Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ
Hi all
I tried to get this scenario to work before I put implement but am getting the error on router B.
01:05:38: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 83.1.16.1
Here are the following details for networks
Router B
Address series 82.12.45.1/30
fast ethernet 192.168.20.1/24 address
PIX
outside the 83.1.16.1/30 interface eth0
inside 192.168.50.1/30 eth1 interface
Router
Fast ethernet (with Pix) 192.168.50.2/30 address
Loopback (A network) 192.168.100.1/24 address
Loopback (Network B) 192.168.200.1/24 address
Loopback (Network C) 192.168.300.1/24 address
Is could someone please tell me where im going wrong as I read the explanation of the error and it points to political unmaching. This has confused me like the two counterparts seem to have the same settings.
Config router B
======================
name of host B
!
Select the 5 secret goat.
!
username 7 privilege 15 password badger badger
iomem 15 memory size
IP subnet zero
!
!
no ip domain-lookup
IP - test.local domain name
!
property intellectual ssh delay 30
property intellectual ssh authentication-2 retries
!
crypto ISAKMP policy 5
md5 hash
preshared authentication
Group 2
ISAKMP crypto key VPN2VPN address 83.1.16.1
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp - esp-md5-hmac VPN
!
crypto map 5 VPN ipsec-isakmp
defined by peer 83.1.16.1
PFS group2 Set
match address VPN
!
call the rsvp-sync
!
interface Loopback10
20.0.2.2 the IP 255.255.255.255
!
interface Tunnel0
bandwidth 1544000
20.0.0.1 IP address 255.255.255.0
source of Loopback10 tunnel
tunnel destination 20.0.2.1
!
interface FastEthernet0/0
Description * inside the LAN CONNECTION *.
address 192.168.20.1 255.255.255.0
IP nat inside
automatic duplex
automatic speed
!
interface Serial0/0
Description * INTERNET ACCESS *.
IP 88.12.45.1 255.255.255.252
NAT outside IP
VPN crypto card
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
Router eigrp 1
network 20.0.0.0
No Auto-resume
!
overload of IP nat inside source list NAT interface Serial0/0
IP classless
IP route 0.0.0.0 0.0.0.0 Serial0/0
no ip address of the http server
!
!
NAT extended IP access list
deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.20.0 0.0.0.255 any
list of IP - VPN access scope
permit ip host 20.0.2.2 20.0.2.1
!
Config PIX
====================
PIX Version 7.2 (4)
!
pixfirewall hostname
names of
name 20.0.2.2 B_LOOP
name 88.12.45.1 B_WANIP
!
interface Ethernet0
Description * LINK to ISP *.
nameif outside
security-level 0
IP 83.1.16.1 255.255.255.252
!
interface Ethernet1
Description * LINK TO LAN *.
nameif inside
security-level 100
IP 192.168.50.1 255.255.255.252
!
passive FTP mode
the ROUTER_LOOPS object-group network
network-object 20.0.2.0 255.255.255.252
access allowed extended VPN ip host 20.0.2.1 B_LOOP list
access-list extended SHEEP permit ip host 20.0.2.1 ROUTER_LOOPS object-group
Access ip allowed any one extended list ACL_OUT
pager lines 24
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 192.168.50.0 255.255.255.252
NAT (inside) 1 192.168.50.0 255.255.255.0
Access to the interface inside group ACL_OUT
Route outside 0.0.0.0 0.0.0.0 83.1.16.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-md5-hmac VPN
86400 seconds, duration of life crypto ipsec security association
VPN 5 crypto card matches the VPN address
card crypto VPN 5 set pfs
card crypto VPN 5 set peer B_WANIP
VPN 5 value transform-set VPN crypto card
card crypto VPN 5 defined security-association life seconds 28800
card crypto VPN outside interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
tunnel-group 88.12.45.1 type ipsec-l2l
IPSec-attributes tunnel-group 88.12.45.1
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
When you create a GRE tunnel between two routers, there should be a routing decision to reach the Remote LAN through local (rather than exit directly the physical interface) tunnel interface.
This could be accomplished by EIGRP, but you can check if the adjacency is built.
As a test, what happens if you add a static route saying (reach remote LAN, sending traffic to the tunnel interface).
Check if the GRE tunnel comes up with sh interface tunnel
Federico.
Tags: Cisco Security
Similar Questions
-
GRE tunnels will not come on VPN IPsec/GRE
Hi all
We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels. We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router. Remote sites use Cisco 831 s, central sites use Cisco 2821 s. There is a site where the tunnels WILL refuse just to come.
Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping. There is no NATing involved, two routers directly accessing the Internet. The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.
The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.
00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50I don't have the remote router log file, and is very long, so I joined her. Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.
Assorted useful details and matching orders of show results:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)
There are 2 connections of IPSEC/GRE tunnel:
Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)Site-382-831 #sho ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset upward, upward
FastEthernet3 unassigned YES unset upward, upward
FastEthernet4 unassigned YES unset upward, upward
Ethernet0 10.3.82.10 YES NVRAM up up
Ethernet1 74.WW. XX.35 YES NVRAM up up
Ethernet2 172.16.1.10 YES NVRAM up up
Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<==== ="">====>
NVI0 unassigned don't unset upward upwardsSite-382-831 #.
Site-382-831 #sho run int tunnel101
Building configuration...Current configuration: 277 bytes
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
IP virtual-reassembly
IP tcp adjust-mss 1360
KeepAlive 3 3
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
endSite-382-831 #.
Site-382-831 #show isakmp crypto his
status of DST CBC State conn-id slot
208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
Site-382-831 #.Site-382-831 #.
