Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

Tags: Cisco Security

Similar Questions

  • Problem with IPsec VPN between ASA and router Cisco - ping is not response

    Hello

    I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

    my network topology data:

    LAN 1 connect ASA - 1 (inside the LAN)

    PC - 10.0.1.3 255.255.255.0 10.0.1.1

    ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

    -----------------------------------------------------------------

    ASA - 1 Connect (LAN outide) R1

    ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

    R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

    ---------------------------------------------------------------------

    R1 R2 to connect

    R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

    R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

    R2 for lan connection 2

    --------------------------------------------------------------------

    R2 to connect LAN2

    R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

    PC - 10.0.2.3 255.255.255.0 10.0.2.1

    ASA configuration:

    1 GigabitEthernet interface
    nameif inside
    security-level 100
    IP 10.0.1.1 255.255.255.0
    no downtime
    interface GigabitEthernet 0
    nameif outside
    security-level 0
    IP 172.30.1.2 255.255.255.252
    no downtime
    Route outside 0.0.0.0 0.0.0.0 172.30.1.1

    ------------------------------------------------------------

    access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
    object obj LAN
    subnet 10.0.1.0 255.255.255.0
    object obj remote network
    10.0.2.0 subnet 255.255.255.0
    NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

    -----------------------------------------------------------
    IKEv1 crypto policy 10
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 3600
    Crypto ikev1 allow outside
    crypto isakmp identity address

    ------------------------------------------------------------
    tunnel-group 172.30.2.2 type ipsec-l2l
    tunnel-group 172.30.2.2 ipsec-attributes
    IKEv1 pre-shared-key cisco123
    Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

    -------------------------------------------------------------
    card crypto ASA1VPN 10 is the LAN1 to LAN2 address
    card crypto ASA1VPN 10 set peer 172.30.2.2
    card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
    card crypto ASA1VPN set 10 security-association life seconds 3600
    ASA1VPN interface card crypto outside

    R2 configuration:

    interface fastEthernet 0/0
    IP 10.0.2.1 255.255.255.0
    no downtime
    interface fastEthernet 0/1
    IP 172.30.2.2 255.255.255.252
    no downtime

    -----------------------------------------------------

    router RIP
    version 2
    Network 10.0.2.0
    network 172.30.2.0

    ------------------------------------------------------
    access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
    access-list 102 permit esp 172.30.1.2 host 172.30.2.2
    access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
    interface fastEthernet 0/1
    IP access-group 102 to

    ------------------------------------------------------
    crypto ISAKMP policy 110
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 42300

    ------------------------------------------------------
    ISAKMP crypto key cisco123 address 172.30.1.2

    -----------------------------------------------------
    Crypto ipsec transform-set esp - aes 128 R2TS

    ------------------------------------------------------

    access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

    ------------------------------------------------------

    R2VPN 10 ipsec-isakmp crypto map
    match address 101
    defined by peer 172.30.1.2
    PFS Group1 Set
    R2TS transformation game
    86400 seconds, life of security association set
    interface fastEthernet 0/1
    card crypto R2VPN

    I don't know what the problem

    Thank you

    If the RIP is not absolutely necessary for you, try adding the default route to R2:

    IP route 0.0.0.0 0.0.0.0 172.16.2.1

    If you want to use RIP much, add permissions ACL 102:

    access-list 102 permit udp any any eq 520

  • VPN between ASA and cisco router [phase2 question]

    Hi all

    I have a problem with IPSEC VPN between ASA and cisco router

    I think that there is a problem in the phase 2

    Can you please guide me where could be the problem.
    I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

    Looking forward for your help

    Phase 1 is like that

    Cisco_router #sh crypto isakmp his

    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
    78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

    and ASA

    ASA # sh crypto isakmp his

    ITS enabled: 1
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 1

    1 peer IKE: 78.x.x.41
    Type: L2L role: initiator
    Generate a new key: no State: MM_ACTIVE

    Phase 2 on SAA

    ASA # sh crypto ipsec his
    Interface: Outside
    Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

    Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
    19.194.0 255.255.255.0
    local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
    current_peer: 78.x.x.41

