deny ip host 172.16.1.1 172.17.1.0 0.0.0.255
     permit ip host 172.16.1.1 any

    (the deny line acts as nat0 for traffic from the server)

    route-map policy-NAT permit 10
     match ip address STATIC_NAT

    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 route-map policy-NAT extendable

  • devices to set up a site to site vpn

    I have a stupid question.  In a site to site vpn environment, can I do the setup using an asa5505 on one end and an 1811 router on the other end, or do I need to have two asa5505s or two 1811 routers? In other words, can I mix and match devices and still perform a site to site vpn configuration, or do I have to have the same devices on both ends?

    You can mix and match all you want. Go for it, my friend. Reference the link below.

    https://supportforums.Cisco.com/videos/2763

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    In the past I've implemented several VPN connections between ASA devices. So I thought a site to site link between an ASA and an 1841 would be easier... But it seems I was mistaken.

    I configured a Site to Site VPN as described in Document ID 110198: SDM: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).

    I ran the wizards on the ASA with ASDM and on the 1841, running IOS version 15.1, with CCP.

    It seems Phase 1 and 2 are coming up, although my ASA in ASDM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some Tx traffic but 0 Rx traffic.

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
        Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

          access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
          current_peer: 217.xx.yy.zz

          #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 39135054
          current inbound spi : B2E9E500

        inbound esp sas:
          spi: 0xB2E9E500 (3001672960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4374000/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x39135054 (957567060)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4373976/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

       Active SA: 4
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

        IKE Peer: 217.xx.yy.zz
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    On the 1841

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    It seems that routing on the 1841 is working properly, as I can tear down the tunnel and bring it back up by pinging a host on the 1841 network, but not vice versa.

    The VPN troubleshooting report on the 1841 shows a message like "the following sources are forwarded through the crypto map interface. (1) 172.20.2.0. Go to Configure -> Routing and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I would highly appreciate it!

    This is the running configuration of the 1841

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ$FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
     !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any suspicion is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA does not receive any VPN packets because the IOS router does not send anything.

    Try sending packets from the 1841 LAN to the ASA LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).

    So the problem seems to be on the router side.

    I think it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for the VPN traffic.

    Follow these steps:

    Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets bypass the translation and get encrypted.

    I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.
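Federico's two points (ACL 100 doubling as an interface filter, and the NAT route-map ACLs needing a deny for the VPN subnets) can be checked mechanically. The script below is an added example written for this thread, not Cisco code and not something either poster ran; it parses a small constructed IOS snippet modelled on the 1841 config above (peer 62.0.0.1 and the two subnets are constructed values) and reports both mistakes, then shows that the corrected snippet passes.

```python
"""Audit an IOS config for the two crypto-ACL / NAT issues raised in this thread:
(1) the crypto map's 'match address' ACL is also applied with 'ip access-group';
(2) an ACL behind 'ip nat inside source route-map' lacks the deny for VPN traffic,
so the flow is translated before it can match the crypto ACL. Configs are constructed."""
import re
from itertools import takewhile
from ipaddress import IPv4Address, IPv4Network

# Constructed for this example (modelled on the thread's 1841 config, not copied from it).
CONFIG_BAD = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 62.0.0.1
 match address 100
!
interface FastEthernet0/1
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
# The corrected version: ACL 100 off the interface, ACL 101 denies the VPN flow first.
CONFIG_FIXED = CONFIG_BAD.replace(" ip access-group 100 in\n", "").replace(
    "access-list 101 permit", "access-list 101 deny   ip 172.20.2.0 0.0.0.255 "
    "192.168.37.0 0.0.0.255\naccess-list 101 permit")

def _net(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    wc = int(IPv4Address(tokens[1]))
    if wc & (wc + 1):  # only a contiguous wildcard maps onto a prefix length
        raise ValueError("non-contiguous wildcard " + tokens[1])
    return IPv4Network((tokens[0], 32 - wc.bit_length()), strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for extended ACLs, in order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\s+\S+\s+(.*)", line.strip())
        if m:  # group 3 is 'src [wc] dst [wc] ...' after the protocol keyword
            src, rest = _net(m.group(3).split())
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, _net(rest)[0]))
    return acls

def _stanzas(config, header_re):
    """Yield (header_match, [stripped indented lines]) for each matching top-level stanza."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = re.match(header_re, line)
        if m:
            body = takewhile(lambda s: s.startswith(" "), lines[i + 1:])
            yield m, [s.strip() for s in body]

def _matches(config, header_re, child_re):
    """Collect (header_match, child_match) pairs across all stanzas matching header_re."""
    return [(m, g) for m, body in _stanzas(config, header_re)
            for g in (re.match(child_re, s) for s in body) if g]

def crypto_acls(config):
    """ACL numbers used as 'match address' in ipsec-isakmp crypto map entries."""
    return {int(g.group(1)) for _, g in _matches(config, r"crypto map \S+ \d+ ipsec-isakmp", r"match address (\d+)")}

def interface_acls(config):
    """[(interface, acl_number, direction)] for every 'ip access-group' line."""
    return [(m.group(1), int(g.group(1)), g.group(2))
            for m, g in _matches(config, r"interface (\S+)", r"ip access-group (\d+) (in|out)")]

def nat_acls(config):
    """ACL numbers that select traffic for 'ip nat inside source route-map ...'."""
    rmaps = set(re.findall(r"ip nat inside source route-map (\S+)", config))
    return {int(g.group(1)) for m, g in _matches(config, r"route-map (\S+) permit \d+", r"match ip address (\d+)")
            if m.group(1) in rmaps}

def acl_verdict(entries, src, dst):
    """ACL semantics: the first entry covering the flow decides; no entry is the implicit deny."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"

def audit(config):
    """Return a list of findings; an empty list means both checks pass."""
    findings, acls, crypto = [], parse_acls(config), crypto_acls(config)
    for iface, num, direction in interface_acls(config):
        if num in crypto:
            findings.append("crypto ACL %d is also applied %s on %s; filter with a separate ACL" % (num, direction, iface))
    for cnum in sorted(crypto):
        for action, src, dst in acls.get(cnum, []):
            for nnum in sorted(nat_acls(config)):
                if action == "permit" and acl_verdict(acls.get(nnum, []), src, dst) == "permit":
                    findings.append("NAT ACL %d translates %s -> %s before crypto ACL %d can match it; add a deny" % (nnum, src, dst, cnum))
    return findings
```

Running `audit(CONFIG_BAD)` returns two findings (ACL 100 on FastEthernet0/1, and ACL 101 translating 172.20.2.0/24 -> 192.168.37.0/24 before the crypto map sees it); `audit(CONFIG_FIXED)` returns an empty list. The NAT check walks the route-map ACL in order, which is what makes the position of the `deny` line matter, exactly as in the 101/102 ACLs of the real config.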

  • Trying to run a site-to-site VPN and remote-access VPN from the same remote IP

    We currently have a site-to-site VPN configured between our call center office and a 3rd party, which allows their employees to access our training environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problems; however, when our managers go out to the call center, they are unable to use the remote VPN to access our office.

    Apparently the remote peer IP that we use for our site-to-site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs, it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site-to-site peer, it automatically tries to create a tunnel according to the site-to-site tunnel's settings. If our managers are anywhere else, they can connect through the remote VPN with no problems.

    My question is whether anyone knows of a way to make the firewall allow site-to-site VPN and remote-access connections from the same remote IP address.

    Hi John,

    Basically, in older versions, when you hit a static crypto map and you do not completely match this static crypto map, the connection continues on to the dynamic crypto map. For this reason, you could connect your IPsec clients before. A bug has been opened on this vulnerability.

    CSCuc75090 bug details

    Crypto IPsec Security Associations are created by the dynamic crypto map for static peers

    Symptom:

    When a static VPN peer sends any traffic to the crypto ACL, an SA is still built even if the peer IP is not allowed in the ACL of the main static crypto map. These SAs eventually get matched and brought up by the dynamic crypto map instance.

    Conditions:

    This has been the intended design since day one: it allowed clients to fall through in case the static crypto map did not provide the necessary crypto services.

    The SA must come from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

    Workaround:

    N/A

    Some possible workarounds are:

    Configure a static NAT on the remote device so that, when you try to use the remote VPN, the firewall is hit with a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available, and whether you really want to use one of those IP addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPsec VPN client. I don't know how many users need to connect from their PCs at the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.

    Below some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.
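The selection order Luis describes (static crypto map entries first, matched by peer IP and then by crypto ACL, with the dynamic map catching everything else) is easy to see in a small model. The code below is an added illustration written for this thread, not ASA code; the entry names, peer addresses and networks are constructed, and the `allow_fallthrough` flag stands in for the pre-fix versus post-fix behaviour of CSCuc75090 as described above.

```python
"""Model of static-then-dynamic crypto map selection on an IKE responder.
Illustrative simulation for this thread, not ASA code; all values are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Proposal:
    """What the initiator asks for in phase 2: the IKE source IP and both traffic selectors."""
    peer_ip: IPv4Address      # source address of the IKE packets
    remote_net: IPv4Network   # traffic selector on the initiator's side
    local_net: IPv4Network    # traffic selector on our side


@dataclass(frozen=True)
class StaticEntry:
    """A static crypto map entry: 'set peer' plus the mirrored crypto ACL."""
    name: str
    peer: IPv4Address
    local_net: IPv4Network
    remote_net: IPv4Network


def select_crypto_map(prop, static_entries, dynamic_name, allow_fallthrough):
    """Return the crypto map entry that would own the SA, or None if it is rejected.

    Static entries are consulted first, by peer IP and then by crypto ACL.  A peer
    whose IP matches a static entry but whose selectors do not either falls through
    to the dynamic map (old behaviour) or is rejected (behaviour after the fix).
    """
    hit_static_peer = False
    for entry in static_entries:
        if entry.peer != prop.peer_ip:
            continue
        hit_static_peer = True
        if prop.local_net.subnet_of(entry.local_net) and prop.remote_net.subnet_of(entry.remote_net):
            return entry.name
    if hit_static_peer and not allow_fallthrough:
        return None  # the initiator gets a phase 2 failure instead of a tunnel
    return dynamic_name


# Constructed example: one site-to-site entry for the third-party ASA at 203.0.113.10.
SITE = StaticEntry("OUTSIDE_MAP:10", IPv4Address("203.0.113.10"),
                   IPv4Network("192.168.37.0/24"), IPv4Network("172.20.2.0/24"))
LAN_TO_LAN = Proposal(IPv4Address("203.0.113.10"),
                      IPv4Network("172.20.2.0/24"), IPv4Network("192.168.37.0/24"))
# A remote-access client behind the same public IP proposes its assigned host address.
CLIENT_SAME_IP = Proposal(IPv4Address("203.0.113.10"),
                          IPv4Network("10.99.0.5/32"), IPv4Network("192.168.37.0/24"))
# The same kind of client from any other public IP never touches the static entry.
CLIENT_ELSEWHERE = Proposal(IPv4Address("198.51.100.7"),
                            IPv4Network("10.99.0.6/32"), IPv4Network("192.168.37.0/24"))


def outcomes(allow_fallthrough):
    """Map each constructed proposal to the crypto map entry it lands on."""
    return {name: select_crypto_map(p, [SITE], "OUTSIDE_MAP:dynamic", allow_fallthrough)
            for name, p in (("lan_to_lan", LAN_TO_LAN), ("client_same_ip", CLIENT_SAME_IP),
                            ("client_elsewhere", CLIENT_ELSEWHERE))}
```

With `allow_fallthrough=True` the client behind the site-to-site peer's IP lands on the dynamic map and connects; with `allow_fallthrough=False` the same proposal is rejected while the lan-to-lan flow and the client from a different IP are unaffected, which is the situation John describes and why the workarounds are a different public IP (static NAT) or a protocol that does not go through crypto map selection at all (AnyConnect over SSL).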