Site-382-831 #show detail of the crypto isakmp
Code: C - IKE configuration mode, D - Dead Peer Detection
NAT-traversal - KeepAlive, N - K
X - IKE extended authentication
PSK - GIPR pre-shared key - RSA signature
renc - RSA encryptionC - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 11:2 (hardware)
74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
Connection-id: motor-id = 10:2 (hardware)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec hisInterface: Ethernet1
Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
current_peer 208.YY. ZZ.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0x45047D1D (1157922077)SAS of the esp on arrival:
SPI: 0x15B97AEA (364477162)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486831/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x45047D1D (1157922077)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4486744/1056)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
current_peer 208.XX. YY.11 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
#send 21, #recv errors 0local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
current outbound SPI: 0xE82A86BC (3895101116)SAS of the esp on arrival:
SPI: 0x539697CA (1402378186)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432595/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xE82A86BC (3895101116)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
calendar of his: service life remaining (k/s) key: (4432508/1039)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Site-382-831 #.
Site-382-831 #show crypto isakmp policyWorld IKE policy
Priority protection Suite 10
encryption algorithm: three key triple a
hash algorithm: Secure Hash Standard
authentication method: pre-shared Key
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: - Data Encryption STANDARD (56-bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bits)
lifetime: 86400 seconds, no volume limit
Site-382-831 #.Site-382-831 #show crypto card
"IPVPN_MAP" 101-isakmp ipsec crypto map
Description: at the 2nd KC BGP 2821 - PRI - B
Peer = 208.YY. ZZ.11
Extend the PRI - B IP access list
access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
Current counterpart: 208.YY. ZZ.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}"IPVPN_MAP" 201-isakmp ipsec crypto map
Description: 2nd Dallas BGP 2821 - s-B
Peer = 208.XX. YY.11
Expand the list of IP SEC-B access
s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
Current counterpart: 208.XX. YY.11
Life safety association: 4608000 Kbytes / 3600 seconds
PFS (Y/N): N
Transform sets = {}
IPVPN,
}
Interfaces using crypto card IPVPN_MAP:
Ethernet1
Site-382-831 #.Tunnel between KC & the remote site configuration is:
Distance c831 - KC
crypto ISAKMP policy 10
BA 3des
preshared authentication
!
PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
!
Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
transport mode
!
IPVPN_MAP 101 ipsec-isakmp crypto map
Description of 2nd KC BGP 2821 - PRI - B
set of peer 208.YY. ZZ.11
game of transformation-IPVPN
match address PRI - B
!
interface Tunnel101
Description % connected to the 2nd KC BGP 2821 - PRI - B
IP 1.3.82.46 255.255.255.252
IP mtu 1500
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
source of tunnel Ethernet1
destination of the 208.YY tunnel. ZZ.11
!
interface Ethernet0
private network Description
IP 10.3.82.10 255.255.255.0
IP mtu 1500
no downtime
!
interface Ethernet1
IP 74.WW. XX.35 255.255.255.248
IP mtu 1500
automatic duplex
IP virtual-reassembly
card crypto IPVPN_MAP
no downtime
!
PRI - B extended IP access list
allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
!KC-2821 *.
PRI-B-382 address 74.WW isakmp encryption key. XX.35
!
PRI-B-382 extended IP access list
allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
!
IPVPN_MAP 382 ipsec-isakmp crypto map
Description % connected to the 2nd KC BGP 2821
set of peer 74.WW. XX.35
game of transformation-IPVPN
match address PRI-B-382
!
interface Tunnel382
Description %.
IP 1.3.82.45 255.255.255.252
KeepAlive 3 3
IP virtual-reassembly
IP tcp adjust-mss 1360
IP 1400 MTU
delay of 40000
tunnel of 208.YY origin. ZZ.11
destination of the 74.WW tunnel. XX.35
!
endAny help would be much appreciated!
Mark
Hello
logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?
Site-382-831 #show crypto ipsec his | Pkts Inc. | life
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4486831/862)
calendar of his: service life remaining (k/s) key: (4486738/862)
#pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
calendar of his: service life remaining (k/s) key: (4432595/846)
calendar of his: service life remaining (k/s) key: (4432501/846)
Site-382-831 #.Kind regards
Averroès.
-
Command to check the tunnel VPN S2S awhile in the cisco router
Dear all,
Please share the command check S2S tunnel of time that is configured on the router.
There are commands that define the lifetimes of (his) IPSec Security Associations, ISAKMP.
For example:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600life 3599 seconds crypto ipsec security association
... and you can determine the remaining lifetime for these SAs with the following commands:
SH detail session crypto
SH in detail its crypto isakmp
SH crypto ipsec his
The delta between the lifetime (s) configured and remaining life will tell you how much time has passed since the last regeneration, but that is as close you are likely to have to determine when the tunnel came first.
You could use other means as States of syslog for you say when a Tunnel is a transitioning upwards or downwards.
Best regards
Mike
-
Blocks VIRTUAL local network access to a tunnel VPN IPSec on WRV200?
I have two identical WRV200 wireless routers which are connected by a VPN IPSec tunnel. This goes to my LAN LAN of my parents. Everything works well.
But I also have my WRV200 configured for two VLANS. Vlan1 for my network and secure wireless access. VLAN2 for a WiFi not secure for customers.
My problem is that my guest on VLAN2 slips through the VPN devices and access on LAN of my parents. I'm looking for a way to block to do this.
I use the version of the software on the two routers (v1.0.39).
For what it's worth, I know that my receive an IP address in the range 192.168.x.101 DHCP - 199. I could assign a different range if that helps. I thought that I could block this beach on the remote router firewall, but I see there is blocking a single IP address at the time, maximum of 8. Am I missing something?
Or could I put something weird in the routing tables somewhere to get the IPs guest out of lala land?
Any suggestions are appreciated. I can't be the only one in this boat.
Steve
Try to check local and remote, vpn under safe group settings if you change the ip address range subnet. Don't include the range of ip addresses of the computers wireless comments so that it will not pass through the vpn tunnel. If there is no ip range option, you must to the subnet of the network in order to control the ip address you want to allow on the vpn tunnel.
