Tunnel of IPSec site to Site - port-based ACL

I saw crypto that ACLs will be created but still allowing all (IP).

What happens if I want to allow hosts on siteA to only access servers in siteB web. In this scenario, I only want to allow port 80 to reach hosts on the siteA. Is this possible? is based on the port ACL allow site to site tunnels?

Hello.

Seems to work for me very well:

Opened up just port 80 - expecting encapsulation.

R0#telnet 192.2.0.2 80
Trying 192.2.0.2, 80 ... Open
GET /
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:05:31 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none

400 Bad Request

[Connection to 192.2.0.2 closed by foreign host]
R0#sh cry
R0#sh crypto ipsec sa | i caps|ident
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
R0#

Ping should not go over tunnel.

R0#ping 192.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R0#sh crypto ipsec sa | i caps|ident
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

Config:

R0#sh run | s crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
set peer 1.1.1.3
set transform-set TRA
match address PACL
crypto map MAP
R0#sh ip access-l PACL
Extended IP access list PACL
10 permit tcp any host 192.2.0.2 eq www (19 matches)

Distance:

R1#sh run | s crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set TRA
match address PACL
crypto map MAP
R1#sh ip access-l PACL
Extended IP access list PACL
10 permit tcp host 192.2.0.2 eq www any (18 matches)

This has been tested on the main road to 12.4.25.

Note the ID of remote proxy:

   remote ident (addr/mask/prot/port): (192.2.0.2/255.255.255.255/6/80)

192.2.0.2 is the IP address

255.255.255.255 is the subnet mask

6 is the number of IP - TCP protocol (ref: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml )

80 is the destination port number.

Marcin

Tags: Cisco Security

Similar Questions

Tunnel VPN IPSEC site 2 Site will not appear.

Hello Experts,

I was wondering if I can get help on creating an IPSEC VPN between a Cisco 2921 and ASA 550 x tunnel. Here is the config

See the race | s crypto

Crypto pki token removal timeout default 0

crypto ISAKMP policy 1

BA aes

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key address A.A.A.A xxxxxxxxxxxxxxxxxxxxxx

Crypto ipsec transform-set ESP-AES128-SHA aes - esp esp-sha-hmac

transport mode

ICQ-2-ILAND 1 ipsec-isakmp crypto map

defined by peer A.A.A.A

game of transformation-ESP-AES128-SHA

match the address iland_london_s2s_vpn

ICQ-2-ILAND crypto card

The config on the remote end has not been shared with me, so I don't know if I'm doing something wrong locally, or if the remote end is configured incorrectly.

The command Sh crypto isakmp its the following message

ISAKMP crypto to show his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
A.A.A.A B.B.B.B MM_NO_STATE 1231 ACTIVE (deleted)

IPv6 Crypto ISAKMP Security Association

See the session encryption
Current state of the session crypto

Interface: GigabitEthernet0/0
The session state: DOWN-NEGOTIATION
Peer: Port A.A.A.A 500
IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
FLOW IPSEC: allowed ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
Active sAs: 0, origin: card crypto
FLOW IPSEC: allowed ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
Active sAs: 0, origin: card crypto

The command debug crypto isakmp debug logs are listed below.

ISAKMP: (0): pre-shared key local found
08:51:52.019 on 6 Dec: ISAKMP: analysis of the profiles for xauth...
08:51:52.019 on 6 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
08:51:52.019 on 6 Dec: ISAKMP: AES - CBC encryption
08:51:52.019 on 6 Dec: ISAKMP: keylength 128
08:51:52.019 on 6 Dec: ISAKMP: SHA hash
08:51:52.019 on 6 Dec: ISAKMP: group by default 2
08:51:52.019 on 6 Dec: ISAKMP: pre-shared key auth
08:51:52.019 on 6 Dec: ISAKMP: type of life in seconds
08:51:52.019 on 6 Dec: ISAKMP: life (basic) of 28800
08:51:52.019 on 6 Dec: ISAKMP: (0): atts are acceptable. Next payload is 0
08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts: real life: 0
08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts:life: 0
08:51:52.019 on 6 Dec: ISAKMP: (0): base life_in_seconds:28800
08:51:52.019 on 6 Dec: ISAKMP: (0): return real life: 28800
08:51:52.019 on 6 Dec: ISAKMP: (0): timer life Started: 28800.

DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
DEC 6 08:51:52.019: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
DEC 6 08:51:52.019: ISAKMP: (0): provider ID is NAT - T v2
DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
DEC 6 08:51:52.019: ISAKMP: (0): IKE frag vendor processing id payload
08:51:52.019 on 6 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

DEC 6 08:51:52.019: ISAKMP: (0): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
08:51:52.019 on 6 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

08:51:52.155 on 6 Dec: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP A.A.A.A
08:51:52.155 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.155 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

DEC 6 08:51:52.155: ISAKMP: (0): processing KE payload. Message ID = 0
DEC 6 08:51:52.175: ISAKMP: (0): processing NONCE payload. Message ID = 0
08:51:52.175 on 6 Dec: ISAKMP: (0): pre-shared key found peer corresponding to A.A.A.A
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is the unit
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID seems the unit/DPD but major incompatibility of 92
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is XAUTH
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): addressing another box of IOS!
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
08:51:52.175 on 6 Dec: ISAKMP: (1227): vendor ID seems the unit/DPD but hash mismatch
08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
08:51:52.175 on 6 Dec: ISAKMP (1227): sound not hash no match - this node outside NAT
08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
08:51:52.175 on 6 Dec: ISAKMP (1227): No. NAT found for oneself or peer
08:51:52.175 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM4

08:51:52.179 on 6 Dec: ISAKMP: (1227): send initial contact
08:51:52.179 on 6 Dec: ISAKMP: (1227): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
08:51:52.179 on 6 Dec: ISAKMP (1227): payload ID
next payload: 8
type: 1
address: B.B.B.B
Protocol: 17
Port: 500
Length: 12
08:51:52.179 on 6 Dec: ISAKMP: (1227): the total payload length: 12
DEC 6 08:51:52.179: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
08:51:52.179 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.179 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM5

08:51:52.315 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH A.A.A.A
DEC 6 08:51:52.315: ISAKMP: (1227): payload ID for treatment. Message ID = 0
08:51:52.315 on 6 Dec: ISAKMP (1227): payload ID
next payload: 8
type: 1
address: A.A.A.A
Protocol: 17
Port: 0
Length: 12
DEC 6 08:51:52.315: ISAKMP: (0): peer games * no * profiles
DEC 6 08:51:52.315: ISAKMP: (1227): HASH payload processing. Message ID = 0
08:51:52.315 on 6 Dec: ISAKMP: received payload type 17
DEC 6 08:51:52.315: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.315: ISAKMP: (1227): provider ID is DPD
08:51:52.315 on 6 Dec: ISAKMP: (1227): SA authentication status:
authenticated
08:51:52.315 on 6 Dec: ISAKMP: (1227): SA has been authenticated with A.A.A.A
08:51:52.315 on 6 Dec: ISAKMP: try to insert a B.B.B.B/A.A.A.A/500/ peer and inserted 2B79E8BC successfully.
08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM5 = IKE_I_MM6

08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_I_MM6

08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

08:51:52.315 on 6 Dec: ISAKMP: (1227): start Quick Mode Exchange, M - ID 1511581970
08:51:52.315 on 6 Dec: ISAKMP: (1227): initiator QM gets spi
DEC 6 08:51:52.315: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
08:51:52.315 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.315 on 6 Dec: ISAKMP: (1227): entrance, node 1511581970 = IKE_MESG_INTERNAL, IKE_INIT_QM
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_QM_READY = IKE_QM_I_QM1
08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
08:51:52.455 on 6 Dec: ISAKMP: node set-1740216573 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 2554750723
DEC 6 08:51:52.455: ISAKMP: (1227): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
0, message ID SPI = 2554750723, a = 0x2B78D574
08:51:52.455 on 6 Dec: ISAKMP: (1227): node-1740216573 error suppression FALSE reason 'informational (en) State 1.
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
08:51:52.455 on 6 Dec: ISAKMP: node set 1297146574 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 1297146574
DEC 6 08:51:52.455: ISAKMP: (1227): treatment of payload to DELETE. Message ID = 1297146574
08:51:52.455 on 6 Dec: ISAKMP: (1227): peer does not paranoid KeepAlive.

08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1297146574 FALSE reason 'informational (en) State 1.
08:51:52.455 on 6 Dec: ISAKMP: node set-1178304129 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
08:51:52.455 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.455 on 6 Dec: ISAKMP: (1227): purge the node-1178304129
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
08:51:52.455 on 6 Dec: ISAKMP: Unlocking counterpart struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
08:51:52.455 on 6 Dec: ISAKMP: delete peer node by peer_reap for A.A.A.A: 2B79E8BC
08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1511581970 FALSE reason 'IKE deleted.
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_DEST_SA = IKE_DEST_SA

Would appreciate any help you can provide.

Kind regards

Sidney Dsouza

The phase 2 does not complete since there is no visible SPI value. In addition, depending on your configuration Transport mode is configured for phase 2 However, debug displays the tunnel mode.

Thus, as suggested earlier to debug this further and find the root cause we need to match the configuration settings in Phase 2 with regard to the remote device.

Hope that helps.

Kind regards

Anuj

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

Question of phase 2 in IPSEC site-to-site

Hi all

I had a problem when creating a VPN site-to site IPSEC between cisco2901 - 15.2 (4) M3---> cisco861 - 12.4

The phase #1 is correctly updated, but when I am trying to order #show crypto ipsec his I can't see encry & decry packages.

Here is the race-conifgs and see the output encryption for both sides

cisco2901: -.

Current configuration: 5668 bytes

!

! Last configuration change to 17:08:59 PCTime on Monday, February 3, 2014 by ciscodxb

version 15.2

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

DXB - CIT hostname

!

boot-start-marker

boot-end-marker

!

!

logging buffered 52000

!

