Site to site VPN works only on Cisco 881
I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error:
destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
192.168.2.0
I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection.
My question is how I can get internet on vlan2 and who can I solve the connection to site to site.
Here's the running configuration:
Building configuration...
Current configuration: 12698 bytes
!
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authorization exec default local
AAA authorization network default local
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1151531093
revocation checking no
rsakeypair TP-self-signed-1151531093
!
Crypto pki trustpoint TP-self-signed-2011286623
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2011286623
revocation checking no
rsakeypair TP-self-signed-2011286623
!
!
TP-self-signed-1151531093 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
quit smoking
TP-self-signed-2011286623 crypto pki certificate chain
no ip source route
!
!
!
!
!
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 192.168.5.1 192.168.5.49
DHCP excluded-address IP 192.168.5.150 192.168.5.254
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp Internet pool
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
DNS-Server 64.59.135.133 64.59.128.120
lease 6 0
!
!
!
no ip domain search
"yourdomain.com" of the IP domain name
name of the IP-Server 64.59.135.133
name of the IP-Server 64.59.128.120
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
udi pid C881-K9 sn FTX18438503 standard license
!
!
Archives
The config log
hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 208.98.212.xx
!
Configuration group crypto isakmp MPE client
key *.
pool VPN_IP_POOL
ACL 100
include-local-lan
10 Max-users
netmask 255.255.255.0
banner ^ practive entered the field
This area is reserved for administrators of control systems.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
!
Configuration group customer crypto isakmp PALL
key *.
pool VPN_IP_POOL_PALL
ACL 101
include-local-lan
Max - 1 users
netmask 255.255.255.0
banner ^ practive entered the field
This area is limited to the PALL access only.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Support on continue to start your session. ^ C
ISAKMP crypto profile vpn_isakmp_profile
game of identity EMT group
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 1
ISAKMP crypto profile vpn_isakmp_profile_2
match of group identity PALL
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 2
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
tunnel mode
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec VPN_PROFILE_MPE
Set the security association idle time 3600
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile Set isakmp-profile
!
Profile of crypto ipsec VPN_PROFILE_PALL
Set the security association idle time 1800
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile_2 Set isakmp-profile
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to208.98.212.xx
the value of 208.98.212.xx peer
game of transformation-ESP-3DES-SHA
match address 102
!
!
!
!
!
!
interface Loopback0
IP 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
IP address 208.98.213.xx 255.255.255.224
IP access-group 111 to
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_MPE ipsec protection profile
!
tunnel type of interface virtual-Template2
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_PALL ipsec protection profile
!
interface Vlan1
Description of control network
IP 192.168.125.254 255.255.255.0
IP access-group CONTROL_IN in
IP access-group out CONTROL_OUT
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Vlan2
Description Internet network
IP 192.168.5.254 255.255.255.0
IP access-group INTERNET_IN in
IP access-group out INTERNET_OUT
IP nat inside
IP virtual-reassembly in
!
local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
!
CONTROL_IN extended IP access list
Note the access control
Note the category CCP_ACL = 17
allow any host 192.168.125.254 eq non500-isakmp udp
allow any host 192.168.125.254 eq isakmp udp
allow any host 192.168.125.254 esp
allow any host 192.168.125.254 ahp
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
Note Access VNC
permit tcp host 192.168.125.2 eq 25000 one
Comment by e-mail to WIN911
permit tcp host 192.168.125.2 any eq smtp
Note DNS traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq field
permit udp host 192.168.125.2 host 64.59.128.120 eq field
Note Everything Else block
refuse an entire ip
CONTROL_OUT extended IP access list
Note the access control
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
Note Access VNC
allow any host 192.168.125.2 eq 25000 tcp
Comment by e-mail to WIN911
allow any host 192.168.125.2 eq smtp tcp
Note DNS responses
allowed from any host domain eq 192.168.125.2 udp
Note deny all other traffic
refuse an entire ip
INTERNET_IN extended IP access list
Note Access VNC on VLAN
allow any host 192.168.125.2 eq 25000 tcp
Note block all other controls and VPN
deny ip any 192.168.125.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
Note leave all other traffic
allow an ip
INTERNET_OUT extended IP access list
Note a complete outbound Internet access
allow an ip
WAN_IN extended IP access list
allow an ip host 207.229.14.xx
Note PERMIT ESTABLISHED TCP connections
allow any tcp smtp created everything eq
Note ALLOW of DOMAIN CONNECTIONS
permit udp host 64.59.135.133 eq field all
permit udp host 64.59.128.120 eq field all
Note ALLOW ICMP WARNING RETURNS
allow all all unreachable icmp
permit any any icmp parameter problem
allow icmp all a package-too-big
allow a whole icmp administratively prohibited
permit icmp any any source-quench
allow icmp all once exceed
refuse a whole icmp
allow an ip
!