-
Tunnel VPN IPSEC (LAN to LAN) not succeeded traffic
I had a temporary scenario I need to establish an IPSEC VPN between branch (cisco router) and HQ (VPN concentrator).
The tunnel is established end but traffic stop happening after some 5-10 minutes. I have to manually clear the session encryption and then connectivity is fine. To test the above, I'll send branch ICMP packets to HQ. I can see ' cryto isakmp his ' and ' crytpo ipsec his ' active and fine.
Share your opinion on this guy!
Hello
Make sure that this life corresponds to the router and the hub.
This is a doc for IPSEC troubleshooting: -.
http://www.Cisco.com/en/us/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml
Parminder Sian
-
How to establish a tunnel vpn ipsec using DNS with ASA 5505?
Hello
I m get a dynamic IP address public and what I m trying to do is establish a tunnnel remote vpn using IPSec, which I realize my provider but each time resets of sessions or ASA 5505 reset, I get a new public IP and I need to put the new IP address on the remote client, so I can establish the vpn...
How can I establish a vpn ipsec using DNS? For this scenario, the remote client vpn is a vpn phone, but it could be any vpn client.
Private private Public IP IP IP
PBX - Telephone (LAN) - ASA 5505-(Internet)-(router) Remote Site-(LAN) VPN-
Kind regards!
Ah ok I see, Yes in this case there is no that you can do other than request a static IP address from your ISP.
Kind regards.
PS: Don't forget to mark this question as answered. Thank you!
-
Tunnel VPN IPSEC site 2 Site will not appear.
Hello Experts,
I was wondering if I can get help on creating an IPSEC VPN between a Cisco 2921 and ASA 550 x tunnel. Here is the config
See the race | s crypto
Crypto pki token removal timeout default 0
crypto ISAKMP policy 1
BA aes
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key address A.A.A.A xxxxxxxxxxxxxxxxxxxxxx
Crypto ipsec transform-set ESP-AES128-SHA aes - esp esp-sha-hmac
transport mode
ICQ-2-ILAND 1 ipsec-isakmp crypto map
defined by peer A.A.A.A
game of transformation-ESP-AES128-SHA
match the address iland_london_s2s_vpn
ICQ-2-ILAND crypto card
The config on the remote end has not been shared with me, so I don't know if I'm doing something wrong locally, or if the remote end is configured incorrectly.
The command Sh crypto isakmp its the following message
ISAKMP crypto to show his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
A.A.A.A B.B.B.B MM_NO_STATE 1231 ACTIVE (deleted)IPv6 Crypto ISAKMP Security Association
See the session encryption
Current state of the session cryptoInterface: GigabitEthernet0/0
The session state: DOWN-NEGOTIATION
Peer: Port A.A.A.A 500
IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
FLOW IPSEC: allowed ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
Active sAs: 0, origin: card crypto
FLOW IPSEC: allowed ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
Active sAs: 0, origin: card cryptoThe command debug crypto isakmp debug logs are listed below.
ISAKMP: (0): pre-shared key local found
08:51:52.019 on 6 Dec: ISAKMP: analysis of the profiles for xauth...
08:51:52.019 on 6 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
08:51:52.019 on 6 Dec: ISAKMP: AES - CBC encryption
08:51:52.019 on 6 Dec: ISAKMP: keylength 128
08:51:52.019 on 6 Dec: ISAKMP: SHA hash
08:51:52.019 on 6 Dec: ISAKMP: group by default 2
08:51:52.019 on 6 Dec: ISAKMP: pre-shared key auth
08:51:52.019 on 6 Dec: ISAKMP: type of life in seconds
08:51:52.019 on 6 Dec: ISAKMP: life (basic) of 28800
08:51:52.019 on 6 Dec: ISAKMP: (0): atts are acceptable. Next payload is 0
08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts: real life: 0
08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts:life: 0
08:51:52.019 on 6 Dec: ISAKMP: (0): base life_in_seconds:28800
08:51:52.019 on 6 Dec: ISAKMP: (0): return real life: 28800
08:51:52.019 on 6 Dec: ISAKMP: (0): timer life Started: 28800.DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
DEC 6 08:51:52.019: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
DEC 6 08:51:52.019: ISAKMP: (0): provider ID is NAT - T v2
DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
DEC 6 08:51:52.019: ISAKMP: (0): IKE frag vendor processing id payload
08:51:52.019 on 6 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2DEC 6 08:51:52.019: ISAKMP: (0): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
08:51:52.019 on 6 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM308:51:52.155 on 6 Dec: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP A.A.A.A
08:51:52.155 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.155 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4DEC 6 08:51:52.155: ISAKMP: (0): processing KE payload. Message ID = 0
DEC 6 08:51:52.175: ISAKMP: (0): processing NONCE payload. Message ID = 0
08:51:52.175 on 6 Dec: ISAKMP: (0): pre-shared key found peer corresponding to A.A.A.A
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is the unit
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID seems the unit/DPD but major incompatibility of 92
DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is XAUTH
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.175: ISAKMP: (1227): addressing another box of IOS!
DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
08:51:52.175 on 6 Dec: ISAKMP: (1227): vendor ID seems the unit/DPD but hash mismatch
08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
08:51:52.175 on 6 Dec: ISAKMP (1227): sound not hash no match - this node outside NAT
08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
08:51:52.175 on 6 Dec: ISAKMP (1227): No. NAT found for oneself or peer
08:51:52.175 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM408:51:52.179 on 6 Dec: ISAKMP: (1227): send initial contact
08:51:52.179 on 6 Dec: ISAKMP: (1227): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
08:51:52.179 on 6 Dec: ISAKMP (1227): payload ID
next payload: 8
type: 1
address: B.B.B.B
Protocol: 17
Port: 500
Length: 12
08:51:52.179 on 6 Dec: ISAKMP: (1227): the total payload length: 12
DEC 6 08:51:52.179: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
08:51:52.179 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.179 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM508:51:52.315 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH A.A.A.A
DEC 6 08:51:52.315: ISAKMP: (1227): payload ID for treatment. Message ID = 0
08:51:52.315 on 6 Dec: ISAKMP (1227): payload ID
next payload: 8
type: 1
address: A.A.A.A
Protocol: 17
Port: 0
Length: 12
DEC 6 08:51:52.315: ISAKMP: (0): peer games * no * profiles
DEC 6 08:51:52.315: ISAKMP: (1227): HASH payload processing. Message ID = 0
08:51:52.315 on 6 Dec: ISAKMP: received payload type 17
DEC 6 08:51:52.315: ISAKMP: (1227): load useful vendor id of treatment
DEC 6 08:51:52.315: ISAKMP: (1227): provider ID is DPD
08:51:52.315 on 6 Dec: ISAKMP: (1227): SA authentication status:
authenticated
08:51:52.315 on 6 Dec: ISAKMP: (1227): SA has been authenticated with A.A.A.A
08:51:52.315 on 6 Dec: ISAKMP: try to insert a B.B.B.B/A.A.A.A/500/ peer and inserted 2B79E8BC successfully.
08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM5 = IKE_I_MM608:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_I_MM608:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE08:51:52.315 on 6 Dec: ISAKMP: (1227): start Quick Mode Exchange, M - ID 1511581970
08:51:52.315 on 6 Dec: ISAKMP: (1227): initiator QM gets spi
DEC 6 08:51:52.315: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
08:51:52.315 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.315 on 6 Dec: ISAKMP: (1227): entrance, node 1511581970 = IKE_MESG_INTERNAL, IKE_INIT_QM
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_QM_READY = IKE_QM_I_QM1
08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
08:51:52.455 on 6 Dec: ISAKMP: node set-1740216573 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 2554750723
DEC 6 08:51:52.455: ISAKMP: (1227): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
0, message ID SPI = 2554750723, a = 0x2B78D574
08:51:52.455 on 6 Dec: ISAKMP: (1227): node-1740216573 error suppression FALSE reason 'informational (en) State 1.
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
08:51:52.455 on 6 Dec: ISAKMP: node set 1297146574 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 1297146574
DEC 6 08:51:52.455: ISAKMP: (1227): treatment of payload to DELETE. Message ID = 1297146574
08:51:52.455 on 6 Dec: ISAKMP: (1227): peer does not paranoid KeepAlive.08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1297146574 FALSE reason 'informational (en) State 1.
08:51:52.455 on 6 Dec: ISAKMP: node set-1178304129 to QM_IDLE
DEC 6 08:51:52.455: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
08:51:52.455 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
08:51:52.455 on 6 Dec: ISAKMP: (1227): purge the node-1178304129
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
08:51:52.455 on 6 Dec: ISAKMP: Unlocking counterpart struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
08:51:52.455 on 6 Dec: ISAKMP: delete peer node by peer_reap for A.A.A.A: 2B79E8BC
08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1511581970 FALSE reason 'IKE deleted.
08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_DEST_SA = IKE_DEST_SAWould appreciate any help you can provide.
Kind regards
Sidney Dsouza
The phase 2 does not complete since there is no visible SPI value. In addition, depending on your configuration Transport mode is configured for phase 2 However, debug displays the tunnel mode.
Thus, as suggested earlier to debug this further and find the root cause we need to match the configuration settings in Phase 2 with regard to the remote device.
Hope that helps.
Kind regards
Anuj
-
HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody
Hello
We have a cisco ASA 5505 and try to get the next job:
ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client
the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)
When I try to access the url of the client, I get a syn sent with netstat
When I try trace ASA package, I see the following:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 0.0.0.0 0.0.0.0 outdoors
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
4 IP-OPTIONS ALLOW 5 CP-PUNT ALLOW 6 VPN IPSec-tunnel-flow ALLOW 7 IP-OPTIONS ALLOW 8 VPN encrypt ALLOW outdoors upward upward outdoors upward upward drop (ipsec-parody) Parody of detected IPSEC When I try the reverse (i.e. from the internet host to vpn client), it seems to work:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 192.168.75.5 255.255.255.255 outside
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in of access allowed any ip an extended list
4 IP-OPTIONS ALLOW 5 VPN IPSec-tunnel-flow ALLOW 6 VPN encrypt ALLOW My question is why this phenomenon happens and how solve us this problem?
Thanks in advance, Sipke
our running-config:
: Saved
:
ASA Version 8.0 (4)
!
ciscoasa hostname
domain somedomain
activate the password - encrypted
passwd - encrypted
names of
name 10.10.1.0 Hyperion
name 164.140.159.x xxxx
name 192.168.72.25 xxxx
name 192.168.72.24 xxxx
name 192.168.72.196 xxxx
name 192.168.75.0 vpn clients
name 213.206.236.0 xxxx
name 143.47.160.0 xxxx
name 141.143.32.0 xxxx
name 141.143.0.0 xxxx
name 192.168.72.27 xxxx
name 10.1.11.0 xxxx
name 10.1.2.240 xxxx
name 10.1.1.0 xxxx
name 10.75.2.1 xxxx
name 10.75.2.23 xxxx
name 192.168.72.150 xxxx
name 192.168.33.0 xxxx
name 192.168.72.26 xxxx
name 192.168.72.5 xxxx
name 192.168.23.0 xxxx
name 192.168.34.0 xxxx
name 79.143.218.35 inethost
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.72.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP address 193.173.x.x 255.255.255.240
OSPF cost 10
!
interface Vlan3
Shutdown
nameif dmz
security-level 50
192.168.50.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan23
nameif wireless
security-level 80
192.168.40.1 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 23
!
interface Ethernet0/7
!