AAA new-model

!

!

AAA authentication login default local

AAA authentication login ciscocp_vpn_xauth_ml_1 local

AAA authorization exec default local

AAA authorization ciscocp_vpn_group_ml_1 LAN

!

!

!

!

!

AAA - the id of the joint session

clock timezone PCTime 4 0

!

IP cef

!

!

!

DHCP excluded-address IP 10.10.10.1

DHCP excluded-address IP 192.168.10.1 192.168.10.9

DHCP excluded-address IP 192.168.10.101 192.168.10.254

!

Dxb-IP dhcp pool pool

network 192.168.10.0 255.255.255.0

default router 192.168.10.1

Server DNS 80.xxx.xx.xx 213.xxx.xxx.xx

!

!

!

IP domain name channelit

name of the server IP 80.XX.XX.XX

name of the server IP 213.XX.XX.XX

No ipv6 cef

!

Authenticated MultiLink bundle-name Panel

!

!

!

!

!

!

Crypto pki trustpoint TP-self-signed-1231038404

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1231038404

revocation checking no

rsakeypair TP-self-signed-1231038404

!

!

TP-self-signed-1231038404 crypto pki certificate chain

certificate self-signed 01

3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31323331 30333834 6174652D 3034301E 170 3134 30313331 31333230

30375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32333130 65642D

33383430 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100ECF1 71B270A3 EFBC3609 C136BC9B 7D54A077 33286BF1 45558928 6DF96244

2DAF0A50 E5DA03C6 E87AD7AE 4544C6B0 2649AE20 83C5F9F1 FA73B5BF 5CC421DE

1FA66C70 FD39938F 8E46AA22 2996FBF9 6C739C35 13F1A287 651A 1904 57898B3F

F076A50E F4955677 6D0BD4B3 57FB590D 851500DC D789A175 FA0F18BD 1 HAS 982438

63730203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355

551 2304 18301680 14546BDB F740F993 E0A596EF 93D4991E C 751 7F301D06 4240

03551D0E 04160414 546BDBF7 40F993E0 A596EF93 D4991E75 1C42407F 300 D 0609

2A 864886 8181000E F70D0101 05050003 1FDDF0E2 8D04EFD3 850F2417 B49E1B6B

04CFFED3 D89C032E FEB03641 B5BC830B D60E8F8A 8EB28EA4 1242ECB5 01E91511

08A 59585 27260A9F C8470C48 0E5797F8 3C04DE38 3213CF77 ADCACC53 D6771D55

6E6C0027 F11BE11E 06F9BC8A 1C7C3874 9C4B937D 35D0DB0F 0328 38 DE9916AC CF

FE4AD16D 316146 5 A960DB 1EA2CF64

quit smoking

voice-card 0

!

!

!

!

!

!

!

!

license udi pid CISCO2901/K9 sn FCZ1716C4QT

HW-module pvdm 0/0

!

!

!

username cisco

0 username ciscodxb privilege 15 password Cisco

username secret privilege 15 compumate 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2

!

redundancy

!

!

!

!

!

!

Crypto ctcp

!

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

ISAKMP crypto key address 41.xxx.xx.xx xxxxxxxxx

!

Configuration group customer isakmp crypto CITDXB

key xxxxxx

pool SDM_POOL_1

ISAKMP crypto ciscocp-ike-profile-1 profile

correspond to identity group xxxxx

client authentication list ciscocp_vpn_xauth_ml_1

ISAKMP authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-model 1

!

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

tunnel mode

Crypto ipsec transform-set-Dxb-Nigeria-esp-3des esp-md5-hmac

tunnel mode

!

Profile of crypto ipsec CiscoCP_Profile1

game of transformation-ESP-3DES-SHA

set of isakmp - profile ciscocp-ike-profile-1

!

!

!

dynamic-map crypto hq - vpn 11

86400 seconds, life of security association set

game of transformation-CHANNEL-DUBAI

!

!

card crypto ipsec Dxb-to-Nigeria 1 - isakmp

defined by peer 41.xxx.xxx.xxx

transformation-Dxb-to-Nigeria game

match address 110

!

!

!

crypto map 1 VPN ipsec-isakmp dynamic hq - vpn

!

!

!

!

!

!

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

!

interface GigabitEthernet0/0

Description $ETH - SW - LAUNCH$ $INTF - INFO - GE $0/0 $ES_LAN$ $$ of ETH - WAN

IP 192.168.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly in

automatic duplex

automatic speed

!

interface GigabitEthernet0/1

Description $ES_WAN$

IP address 80.xxx.xxx.xxx 255.255.255.252

penetration of the IP stream

stream IP output

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

card crypto Dxb-to-Nigeria

!

type of interface virtual-Template1 tunnel

IP unnumbered GigabitEthernet0/1

ipv4 ipsec tunnel mode

Tunnel CiscoCP_Profile1 ipsec protection profile

!

local IP SDM_POOL_1 192.168.20.20 pool 192.168.20.50

IP forward-Protocol ND

!

IP http server

local IP http authentication

IP http secure server

!