auto discovering IP sla
not run cdp
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 103
!
access-list 1 remark out to WAN routing
Note CCP_ACL the access list 1 = 16 category
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
Note access-list 23 SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 allow one
Note access-list 100 VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
Note access-list 101 for PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
Note access-list 103 CCP_ACL category = 2
Note access-list 103 IPSec rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 allow ip 192.168.5.0 0.0.0.255 any
access-list 103 allow the host ip 192.168.125.2 all
Note access-list 111 CCP_ACL category = 17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 allow esp any host 208.98.213.xx
access-list 111 allow ahp any host 208.98.213.xx
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
exec banner ^ C
% Warning of password expiration.
-----------------------------------------------------------------------
Unplug IMMEDIATELY if you are not an authorized user
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
password *.
transport input telnet ssh
transportation out all
line vty 5 15
access-class 160 in
password *.
transport of entry all
transportation out all
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
end
Thank you.
It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution.
Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router.
- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...
Disable any ZBF just in case.
David Castro,
Kind regards
Tags: Cisco Security
Similar Questions
-
Hello
I can't get my work vpn site-to-site. Not only that but I am unable to get an internet connection through my ASA. I need to use the IP address public for my local network provided by IPS = 99.143.97.186 - 190 = 255.255.255.248 subnet mask
I followed this tutorial: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...
can someone please take a look at my settings and help out me? Very much appreciated. Thank you.
See the ciscoasa config (config) #.
: Saved
: Written by enable_15 at 01:12:15.869 UTC Thu Sep 4 2008
!
ASA Version 8.2 (5)
!
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 99.143.97.186 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
IP 192.168.1.84 255.255.255.0
!
interface Vlan3
No nameif
no level of security
no ip address
!
passive FTP mode
access-list extended 100 permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
99.143.97.184 IP Access-list extended sheep 255.255.255.248 allow host 206.127.20.63
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 206.127.20.63 255.255.255.255 192.168.1.254 1
Route outside 206.127.21.3 255.255.255.255 192.168.1.254 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 99.143.97.184 255.255.255.248 inside
http 99.143.97.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
correspondence address card crypto outside_map 20 100
peer set card crypto outside_map 20 206.127.21.3
card crypto outside_map 20 transform-set RIGHT
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 99.143.97.187 - 99.143.97.190 inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 206.127.21.3 type ipsec-l2l
IPSec-attributes tunnel-group 206.127.21.3
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:0ab759de3926ddb63f79f18a8422409eciscoasa (config) # show crypto isakmp his
There is no isakmp sas
ciscoasa (config) # show ip performance
!
interface Vlan1
nameif inside
security-level 100
IP 99.143.97.186 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
IP 192.168.1.84 255.255.255.0
!You have an interface incorrect configuration: -.