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group DefaultDNS
domain pearle.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
Remote Desktop Protocol Description
EQ port 3389 object
object-group service UDP - udp VC
range of object-port 60000 60039
object-group VC - TCP tcp service
60000 60009 object-port Beach
object-group service tcp Fortis
1501 1501 object-port Beach
Beach of port-object 1502-1502
Beach of port-object sqlnet sqlnet
1584 1584 object-port Beach
1592 1592 object-port Beach
object-group service tcp fortis
1592 1592 object-port Beach
Beach of port-object 1502-1502
1584 1584 object-port Beach
Beach of port-object sqlnet sqlnet
1501 1501 object-port Beach
1500 1500 object-port Beach
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-group network inside-networks
object-network 192.168.72.0 255.255.255.0
WingFTP_TCP tcp service object-group
Secure FTP description
port-object eq 989
port-object eq 990
DM_INLINE_TCP_1 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
DM_INLINE_TCP_2 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
the DM_INLINE_NETWORK_3 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_4 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
object-group network Oracle
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
network-object OracleThree 255.255.224.0
the DM_INLINE_NETWORK_5 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_6 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_7 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_8 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
object-group service DM_INLINE_SERVICE_2
the purpose of the ip service
EQ-3389 tcp service object
the DM_INLINE_NETWORK_9 object-group network
network-object OracleThree 255.255.0.0
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
EQ-3389 tcp service object
Atera tcp service object-group
Atera Webbased monitoring description
8001 8001 object-port Beach
8002 8002 object-port Beach
8003 8003 object-port Beach
WingFTP_UDP udp service object-group
port-object eq 989
port-object eq 990
WingFTP tcp service object-group
Description range of ports for the transmission of data
object-port range 1024-1054
HTTPS_redirected tcp service object-group
Description redirect WingFTP Server
port-object eq 40200
Note to inside_access_in to access list ICMP test protocol inside outside
inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note HTTP inside outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www
access-list inside_access_in note queries DNS inside to outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field
access-list inside_access_in note the HTTPS protocol inside and outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note 7472 Epo-items inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472
access-list inside_access_in note POP3 inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3
inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC
inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323
access-list inside_access_in note video conference services
inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list Fortis
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis
access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq
inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list
inside_access_in list extended access udp allowed any any eq isakmp
inside_access_in list extended access udp allowed any any eq ntp
inside_access_in list extended access udp allowed any any eq 4500
inside_access_in list of allowed ip extended access any Oracle object-group
inside_access_in list extended access udp allowed any any eq 10000
access-list inside_access_in note PPTP inside outside
inside_access_in list extended access permit tcp any any eq pptp
access-list inside_access_in note WILL inside outside
inside_access_in list extended access will permit a full
Note to inside_access_in to access the Infrastructure of the RIM BES server list
inside_access_in list extended access permit tcp host BESServer any eq 3101
inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
inside_access_in list extended access permit tcp any any HTTPS_redirected object-group
access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2
inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194
access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group
access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access deny ip any any inactive debug log
Note to outside_access_in to access list ICMP test protocol outside inside
outside_access_in list extended access permit icmp any one
access-list outside_access_in Note SMTP outside inside
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access udp allowed any any eq ntp disable journal
access-list outside_access_in note 7472 EPO-items outside inside
outside_access_in list extended access permit tcp any any eq 7472
outside_access_in list extended access permit tcp any any object-group inactive RDP
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit tcp any any HTTPS_redirected object-group
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group
outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP
outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list extended access udp allowed any any eq 10000
outside_access_in list extended access will permit a full
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive
outside_access_in list extended access permit tcp any any Atera object-group
outside_access_in list extended access deny ip any any inactive debug log
outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip
outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192
inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group
inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0
access-list 200 scope allow tcp all fortis of fortis host object-group
access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group
outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip
outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.
Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0
Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0
Comment by Wireless_access_in-list of the traffic Internet access
Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any
standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0
splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0
standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0
splittunnelclientvpn list standard access allowed host 85.17.235.22
splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0
standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0
splittunnelclientvpn list standard access allowed host inethost
Standard access list SplittnlHyperion allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0
access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group
outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0
192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow
192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 wireless
local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask
mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 613.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (wireless) 1 192.168.40.0 255.255.255.0
public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02
public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)
static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface
public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255
public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255
public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255
public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255
public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255
public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255
public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255
public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255
public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255
public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255
public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255
public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255
public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255
public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255
public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255
public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255
public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255
public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255
public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255
public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255
public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255
public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255
public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255
public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255
public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255
public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255
public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255
public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255
public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255
public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255
public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255
public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255
public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255
public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255
public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)
public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)
static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group Wireless_access_in in wireless interface
Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1
Route outside OracleThree 255.255.224.0 193.173.12.198 1
Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1
Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.40.0 255.255.255.0 Wireless
http 192.168.1.0 255.255.255.0 inside
http 192.168.72.0 255.255.255.0 inside
http GrandVisionSoesterberg 255.255.255.0 inside
SNMP-server host inside 192.168.33.29 survey community public version 2 c
location of Server SNMP Schiphol
contact Server SNMP SSmeekes
SNMP-Server Public community
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map0 1 match address outside_cryptomap_1
outside_map0 card crypto 1jeu pfs
outside_map0 card crypto 1jeu peer 212.78.223.182
outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5
outside_map0 map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map0 1 set security-association life kilobytes 4608000
card crypto game 2 outside_map0 address outside_cryptomap_2
outside_map0 crypto map peer set 2 193.173.12.193
card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 2 set security-association seconds 28800
card crypto outside_map0 2 set security-association life kilobytes 4608000
card crypto outside_map0 3 match address outside_1_cryptomap
outside_map0 card crypto 3 set pfs
outside_map0 card crypto 3 peers set 193.172.182.66
outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA
life card crypto outside_map0 3 set security-association seconds 28800
card crypto outside_map0 3 set security-association life kilobytes 4608000
card crypto outside_map0 game 4 address outside_cryptomap
outside_map0 card crypto 4 peers set 213.56.81.58
outside_map0 4 set transform-set GRANDVISION crypto card
life card crypto outside_map0 4 set security-association seconds 28800
card crypto outside_map0 4 set security-association life kilobytes 4608000
card crypto outside_map0 5 match address outside_cryptomap_3
outside_map0 card crypto 5 set pfs
outside_map0 crypto card 5 peers set 86.109.255.177
outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 5 set security-association seconds 28800
card crypto outside_map0 5 set security-association life kilobytes 4608000
Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
outside_map0 interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP enable dmz
crypto ISAKMP enable wireless
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.72.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.72.0 255.255.255.0 inside
SSH GrandVisionSoesterberg 255.255.255.0 inside
SSH 213.144.239.0 255.255.255.192 outside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 194.151.228.18 is 10.10.1.100
dhcpd outside auto_config
!
