Tunnel of Volition on OSPF

Hello

I am configuring a GRE Tunnel on OSPF. The VPN is in place and the Gre Tunnel is up, but when I do a debug ip ospf Wo all that I see is that its not have passed the stage of change/exstart. I don't know why its not making is not a contiguity and only say suggestions I have far to look at the MTU size, but these are all default values.

W6D: OSPF: RRs DBD 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0 x 52 indicator 0 x 7
Len 32 mtu 1400 State EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0 x 52 indicator 0 x 2 l
in 1452
4w6d: OSPF: RRs DBD 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0 x 52 indicator 0 x 7
Len 32 mtu 1400 State EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0 x 52 indicator 0 x 2 l
in 1452
4w6d: OSPF: RRs DBD 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0 x 52 indicator 0 x 7
Len 32 mtu 1400 State EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq opt fla 0 x 52 0x1A42

Kind regards

Kevin

We will first check if your VPN tunnel is up without problem.

See the isa crypto his

Crypto ipsec to show his

I took a quick glance to your configuration, the ACL used for VPN traffic must be mirror on both peers. I know that you only need to encode the GRE traffic. So you can change your ACL as follows.

1. the TDNVPN01

change

access-list 160 permit ip host 172.18.47.100 172.18.47.1
access-list 160 permit ip host 172.18.47.1 172.18.47.100
access-list 160 permit ip host 172.18.46.1 172.18.46.2
access-list 160 permit ip host 172.18.46.2 172.18.46.1

access-list 160 allow accord 172.18.47.100 host 172.18.47.1

2. on the SAA,

change

access list ACL-VPN600 extended permit ip host 172.18.47.1 172.18.47.100
access list ACL-VPN600 extended permit ip host 172.18.111.1 172.18.111.100
access list ACL-VPN600 extended permit ip host 172.18.46.1 172.18.46.2
access list ACL-VPN600 extended permit ip host 172.18.46.2 172.18.46.1
access list ACL-VPN600 extended permit ip host 172.18.47.100 172.18.47.1

extended access list ACL-VPN600 allow accord 172.18.47.1 host 172.18.47.100

3. on the SAA, you might need ignore NAT for this traffic. (maybe not since I have not seen nat-control is enabled, but you have not a "nat 0 ' configured)

INSIDE_nat0_outbound list of allowed access host ip 172.18.47.1 172.18.47.100

After making the above change, use "show crypto isa his ' and ' show crypto ipsec his" on both sides to verify if IPSec is implemented.

If so, use "crypto ipsec to show his" to check if the two encryption and decipher the County are incrementing.

Tags: Cisco Security

Similar Questions

Multicast over GRE tunnel traffic

Hi guys,.

I have a connection via ISP connection point to point BGP on a connection of 100 Mbps between the branch and the central office.

I set up in two cisco routers with ios security advance 2801 a tunnel WILL running the ospf Protocol so I can share the multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparc-mode to transport video traffic above the tunnel.

Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues anyone can help me solve this question guys?

Hello

There is a lot of discussion about the limitations of bandwidth on the tunnel interface. But most of the discussions flow seems to be linked to the limitation of the software on the device.

Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it recommended on the tunnel interface.

HTH.

Evaluate the useful ticket.

Kind regards

Terence

GRE with VPN IPSec with OSPF

Gents,

This is my first post ever here, on this platform, I have a problem to Setup GRE tunnel with IPSEC with OSPF tunnel... I have 2 sites connected to my HQ (Media is VSAT). I want all the encriptación data + Multicast Ospf enabled...

Can I do it with DWVPN using SDM - I did a single document to this topic but its all about IEGRP OSPF not...

Anyone please help me with this problem... If anyone NEED any other information please update me... I'll be happy to do...

Thanking you in anticipation.

Tabuk router is misconfigured:

defined by peer 172.31.111.93

This should be

defined by peer 172.31.111.97

Concerning

Farrukh

VTI & OSPF tunnel

Hi all

I have configured the interfaces of tunnel VTI (ipv4 ipsec tunnel mode) and OSPF on which interacts.

VTI is encrypt all traffic data. But what about the OSPF traffic?

Is encrypted as OSPF traffic or I need to configure OSPF authentication?

Thank you

OSPF Exchange is already encrypted inside the tunnel, so u don't have to use the ospf authentication. OSPF uses IPs of tunnel for the communications and traffic between these two addresses is possible only through the secure tunnel.

Routing OSPF on a VRF with Tunnel GRE ISAKMP

Hello

I'm trying to implement a routing OSPF on a VRF using GRE Tunnel with ISAKMP encryption.

Almost everything works fine:

1 OSPF routing incl. VRF - perfect

2. distribution of routing OSPF using the GRE Tunnel and VRF - perfect

3 ISAKMP encryption - I think I've done one or several mistackes.

On the attaced file, you might find the Excel sheet, which includes router configurations and a scetch of netzwork.

I would be very happy if someone could solve my problem or give me a hint.

Thank you very much.

Hi Kai,

your key ring is not in the good vrf - note that there is a difference between the FVRF and the IVRF, see

In case you, ISAKMP traffic is sent on / arriving on the interface F0/1.10 so the FVRF is the global vrf, and therefore the set of keys should be in global vrf.

In other words replace this:

VRF crypto keyring Customer_10_Keyring Customer_10

with:

door-key crypto Customer_10_Keyring

BTW, the above document also has an example on how to use 'tunnel of protection', so you no longer have to use a card encryption. Actually I'm not 100% if it is supported to the GRE/IPsec with VRF without using protection tunnel, so maybe try that if you still have problems.