Add these lines and share how it rates:
interface Vlan1
no address ip 99.143.97.186 255.255.255.248
IP 192.168.1.84 255.255.255.0interface Vlan2
no address ip 192.168.1.84 255.255.255.0
IP 99.143.97.186 255.255.255.248Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Site to Site VPN working without Crypto Card (ASA 8.2 (1))
Hi all
Find a strange situation on our firewall to ASA5540:
We have a few Site to Site VPN and also activate on the ASA VPN cleint, all are working properly. But finding that a VPN from Site to Site is running without crypto map configuration. Is this possible?
I tried to erase isa his and claire ipsec his then VPN came once again. Tested too, it's the ping requests to a remote site through the VPN.
I saw there are config tunnel-group for VPN but saw no card crypto and ACL.
How is the firewall knows what traffic should be encrypted for this VPN tunnel without crypto card?
This is the bug?
Thanks in advance,
It can be an easy vpn configuration.
Could you post output config operation remove any sensitive information. This could help us answer your question more specifically.
-
I have windows 7 professional 64 bit. I can't VPN works with the Iphone. I don't have another computer to try out it. Someone at - it a good guide?
I think that the VPN is not configured on my win7. Any guide or help will be appreciated.
OK... as test that I have connected to this free PPTP VPN service to make sure that my iPod touch VPN features work.
http://www.bestfreevpn.com/iPhone-iPad-free-VPN/
After configuring the server settings that I could with success to connect, check my iPod Touch IP had changed to the IP address assigned by their PPTP VPN server and I could surf the internet, check email, etc. etc.
http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-status-1.PNG
http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-status-2.PNG
This screen, on the http://www.whatismyip.com site, verified for me as all my iPod Touch traffic was routed through the VPN tunnel to their server and back again. The reported public IP address is different from what I see of my Win 7 laptop at the same time even if the laptop and iPod Touch are vascular on the same local LAN here.
http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-whatismyip.PNG
http://theillustratednetwork.MVPs.org/LAN/CurrentHomeLAN.PNG
So getting back to your original problem, that I don't really know what is happening with Win 7, at least on my machine and its function of PPTP VPN server integrated. I'm not home now so I have no way to test this functionality with a Windows VPN client.
However, the key is that the PPTP VPN functionality in my iPod Touch works as I expect on your iPhone. It boils down to a problem with the server.
I suggest test you your iPhone against this free VPN server to make sure in your own mind that his work and then figure out what you want to do next. What exactly do you want to do with VPN, if you can get this to work on Win 7 PC server, IE. access to the files, remote and secure web surfing, etc.?
Please NOTE: The free VPN service changes their password access every 12 to 24 hours and idle sessions for more than 4 hours are disconnected automatically. See the note at the bottom of their homepage.
http://www.bestfreevpn.com/free-VPN/
MS - MVP Windows Expert - consumer
"When all else fails try what the captain suggested before you started...". » -
multi-site VPN with just the cisco vpn client
Hello everyone
Please I need your help.
We have a headquarters office and up to 60 is BranchOffice, we want to create VPN network between its. so let's deploy 2 router cisco esy vpn server with HA (HSRP) at the Headquarters Office and all branches have Connection ADSL and they will use just the cisco vpn client to connect to the Headquarters Office.
My question is: is it possible to do it just with the client vpn cisco without purchased for any exercise bracnh a cisco router to create an ipsec tunnel because it is so expensive?
It depends on if the routers to offices can handle NAT with several internal VPN clients to 1 IP address. Most of the new material should be fine. Keep in mind the maximum limit of the VPN client, with 60 agencies and 5 people each of whom you are above the limit.
Michael
Please note all useful posts
-
Cisco IPSec VPN works only one way.
I'm hitting my head against the wall for more than 2 weeks now. I can't get this figured out.
We have 2 locations and a server with an Internet service provider. Currently, we are connecting to our Internet service provider via a vpn ipsec to our headquarters. later, we will add the 1 direction.
The problem is the following. My vpn is in place, I can ping my local ip address, my IP of the tunnel, the remote tunnel interface, the vlan remote or the gateway, but I can't ping anything you wanted. The branch to the ISP I ping the router in the Internet service provider's domain controller and the server very well. but I can't ping or talk about anything either at the Office on the side of the IAF. and so I can not communicate with any host on the LAN. Can someone please help me with this?
