Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz
#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500
SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4
IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
On the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE
1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2
SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
outgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2
SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
outgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end
As I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
Tags: Cisco Security
Similar Questions
-
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with IPSEC VPN between ASA and cisco router
I think that there is a problem in the phase 2
Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified belowLooking forward for your help
Phase 1 is like that
Cisco_router #sh crypto isakmp his
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVEand ASA
ASA # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEPhase 2 on SAA
ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393ABSAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: YPhase 2 on cisco router
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
VPN configuration is less in cisco router
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectaccess-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectsheep allowed 10 route map
corresponds to the IP 105Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset
mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.
You currently have:
Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIt should be:
Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)
To remove it and add it to the bottom:
105 extended IP access list
not 5
IP 172.19.194.0 allow 60 0.0.0.255 any
Then ' delete ip nat trans. "
and it should work now.
-
S - S VPN between ASA and ASR1001
Hello
We have 2 routers ASR to connected to ISP headquarters and there are new remote sites that must be connected to the AC over the site to site VPN. Each remote branch will be ASA, IPs outside of these two recommendations are in the same subnet.
1. is it possible to reach redudancy beside HQ in this design?
2. can I create L2L tunnels to two ASR? If yes how can I do 1 active tunnel and other secondary?
| ASR1
Users---L3SW---ASA---ISP---CPE---|
| ASR2
Any suggestions are welcome
Thank you
There are two ways:
- IPSec stateful failover
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/ - VPN config with two counterparts one ASA.
Here you have two individual bridges on the HQ and the ASA has two tunnel-groups en the two bridges but only a single sequence in the crypto plan. Peer education has two HQ - IPs configured.
- IPSec stateful failover
-
Hello
I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.
Thank you all,.
Jérôme
Hello
It seems that you are missing some required configuration. See the link below...
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml
HTH
MS
* Rate of useful messages *.
-
LAN to lan vpn between ASA and router 7200
Hi friends,
I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).
<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network
I will have the following configuration:
7200 router:
crypto ISAKMP policy 80
the enc
AUTH pre-shared
Group 1
life 3600
ISAKMP crypto key cisco123 address 192.168.12.2
Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans
map VPNTunnel 80 ipsec-isakmp crypto
defined by peer 192.168.12.2
game of transformation-VPNtrans
match address 110
int fa0/0
IP add 10.10.5.2 255.255.255.192
IP virtual-reassembly
no ip route cache
Speed 100
full duplex
card crypto VPNTunnel
access-list 110 permit ip any 192.135.5.0 0.0.0.255
ASA:
int e0/0
nameif inside
security-level 100
192.135.5.254 Add IP 255.255.255.0
int e0/1
nameif outside
security-level 0
IP add 192.168.12.2 255.255.255.240
access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any
Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1
"pre-shared key auth" ISAKMP policy 10
ISAKMP policy 10-enc
ISAKMP policy 10 md5 hash
10 1 ISAKMP policy group
ISAKMP duration strategy of life 10-3600
Crypto ipsec transform-set esp - esp-md5-hmac VPNtran
card crypto VPN 10 matches the ACL address
card crypto VPN 10 set peer 10.10.5.2
card crypto VPN 10 the transform-set VPNtran value
tunnel-group 10.10.5.2 type ipsec-l2l
IPSec-attributes of type tunnel-group 10.10.5.2
cisco123 pre-shared key
card crypto VPN outside interface
ISAKMP allows outside
dhcpd address 192.135.5.1 - 192.135.5.250 inside
dhcpd dns 172.15.4.5 172.15.4.6
dhcpd wins 172.15.76.5 172.15.74.5
dhcpd lease 14400
dhcpd ping_timeout 500
dhcpd allow inside
Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...
Please advise...
Thank you very much...
Where it fails at the present time?
Can you share out of after trying to establish the VPN tunnel:
See the isa scream his
See the ipsec scream his
Please also run the following debug to see where it is a failure:
debugging cry isa
debugging ipsec cry
(IP>7200> -
Site to Site VPN between 5510 and 5505
Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.