HTH

Herbert

Using OSPF on entirely mesh VPN L2L

We have four sites linked together (full mesh) over VPN tunnels on the features of the NSA. The traffic from a given site can use a VPN tunnel to connect directly with any other peer on the network. We want to use OSPF to redirect traffic when the VPN tunnel between two sites goes down.

For example, if the VPN between sites A and B goes down we want to redirect the traffic from site A, (designed for Site B) to be diverted to site C, and site C traffic would then cross the tunnel to B.

How can we define it?

Hi Christine,

In the course of Network Security Advanced Administration (SSSC), hands-on exercise Guide (NS-202-EG-A) on page 61, you'll find a VPN type exercise road using OSPF. Works great!

IGP and GRE Tunnel

GRE.png

Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

Case 1:

We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:
- Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
- This will make the redundant paths between two routers
- This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
- Or we can tunnel just for the exchange of traffic between two routers.
My Question:
1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?
Case 2:

If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

My Question:
- I just want to know there is a valid case and also do we get this case in a review?
What comments can you do on both cases freely, I just create these two cases to clear my mind.

Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.

Answer to your question on my opinion are as below

case 1
1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).
Case 2
- I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.
Please always evaluate the useful post!

Kind regards

Pawan (CCIE # 52104)

Redistribution of Routes between OSPF and EIGRP

We have a network of test with the topology below. We have two networks connected to a L3 switch. Both networks have an ASA firewall with a tunnel from site to site between them. They also have a connection in conjunction with each other. We want to implement a scenerio where the concert connection is the main route but if that route fails, then it switches to the routethat is above the tunnel from site to site. We have eigrp running on two basic switches so that the roads on the concert connection function properly. However Networking cannot be learned on the second road that goes over the vpn tunnel. We have running ospf on the asa and we are redistrubuting routes in eigrp. Which apparently correct? Look like the SAA they learn on ospf routes correctly however when we go to basic switches and show ip eigrp topology we do not see the routes possible successor. Any ideas on how to make this work?

Hello

The initial Setup looks that you have summarized automatic enabled on core switches, also to the asa eigrp process your redistribution measures doesn't look right about the delay/load/reliability-whats the reasoning behind this? Could you try the following:

Switch main 1 & 2

Router eigrp 100

No Auto-resume

ASA 1 & 2

Router eigrp 100

Redistribute ospf 1 100000 1 255 1 1500 metric

Could you also post the out-of - show ip eigrp topology all-links

RES

Paul

Please do not forget to note all messages that have been useful.

Thank you.

A Site with IPsec without restoring a new tunnel

Hello, I have a question about IPSec S2S.

Network.PNG

In this topoloy, I would like to that IPSec S2S between 172.21.0.0/24 and 172.22.0.0/24.

The serial line is the first priority and route on ISP is the second priority for routing.

The question is how can I create the IPsec Site to Site connection without restore when the routing path changes?

The AR configuration:

!
version 15.1
no service the timestamps don't log datetime msec
no service timestamps debug datetime msec
no password encryption service
!
hostname AR
!
!
!
!
!
!
!
!
no ip cef
No ipv6 cef
!
!
!
username cisco password 0 BR
!
!
license udi pid CISCO2901/K9 sn FTX1524YO05
licence start-up module c2900 technology-package securityk9
!
!
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
!
cisco key crypto isakmp 10.0.0.2 address
address of cisco crypto isakmp 200.200.200.2 keys
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS
!
CMAP 10 ipsec-isakmp crypto card
defined peer 10.0.0.2
defined by peer 200.200.200.2
game of transformation-TS
match the vpn address
!
!
!
!
!
!
pvst spanning-tree mode
!
!
!
!
!
!
interface GigabitEthernet0/0
IP 100.100.100.2 255.255.255.252
automatic duplex
automatic speed
card crypto WCPA
!
interface GigabitEthernet0/1
IP 172.21.0.254 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0/0
the IP 10.0.0.1 255.255.255.252
encapsulation ppp
Chap PPP authentication protocol
2000000 clock frequency
card crypto WCPA
!
interface Serial0/0/1
no ip address
2000000 clock frequency
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
router ospf 1
Log-adjacency-changes
Network 10.0.0.0 0.0.0.3 area 0
network 172.21.0.0 0.0.0.255 area 0
!
router RIP
version 2
network 100.0.0.0
network 172.21.0.0
No Auto-resume
!
IP classless
!
IP flow-export version 9
!
!
list of IP - vpn access scope
IP 172.21.0.0 allow 0.0.0.255 172.22.0.0 0.0.0.255
!
!
!
!
!
Line con 0
!
line to 0
!
line vty 0 4
opening of session
!
!
!
end

Configuration of BR:

!
version 15.1
no service the timestamps don't log datetime msec
no service timestamps debug datetime msec
no password encryption service
!
hostname BR
!
!
!
!
!
!
!
!
no ip cef
No ipv6 cef
!
!
!
Cisco spends 0 username AR
!
!
license udi pid CISCO2901/K9 sn FTX1524L63A
licence start-up module c2900 technology-package securityk9
!
!
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
!
cisco key crypto isakmp 10.0.0.1 address
address of cisco crypto isakmp 100.100.100.2 keys
!
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS
!
CMAP 10 ipsec-isakmp crypto card
defined peer 10.0.0.1
defined by peer 100.100.100.2
game of transformation-TS
match the vpn address
!
!
!
!
!
!
pvst spanning-tree mode
!
!
!
!
!
!
interface GigabitEthernet0/0
IP 200.200.200.2 255.255.255.252
automatic duplex
automatic speed
card crypto WCPA
!
interface GigabitEthernet0/1
IP 172.22.0.254 255.255.255.0
automatic duplex
automatic speed
!
interface Serial0/0/0
the IP 10.0.0.2 255.255.255.252
encapsulation ppp
Chap PPP authentication protocol
card crypto WCPA
!
interface Serial0/0/1
no ip address
2000000 clock frequency
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
router ospf 1
Log-adjacency-changes
Network 10.0.0.0 0.0.0.3 area 0
network 172.22.0.0 0.0.0.255 area 0
!
router RIP
version 2
network 172.22.0.0
network 200.200.200.0
No Auto-resume
!
IP classless
!
IP flow-export version 9
!
!
list of IP - vpn access scope
IP 172.22.0.0 allow 0.0.0.255 172.21.0.0 0.0.0.255
!
!
!
!
!
Line con 0
!
line to 0
!
line vty 0 4
opening of session
!
!
!
end

Thank you very much!

Although you might go this route, I wouldn't.

I would use VTI (GRE tunnels that run over IPSec) interfaces. One on the series circuit and the other on the circuit of the ISP.

You can then either use GRE KeepAlive to detect which tunnels are in place and use static routes or dynamic routing as EIGRP Protocol (put a higher value of the 'bandwidth' with the 'bandwidth' command on the favorite tunnel).

HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody

Hello

We have a cisco ASA 5505 and try to get the next job:

ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client

the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)

When I try to access the url of the client, I get a syn sent with netstat

When I try trace ASA package, I see the following:

1

FLOW-SEARCH

ALLOW

Not found no corresponding stream, creating a new stream

2

ROUTE SEARCH

entry

ALLOW

in 0.0.0.0 0.0.0.0 outdoors

3

ACCESS-LIST

Journal

ALLOW

Access-group outside_access_in in interface outside

outside_access_in list extended access permitted tcp everything any https eq

access-list outside_access_in note hyperion outside inside

4

IP-OPTIONS

ALLOW

5

CP-PUNT

ALLOW

6

VPN

IPSec-tunnel-flow

ALLOW

7

IP-OPTIONS

ALLOW

8

VPN

encrypt

ALLOW

outdoors

upward

upward

outdoors

upward

upward

drop

(ipsec-parody) Parody of detected IPSEC

When I try the reverse (i.e. from the internet host to vpn client), it seems to work:

1

FLOW-SEARCH

ALLOW

Not found no corresponding stream, creating a new stream

2

ROUTE SEARCH

entry

ALLOW

in 192.168.75.5 255.255.255.255 outside

3

ACCESS-LIST

Journal

ALLOW

Access-group outside_access_in in interface outside

outside_access_in of access allowed any ip an extended list

4

IP-OPTIONS

ALLOW

5

VPN

IPSec-tunnel-flow

ALLOW

6

VPN

encrypt

ALLOW

My question is why this phenomenon happens and how solve us this problem?

Thanks in advance, Sipke

our running-config:

: Saved

:

ASA Version 8.0 (4)

!

ciscoasa hostname

domain somedomain

activate the password - encrypted

passwd - encrypted

names of

name 10.10.1.0 Hyperion

name 164.140.159.x xxxx

name 192.168.72.25 xxxx

name 192.168.72.24 xxxx

name 192.168.72.196 xxxx

name 192.168.75.0 vpn clients

name 213.206.236.0 xxxx

name 143.47.160.0 xxxx

name 141.143.32.0 xxxx

name 141.143.0.0 xxxx

name 192.168.72.27 xxxx

name 10.1.11.0 xxxx

name 10.1.2.240 xxxx

name 10.1.1.0 xxxx

name 10.75.2.1 xxxx

name 10.75.2.23 xxxx

name 192.168.72.150 xxxx

name 192.168.33.0 xxxx

name 192.168.72.26 xxxx

name 192.168.72.5 xxxx

name 192.168.23.0 xxxx

name 192.168.34.0 xxxx

name 79.143.218.35 inethost

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.72.254 255.255.255.0

OSPF cost 10

!

interface Vlan2

nameif outside

security-level 0

IP address 193.173.x.x 255.255.255.240

OSPF cost 10

!

interface Vlan3

Shutdown

nameif dmz

security-level 50

192.168.50.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan23

nameif wireless

security-level 80

192.168.40.1 IP address 255.255.255.0

OSPF cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

switchport access vlan 23

!

interface Ethernet0/7

!