Can I unload the configs of the two routers here someone watching?
Thanks in advance.
Exemption from the NAT on the end server must include the following reject order:
NAT extended IP access list
5 deny ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127
Disable the ip nat translation before testing again.
-
S2S VPN works only in one direction
I am very new to cisco devices, but we have recently acquired a catalyst 2911 device for our co - lo cabinet and I will try to get a vpn connection from site to site between installation and my network of offices as well as a remote access VPN for me to use in case I need to fix something then that apart from Labour Bureau.
Gateway to the Office is 66.119.163.2 and the device is a TZ210 with his network is 192.168.1.0/24
Co bridge is 204.244.50.254 and the device is 2911 ASR with its LAN network in 10.0.10.0/24
The VPN S2S connection is in place between the two locations and 2911 device and servers LAN can ping and RDP for office machines. Office network can only ping the IP Address of the LAN interface on the 2911 that is 10.0.10.1 but not the servers on the network. the VPN site-to-site was created with the wizard CCP.
How can I allow the network 192.168.1.0/24 see 10.0.10.1/24 network and why I only see now the gateway?
If need be I can post my file running-config with the redacted pre-shared keys.
You need only the first line of the ACL 125, well pls wanted to remove the 2nd line:
- access-list 125 allow ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
- access-list 125 allow ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255
Also change the action of 'pass' to 'inspect' for the following
class type inspect sdm-cls-VPNOutsideToInside-3
Pass
Hope that solves this problem.
-
VPN works only on Windows XP using VMware Player
Hi all
I have a windows 7 64-bit OS on my laptop. Unfortunately, having only 32-bit cisco VPN client. So, I installed VMware player and windows XP virtual machine. I have internet access on the virtual machine. but when I try to VPN, I get the message "connection SecureVPN over locally by the Client. Reason 412: the remote peer is not responding. "I turned my firewall off and tried again, done some windows updates, restart... nothing seems to work and do the same message. Can someone shed some light on this subject and help up the VPN.
THX
Shy
Maybe a MTU of network card setting must be adjusted. The installation of the Cisco VPN Client manipulates program usually change the MTU when installing, but sometimes this is not...
Check out my post on this topic for more details: http://communities.vmware.com/thread/160401
-
ASA550 VPN works do not, Cisco beginner needs help!
Hi people,
I have to spend at Cisco Juniper, and I can't get a VPN. I tried hollow CLI and ADSM, and in both cases, I don't see any incoming ipsec packets on the other end (Juniper SSG) when I ping a remote host on the other network.
Here is the config:
!
ASA Version 9.0 (1)
!
gw hostname
activate 7qkORHwefwefwefwefyAiVSEQH4Q encrypted password
7qkORHywefwefwefwefSEQH4Q encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
passive FTP mode
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the SDC_Beheer object
10.104.0.0 subnet 255.255.0.0
access extensive list ip 172.16.1.0 outside_cryptomap allow 255.255.255.0 object SDC_Beheer
access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 object SDC_Beheer
inside_access_in of access allowed any ip an extended list
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
inside_access_in access to the interface inside group
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 172.16.1.0 255.255.255.0 inside
Server SNMP location Bergen op Zoom
Server SNMP contact Joris Kemperman
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set esp - esp-sha-hmac DESSHA1 ikev1
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 5.200.1.5
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 172.16.0.0 255.255.0.0 inside
SSH timeout 60
Console timeout 0dhcpd dns 8.8.8.8
dhcpd lease 3800
dhcpd field lindebaan73.local
dhcpd outside auto_config
!
dhcpd address 172.16.1.30 - 172.16.1.157 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_5.200.1.5 group strategy
attributes of Group Policy GroupPolicy_5.200.1.5
Ikev1 VPN-tunnel-Protocol
joris AewHowjZEPeq.vge encrypted privilege 15 password username
tunnel-group 5.200.1.5 type ipsec-l2l
tunnel-group 5.200.1.5 General-attributes
Group - default policy - GroupPolicy_5.200.1.5
IPSec-attributes tunnel-group 5.200.1.5
IKEv1 pre-shared-key D1nges!