dhcpd address 192.168.72.253 - 192.168.72.253 inside
!
dhcpd address dmz 192.168.50.10 - 192.168.50.50
dhcpd enable dmz
!
dhcpd address wireless 192.168.40.10 - 192.168.40.99
dhcpd dns 194.151.228.18 wireless interface
dhcpd activate wireless
!
a basic threat threat detection
host of statistical threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Group Policy "pearle_vpn_Hyp only" internal
attributes of Group Policy "pearle_vpn_Hyp only".
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SplittnlHyperion
Split-dns value pearle.local
internal pearle_vpn_OOD_only group policy
attributes of the strategy of group pearle_vpn_OOD_only
value of Split-tunnel-network-list SplittnlOOD
internal pearle_vpn group policy
attributes of the strategy of group pearle_vpn
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec svc
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splittunnelclientvpn
Pearle.local value by default-field
Split-dns value pearle.local
username anyone password encrypted password
username something conferred
VPN-group-policy pearle_vpn_OOD_only
type of remote access service
tunnel-group 193 type ipsec-l2l
tunnel-group 193 ipsec-attributes
pre-shared-key *.
tunnel-group 193.173.12.193 type ipsec-l2l
IPSec-attributes tunnel-group 193.173.12.193
pre-shared-key *.
NOCHECK Peer-id-validate
type tunnel-group pearle_vpn remote access
tunnel-group pearle_vpn General-attributes
address pool VPN_Range_2
Group Policy - by default-pearle_vpn
pearle_vpn group of tunnel ipsec-attributes
pre-shared-key *.
type tunnel-group Pearle_VPN_2 remote access
attributes global-tunnel-group Pearle_VPN_2
address pool VPN_Range_2
strategy-group-by default "pearle_vpn_Hyp only".
IPSec-attributes tunnel-group Pearle_VPN_2
pre-shared-key *.
tunnel-group 213.56.81.58 type ipsec-l2l
IPSec-attributes tunnel-group 213.56.81.58
pre-shared-key *.
tunnel-group 212.78.223.182 type ipsec-l2l
IPSec-attributes tunnel-group 212.78.223.182
pre-shared-key *.
tunnel-group 86.109.255.177 type ipsec-l2l
IPSec-attributes tunnel-group 86.109.255.177
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb
: end
ASDM image disk0: / asdm - 613.bin
ASDM BESServer 255.255.255.255 inside location
ASDM VPN_Pool_2 255.255.255.0 inside location
ASDM OracleTwo 255.255.224.0 inside location
ASDM OracleOne 255.255.240.0 inside location
ASDM OracleThree 255.255.224.0 inside location
ASDM location Exchange2010 255.255.255.255 inside
ASDM location Grandvision 255.255.255.0 inside
ASDM Grandvision2 255.255.255.240 inside location
ASDM Grandvision3 255.255.255.0 inside location
ASDM Grandvision4 255.255.255.255 inside location
ASDM GrandVision_PC 255.255.255.255 inside location
ASDM location LanSweep-XP 255.255.255.255 inside
ASDM GrandVisionSoesterberg 255.255.255.0 inside location
ASDM location Pearle-DC02 255.255.255.255 inside
ASDM location Pearle-WDS 255.255.255.255 inside
ASDM location Swabach 255.255.255.0 inside
ASDM GrandVisionSoesterberg2 255.255.255.0 inside location
don't allow no asdm history
Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?
If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.
NAT (outside) 1 192.168.75.0 255.255.255.0
-
client ipSec VPN and NAT on the router Cisco = FAIL
I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client. The same router is NAT.
ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.
Suggestions?
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group myclient
key password!
DNS 1.1.1.1
Domain name
pool myVPN
ACL 111
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client VPN - AAA authentication
card crypto clientmap AAA - VPN isakmp authorization list
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!interface Loopback0
IP 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
/ / DESC it's external interfaceIP 192.168.168.5 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
clientmap card crypto
!
interface GigabitEthernet0/1/ / DESC it comes from inside interface
10.0.1.10 IP address 255.255.255.0
IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">=================ipSec>
IP virtual-reassembly
the route cache same-interface IP
automatic duplex
automatic speed
media type rj45!
IP local pool myVPN 10.88.0.2 10.88.0.10
p route 0.0.0.0 0.0.0.0 192.168.168.1
IP route 10.0.0.0 255.255.0.0 10.0.1.4
!IP nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255Hello
I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool
For example, to do this kind of configuration, ACL and NAT
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 ay
overload of IP nat inside source list 100 interface GigabitEthernet0/0
EDIT: seem to actually you could have more than 10 networks behind the routerThen you could modify the ACL on this
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.255.255 ay
Don't forget to mark the answers correct/replys and/or useful answers to rate
-Jouni
-
Hi all
My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.
I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:
company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN
where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.
I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...
! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
crypto ISAKMP policy 5
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
isakmp encryption key * address no.-xauth y.y.y.y! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
crymap extended IP access list
IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
card crypto 1 TUNNEL VPN ipsec-isakmp
defined peer y.y.y.y
game of transformation-ESP-3DES-SHA
match the address crymapGi0/2 interface
card crypto VPN TUNNELHello
debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.