They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.
Is there some sort of CLI command I must issue to bring it?
Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.
Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.
Join a basic outline. I can provide the configs for almost everything
Hello
you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:
On the ASA Satellite:
no card crypto outside_map 2 match address outside_cryptomap
no card crypto outside_map 2 set pfs
no card crypto outside_map 2 peers set smivpn.sorensonmedia.com
no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value
No crypto outside_map 2 set security-association life card seconds 28800
No kilobytes of life card crypto outside_map 2 set security-association 4608000
no card crypto outside_map 2 the value reverse-road
About the ASA company:
No crypto outside_map 1 game card address outside_1_cryptomap_1
no card crypto outside_map 1 set pfs
no card crypto outside_map 1 set cda.asa5505 counterpart
no card crypto outside_map 1 the value transform-set ESP-3DES-SHA
no card crypto outside_map 1 lifetime of security association set seconds 28800
No kilobytes of life card crypto outside_map 1 set security-association 4608000
no card crypto outside_map 1 the value reverse-road
Then check and capture debugs.
HTH
Sangaré
-
Site to Site VPN between PIX and Linksys RV042
I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn . I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel. Configurations are as follows:
506th PIX running IOS 6.3
part of pre authentication ISAKMP policy 40
ISAKMP policy 40 cryptographic 3des
ISAKMP policy 40 sha hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
crypto Columbia_to_Office 10 card matches the address 101
card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
Columbia_to_Office interface card crypto outsideLinksys RV042
Configuration of local groups
IP only
IP address: 96.10.xxx.xxx
Type of local Security group: subnet
IP address: 192.168.1.0
Subnet mask: 255.255.255.0Configuration of the remote control groups
IP only
IP address: 66.192.xxx.xxx
Security remote control unit Type: subnet
IP address: 192.168.21.0
Subnet mask: 255.255.255.0IPSec configuration
Input mode: IKE with preshared key
Group Diffie-Hellman phase 1: group2
Phase 1 encryption: 3DES
Authentication of the phase 1: SHA1
Life of ITS phase 1: 86400
Phase2 encryption: 3DES
Phase2 authentication: SHA1
Phase2 life expectancy: 3600 seconds
Pre-shared key *.I'm a novice on the VPN. Thanks in advance for your expertise.
Yes, version PIX 6.3 does not support HS running nat or sh run crypto.
Please please post the complete config if you don't mind.
Please also try to send traffic between subnets 2 and get the output of:
See the isa scream his
See the ipsec scream his
-
Hi all
First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).
The devices can ping external IP address on the other.
The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1
Configurations for both devices are attached.
No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(
Thanks in advance,
Patty
- On the router, there is no crypto card. Need in a manner consistent with the SAA.
- Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
- You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
- Yes, the forum is perfectly fine! ;-)
-
Private of IPSec VPN-private network between ASA and router
Hello community,
This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch
Headquarters ASA summary.
Peer IP: 111.111.111.111
Local network: 10.0.0.0
Branch
Peer IP: 123.123.123.123
LAN: 192.168.1.0/24
Please can someone help me set up the vpn.
Hello
This guide covers exactly what you need:
Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html
Tunnel VPN - ASA to the router configuration:
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM
Kind regards
Jimmy
-
Order of operations NAT on Site to Site VPN Cisco ASA
Hello
I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:
Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.
But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.
inside_map crypto 50 card value transform-set ESP-3DES-SHA
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 General-attributes
Group Policy - by default-PHX_HK
IPSec-attributes tunnel-group 100.1.1.1
pre-shared key *.
internal PHX_HK group policy
PHX_HK group policy attributes
VPN-filter no
Protocol-tunnel-VPN IPSec svc webvpn
card crypto inside_map 50 match address outside_cryptomap_50
peer set card crypto inside_map 50 100.1.1.1
inside_map crypto 50 card value transform-set ESP-3DES-SHA
inside_map crypto 50 card value reverse-road
the PHX_Local object-group network
host of the object-Network 31.10.11.10
host of the object-Network 31.10.11.11
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
host of the object-Network 10.17.128.20
host of the object-Network 10.17.128.21
host of the object-Network 10.17.128.22
host of the object-Network 10.17.128.23
the HK_Remote object-group network
host of the object-Network 102.1.1.10
inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local
outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1
public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255
public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255
public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255
public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255
He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:
the PHX_Local1 object-group network
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote
inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote
Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.
Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.
Thank you
Kind regards
Thomas
Hello
I think you could have said the original question in a way that could be missleading. In other words, if I understand now.
From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.
Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.
If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.
Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.
You have these guests who were not able to use the VPN L2L
31.10.10.10 10.17.128.20
31.10.10.11 10.17.128.21
31.10.10.12 10.17.128.22
31.10.10.13 10.17.128.23
IF you want them to go to the VPN L2L with their original IP address then you must configure
object-group, LAN->
host of the object-Network 10.17.128.20
host of the object-Network 10.17.128.21
host of the object-Network 10.17.128.22
host of the object-Network 10.17.128.23
object-group, REMOTE network
host of the object-Network 102.1.1.10
inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote
outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote
IF you want to use the L2L VPN with the public IP address, then you must configure
object-group, LAN
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
object-group, REMOTE network
host of the object-Network 102.1.1.10
outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote
EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.
Or you can of course use the same "object-group" as currently but change the content in an appropriate manner
Be sure to mark it as answered if it was answered.
Ask more if necessary
-Jouni
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate thepassword encrypted
passwdencrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin passwordencrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endMattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.
Add the statement of rule sheep in asa and try again.
NAT (inside) 0-list of access pixtosw
Concerning
-
problem setting up vpn site-to-site between asa and 1811 router
I get the following error.
3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP
6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024
5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop
4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).
5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.
3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED
6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address
4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes
I do not think that because of the incompatibility of encryption. Any help is appreciated.
Thank you
Nilesh
You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.
If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.
Kind regards
Arul
-
2 one-Site VPN between HQ, Site A and Site B
Dear brothers,
Really I need your kindly help on Site 2 Site VPN.
We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.
HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21
Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22
Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23
So my questions are:
1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?
2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?
Thank you
Hello
I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...
Kind regards
Averroès.
-
Site to Site VPN problem ASA 5505
Hello
I have a strange problem with a site to site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and access the remote network across the tunnel.
For some reason, I can access the remote network of only two of the three internal networkls that I've specified.
Here is a copy of my config - if anyone has any info I would be happy of course.
Thank you
Kevin
FK - U host name. S. - Raleigh - ASA
domain appdrugs.com
activate 08PI8zPL2UE41XdH encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name Maridian-primary-Net 192.168.237.0
Meridian-backup-Net 192.168.237.128 name
name 10.239.192.141 AccessSwitch1IDFB
name 10.239.192.143 AccessSwitch1IDFC
name 10.239.192.140 AccessSwitch1MDFA
name 10.239.192.142 AccessSwitch2IDFB
name CiscoCallManager 10.195.64.206
name 10.239.192.2 CoreSwitch1
name 10.239.192.3 CoreSwitch2
name 10.195.64.17 UnityVM
name 140.239.116.162 Outside_Interface
name 65.118.69.251 Meridian-primary-VPN
name 65.123.23.194 Meridian_Backup_VPN
DNS-guard
!
interface Ethernet0/0
Shutdown
No nameif
security-level 100
no ip address
!
interface Ethernet0/1
nameif outside
security-level 60
address IP Outside_Interface 255.255.255.224
!