    #pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: C96393AB

    SAS of the esp on arrival:
    SPI: 0x3E9D820B (1050509835)
    transform: esp-3des esp-md5-hmac no
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 7, crypto-card: Outside_map
    calendar of his: service life remaining (KB/s) key: (4275000/3025)
    Size IV: 8 bytes
    support for replay detection: Y
    outgoing esp sas:
    SPI: 0xC96393AB (3378746283)
    transform: esp-3des esp-md5-hmac no
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 7, crypto-card: Outside_map
    calendar of his: service life remaining (KB/s) key: (4274994/3023)
    Size IV: 8 bytes
    support for replay detection: Y

    Phase 2 on cisco router

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
    current outbound SPI: 0x0 (0)

    SAS of the esp on arrival:

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    outgoing ah sas:

    outgoing CFP sas:

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947

    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
    Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
    current outbound SPI: 0x3E9D820B (1050509835)

    SAS of the esp on arrival:
    SPI: 0xC96393AB (3378746283)
    transform: esp-3des esp-md5-hmac.
    running parameters = {Tunnel}
    Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
    calendar of his: service life remaining (k/s) key: (4393981/1196)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x3E9D820B (1050509835)
    transform: esp-3des esp-md5-hmac.
    running parameters = {Tunnel}
    Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
    calendar of his: service life remaining (k/s) key: (4394007/1196)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    VPN configuration is less in cisco router

    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
    access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
    access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
    access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
    access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
    access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
    access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

    sheep allowed 10 route map
    corresponds to the IP 105

    Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

    mycryptomap 100 ipsec-isakmp crypto map
    the value of 87.x.x.4 peer
    Set transform-set mytransformset
    match address 101

    crypto ISAKMP policy 100
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    ISAKMP crypto key xxx2011 address 87.x.x.4

    Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

    You currently have:

    Extend the 105 IP access list
    5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

    It should be:

    Extend the 105 IP access list
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

    IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

    To remove it and add it to the bottom:

    105 extended IP access list

    not 5

    IP 172.19.194.0 allow 60 0.0.0.255 any

    Then ' delete ip nat trans. "

    and it should work now.

  • S - S VPN between ASA and ASR1001

    Hello

    We have 2 routers ASR to connected to ISP headquarters and there are new remote sites that must be connected to the AC over the site to site VPN. Each remote branch will be ASA, IPs outside of these two recommendations are in the same subnet.

    1. is it possible to reach redudancy beside HQ in this design?

    2. can I create L2L tunnels to two ASR? If yes how can I do 1 active tunnel and other secondary?

    | ASR1

    Users---L3SW---ASA---ISP---CPE---|

    | ASR2

    Any suggestions are welcome

    Thank you

    There are two ways:

    1. IPSec stateful failover
      http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
      http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/
    2. VPN config with two counterparts one ASA.
      Here you have two individual bridges on the HQ and the ASA has two tunnel-groups en the two bridges but only a single sequence in the crypto plan. Peer education has two HQ - IPs configured.
  • VPN between ASA and 871

    Hello

    I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

    Thank you all,.

    Jérôme

    Hello

    It seems that you are missing some required configuration. See the link below...

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

    HTH

    MS

    * Rate of useful messages *.

  • LAN to lan vpn between ASA and router 7200

    Hi friends,

    I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

    <7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

    I will have the following configuration:

    7200 router:

    crypto ISAKMP policy 80

    the enc

    AUTH pre-shared

    Group 1

    life 3600

    ISAKMP crypto key cisco123 address 192.168.12.2

    Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

    map VPNTunnel 80 ipsec-isakmp crypto

    defined by peer 192.168.12.2

    game of transformation-VPNtrans

    match address 110

    int fa0/0

    IP add 10.10.5.2 255.255.255.192

    IP virtual-reassembly

    no ip route cache

    Speed 100

    full duplex

    card crypto VPNTunnel

    access-list 110 permit ip any 192.135.5.0 0.0.0.255

    ASA:

    int e0/0

    nameif inside

    security-level 100

    192.135.5.254 Add IP 255.255.255.0

    int e0/1

    nameif outside

    security-level 0

    IP add 192.168.12.2 255.255.255.240

    access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

    Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

    "pre-shared key auth" ISAKMP policy 10

    ISAKMP policy 10-enc

    ISAKMP policy 10 md5 hash

    10 1 ISAKMP policy group

    ISAKMP duration strategy of life 10-3600

    Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

    card crypto VPN 10 matches the ACL address

    card crypto VPN 10 set peer 10.10.5.2

    card crypto VPN 10 the transform-set VPNtran value

    tunnel-group 10.10.5.2 type ipsec-l2l

    IPSec-attributes of type tunnel-group 10.10.5.2

    cisco123 pre-shared key

    card crypto VPN outside interface

    ISAKMP allows outside

    dhcpd address 192.135.5.1 - 192.135.5.250 inside

    dhcpd dns 172.15.4.5 172.15.4.6

    dhcpd wins 172.15.76.5 172.15.74.5

    dhcpd lease 14400

    dhcpd ping_timeout 500

    dhcpd allow inside

    Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

    Please advise...