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:2498ca347e17bcfa3a8a5ad9968e606c
: end______________
I think its either a NAT problem (ASA no tunnel traffic but simply translated and passed to the next router) or access list number.
It already took me a lot of time to spend on what goes wrong.
Anyone here who can help me?
Hello
You need to do no. NAT for the subnet you want to go through the tunnel.
Thus, to create a group of objects to destination as source allows src1 and dest 1
NAT (inside, outside) source static/dyn src1 CBC 1 destination dest1 dest1.
For more information:
https://supportforums.Cisco.com/document/44566/ASA-83-NAT-exemption-exam...
Kind regards
Kanwal
Note: Please check if they are useful.
-
A Site VPN PIX501 and CISCO router
Hello Experts,
I have an at home test lab, I set up a site to site vpn using a router Cisco PIX501 and CISCO2691, for configurations, I have just a few links on the internet, because my background on VPN configuration is not too good, for the configuration of routers, I followed this link:
www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...
and for configuring pIX I just use the VPN Wizard of pix. All confgurations but ping failed. Hope you can help me with this, don't know what to do here (troubleshooting).
Joint here is the configuration of my router, topology, as well as the pix configuration. Hope you can help me with this. Thanks in advance.
Hi Mark,
I went in the Config of the ASA
I see that the dispensation of Nat is stil missing there
Please add the following
access-list allowed sheep ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
inside NAT) 0 access-list sheep
Then try it should work
Thank you
REDA
-
I have a couple of site to site VPN working properly on an ASA 5515. Don't know what is on the other side, as I haven't seen them. I configured a SSL vpn for remote users who must be able to access resources on remote sites. I got access to the network of site without any problems and and have added the range of IP addresses for remote users to links from site to site, but I am unable to connect. Anyone who has this performance, it would be greatly appreciated if you can help.
Hi mbluemel,
You need to configure the remote side to allow traffic from the remote side for SSL VPN users.
This list of documents the measures taken to achieve this: -.http://www.petenetlive.com/kb/article/0000040.htm
For more information: -.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group
Hello
Our ASA was set by a consultant some time ago to allow connectivity SSLVPN RSA backend. I am now trying to get a Site to Site VPN working but seem to get into a lot of difficulties. I get a load of the l2l VPN-related debugging messages which I believe is set up correctly. Here's what I think is of interest
"January 24, 2009 12:13:01: % ASA-6-113009: AAA recovered in group policy by default (DfltGrpPolicy) to the user = x.x.x.x".
The user specifies the IP address of the Cisco router remote that we try to get the VPN configuration.
I have to admit that I haven't done a lot with the side things SSLVPN so this part of the config is out of my depth, that's why I post here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-registration
DfltAccessPolicy
WebVPN
list of URLS no
SVC request no svc default
RADIUS protocol AAA-server VPNAUTH
AAA-server VPNAUTH *. *. *
interval before new attempt-5
timeout 3
key *.
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
LOCAL AAA authentication serial console
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
attributes of Group Policy DfltGrpPolicy
value of DNS server! !. !. !
VPN-idle-timeout no
VPN-tunnel-Protocol webvpn
enable IP-comp
enable IPSec-udp
field default value mondomaine.fr
the address value vpnpool pools
WebVPN
enable http proxy
SVC Dungeon - install any
SVC keepalive 60
SVC generate a new method ssl key
SVC request no svc default
disable ActiveX-relays
disable file entry
exploration of the disable files
disable the input URL
tunnel-group DefaultRAGroup webvpn-attributes
message of rejection-RADIUS-
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
attributes global-tunnel-group DefaultWEBVPNGroup
address vpnpool pool
authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
message of rejection-RADIUS-
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key *.