What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.
So I suggest:
no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">-->
Then try tunnel initiate.
Kind regards
Jan
-
ASA ASA from Site to Site VPN IPSec Tunnel
Any help would be greatly appreciated...
I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.
Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24
Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24
Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.
Internet access works very well in all workstations of this site. A static route is configured to redirect all traffic to a public router upstream.
Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address. A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253. This device then performs its own private Public NAT. Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)
The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem. However, all traffic passing on networks ICMP does not end and the Syslog reports the following-
Site #1-
6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1 Site #2-
6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP It's the same for any form of traffic passing over the tunnel. The ACL is configured to allow segments of LAN out to any destination. At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).
Anyone can shed light on a possible cause of this problem?
Thank you
Nick
did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?
Please provide the following information
-set up the tunnel
-show the isa cry his
-show the ipsec cry his
-ping of the site 1 site 2 via tunnel
-capture "crypto ipsec to show his" once again
-ping from site 2 to 1 by the tunnel of the site
-capture "crypto ipsec to show his" once again
-two ASA configuration.
-
Impossible to access them Internert through the split tunneling VPN client.
I divided tunnel configured on a PIX 515. The remote VPN client connects to the PIX very well and can ping hosts on the internal network, but cannot access the Internet. Am I missing something? My config as shown below.
In addition, I don't see the routes on the VPN client via statistics (screenshot below)
All opinions are appreciated.
Rob
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8.0 (3) version PIX
!
hostname PIX-to-250
enable the encrypted password xxxxx
names of
!
interface Ethernet0
nameif outside
security-level 0
IP address x.x.x.250 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
IP 192.168.9.1 255.255.255.0
!
XXXXX encrypted passwd
passive FTP mode
DNS domain-lookup outside
DNS server-group Ext_DNS
Server name 194.72.6.57
Server name 194.73.82.242
the LOCAL_LAN object-group network
object-network 192.168.9.0 255.255.255.0
object-network 192.168.88.0 255.255.255.0
Internet_Services tcp service object-group
port-object eq www
area of port-object eq
EQ object of the https port
port-object eq ftp
EQ object of port 8080
port-object eq telnet
the WAN_Network object-group network
object-network 192.168.200.0 255.255.255.0
ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field
ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper
ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services
access-list extended ACLIN all permit icmp any what newspaper echo-reply
access-list extended ACLIN all permit icmp any how inaccessible journal
access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time
Comment by split_tunnel_list-LAN Local access list
split_tunnel_list list standard access allowed 192.168.9.0 255.255.255.0
access-list extended SHEEP allowed object-group ip LOCAL_LAN 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
Outside 1500 MTU
Within 1500 MTU
IP local pool testvpn 192.168.100.1 - 192.168.100.99
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ACLIN in interface outside
ACLOUT access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 195.171.252.45 1
Route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
Route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac Set_1
Crypto-map dynamic outside_dyn_map 10 game of transformation-Set_1
life together - the association of security crypto dynamic-map outside_dyn_map 10 seconds 280000
Crypto-map dynamic outside_dyn_map 10 the value reverse-road
outside_map 10 card crypto ipsec-isakmp dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
internal testvpn group policy
attributes of the strategy of group testvpn
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
name of user testuser encrypted password xxxxxx
type tunnel-group testvpn remote access
tunnel-group testvpn General-attributes
address testvpn pool
Group Policy - by default-testvpn
testvpn group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
: end
# 250 A - PIX
You have not assigned the ACL split tunnel to your strategy.
PLS, configure the following:
attributes of the strategy of group testvpn
value of Split-tunnel-network-list split_tunnel_list
-
Configuration of the client VPN IPSEC IOS question
Hello all, I just can't get my IOS Firewall to accept a client based vpn IPSEC connection. The Cisco client comes to expiration and Im never disputed a username and password. I checked my group and a pre-shared on the client and the router. I put my relevant config below. Any help would be greatly appreciated.
version 12.4
boot system flash: uc500-advipservicesk9 - mz.124 - 24.T.bin
AAA new-model
!
!
AAA authentication login default local
radius of group AAA authentication login userauthen
AAA authorization exec default local
radius of group AAA authorization network groupauthor
inspect the IP tcp outgoing name
inspect the IP udp outgoing name
inspect the name icmp outgoing IP
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto SMOVPN
key xxxxx
DNS 192.168.10.2
business.local field
pool vpnpool
ACL 108
Crypto isakmp VPNclient profile
match of group identity SMOVPN
client authentication list default
Default ISAKMP authorization list
client configuration address respond
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Define VPNclient isakmp-profile
market arriere-route
!
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
interface FastEthernet0/0
IP 11.11.11.10 255.255.255.252
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the outgoing IP outside
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
IP local pool vpnpool 192.168.109.1 192.168.109.254
IP nat inside source list 1 interface FastEthernet0/0 overload
outside_in extended IP access list
permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
allow any host 74.143.215.138 esp
allow any host 74.143.215.138 eq isakmp udp
allow any host 74.143.215.138 eq non500-isakmp udp
allow any host 74.143.215.138 ahp
allow accord any host 74.143.215.138
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
Here are a few suggestions:
change this:
radius of group AAA authorization network groupauthor
for this
AAA authorization groupauthor LAN
(unless you use the group permission for your radius server you need local)
Choose either on ISAKMP profiles and if you decide to go with and then get rid of these lines:
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
AND change the following items on your profile isakmp:
Crypto isakmp VPNclient profile
ISAKMP authorization list groupauthor
Also if you'll use a list for user authentication, I advise you to avoid using the default list so go ahead and change it too much under the isakmp profile
client authentication list userauthen.
If you do not use isakmp profiles change the following:
No crypto isakmp VPNclient profile
Crypto-map dynamic dynmap 10
No VPNclient set isakmp-profile
-
Hi all
I have 3 sites, the main site has a cisco firewall mikrotik router.