    Thank you very much...

    Where it fails at the present time?

    Can you share out of after trying to establish the VPN tunnel:

    See the isa scream his

    See the ipsec scream his

    Please also run the following debug to see where it is a failure:

    debugging cry isa

    debugging ipsec cry

  • Site to Site VPN between 5510 and 5505

    Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.

    They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.

    Is there some sort of CLI command I must issue to bring it?

    Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.

    Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.

    Join a basic outline. I can provide the configs for almost everything

    Hello

    you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:

    On the ASA Satellite:

    no card crypto outside_map 2 match address outside_cryptomap

    no card crypto outside_map 2 set pfs

    no card crypto outside_map 2 peers set smivpn.sorensonmedia.com

    no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value

    No crypto outside_map 2 set security-association life card seconds 28800

    No kilobytes of life card crypto outside_map 2 set security-association 4608000

    no card crypto outside_map 2 the value reverse-road

    About the ASA company:

    No crypto outside_map 1 game card address outside_1_cryptomap_1

    no card crypto outside_map 1 set pfs

    no card crypto outside_map 1 set cda.asa5505 counterpart

    no card crypto outside_map 1 the value transform-set ESP-3DES-SHA

    no card crypto outside_map 1 lifetime of security association set seconds 28800

    No kilobytes of life card crypto outside_map 1 set security-association 4608000

    no card crypto outside_map 1 the value reverse-road

    Then check and capture debugs.

    HTH

    Sangaré

  • Site to Site VPN between PIX and Linksys RV042

    I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn .  I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel.  Configurations are as follows:

    506th PIX running IOS 6.3

    part of pre authentication ISAKMP policy 40
    ISAKMP policy 40 cryptographic 3des
    ISAKMP policy 40 sha hash
    40 2 ISAKMP policy group
    ISAKMP duration strategy of life 40 86400
    ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
    access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
    crypto Columbia_to_Office 10 card matches the address 101
    card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
    10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
    Columbia_to_Office interface card crypto outside

    Linksys RV042

    Configuration of local groups
    IP only
         IP address: 96.10.xxx.xxx
    Type of local Security group: subnet
    IP address: 192.168.1.0
    Subnet mask: 255.255.255.0

    Configuration of the remote control groups
    IP only
    IP address: 66.192.xxx.xxx
    Security remote control unit Type: subnet
    IP address: 192.168.21.0
    Subnet mask: 255.255.255.0

    IPSec configuration
    Input mode: IKE with preshared key
    Group Diffie-Hellman phase 1: group2
    Phase 1 encryption: 3DES
    Authentication of the phase 1: SHA1
    Life of ITS phase 1: 86400
       
    Phase2 encryption: 3DES
    Phase2 authentication: SHA1
    Phase2 life expectancy: 3600 seconds
    Pre-shared key *.

    I'm a novice on the VPN. Thanks in advance for your expertise.

    Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

    Please please post the complete config if you don't mind.

    Please also try to send traffic between subnets 2 and get the output of:

    See the isa scream his

    See the ipsec scream his

  • VPN between ASA and router

    Hi all

    First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

    The devices can ping external IP address on the other.

    The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

    Configurations for both devices are attached.

    No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

    Thanks in advance,

    Patty

    1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
    2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
    3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
    4. Yes, the forum is perfectly fine! ;-)
  • Private of IPSec VPN-private network between ASA and router

    Hello community,

    This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch

    Headquarters ASA summary.

    Peer IP: 111.111.111.111

    Local network: 10.0.0.0

    Branch

    Peer IP: 123.123.123.123

    LAN: 192.168.1.0/24

    Please can someone help me set up the vpn.