IP nat source list 100 interface GigabitEthernet0/1 overload

IP nat inside source map route SDM_RMAP_1 interface GigabitEthernet0/1 overload

IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

!

auto discovering IP sla

Note category of access list 1 = 2 CCP_ACL

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 101 deny ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7

!

allowed SDM_RMAP_1 1 route map

corresponds to the IP 101

!

!

!

!

!

control plan

!

!

!

!

!

!

!

profile MGCP default

!

!

!

!

!

access controller

Shutdown

!

!

!

Line con 0

Synchronous recording

line to 0

line 2

no activation-character

No exec

preferred no transport

transport of entry all

transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

StopBits 1

line vty 0 4

transport input telnet ssh

line vty 5 15

access-class 23 in

transport input telnet ssh

!

Scheduler allocate 20000 1000

!

end

DXB - CIT #show cry

DXB - CIT #show crypto isa

DXB - CIT isakmp crypto #show her

IPv4 Crypto ISAKMP Security Association

DST CBC conn-State id

41.xxx.xxx.XX 80.xxx.xx.xx QM_IDLE 1011 ACTIVE

IPv6 Crypto ISAKMP Security Association

DXB - CIT #show cry

DXB - CIT #show crypto ips

DXB - CIT #show crypto ipsec his

Interface: GigabitEthernet0/1

Tag crypto map: addr Dxb to Nigeria, local 80.xxx.xx.xx

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (41.xxx.xx.xx/255.255.255.248/0/0)

current_peer 41.xxx.xx.xxx port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 1467, #recv errors 0

local crypto endpt. : 80.xxx.xxx.xx, remote Start crypto. : 41.xxx.xx.xx

Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/1

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

cisco861: -.

Crypto pki trustpoint TP-self-signed-2499926077

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 2499926077

revocation checking no

rsakeypair TP-self-signed-2499926077

!

Crypto pki trustpoint test_trustpoint_config_created_for_sdm

name of the object [email protected] / * /

crl revocation checking

!

!

TP-self-signed-2499926077 crypto pki certificate chain

certificate self-signed 01

308201B 5 A0030201 02020101 3082024C 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 32343939 39323630 6174652D 3737301E 170 3032 30333031 30303036

32315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 34393939 65642D

32363037 3730819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100C1D0 0C45FD24 19ECECA0 9F7686A4 42B81E39 F6485ED8 66EBFBF3 4F3DCD64

25D4C2C7 5B56E7EF 7BF1963F F0406CBB 9B782A92 7925BA63 C761D92A 9E97CA4A

4D83CDD3 4B9811B9 734D84AB EFD85F9D 4C2B580F E3302B67 97F93286 82541A 09

6D908B49 D936A0D1 78AB3829 9008E8EC 56896990 0333B1F1 8AACD0B2 4BCE81E3

010001A 3 74307230 1 130101 FF040530 030101FF 301F0603 0F060355 A4A10203

551 1104 18301682 14434954 5F322E79 6F757264 6F6D6169 6E2E636F 6D301F06

23 04183016 8014E7CE C4274196 DE068815 09907466 C9987EDF 4712301 D 03551D

0603551D 0E041604 14E7CEC4 27419609 907466DE 068815C 9 12300 06 987EDF47

092A 8648 86F70D01 01040500 03818100 B546F76E B5A79129 95 HAS 37822 132F6685

E5541CD5 0818A4FE 83AD17AC 9C18AAC2 C137AF00 43FB787C 30534B0C 7D494FA8

ACC28C3E 7CBC3BB5 92FAFD2C 5D1766FF 2C8CACE0 E523C53E 7617A9AF 7AD8FDF3

35CD 6184 8BB076E4 FBDF86B3 92EA9488 B173ABBD F42B1CA1 ECCB586B 882CC097

DEE688A7 E04797CB 7ED73ED3 E9FFC8D0

quit smoking

for the crypto pki certificate chain test_trustpoint_config_created_for_sdm

IP source-route

DHCP excluded-address IP 10.10.10.1

!

!

IP cef

"yourdomain.com" of the IP domain name

!

!

!

!

emma privilege 15 password username 0 PasemmaY

username admin privilege 15 secret 5 GHAV $1$ $ CuyCKFpaEVCRcTX4jTNzp.

!

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 3

BA 3des

md5 hash

preshared authentication

Group 2

!

crypto ISAKMP policy 5

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

!

crypto ISAKMP policy 7

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key & dtej4$ 41.xxx.xx.xxx address

ISAKMP crypto key [email protected] / * /#l! t address 41.xx.xx.xx

ISAKMP crypto key [email protected]/ * / & mtn address 196.xx.xx.xx

ISAKMP crypto key CITDENjan2014 address 80.xxx.xx.xx

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac MTN-TCWA

Crypto ipsec transform-set esp-3des esp-md5-hmac channelit

Crypto ipsec transform-set esp-3des esp-md5-hmac MTNG-TCWA

Crypto ipsec transform-set esp-3des esp-md5-hmac CHANNEL-DUBAI

!

map CHANNEL-DUBAI 14 ipsec-isakmp crypto

the value of 80.xxx.xx.xxx peer

game of transformation-CHANNEL-DUBAI

match address 160

!

card crypto MTNVPN address FastEthernet4

MTNVPN 10 ipsec-isakmp crypto map

the value of 41.xxx.xx.xx peer

transformation-MTN-TCWA play

match address 101

MTNVPN 11 ipsec-isakmp crypto map

the value of 41.xxx.xx.x peer

Set transform-set channelit

match address 150

MTNVPN 12 ipsec-isakmp crypto map

the value of 196.xxx.xx.xx peer

transformation-MTNG-TCWA play

match address MTNG

!