Wayne
Do "sh run all tunnel-group" you should see the strategy of group associated with it.
for example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 General attributes
no accounting server group
Group Policy - by default-DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
by the peer-id-validate req
no chain
no point of trust
ISAKMP retry threshold 10 keepalive 2
Let me know if it helps.
See you soon,.
Gilbert
-
fall of site to site vpn icmp packets
Hello
I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)
Instant topology is attached, also configs
Thank you
84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
10.20.20.5 icmp_seq = timeout 60
84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
10.20.20.5 icmp_seq = timeout 62
84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
10.20.20.5 icmp_seq = 64 timeout
84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 66
84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
10.20.20.5 icmp_seq = timeout 68
84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 70
84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
10.20.20.5 icmp_seq = timeout 72
84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 74
84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
10.20.20.5 icmp_seq = timeout 76
84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
10.20.20.5 icmp_seq = timeout 78R1 ipsec crypto #sh her
Interface: FastEthernet0/0
Tag crypto map: map, local addr 100.100.100.2protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
current_peer 100.100.100.1 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorsciscoasa # sh crypto isakmp stats
Global statistics IKEv1
The active Tunnels: 1
Previous Tunnels: 1
In bytes: 1384
In the packages: 12
In packs of fall: 0
In Notifys: 8
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 1576
Packet: 13
Fall packages: 0
NOTIFYs out: 16
Exchanges of P2: 1
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 1
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0Hello
On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.
IP route 0.0.0.0 0.0.0.0 FastEthernet0/0
IP route 0.0.0.0 0.0.0.0 100.100.100.1
HTH
"Please note the useful messages and mark the correct answer if it solves the problem."
-
Keep Site to Site VPN Tunnel active for monitoring
Hi all
I have a configured site-to-site VPN tunnel only happen when the traffic generated from the remote peer. is it possible to keep the still active tunnel once after the tunnel is established.
My requirement is to monitor VPN to see availability, so need to ping one of the natd(8) ip on the remote end, but it will come only when the traffic generated end peer. currently the timers of default on SA is configured
Help, please...
Thank you
Mikael
TARGET_GP group policy attributes
VPN-idle-timeout no
-
Site to site VPN - cannot see host
Hi all
Site to site VPN is established by Cisco 887 (PPPoE) on the two site. The tunnel is UP.
Personnel (192.168.5.33) PC I can ping to 60.a.a.54.
But I cannot ping the inside interface (192.168.0.1).
I need to access the server site B (192.169.0.150).
How can I Access/ping to the server PC (192.168.5.33) staff (192.169.0.150)
Please see the attachment for the tree and conf for ASA 5510 Site has and B Site
Maybe I'm wrong, but I don't see a purpose for a tunnel between your routers c887. Instead, you need a tunnel between your routers asa.
Maybe you are looking for
-
Hello! I just updated my 1700-500 Satellite since the age of Pierre Windows Me middle ages Windows 2000 pro :-). Everything works much more sure now, but I can't use my DVD-rom. There is no hardware problem since the device is indicated in the system
-
WTAT is a X10Net
-
Card micro SD with Acer Tablet Android a-1
The micro card cannot be used with the camera is this ccorrect? Already discovered that the files of records that had been loaded from external sources may be transferred or used for the A1.
-
BlackBerry smartphones HELP! Locked out!
So this is my first Blackberry - I have always been a user of Palm (Boo to the PALM). I was set up on my new curve and be conditioned as I was in the past with my Palm Treo - I put in place a lock code on my curve. The first time that it is locked,
-
AoE3 does not work on my Windows 7 computer
AoE3 and the expansion of the WarCheifs used to work perfectly on my Windows 7 computer, but recently, when I try to run the game, it begins to run (Ocwa logo appears on the screen), but then Windows tells me that it was an error and the program must