passive FTP mode

clock timezone THATS 1

clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

DNS lookup field inside

DNS server-group DefaultDNS

domain pearle.local

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service RDP - tcp

Remote Desktop Protocol Description

EQ port 3389 object

object-group service UDP - udp VC

range of object-port 60000 60039

object-group VC - TCP tcp service

60000 60009 object-port Beach

object-group service tcp Fortis

1501 1501 object-port Beach

Beach of port-object 1502-1502

Beach of port-object sqlnet sqlnet

1584 1584 object-port Beach

1592 1592 object-port Beach

object-group service tcp fortis

1592 1592 object-port Beach

Beach of port-object 1502-1502

1584 1584 object-port Beach

Beach of port-object sqlnet sqlnet

1501 1501 object-port Beach

1500 1500 object-port Beach

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.50.0 255.255.255.0

object-network 192.168.72.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

object-network VPN_Pool_2 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

object-network 192.168.50.0 255.255.255.0

object-network 192.168.72.0 255.255.255.0

object-group network inside-networks

object-network 192.168.72.0 255.255.255.0

WingFTP_TCP tcp service object-group

Secure FTP description

port-object eq 989

port-object eq 990

DM_INLINE_TCP_1 tcp service object-group

port-object eq ftp

port-object eq ftp - data

Group object WingFTP_TCP

DM_INLINE_TCP_2 tcp service object-group

port-object eq ftp

port-object eq ftp - data

Group object WingFTP_TCP

the DM_INLINE_NETWORK_3 object-group network

object-network 192.168.72.0 255.255.255.0

object-network VPN_Pool_2 255.255.255.0

the DM_INLINE_NETWORK_4 object-group network

object-network 192.168.72.0 255.255.255.0

object-network VPN_Pool_2 255.255.255.0

object-group network Oracle

network-object OracleTwo 255.255.224.0

network-object OracleOne 255.255.240.0

network-object OracleThree 255.255.224.0

the DM_INLINE_NETWORK_5 object-group network

network-object Grandvision 255.255.255.0

network-object Grandvision2 255.255.255.240

object-network Grandvision3 255.255.255.0

host of the object-Network Grandvision4

host of the object-Network GrandVision_PC

the DM_INLINE_NETWORK_6 object-group network

network-object Grandvision 255.255.255.0

network-object Grandvision2 255.255.255.240

object-network Grandvision3 255.255.255.0

host of the object-Network Grandvision4

host of the object-Network GrandVision_PC

the DM_INLINE_NETWORK_7 object-group network

network-object Grandvision 255.255.255.0

network-object Grandvision2 255.255.255.240

object-network Grandvision3 255.255.255.0

host of the object-Network GrandVision_PC

the DM_INLINE_NETWORK_8 object-group network

network-object Grandvision 255.255.255.0

network-object Grandvision2 255.255.255.240

object-network Grandvision3 255.255.255.0

host of the object-Network GrandVision_PC

object-group service DM_INLINE_SERVICE_2

the purpose of the ip service

EQ-3389 tcp service object

the DM_INLINE_NETWORK_9 object-group network

network-object OracleThree 255.255.0.0

network-object OracleTwo 255.255.224.0

network-object OracleOne 255.255.240.0

object-group service DM_INLINE_SERVICE_3

the purpose of the ip service

EQ-3389 tcp service object

Atera tcp service object-group

Atera Webbased monitoring description

8001 8001 object-port Beach

8002 8002 object-port Beach

8003 8003 object-port Beach

WingFTP_UDP udp service object-group

port-object eq 989

port-object eq 990

WingFTP tcp service object-group

Description range of ports for the transmission of data

object-port range 1024-1054

HTTPS_redirected tcp service object-group

Description redirect WingFTP Server

port-object eq 40200

Note to inside_access_in to access list ICMP test protocol inside outside

inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any

Note to inside_access_in to access list ICMP test protocol inside outside

access-list inside_access_in note HTTP inside outside

inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www

access-list inside_access_in note queries DNS inside to outside

inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field

access-list inside_access_in note the HTTPS protocol inside and outside

inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq

Note to inside_access_in to access list ICMP test protocol inside outside

access-list inside_access_in note 7472 Epo-items inside outside

inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472

access-list inside_access_in note POP3 inside outside

inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3

inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC

inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323

access-list inside_access_in note video conference services

inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP

inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any

Note to inside_access_in to access list Fortis

inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis

access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any

inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any

inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www

inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq

inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list

inside_access_in list extended access udp allowed any any eq isakmp

inside_access_in list extended access udp allowed any any eq ntp

inside_access_in list extended access udp allowed any any eq 4500

inside_access_in list of allowed ip extended access any Oracle object-group

inside_access_in list extended access udp allowed any any eq 10000

access-list inside_access_in note PPTP inside outside

inside_access_in list extended access permit tcp any any eq pptp

access-list inside_access_in note WILL inside outside

inside_access_in list extended access will permit a full

Note to inside_access_in to access the Infrastructure of the RIM BES server list

inside_access_in list extended access permit tcp host BESServer any eq 3101

inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group

inside_access_in list extended access permit tcp any any HTTPS_redirected object-group

access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2

inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194

access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group

access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any

inside_access_in list extended access deny ip any any inactive debug log

Note to outside_access_in to access list ICMP test protocol outside inside

outside_access_in list extended access permit icmp any one

access-list outside_access_in Note SMTP outside inside

outside_access_in list extended access permit tcp any any eq smtp

outside_access_in list extended access udp allowed any any eq ntp disable journal

access-list outside_access_in note 7472 EPO-items outside inside

outside_access_in list extended access permit tcp any any eq 7472

outside_access_in list extended access permit tcp any any object-group inactive RDP

outside_access_in list extended access permit tcp any any eq www

outside_access_in list extended access permit tcp any any HTTPS_redirected object-group

outside_access_in list extended access permitted tcp everything any https eq

access-list outside_access_in note hyperion outside inside

outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group

outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow

outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323

outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP

outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC

outside_access_in of access allowed any ip an extended list

outside_access_in list extended access udp allowed any any eq 4500

outside_access_in list extended access udp allowed any any eq isakmp

outside_access_in list extended access udp allowed any any eq 10000

outside_access_in list extended access will permit a full

outside_access_in list extended access permit tcp any any eq pptp

outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group

outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive

outside_access_in list extended access permit tcp any any Atera object-group

outside_access_in list extended access deny ip any any inactive debug log

outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip

outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240

inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192

inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0

access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0

access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group

inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0

access-list 200 scope allow tcp all fortis of fortis host object-group

access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group

outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip

outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.

Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0

Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0

Comment by Wireless_access_in-list of the traffic Internet access

Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any

standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0

splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0

standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0

splittunnelclientvpn list standard access allowed host 85.17.235.22

splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0

standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0

splittunnelclientvpn list standard access allowed host inethost

Standard access list SplittnlHyperion allow OracleThree 255.255.0.0

Standard access list SplittnlOOD allow OracleThree 255.255.0.0

Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0

access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group

outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0

192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow

192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 dmz

MTU 1500 wireless

local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask

mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

ASDM image disk0: / asdm - 613.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0 access-list sheep

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (wireless) 1 192.168.40.0 255.255.255.0

public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02

public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)

static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface

public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255

public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255

public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255

public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255

public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255

public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255

public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255

public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255

public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255

public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255

public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255

public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255

public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255

public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255

public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255

public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255

public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255

public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255

public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255

public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255

public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255

public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255

public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255

public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255

public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255

public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255

public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255

public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255

public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255

public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255

public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255

public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255

public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255

public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255

public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255

public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255

public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255

public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255

public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255

public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255

public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255

public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255

public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255

public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)

public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)

public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)

static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Access-group Wireless_access_in in wireless interface

Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1

Route outside OracleThree 255.255.224.0 193.173.12.198 1

Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1

Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication LOCAL telnet console

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.40.0 255.255.255.0 Wireless

http 192.168.1.0 255.255.255.0 inside

http 192.168.72.0 255.255.255.0 inside

http GrandVisionSoesterberg 255.255.255.0 inside

SNMP-server host inside 192.168.33.29 survey community public version 2 c

location of Server SNMP Schiphol

contact Server SNMP SSmeekes

SNMP-Server Public community

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map0 1 match address outside_cryptomap_1

outside_map0 card crypto 1jeu pfs

outside_map0 card crypto 1jeu peer 212.78.223.182

outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5

outside_map0 map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map0 1 set security-association life kilobytes 4608000

card crypto game 2 outside_map0 address outside_cryptomap_2

outside_map0 crypto map peer set 2 193.173.12.193

card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

life card crypto outside_map0 2 set security-association seconds 28800

card crypto outside_map0 2 set security-association life kilobytes 4608000

card crypto outside_map0 3 match address outside_1_cryptomap

outside_map0 card crypto 3 set pfs

outside_map0 card crypto 3 peers set 193.172.182.66

outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA

life card crypto outside_map0 3 set security-association seconds 28800

card crypto outside_map0 3 set security-association life kilobytes 4608000

card crypto outside_map0 game 4 address outside_cryptomap

outside_map0 card crypto 4 peers set 213.56.81.58

outside_map0 4 set transform-set GRANDVISION crypto card

life card crypto outside_map0 4 set security-association seconds 28800

card crypto outside_map0 4 set security-association life kilobytes 4608000

card crypto outside_map0 5 match address outside_cryptomap_3

outside_map0 card crypto 5 set pfs

outside_map0 crypto card 5 peers set 86.109.255.177

outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

life card crypto outside_map0 5 set security-association seconds 28800

card crypto outside_map0 5 set security-association life kilobytes 4608000

Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

outside_map0 interface card crypto outside

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP enable dmz

crypto ISAKMP enable wireless

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.72.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.72.0 255.255.255.0 inside

SSH GrandVisionSoesterberg 255.255.255.0 inside

SSH 213.144.239.0 255.255.255.192 outside

SSH timeout 5

Console timeout 0

management-access inside

dhcpd dns 194.151.228.18 is 10.10.1.100

dhcpd outside auto_config

!

dhcpd address 192.168.72.253 - 192.168.72.253 inside

!

dhcpd address dmz 192.168.50.10 - 192.168.50.50

dhcpd enable dmz

!

dhcpd address wireless 192.168.40.10 - 192.168.40.99

dhcpd dns 194.151.228.18 wireless interface

dhcpd activate wireless

!

a basic threat threat detection

host of statistical threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

Group Policy "pearle_vpn_Hyp only" internal

attributes of Group Policy "pearle_vpn_Hyp only".

value of server WINS 192.168.72.25

value of server DNS 192.168.72.25

Protocol-tunnel-VPN IPSec l2tp ipsec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list SplittnlHyperion

Split-dns value pearle.local

internal pearle_vpn_OOD_only group policy

attributes of the strategy of group pearle_vpn_OOD_only

value of Split-tunnel-network-list SplittnlOOD

internal pearle_vpn group policy

attributes of the strategy of group pearle_vpn

value of server WINS 192.168.72.25

value of server DNS 192.168.72.25

Protocol-tunnel-VPN IPSec l2tp ipsec svc

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list splittunnelclientvpn

Pearle.local value by default-field

Split-dns value pearle.local

username anyone password encrypted password

username something conferred

VPN-group-policy pearle_vpn_OOD_only

type of remote access service

tunnel-group 193 type ipsec-l2l

tunnel-group 193 ipsec-attributes

pre-shared-key *.

tunnel-group 193.173.12.193 type ipsec-l2l

IPSec-attributes tunnel-group 193.173.12.193

pre-shared-key *.

NOCHECK Peer-id-validate

type tunnel-group pearle_vpn remote access

tunnel-group pearle_vpn General-attributes

address pool VPN_Range_2

Group Policy - by default-pearle_vpn

pearle_vpn group of tunnel ipsec-attributes

pre-shared-key *.

type tunnel-group Pearle_VPN_2 remote access

attributes global-tunnel-group Pearle_VPN_2

address pool VPN_Range_2

strategy-group-by default "pearle_vpn_Hyp only".