Archives

The config log

hidekeys

!

!

synwait-time of tcp IP 5

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

Description this connect MTN fiber interface

IP address 41.206.xx.xxx 255.255.255.252

automatic duplex

automatic speed

card crypto MTNVPN

!

interface Vlan1

Description this interface connects to the local network of CIT

IP address 41.xxx.xx.xxx 255.255.255.248

IP tcp adjust-mss 1452

!

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 41.xxx.xx.xx

IP route 10.93.128.128 255.255.255.224 41.xxx.xx.x

IP route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx

IP route 10.135.45.0 255.255.255.224 196.xxx.xx.xx

IP route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx

Route IP 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx

IP http server

23 class IP http access

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

!

MTNG extended IP access list

permit ip 41.xxx.xx.xxx0.0.0.7 10.135.45.0 0.0.0.31

!

access-list 23 allow 10.10.10.0 0.0.0.7

access-list 23 allow one

access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75

access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15

access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7

access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225

access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31

access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31

access list 150 permit ip 41.206.13.193 host 10.197.212.224 0.0.0.31

access list 150 permit ip 41.206.13.194 host 10.197.212.224 0.0.0.31

access list 150 permit ip 41.206.13.195 host 10.197.212.224 0.0.0.31

access list 150 permit ip 41.206.13.196 host 10.197.212.224 0.0.0.31

access list 150 permit ip 41.206.13.197 host 10.197.212.224 0.0.0.31

access list 150 permit ip 41.206.13.198 host 10.197.212.224 0.0.0.31

access-list 160 allow 41.206.xx.xxx 0.0.0.7 ip 192.168.10.0 0.0.0.255

not run cdp

!

control plan

!

exec banner ^ C

% Warning of password expiration.

-----------------------------------------------------------------------

Professional configuration Cisco (Cisco CP) is installed on this device

and it provides the default username "cisco" single use. If you have

already used the username "cisco" to connect to the router and your IOS image

supports the option "unique" user, that user name is already expired.

You will not be able to connect to the router with the username when you leave

This session.

It is strongly recommended that you create a new user name with a privilege level

15 using the following command.

username secret privilege 15 0

Replace and with the username and password you

you want to use.

-----------------------------------------------------------------------

^ C

connection of the banner ^ C

-----------------------------------------------------------------------

Professional configuration Cisco (Cisco CP) is installed on this device.

This feature requires the unique use of the user name "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE

IDENTIFICATION INFORMATION PUBLICLY KNOWN

Here are the Cisco IOS commands.

username secret privilege 15 0

No username cisco

Replace and with the username and password

to use.

IF YOU DO NOT CHANGE THE IDENTIFICATION INFORMATION PUBLICLY KNOWN, YOU WILL HAVE

NOT BE ABLE TO CONNECT TO THE DEVICE AGAIN ONCE YOU HAVE DISCONNECTED.

For more information about Cisco CP, you follow the instructions of the

Of your router's QUICK START GUIDE or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^ C

!

Line con 0

local connection

no activation of the modem

line to 0

line vty 0 4

access-class 23 in

privilege level 15

local connection

transport input telnet ssh

!

max-task-time 5000 Planner

end

CIT_2 cry #show

CIT_2 #show crypto isa

CIT_2 #show crypto isakmp his

IPv4 Crypto ISAKMP Security Association

status of DST CBC State conn-id slot

41.xxx.XX.xxx 80.xxx.xx.xxx QM_IDLE 2003 0 ACTIVE

IPv6 Crypto ISAKMP Security Association

CIT_2 cry #show

CIT_2 #show crypto ips

CIT_2 #show crypto ipsec his

Interface: FastEthernet4

Tag crypto map: MTNVPN, local addr 41.xxx.xx.xx

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (41.xxx.xx.xxx/255.255.255.248/0/0)

Remote ident (addr, mask, prot, port): (41.xxx.x.xx/255.255.255.255/0/0)

current_peer 41.xxx.xx.xxxport 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

local crypto endpt. : 41.xxx.xx.xx, remote Start crypto. : 41.xxx.xx.xxx

Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet4

current outbound SPI: 0x0 (0)

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (41.xxx.xx.xxx/255.255.255.248/0/0)

Remote ident (addr, mask, prot, port): (10.109.95.120/255.255.255.248/0/0)

current_peer 41.xxx.xx.xxx port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors #send 0, #recv 0 errors

local crypto endpt. : 41.xxx.xx.xx, remote Start crypto. : 41.xxx.xx.xx

Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet4

current outbound SPI: 0x0 (0)

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

CHANNEL-DUBAI map crypto is not applied to any interface.