    Hello

    This guide covers exactly what you need:

    Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html

    Tunnel VPN - ASA to the router configuration:

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

    Kind regards

    Jimmy

  • Order of operations NAT on Site to Site VPN Cisco ASA

    Hello

    I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

    Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

    But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    tunnel-group 100.1.1.1 type ipsec-l2l

    tunnel-group 100.1.1.1 General-attributes

    Group Policy - by default-PHX_HK

    IPSec-attributes tunnel-group 100.1.1.1

    pre-shared key *.

    internal PHX_HK group policy

    PHX_HK group policy attributes

    VPN-filter no

    Protocol-tunnel-VPN IPSec svc webvpn

    card crypto inside_map 50 match address outside_cryptomap_50

    peer set card crypto inside_map 50 100.1.1.1

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    inside_map crypto 50 card value reverse-road

    the PHX_Local object-group network

    host of the object-Network 31.10.11.10

    host of the object-Network 31.10.11.11

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    the HK_Remote object-group network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

    outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

    public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

    public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

    public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

    public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

    He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

    the PHX_Local1 object-group network

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

    Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

    Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

    From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

    If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

    Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

    You have these guests who were not able to use the VPN L2L

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    IF you want them to go to the VPN L2L with their original IP address then you must configure

    object-group, LAN

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    IF you want to use the L2L VPN with the public IP address, then you must configure

    object-group, LAN

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

    Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

    Be sure to mark it as answered if it was answered.

    Ask more if necessary

    -Jouni

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

    The config below has had IPs/passwords has changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    buydomains.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access permitted tcp a whole
    inside_access_in list extended access udp allowed a whole
    inside_access_in of access allowed any ip an extended list
    outside_access_in list extended access permit icmp any one
    outside_access_in list extended access udp allowed any any eq isakmp
    IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
    outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 623.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.5.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
    Crypto dynamic-map ciscopix 1 transform-set walthamoffice
    Crypto dynamic-map ciscopix 1 the value reverse-road
    map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
    dynmaptosw interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 13
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    lifetime 28800
    crypto ISAKMP policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    Telnet 10.5.0.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 10.5.0.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd address 10.5.0.2 - 10.5.0.254 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 66.250.45.2 source outdoors
    NTP server 72.18.205.157 source outdoors
    NTP server 208.53.158.34 source outdoors
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    VPN-idle-timeout no
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    context of prompt hostname
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

    Add the statement of rule sheep in asa and try again.

    NAT (inside) 0-list of access pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Concerning

  • problem setting up vpn site-to-site between asa and 1811 router

    I get the following error.

    3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

    3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

    6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP

    6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024

    5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop

    4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

    3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!

    3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).

    5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.

    3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED

    6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address

    4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes

    I do not think that because of the incompatibility of encryption. Any help is appreciated.

    Thank you

    Nilesh

    You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

    If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.

    Kind regards

    Arul

  • 2 one-Site VPN between HQ, Site A and Site B

    Dear brothers,

    Really I need your kindly help on Site 2 Site VPN.

    We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.

    HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21

    Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22

    Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23

    So my questions are:

    1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?

    2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?

    Thank you

    Hello

    I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

    Kind regards

    Averroès.

  • Site to Site VPN problem ASA 5505

    Hello

    I have a strange problem with a site to site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and access the remote network across the tunnel.

    For some reason, I can access the remote network of only two of the three internal networkls that I've specified.

    Here is a copy of my config - if anyone has any info I would be happy of course.