IPSec-attributes tunnel-group Pearle_VPN_2

pre-shared-key *.

tunnel-group 213.56.81.58 type ipsec-l2l

IPSec-attributes tunnel-group 213.56.81.58

pre-shared-key *.

tunnel-group 212.78.223.182 type ipsec-l2l

IPSec-attributes tunnel-group 212.78.223.182

pre-shared-key *.

tunnel-group 86.109.255.177 type ipsec-l2l

IPSec-attributes tunnel-group 86.109.255.177

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the pptp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb

: end

ASDM image disk0: / asdm - 613.bin

ASDM BESServer 255.255.255.255 inside location

ASDM VPN_Pool_2 255.255.255.0 inside location

ASDM OracleTwo 255.255.224.0 inside location

ASDM OracleOne 255.255.240.0 inside location

ASDM OracleThree 255.255.224.0 inside location

ASDM location Exchange2010 255.255.255.255 inside

ASDM location Grandvision 255.255.255.0 inside

ASDM Grandvision2 255.255.255.240 inside location

ASDM Grandvision3 255.255.255.0 inside location

ASDM Grandvision4 255.255.255.255 inside location

ASDM GrandVision_PC 255.255.255.255 inside location

ASDM location LanSweep-XP 255.255.255.255 inside

ASDM GrandVisionSoesterberg 255.255.255.0 inside location

ASDM location Pearle-DC02 255.255.255.255 inside

ASDM location Pearle-WDS 255.255.255.255 inside

ASDM location Swabach 255.255.255.0 inside

ASDM GrandVisionSoesterberg2 255.255.255.0 inside location

don't allow no asdm history

Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?

If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.

NAT (outside) 1 192.168.75.0 255.255.255.0

FlexVPN and OSPF question

I have a problem with rountig OSPF on the routers configured in the hub-and-spoke topology.

One question is on a course that OSPF don't advertise hub to rays.

Created on a hub, router subnets are not seen on the rays, but new added subnet on talk appears in the table of routing hub.

The addition of broadcast command network ip ospf on a virtual-template interface hub causes OSPF adjacency downstairs.

Also, EIGRP works very well.

A that someone has experienced this problem with OSPF.

Please, look at a few config below;

-----------------------HUB-------------------------------

IKEv2 crypto by default authorization policy

Road enabled interface

!

Crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

Group 16

!

IKEv2 crypto policy ikev2_policy

proposal ikev2_prop

!

Crypto ikev2 keyring Flex_key

Rays peer

address 192.168.50.197

pre-shared key local 12345

pre-shared key remote 12345

!

peer RTB

address 192.168.50.199

pre-shared key local 12345

pre-shared key remote 12345

!

Profile of ikev2 crypto Flex_IKEv2

match one address remote identity 192.168.50.197 255.255.255.255

match one address remote identity 192.168.50.199 255.255.255.255

sharing front of remote authentication

sharing of local meadow of authentication

local Flex_key keychain

virtual-model 1

!

no default isakmp crypto policy

!

Crypto ipsec transform-set esp - aes 256 esp-sha512-hmac ipsec_trans

tunnel mode

!

by default the crypto ipsec profile

Set transform-set ipsec_trans

Flex_IKEv2 Set ikev2-profile

!

interface Loopback1

address 172.16.10.1 IP 255.255.255.0

IP ospf 10 area 0

!

interface Loopback10

10.1.1.1 IP address 255.255.255.0

IP ospf 10 area 0

!

interface Loopback50

IP 50.1.1.1 255.255.255.0

IP 10 50 ospf area

!

the Embedded-Service-Engine0/0 interface

no ip address

!

interface GigabitEthernet0/1

bandwidth 100000

IP 192.168.50.198 255.255.255.0

automatic duplex

automatic speed

!

type of interface virtual-Template1 tunnel

IP unnumbered Loopback1

IP 1400 MTU

IP tcp adjust-mss 1360

source of tunnel GigabitEthernet0/1

ipv4 ipsec tunnel mode

tunnel path-mtu-discovery

tunnel protection ipsec default profile

!

router ospf 10

redistribute connected subnets

Network 10.1.1.0 0.0.0.255 area 0

SH cryp ike his

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf status

1 192.168.50.198/500 192.168.50.197/500 no/no LOAN

BA: AES - CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth check: PSK

Duration of life/active: 86400/77565 sec

Tunnel-id Local Remote fvrf/ivrf status

2 192.168.50.198/500 192.168.50.199/500 no/no LOAN

BA: AES - CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth check: PSK

Duration of life/active: 86400/77542 sec

IPv6 Crypto IKEv2 SA

SH ip rou

S * 0.0.0.0/0 [1/0] via 192.168.50.1

10.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks

C 10.1.1.0/24 is directly connected, Loopback10

L 10.1.1.1/32 is directly connected, Loopback10

50.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks

C 50.1.1.0/24 is directly connected, Loopback50

L 50.1.1.1/32 is directly connected, Loopback50

100.0.0.0/32 is divided into subnets, subnets 1

AI 100.1.1.1 [110/2] via 172.16.10.254, 21:32:58, Virtual Network1

172.16.0.0/16 is variably divided into subnets, 2 subnets, 2 masks

172.16.10.0/24 C is directly connected, Loopback1

L 172.16.10.1/32 is directly connected, Loopback1

192.168.50.0/24 is variably divided into subnets, 2 subnets, 2 masks

C 192.168.50.0/24 is directly connected, GigabitEthernet0/1

The 192.168.50.198/32 is directly connected, GigabitEthernet0/1

200.1.1.0/32 is divided into subnets, subnets 1

AI 200.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Access2-virtual

201.1.1.0/32 is divided into subnets, subnets 1

AI 201.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Access2-virtual

220.1.1.0/32 is divided into subnets, subnets 1

AI 220.1.1.1 [110/2] via 172.16.10.253, 00:06:11, Access2-virtual

---------------------------SPOKE---------------------------------------------

Crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

Group 16

!