How about you just to add a new entry to MTNVPN that is already applied to the F4.

ASA IPSEC site-to-site with NAT problem

Hello

I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

I have a site-to-site between two locations:

Site A is 192.168.0.0/24

Site B is 192.168.4.0/24

I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

The system of site B can also ping 10.57.4.50.

Here's the running configuration:

ASA 8.3 Version (2)

!

hostname fw1

domain name

activate the password encrypted

passwd encrypted

names of

!

interface Vlan1

Description city network internal

nameif inside

security-level 100

IP 192.168.9.1 255.255.255.0

!

interface Vlan2

Description Internet Public

nameif outside

security-level 0

IP 173.166.117.186 255.255.255.248

!

interface Vlan3

DMZ (CaTV) description

nameif dmz

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface Vlan5

PD Network description

nameif PDNet

security level 95

the IP 192.168.0.1 255.255.255.0

!

interface Vlan10

Description Network Infrastructure

nameif InfraNet

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan13

Description wireless comments

nameif Wireless-comments

security-level 25

IP 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

IP 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk vlan 1 native

switchport mode trunk

Speed 100

full duplex

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk vlan 1 native

switchport mode trunk

Shutdown

!

exec banner restricted access

banner restricted access connection

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

DNS server-group DefaultDNS

domain name

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

service of the IMAPoverSSL object

destination eq 993 tcp service

IMAP over SSL description

service of the POPoverSSL object

tcp destination eq 995 service

POP3 over SSL description

service of the SMTPwTLS object

tcp destination eq 465 service

SMTP with TLS description

network object obj - 192.168.9.20

Home 192.168.9.20

object obj-claggett-https network

Home 192.168.9.20

network of object obj-claggett-imap4

Home 192.168.9.20

network of object obj-claggett-pop3

Home 192.168.9.20

network of object obj-claggett-smtp

Home 192.168.9.20

object obj-claggett-imapoverssl network

Home 192.168.9.20

object obj-claggett-popoverssl network

Home 192.168.9.20

object obj-claggett-smtpwTLS network

Home 192.168.9.20

network object obj - 192.168.9.120

Home 192.168.9.120

network object obj - 192.168.9.119

Home 192.168.9.119

network object obj - 192.168.9.121

Home 192.168.9.121

object obj-wirelessnet network

subnet 192.168.1.0 255.255.255.0

network of the Clients_sans_fil object

subnet 192.168.1.0 255.255.255.0

object obj-dmznetwork network

Subnet 192.168.2.0 255.255.255.0

network of the FD_Firewall object

Home 74.94.142.229

network of the FD_Net object

192.168.6.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

object obj-TownHallNet network

192.168.9.0 subnet 255.255.255.0

network obj_InfraNet object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.0.0_24 object

192.168.0.0 subnet 255.255.255.0

network of the NHDOS_Firewall object

Home 72.95.124.69

network of the NHDOS_SpotsHub object

Home 192.168.4.20

network of the IMCMOBILE object

Home 192.168.0.112

network of the NHDOS_Net object

subnet 192.168.4.0 255.255.255.0

network of the NHSPOTS_Net object

10.57.4.0 subnet 255.255.255.0

network of the IMCMobile_NAT_IP object

Home 10.57.4.50

service EmailServices object-group

Description of e-mail Exchange Services / Normal

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq imap4 service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_1

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_2

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

the obj_clerkpc object-group network

PCs of the clerk Description

network-object object obj - 192.168.9.119

network-object object obj - 192.168.9.120

network-object object obj - 192.168.9.121

the TownHall_Nets object-group network

object-network 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.9.0 255.255.255.0

the DOS_Networks object-group network

network-object 10.56.0.0 255.255.0.0

network-object, object NHDOS_Net

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

Enable logging

Test1 logging level list class debug vpn

logging of debug asdm

E-mail logging errors

address record

logging level -l errors ' address of the recipient

Within 1500 MTU

Outside 1500 MTU

MTU 1500 dmz

MTU 1500 Wireless-comments

MTU 1500 StateNet

MTU 1500 InfraNet

MTU 1500 PDNet

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 635.bin

don't allow no asdm history

ARP timeout 14400

NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

!