    Thank you

    Kevin

    FK - U host name. S. - Raleigh - ASA
    domain appdrugs.com
    activate 08PI8zPL2UE41XdH encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    name Maridian-primary-Net 192.168.237.0
    Meridian-backup-Net 192.168.237.128 name
    name 10.239.192.141 AccessSwitch1IDFB
    name 10.239.192.143 AccessSwitch1IDFC
    name 10.239.192.140 AccessSwitch1MDFA
    name 10.239.192.142 AccessSwitch2IDFB
    name CiscoCallManager 10.195.64.206
    name 10.239.192.2 CoreSwitch1
    name 10.239.192.3 CoreSwitch2
    name 10.195.64.17 UnityVM
    name 140.239.116.162 Outside_Interface
    name 65.118.69.251 Meridian-primary-VPN
    name 65.123.23.194 Meridian_Backup_VPN
    DNS-guard
    !
    interface Ethernet0/0
    Shutdown
    No nameif
    security-level 100
    no ip address
    !
    interface Ethernet0/1
    nameif outside
    security-level 60
    address IP Outside_Interface 255.255.255.224
    !
    interface Ethernet0/2
    nameif Inside1
    security-level 100
    IP 10.239.192.7 255.255.255.128
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 50
    IP 192.168.1.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa804 - k8.bin
    Disk0: / asa804.bin starting system
    passive FTP mode
    DNS domain-lookup outside
    DNS domain-lookup Inside1
    management of the DNS domain-lookup service
    DNS server-group DefaultDNS
    Server name 10.239.192.10
    domain appdrugs.com
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    the DM_INLINE_NETWORK_1 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.0
    object-network 10.239.192.128 255.255.255.128
    object-group service DM_INLINE_SERVICE_1
    the purpose of the ip service
    ICMP service object
    the purpose of the echo icmp message service
    response to echo icmp service object
    the DM_INLINE_NETWORK_2 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_3 object-group network
    network-object 10.195.64.0 255.255.255.192
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_5 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    the DM_INLINE_NETWORK_6 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    object-group network Vital-network-hardware-access
    host of the object-Network UnityVM
    host of the CiscoCallManager object-Network
    host of the object-Network AccessSwitch1MDFA
    host of the object-Network AccessSwitch1IDFB
    host of the object-Network AccessSwitch2IDFB
    host of the object-Network AccessSwitch1IDFC
    host of the object-Network CoreSwitch1
    host of the object-Network CoreSwitch2
    object-group service RDP - tcp
    EQ port 3389 object
    the DM_INLINE_NETWORK_7 object-group network
    Maridian-primary-Net network object 255.255.255.128
    Meridian-backup-Net network object 255.255.255.128
    host of network-object Meridian-primary-VPN
    host of the object-Network Meridian_Backup_VPN
    the DM_INLINE_NETWORK_9 object-group network
    host of the object-Network Outside_Interface
    Group-object Vital-equipment-access to the network
    object-group service DM_INLINE_SERVICE_2
    will the service object
    ESP service object
    the purpose of the service ah
    the eq isakmp udp service object
    object-group service DM_INLINE_SERVICE_3
    ICMP service object
    the purpose of the echo icmp message service
    response to echo icmp service object
    the DM_INLINE_NETWORK_4 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    the DM_INLINE_NETWORK_8 object-group network
    object-network 10.195.64.0 255.255.255.0
    object-network 10.239.192.0 255.255.255.128
    object-network 10.239.192.128 255.255.255.128
    Outside_access_in list extended access permit icmp any any echo response
    Access extensive list Maridian-primary-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_8 object-group enable
    Access extensive list Meridian-backup-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_3 object-group enable
    Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
    Access extensive list ip 10.239.192.0 Inside_nat0_outbound allow Maridian-primary-Net 255.255.255.0 255.255.255.128
    Inside_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
    Inside1_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
    Inside1_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 ip
    Inside1_nat0_outbound list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
    Access extensive list ip 10.239.192.0 Inside1_nat0_outbound allow 255.255.255.0 10.239.199.0 255.255.255.192
    Access extensive list ip 10.195.64.0 Inside1_nat0_outbound allow 255.255.255.192 10.239.199.0 255.255.255.192
    Inside1_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
    Outside_1_cryptomap list extended access allowed object-group DM_INLINE_SERVICE_1-DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 objects
    Outside_2_cryptomap list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.0 255.255.255.128
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.195.64.0 255.255.255.0
    permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.128 255.255.255.128
    Access extensive list ip 10.239.199.0 Vital_VPN allow 255.255.255.192 object-group Vital-equipment-access to the network
    Vital_VPN list extended access allow icmp 10.239.199.0 255.255.255.192 object-group Vital-equipment-access to the network
    Vital_VPN of access allowed any ip an extended list
    Outside_cryptomap_1 list extended access allowed object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128 ip
    access list Vital-Site-to-site access extended allow ip object-DM_INLINE_NETWORK_5 group Vital-network-hardware-access object
    Vital-Site-to-Site-access extended access list permits object-group DM_INLINE_SERVICE_3-group of objects DM_INLINE_NETWORK_6 object-group Vital-equipment-access to the network
    Vital-Site-to-Site-access extended access list permits object-group objects object-group DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_7 DM_INLINE_SERVICE_2-group
    pager lines 24
    Enable logging
    exploitation forest asdm warnings
    Outside 1500 MTU
    MTU 1500 Inside1
    management of MTU 1500
    mask IP local pool access remote 10.239.199.11 - 10.239.199.62 255.255.255.192
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 621.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (1 interface external)
    NAT (Inside1) 0-list of access Inside1_nat0_outbound
    NAT (Inside1) 1 10.0.0.0 255.0.0.0
    Access-group Outside_access_in in interface outside
    Access-group Inside1_access_in in interface Inside1
    Route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
    Route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
    Route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
    Route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
    Route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
    Route out of the Maridian-primary-Net 255.255.255.0 Outside_Interface 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 66.104.209.192 255.255.255.224 outside
    http 192.168.1.0 255.255.255.0 management
    http 10.239.172.0 255.255.252.0 Inside1
    SNMP-server host Inside1 10.239.132.225 community appfirestarter * #*.
    location of Server SNMP Raleigh
    contact Server SNMP Kevin mcdonald
    Server SNMP community appfirestarter * #*.
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Server SNMP traps enable entity config change
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
    cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap_1
    card crypto Outside_map 1 peer set VPN-primary-Meridian
    Outside_map 1 transform-set ESP-3DES-MD5 crypto card game
    card crypto Outside_map 1 defined security-association life seconds 28800
    card crypto Outside_map 1 set security-association kilobytes of life 4608000
    card crypto Outside_map 2 corresponds to the address Outside_2_cryptomap
    card crypto Outside_map 2 set peer Meridian_Backup_VPN
    map Outside_map 2 game of transformation-ESP-3DES-MD5 crypto
    card crypto Outside_map 2 defined security-association life seconds 28800
    card crypto Outside_map 2 set security-association kilobytes of life 4608000
    card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    Outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 5
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    outside access management
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    allow outside
    tunnel-group-list activate
    internal strategy of State civil-access to the network group
    Group Policy attributes Vital access to the network
    value of server DNS 10.239.192.10
    value of VPN-filter Vital_VPN
    Protocol-tunnel-VPN IPSec webvpn
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value vital-network-Access_splitTunnelAcl
    value of remote access address pools
    internal state civil-Site-to-Site-GroupPolicy group strategy
    Civil-site-a-site-grouppolicy-strategie status of group attributes
    value of VPN-filter Vital-Site-to-Site-access
    Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
    username APPRaleigh encrypted password m40Ls2r9N918trxp
    username APPRaleigh attributes
    VPN-group-policy Vital-network access
    type of remote access service
    username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
    tunnel-group 65.118.69.251 type ipsec-l2l
    tunnel-group 65.118.69.251 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.118.69.251
    pre-shared-key *.
    tunnel-group 65.123.23.194 type ipsec-l2l
    tunnel-group 65.123.23.194 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.123.23.194
    pre-shared-key *.
    remote access of type tunnel-group Vital access to the network
    tunnel-group Vital access to the network general-attributes
    Access to distance-address pool
    Group Policy - by default-state civilian access to the network
    tunnel-group Vital access to the network ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:a080b1759b57190ba65d932785ad4967
    : end