IKEv2 crypto policy ikev2_policy

proposal ikev2_prop

!

Crypto ikev2 keyring Flex_key

Rays peer

address 192.168.50.198

pre-shared key local 12345

pre-shared key remote 12345

!

Profile of ikev2 crypto Flex_IKEv2

match one address remote identity 192.168.50.198 255.255.255.0

sharing front of remote authentication

sharing of local meadow of authentication

local Flex_key keychain

virtual-model 1

!

no default isakmp crypto policy

!

!

Crypto ipsec transform-set esp - aes 256 esp-sha512-hmac ipsec_trans

tunnel mode

!

by default the crypto ipsec profile

Set transform-set ipsec_trans

Flex_IKEv2 Set ikev2-profile

!

interface Loopback200

200.1.1.1 IP address 255.255.255.0

IP ospf 10 200 area

!

interface Loopback201

IP 201.1.1.1 255.255.255.0

IP ospf 10 201 area

!

interface Loopback220

IP 220.1.1.1 255.255.255.0

IP ospf 10 220 area

!

Tunnel1 interface

IP 172.16.10.253 255.255.255.0

IP 1400 MTU

IP tcp adjust-mss 1360

source of tunnel GigabitEthernet0/1

ipv4 ipsec tunnel mode

tunnel destination 192.168.50.198

tunnel path-mtu-discovery

tunnel protection ipsec shared default profile

!

interface GigabitEthernet0/1

IP 192.168.50.199 255.255.255.0

automatic duplex

automatic speed

!

router ospf 10

network 172.16.10.0 0.0.0.255 area 0

SH cryp ike his

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf status

1 192.168.50.199/500 192.168.50.198/500 no/no LOAN

BA: AES - CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth check: PSK

Duration of life/active: 77852/86400 sec

IPv6 Crypto IKEv2 SA

SH ip route

S * 0.0.0.0/0 [1/0] via 192.168.50.1

172.16.0.0/16 is variably divided into subnets, 2 subnets, 2 masks

172.16.10.0/24 C is directly connected, Tunnel1

L 172.16.10.253/32 is directly connected, Tunnel1

192.168.50.0/24 is variably divided into subnets, 2 subnets, 2 masks

C 192.168.50.0/24 is directly connected, GigabitEthernet0/1

The 192.168.50.199/32 is directly connected, GigabitEthernet0/1

200.1.1.0/24 is variably divided into subnets, 2 subnets, 2 masks

C 200.1.1.0/24 is directly connected, Loopback200

L 200.1.1.1/32 is directly connected, Loopback200

201.1.1.0/24 is variably divided into subnets, 2 subnets, 2 masks

C 201.1.1.0/24 is directly connected, Loopback201

L 201.1.1.1/32 is directly connected, Loopback201

220.1.1.0/24 is variably divided into subnets, 2 subnets, 2 masks

C 220.1.1.0/24 is directly connected, Loopback220

L 220.1.1.1/32 is directly connected, Loopback220

SH ip ospf database ro 172.16.10.1

Router OSPF with ID (200.1.1.1) (the process ID of 10)

Router link States (zone 0)

ADV router is accessible via is not in the Base with MTID topology 0

LS age: 336

Options: (no TOS-capability, DC)

LS type: Router links

Link state ID: 172.16.10.1

Advertising router: 172.16.10.1

LS number of Seq: 80000065

Checksum: 0x4B6E

Length: 60

Area border router

ROUTER limits

Number of links: 3

Link to: a Stub network

(Link ID) Network/subnet number: 10.1.1.1

(Data link) Network mask: 255.255.255.255

Number of parameters MTID: 0

TOS 0 metric: 1

Link to: another router (point to point)

(Link ID) Neighbors router ID: 100.1.1.1

(Data link) Address of the router Interface: 0.0.0.18

Number of parameters MTID: 0

TOS 0 metric: 1

Link to: another router (point to point)

(Link ID) The router ID neighbors: 200.1.1.1

(Data link) Address of the router Interface: 0.0.0.17

Number of parameters MTID: 0

TOS 0 metric: 1

Kamil,

A tunnel in this deployment (and VT / going also) is an interface point to point, there is really no good reason to keep anything other than 32 (I might not be aware of some subtleties in more complex deployment).

'Set interface route' is your greatest friend ;-)

M.

I can weight of the IPSec Tunnels between ASAs

Hello

Remote site: link internet NYC 150 MB/s

Local site: link internet Baltimore 400 MB/s

Backup site: link internet Washington 200 Mb/s

My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches. Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down. We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

Interesting traffic would be the same for the two tunnels

I know that ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel in Baltimore as long as it works? An IPSec tunnel can be weighted?

Thank you

It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

Reference.