interface Ethernet0/2
nameif Inside1
security-level 100
IP 10.239.192.7 255.255.255.128
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 50
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa804 - k8.bin
Disk0: / asa804.bin starting system
passive FTP mode
DNS domain-lookup outside
DNS domain-lookup Inside1
management of the DNS domain-lookup service
DNS server-group DefaultDNS
Server name 10.239.192.10
domain appdrugs.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the DM_INLINE_NETWORK_1 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.0
object-network 10.239.192.128 255.255.255.128
object-group service DM_INLINE_SERVICE_1
the purpose of the ip service
ICMP service object
the purpose of the echo icmp message service
response to echo icmp service object
the DM_INLINE_NETWORK_2 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_3 object-group network
network-object 10.195.64.0 255.255.255.192
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_5 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
the DM_INLINE_NETWORK_6 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
object-group network Vital-network-hardware-access
host of the object-Network UnityVM
host of the CiscoCallManager object-Network
host of the object-Network AccessSwitch1MDFA
host of the object-Network AccessSwitch1IDFB
host of the object-Network AccessSwitch2IDFB
host of the object-Network AccessSwitch1IDFC
host of the object-Network CoreSwitch1
host of the object-Network CoreSwitch2
object-group service RDP - tcp
EQ port 3389 object
the DM_INLINE_NETWORK_7 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
host of network-object Meridian-primary-VPN
host of the object-Network Meridian_Backup_VPN
the DM_INLINE_NETWORK_9 object-group network
host of the object-Network Outside_Interface
Group-object Vital-equipment-access to the network
object-group service DM_INLINE_SERVICE_2
will the service object
ESP service object
the purpose of the service ah
the eq isakmp udp service object
object-group service DM_INLINE_SERVICE_3
ICMP service object
the purpose of the echo icmp message service
response to echo icmp service object
the DM_INLINE_NETWORK_4 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_8 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
Outside_access_in list extended access permit icmp any any echo response
Access extensive list Maridian-primary-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_8 object-group enable
Access extensive list Meridian-backup-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_3 object-group enable
Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
Access extensive list ip 10.239.192.0 Inside_nat0_outbound allow Maridian-primary-Net 255.255.255.0 255.255.255.128
Inside_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
Inside1_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
Inside1_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 ip
Inside1_nat0_outbound list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
Access extensive list ip 10.239.192.0 Inside1_nat0_outbound allow 255.255.255.0 10.239.199.0 255.255.255.192
Access extensive list ip 10.195.64.0 Inside1_nat0_outbound allow 255.255.255.192 10.239.199.0 255.255.255.192
Inside1_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
Outside_1_cryptomap list extended access allowed object-group DM_INLINE_SERVICE_1-DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 objects
Outside_2_cryptomap list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.0 255.255.255.128
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.195.64.0 255.255.255.0
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.128 255.255.255.128
Access extensive list ip 10.239.199.0 Vital_VPN allow 255.255.255.192 object-group Vital-equipment-access to the network
Vital_VPN list extended access allow icmp 10.239.199.0 255.255.255.192 object-group Vital-equipment-access to the network
Vital_VPN of access allowed any ip an extended list
Outside_cryptomap_1 list extended access allowed object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128 ip
access list Vital-Site-to-site access extended allow ip object-DM_INLINE_NETWORK_5 group Vital-network-hardware-access object
Vital-Site-to-Site-access extended access list permits object-group DM_INLINE_SERVICE_3-group of objects DM_INLINE_NETWORK_6 object-group Vital-equipment-access to the network
Vital-Site-to-Site-access extended access list permits object-group objects object-group DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_7 DM_INLINE_SERVICE_2-group
pager lines 24
Enable logging
exploitation forest asdm warnings
Outside 1500 MTU
MTU 1500 Inside1
management of MTU 1500
mask IP local pool access remote 10.239.199.11 - 10.239.199.62 255.255.255.192
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (Inside1) 0-list of access Inside1_nat0_outbound
NAT (Inside1) 1 10.0.0.0 255.0.0.0
Access-group Outside_access_in in interface outside
Access-group Inside1_access_in in interface Inside1
Route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
Route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
Route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
Route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
Route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
Route out of the Maridian-primary-Net 255.255.255.0 Outside_Interface 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 66.104.209.192 255.255.255.224 outside
http 192.168.1.0 255.255.255.0 management
http 10.239.172.0 255.255.252.0 Inside1
SNMP-server host Inside1 10.239.132.225 community appfirestarter * #*.
location of Server SNMP Raleigh
contact Server SNMP Kevin mcdonald
Server SNMP community appfirestarter * #*.