network obj_any object

NAT static interface (indoor, outdoor)

object obj-claggett-https network

NAT (inside, outside) interface static tcp https https service

network of object obj-claggett-imap4

NAT (inside, outside) interface static tcp imap4 imap4 service

network of object obj-claggett-pop3

NAT (inside, outside) interface static tcp pop3 pop3 service

network of object obj-claggett-smtp

NAT (inside, outside) interface static tcp smtp smtp service

object obj-claggett-imapoverssl network

NAT (inside, outside) interface static tcp 993 993 service

object obj-claggett-popoverssl network

NAT (inside, outside) interface static tcp 995 995 service

object obj-claggett-smtpwTLS network

NAT (inside, outside) interface static tcp 465 465 service

network object obj - 192.168.9.120

NAT (inside, StateNet) 10.63.198.12 static

network object obj - 192.168.9.119

NAT (all, StateNet) 10.63.198.10 static

network object obj - 192.168.9.121

NAT (all, StateNet) 10.63.198.11 static

object obj-wirelessnet network

NAT (Wireless-Guest, outside) static interface

object obj-dmznetwork network

interface static NAT (all, outside)

network obj_InfraNet object

NAT (InfraNet, outside) static interface

Access-group outside_access_in in interface outside

Access-group StateNet_access_in in the StateNet interface

Access-group PDNet_access_in in interface PDNet

Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

http server enable 5443

http 192.x.x.x 255.255.255.0 inside

http 7.x.x.x 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set 72.x.x.x counterpart

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 2 match address outside_2_cryptomap

card crypto outside_map 2 set pfs

card crypto outside_map 2 peers set 173.x.x.x

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet 192.168.9.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.9.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd outside auto_config

!

dhcpd address dmz 192.168.2.100 - 192.168.2.254

dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

dhcpd enable dmz

!

dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

dhcpd enable Wireless-comments

!

a basic threat threat detection

a statistical threat detection host number rate 2

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 63.240.161.99 prefer external source

NTP server 207.171.30.106 prefer external source

NTP server 70.86.250.6 prefer external source

WebVPN

attributes of Group Policy DfltGrpPolicy

internal FDIPSECTunnel group strategy

attributes of Group Policy FDIPSECTunnel

VPN-idle-timeout no

Protocol-tunnel-VPN IPSec l2tp ipsec

support for username password encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

72.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x General-attributes

Group Policy - by default-FDIPSECTunnel

173.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 1024

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the icmp

!

global service-policy global_policy

192.168.9.20 SMTP server

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

: end

If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

IPsec Site to Site and the question of the IPsec remote access

Our remote access IPsec 3DES 168 bit encrption has the value

If we want to allow a remote user to get out of a tunnel to another site must be so 3DES encryption for the Tunnel?

This tunnel is currently defined by AES.

If I understand your question the answer is this:

The VPN client will connect to the ASA with any encryption method, he chose.

If the VPN client then runs through a tunnel from Site to Site to another location, it uses the encryption method specified in the tunnel from Site to Site.

This is because as the settings for the client VPN applies only when he puts an end VPN on the ASA.

When the customer traffic, passes through a different tunnel, the settings for this tunnel applies.

Hope I answered your question, if not please let me know.

Federico.

IPSec site to site VPN cisco VPN client routing problem and

Hello

I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

There are on the shelves, there is no material used cisco - routers DLINK.

Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

Can someone help me please?

Thank you

Peter

RAYS - not cisco devices / another provider

Cisco 1841 HSEC HUB:

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key x xx address no.-xauth

!

the group x crypto isakmp client configuration

x key

pool vpnclientpool

ACL 190

include-local-lan

!

86400 seconds, duration of life crypto ipsec security association

Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

!

Crypto-map dynamic dynmap 10

Set transform-set 1cisco

!

card crypto ETH0 client authentication list userauthen

card crypto isakmp authorization list groupauthor ETH0

client configuration address card crypto ETH0 answer

ETH0 1 ipsec-isakmp crypto map

set peer x

Set transform-set 1cisco

PFS group2 Set

match address 180

card ETH0 10-isakmp ipsec crypto dynamic dynmap

!

!

interface FastEthernet0/1

Description $ES_WAN$

card crypto ETH0

!

IP local pool vpnclientpool 192.168.200.100 192.168.200.150

!

!

overload of IP nat inside source list LOCAL interface FastEthernet0/1

!

IP access-list extended LOCAL

deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

IP 192.168.7.0 allow 0.0.0.255 any

!

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

!

How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

DE:

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

TO:

access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

Also change the ACL 190 split tunnel:

DE:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

TO:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

Hope that helps.

Failed to configure two AnyConnect & IPSEC site to site VPN

I have established a VPN IPSEC site-to-site

When I configure the AnyConnect (make it work) and I lose the tunnel from site to site and vice versa.

I think that my NAT syatements are incorrect.

Here is the config NAT when AnyConnect works properly...

Overall (101 outside interface)
NAT (inside) 0-list of access sslnonat
NAT (inside) 101 0.0.0.0 0.0.0.0

access extensive list ip 192.168.65.0 sslnonat allow 255.255.255.0 192.168.66.0 255.255.255.0

When the IPSEC tunnel site-to-site work properly, here's the NAT config...

Overall (101 outside interface)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0

Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 ServerGroup object-group

How do I get to the AnyConnect and the IPSEC Site to site both to work properly? I need not reach on the other.

Network within 192.168.65.0/24

AnyCOnnect address pool 192.168.66.0/24

Any help would be appreciated.

Hello

Try this:

Overall (101 outside interface)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0

Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 ServerGroup object-group
Access extensive list ip 192.168.65.0 Inside_nat0_outbound allow 255.255.255.0 192.168.66.0 255.255.255.0

The problem is that when you apply the IPsec NAT configuration, you remove the entry for the AnyConnect pool.
Try the above and we will see if it works.