    can you confirm if we have the exact reflection of crypto acl at the other end

    I feel may be you have a 24 10.239.192.0 255.255.255.0 on the other end in the remote network

    can you please confirm that

    also a reason, why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0

Maybe you are looking for

  • MBA on the same network arrested in connection and iMac

    I got an iMac and MBA on the same network more than 5 years. Today, he ceased to recognize each other. The MBA, the iMac is listed in the Finder window, but when I click it, window is empty and I have no Conneded. I click on connect as, again and aga

  • 20 GB of HDD is not recognized by Tecra 8100

    HelloI just got this laptop Tecra 8100 and I am trying to upgrade its 12 GB with a 20 GB hard drive, a. I formatted the drive of 20 GB of my office using a portable USB Caddy before putting it in the laptop.When I boot up to install XP, and before sh

  • Only 30 seconds to send files to computer because I activate bluetooth

    Can I send files to my computer, but just as soon as I turn on my bluetooth stack. I have the latest version of Toshiba and a Tecra 9100. If I turn on my bluetooth stack I must be quick at sending the files on my computer to my mobile. Within 30secs

  • Satellite C850-F211 - sound problems

    I bought this laptop 3 months ago and since then, I have sound problems. Today the noise decided to not work and I can't hear a thing. If I put on some headphones or external speakers, I can hear the sound. Can anyone help? I'm actually regretting ev

  • Microsoft Wireless Desktop 800 USB keyboard and Mouse Combo transceiver

    Dear Sir. where I can get the new transmitter/receiver for Microsoft Wireless Desktop 800 as my transmitter/receiver is lost.