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Server SNMP traps enable entity config change
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto Outside_map 1 corresponds to the address Outside_cryptomap_1
card crypto Outside_map 1 peer set VPN-primary-Meridian
Outside_map 1 transform-set ESP-3DES-MD5 crypto card game
card crypto Outside_map 1 defined security-association life seconds 28800
card crypto Outside_map 1 set security-association kilobytes of life 4608000
card crypto Outside_map 2 corresponds to the address Outside_2_cryptomap
card crypto Outside_map 2 set peer Meridian_Backup_VPN
map Outside_map 2 game of transformation-ESP-3DES-MD5 crypto
card crypto Outside_map 2 defined security-association life seconds 28800
card crypto Outside_map 2 set security-association kilobytes of life 4608000
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
outside access management
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
tunnel-group-list activate
internal strategy of State civil-access to the network group
Group Policy attributes Vital access to the network
value of server DNS 10.239.192.10
value of VPN-filter Vital_VPN
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vital-network-Access_splitTunnelAcl
value of remote access address pools
internal state civil-Site-to-Site-GroupPolicy group strategy
Civil-site-a-site-grouppolicy-strategie status of group attributes
value of VPN-filter Vital-Site-to-Site-access
Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
username APPRaleigh encrypted password m40Ls2r9N918trxp
username APPRaleigh attributes
VPN-group-policy Vital-network access
type of remote access service
username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
tunnel-group 65.118.69.251 type ipsec-l2l
tunnel-group 65.118.69.251 General-attributes
Group Policy - by Defaut-vital-site-a-site-grouppolicy
IPSec-attributes tunnel-group 65.118.69.251
pre-shared-key *.
tunnel-group 65.123.23.194 type ipsec-l2l
tunnel-group 65.123.23.194 General-attributes
Group Policy - by Defaut-vital-site-a-site-grouppolicy
IPSec-attributes tunnel-group 65.123.23.194
pre-shared-key *.
remote access of type tunnel-group Vital access to the network
tunnel-group Vital access to the network general-attributes
Access to distance-address pool
Group Policy - by default-state civilian access to the network
tunnel-group Vital access to the network ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:a080b1759b57190ba65d932785ad4967
: endcan you confirm if we have the exact reflection of crypto acl at the other end
I feel may be you have a 24 10.239.192.0 255.255.255.0 on the other end in the remote network
can you please confirm that
also a reason, why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0
Maybe you are looking for
-
I am not able to access any Web site that uses javascript. How can I fix it?
I can't access any Web site that is running of javascript. How to change this behavior in FireFox?
-
How to download the firefox msi package
Hello I would like to install Firefox in our network (windows 7 and windows xp) but I do not have a Firefox msi package. Can you help me where I could find one to download and push installation for our netbooks at Zurich International School? Eduardo
-
USB ports on my laptop has stopped working
Just like that, the USB ports on my DV4-1435DX just shrugged and stopped. I received messages that says USB device not recognized. I tried uninistalling and reinstall drivers for devices, thinking that somehow they were corrupt, but not go. When I
-
LV FPGA - Front Panel strict Typedefs are not flexible
Hello When using LabVIEW FPGA and implement a strict typedef on the Panel before the FPGA, this causes issues with the FPGA generated in the PC Code reference. I have attached a picture. In the code of my PC, I generate the ref FPGA, then use it. In
-
Error 1606 could not access network %APPDATA%\protector.exe
I recently received this error 1606 and I can't iTunes to update to 9.2 and my iPod touch is ios 4.0 and you need iTunes 9.2 to allow the iPod, someone please help me!