Federico.

IPsec Site to Site VPN multisession?

Hi people.

I recently faced a problem at work. Customers want to dismiss ipsec site to site vpn. I have 2 asa 5520 working in a stack. Is it possible to configure the vpn site to site in a redundant mode, as the first ip address is x.x.x.x and secondary is y.y.y.y (backup)?

Thank you much in advance.

Hello

You can define several counterparts in the card encryption, see:

http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c5_72.html#wp2066090

You can define several tunnels and leave the routing protocol to choose the best route.

Hope this helps,

Bastien.

IPsec site to Site VPN on Wi - Fi router

Hello!

Can someone tell me if there is a router Netgear Wi - Fi that can form IPsec Site to Site VPN connection between 2 Wi - Fi routers via the WAN connection?

I know that this feature exists on the Netgear firewall, but can you have the same function on any Wi - Fi router?

See you soon!

Michael

I suspect that.

Thank you very much for the reply.

See you soon!

IPSec Site to Site VPN Solution needed?

Hi all

I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

Could you please give me the solution how is that possible?

Concerning

Uzair Hussain

Hi uzair.infotech,

Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

INFO - RITA - NIDA

You can check this guide that explains step by step how to configure grouping:

https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

Hope this info helps!

Note If you help!

-JP-

Impossible to get to the beach for additional IP addresses on IPSec Site to Site VPN

Hello
I am trying to set up a free IPSec Site to Site VPN between an ASA 5510 (ASA Version 8.2 (3)) to the AC and a Cisco 877 (12.4 (24) T3) to a branch.

At the end of the branch, I have the 192.168.244.0/24 subnet.
At the end of HQ, I have the 172.16.0.0/22 and the 10.0.0.0/8 subnets
The inside interface of the ASA at Headquarters is 172.16.0.15/22

When installing VPN Wizard I ticked the box NAT - T, and I included the additional subnet in the list of protected LANs.

I can sucessfully all the subnets 172.16.0.0/22 but not access anything in the 10.0.0.0/8 subnets.
The Packet Trace ASA tool shows the traffic inside the interface of 172.16.0.0/22 in the direction of 192.168.244.0/24 through the outside interface properly spend, but the 10.0.0.0/8 does not work. He gives no precise information why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510] - IPSEC-[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Help, please.

Hello

Peer VPN you do not accept the LAN between these two peers of vpn segment.

On your ASA

inside_outbound_nat0_acl list of allowed ip extended access all <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make the same statement subnet explicitly between two vpn peers and finally please add this route on SAA.

Same question on this ACL so, statement of not identical subnet between two peers of vpn, please make sure it identical at both ends.

outside_cryptomap_2 list extended access allowed object-group ip <> <> 255.255.255.0

Route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

Thank you

Rizwan James

RVS4000, port forwarding - with - IP-based ACL

G ' Day!

I want to know if it is possible to enable port forwarding and paste an IP based ACL on the attacker.

Scenario:

I replaced my gateway linux with a RVS4000 and reinstalled my linux machine as a file server with sshd running (now residing on my network behind the RVS4000).

I have forwarded port 22 on the RVS4000 on my linux server - it works as expected. Now I want to restrict which IP addresses which may connect to port 22, that I can't go to work.

After I forward port 22 to the linux server I can't control it with IP based ACL. Even if I deny all traffic to port 22, it will leave borrowing at the server linux as long as the port is active.

I am doing something wrong or if this isn't just intended to work the way I want?

acl based port will not work with the port forwarding on the device. Once you transfer the port are all allowede to enter this port. the acl will not take effect. I think that what you want to do the port binding is not a feature of this device.

How do .1x port based authentication access network through ACS

How .1x port based authentication access network through ACS.

Hello

802. 1 x can authenticate the host or by the name of username/password, or either through the MAC address of the clients (PC, printers etc.). This process is called agentless network access that can be done via Mac Auth Bypass.

In this process, the switchport 802.1 x would send the address MAC PC's connected to the server radius for authentication. If the radius server has the MAC address in its database, authentication will be successful and the PC would be granted network access.

To check the configuration on GBA 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...

To check the configuration on a CBS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

Kind regards

Kush

The groups C3750G and object based ACL

Hi all

East of the groups of objects based ACL Supportepar C3750G switches? I found nothing on the web site of Cisco on this subject.
```
Hi All,
Is Object Groups based ACLs supported on C3750G switches? I could not find anything on the Cisco web site about this.
```
Hello

Check out the link on the subject below Group ACL, it is supported with 12.4 (20) T realease but I do not think that it is supported with cisco 3750G switch series, what I see navigator in cisco. Hope Uncle helps!

http://www.Cisco.com/en/us/docs/iOS/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1055872

So useful note valauble post

Ganesh.H

Tunnel of IPSec site to Site - port-based ACL

Similar Questions

How .1x port based authentication access network through ACS.

Maybe you are looking for