Impossible to pass traffic through the VPN tunnel

I have an ASA 5505 9.1 running. I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

Here is my config

LN-BLF-ASA5505 > en
Password: *.
ASA5505-BLF-LN # sho run
: Saved
:
: Serial number: JMX1216Z0SM
: Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
:
ASA 5,0000 Version 21
!
LN-BLF-ASA5505 hostname
domain lopeznegrete.com
activate the password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.116.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP 50.201.218.69 255.255.255.224
OSPF cost 10
!
boot system Disk0: / asa915-21 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain lopeznegrete.com
network obj_any object
subnet 0.0.0.0 0.0.0.0
the LNC_Local_TX_Nets object-group network
Description of internal networks Negrete Lopez (Texas)
object-network 192.168.1.0 255.255.255.0
object-network 192.168.2.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
object-network 192.168.4.0 255.255.255.0
object-network 192.168.5.0 255.255.255.0
object-network 192.168.51.0 255.255.255.0
object-network 192.168.55.0 255.255.255.0
object-network 192.168.52.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.56.0 255.255.255.0
object-network 192.168.59.0 255.255.255.0
object-network 10.111.14.0 255.255.255.0
object-network 10.111.19.0 255.255.255.0
the LNC_Blueleaf_Nets object-group network
object-network 192.168.116.0 255.255.255.0
access outside the permitted scope icmp any4 any4 list
extended outdoor access allowed icmp a whole list
outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
outside access-group in external interface
!
router ospf 1
255.255.255.255 network 192.168.116.254 area 0
Journal-adj-changes
default-information originate always
!
Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.2.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 50.201.218.93
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
no use of validation
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto isakmp identity address
Crypto isakmp nat-traversal 1500
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access inside

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
username
username
tunnel-group 50.201.218.93 type ipsec-l2l
IPSec-attributes tunnel-group 50.201.218.93
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home service
anonymous reporting remote call
call-home
contact-email-addr [email protected] / * /
Profile of CiscoTAC-1
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e519f212867755f697101394f40d9ed7
: end
LN-BLF-ASA5505 #.

Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:
```
 packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail
```
(simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

NAT & GRE Tunnel

Hello

I have a test installation routers 2 with a GRE tunnel which works very well in the test configuration. My question is if I transfer this config for direct mounting how I would exempt traffic over the tunnel WILL be natted? Everything else is the traffic destined for the internet should be tapped to the external interface. Would need a road map for this?

Thank you

R1

--

interface Tunnel0

IP 192.168.200.2 255.255.255.0

dissemination of IP ospf network

KeepAlive 10 3

source of tunnel FastEthernet0

tunnel destination 1.1.1.1

crypto mymap map

interface FastEthernet0

Outside of the Interface Description

1.1.1.2 IP 255.255.255.0

automatic speed

crypto mymap map

R2

--

Tunnel1 interface

192.168.200.1 IP address 255.255.255.0

dissemination of IP ospf network

KeepAlive 10 3

source of tunnel FastEthernet0

tunnel destination 1.1.1.2

crypto mymap map

interface FastEthernet0

Outside of the Interface Description

IP 1.1.1.1 255.255.255.0

automatic speed

crypto mymap map

Yes you are right.

Cisco ASA VPN tunnel question - DMZ interface

I am trying to build a tunnel to a customer with NAT and I'm able to get 3 of the 4 networks to communicate. The 1 that is not responding is a DMZ network. Excerpts from config below. What am I doing wrong with the 10.0.87.0/24 network? The error in the log is "routing cannot locate the next hop.

interface Ethernet0/1
Speed 100
half duplex
nameif inside
security-level 100
the IP 10.0.0.1 255.255.255.0
OSPF cost 10
send RIP 1 version
!
interface Ethernet0/2
nameif DMZ
security-level 4
IP 172.16.1.1 255.255.255.0
OSPF cost 10

network object obj - 172.16.1.0
subnet 172.16.1.0 255.255.255.0

object network comm - 10.240.0.0
10.240.0.0 subnet 255.255.0.0
network object obj - 10.0.12.0
10.0.12.0 subnet 255.255.255.0
network object obj - 10.0.14.0
10.0.14.0 subnet 255.255.255.0
network of the DNI-NAT1 object
10.0.84.0 subnet 255.255.255.0
network of the DNI-NAT2 object
10.0.85.0 subnet 255.255.255.0
network of the DNI-VIH3 object
10.0.86.0 subnet 255.255.255.0
network of the DNI-NAT4 object
10.0.87.0 subnet 255.255.255.0

the DNI_NAT object-group network
network-object DNI-NAT1
network-object DNI-NAT2
network-object ID-VIH3
network-object NAT4 DNI

DNI_VPN_NAT1 to access ip 10.0.0.0 scope list allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.12.0 DNI_VPN_NAT2 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 10.0.14.0 DNI_VPN_NAT3 allow 255.255.255.0 object comm - 10.240.0.0
Access extensive list ip 172.16.1.0 DNI_VPN_NAT4 allow 255.255.255.0 object comm - 10.240.0.0
access-list extended DNI-VPN-traffic permit ip object-group, object DNI_NAT comm - 10.240.0.0

NAT (inside, outside) source static obj - 10.0.12.0 DNI-NAT2 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 10.0.14.0 DNI-VIH3 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp
NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

Hello

I see that the issue here is the declaration of NAT:

NAT (inside, outside) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

The correct statement would be:

NAT (DMZ, external) source static obj - 172.16.1.0 DNI-NAT4 destination static comm - 10.240.0.0 comm - net 10.240.0.0 to net non-proxy-arp

Go ahead and do a tracer of packages:

Packet-trace entry DMZ 172.16.1.15 tcp 443 detailed 10.240.X.X

Thus, you will see the exempt NAT works now.

I would like to know how it works!

Please don't forget to rate and score as correct the helpful post!

Kind regards

David Castro,

Tunnel of Volition on OSPF

Similar Questions

GRE.png

Network.PNG

Maybe you are looking for