There is a vpn ipsec existing between the cisco router and another router cisco on the site of the 2nd and it works well.
Now, I've added an another vpn between a 3rd site and main site. The router on the 3rd site is a mikrotik firewall.
I had the vpn on the main site and the 3rd site where the mikrotik firewall is and it worked well.
then for some reason, the vpn with the 3rd site has failed and I could not get it working again.
When looking for answers, I see that the vpn for the 3rd site States the following:
#pkts program: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0It seems that no traffic is coming back to the cisco
I also found the following output below to diagnose the problem.
It seems that there is communication, but if I read this right, it looks like the cisco established a new number but the other end is not the new number
new node-1868419487
node-1868419487 error suppression FALSE "Information (in) condition 1" pattern
Any help would be appreciated.
* 02:49:51.911 Jul 22: ISAKMP: (2060): purge the node-1140469772
* 02:49:59.723 Jul 22: ISAKMP: DPD received message KMI.
* 02:49:59.723 Jul 22: ISAKMP: node set 1053074288 to QM_IDLE
* 02:49:59.723 Jul 22: ISAKMP: (2060): Protocol for sending INFORMER DPD/R_U_THERE 1
SPI 2273844328, message ID = 1053074288
* 02:49:59.723 Jul 22: ISAKMP: (2060): seq. no 0x645EC368
* 02:49:59.723 Jul 22: ISAKMP: (2060): my_port of x.x.x.127 package sending 5
peer_port 00 500 (R) QM_IDLE
* 02:49:59.723 Jul 22: ISAKMP: (2060): sending a packet IPv4 IKE.
* 02:49:59.723 Jul 22: ISAKMP: (2060): purge the node 1053074288
* 02:49:59.767 Jul 22: ISAKMP (2060): packet received dport x.x.x.127
500 sport Global 500 (R) QM_IDLE
* 02:49:59.767 Jul 22: ISAKMP: node set-1868419487 to QM_IDLE
* 02:49:59.771 Jul 22: ISAKMP: (2060): HASH payload processing. Message ID = 24265
47809
* 02:49:59.771 Jul 22: ISAKMP: (2060): treatment of the NOTIFY DPD/R_U_THERE_ACK protoco
l 1
0, message ID SPI = 2426547809, a = 0x8705F854
* 02:49:59.771 Jul 22: ISAKMP: (2060): DPO/R_U_THERE_ACK received from the peer 125,23
6.211.127, sequence 0x645EC368
* 02:49:59.771 Jul 22: ISAKMP: (2060): node-1868419487 FALSE reason for deletion error
"Information (in) condition 1"
* 02:49:59.771 Jul 22: ISAKMP: (2060): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
* 02:49:59.771 Jul 22: ISAKMP: (2060): former State = new State IKE_P1_COMPLETE = IKE
_P1_COMPLETE
* 02:50:01.111 Jul 22: ISAKMP: (2060): purge the node-1201068805
Comparing encrypt of 46 to 47436 counters, it seems that router is ecncrypting the traffic, but we do not get any interesting traffic on the remote side.
Most likely, you might want to check on the remote site, if you see counters increment in parallel decryption and encryption of the counters are incrementing or not.
On the router IOS, if are incrementing counters encrypt, and confirm that you have not any tunnel existing before the router can be seen same proxy IDs, which is already negotiated with other peer.
Finally, please make sure that the ESP, 50 protocol traffic is not blocked in transit.
I hope this helps.Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
basic configuration question IPSec GRE
the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
life 120
address of cisco crypto isakmp 203.115.34.4 keys
!
!
Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
!
MY_MAP 10 ipsec-isakmp crypto map
defined by peer 203.115.34.4
game of transformation-MY_TRANSFORM
match address 100
!
!
!
!
interface Loopback0
192.168.10.1 IP address 255.255.255.255
!
interface Tunnel0
IP 192.168.14.1 255.255.255.0
source of tunnel Serial1/2
tunnel destination 203.115.34.4
card crypto MY_MAP!
!
interface Serial1/2
IP 203.115.12.1 255.255.255.0
series 0 restart delay
!
!
Router eigrp 100
network 192.168.0.0 0.0.255.255
Auto-resume
!
router ospf 100
router ID 1.1.1.1
Log-adjacency-changes
network 203.115.0.0 0.0.255.255 area 0
!!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
!
!
I see cisco samples configurations include an access list entry as follows...
access-list 100 permit gre 203.115.12.1 host 203.115.34.4
I understand the purpose of the ACL above regarding the test configuration that I posted here.
Let me explain.
LAN - router - WAN - router - LAN
Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.
If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.
If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.
If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.
The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.
The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.
It will be useful.
Federico.
Maybe you are looking for
-
Qosmio G30 - 126 - hdd instaltion Win7 or Vista appears
Hi all I have a Qosmio g30-126 system.I don't have the recovery CD.I want to install the Win7 or Win Vista.It is not showing me the two 200 + 200 HARD drive. Please tell to me what I'm doing.
-
Drivers HP 15-f209wm win 7 64 bit
I'm going down mid laptop computer with win 10 for win 7 64 bit but I can't find any driver for win 7 could you help me please
-
Filling of the specific category of Signal on the range of functions
Hello Does anyone can help with advice on how to complete the specific category of signal on the palette of functions of block diagram? Thank you
-
I got a camera from Canon 650 EOS 35 mm with lens (70-210 mm EF 35-70mm EF, EF 50mm) and Canon Speedlite 420EZ. I begin to use them to take pictures. I hope I can find a digito camera that will work with the device I already have. It was my father, a
-
27xi and web printing does not work with Firefox
I just bought this HP 27xi monitor to Costco and thinking about buying another soon. I use Firefox and went to print this web page I printed before using my HP monitor HP desktop computers and smaller and had no problem. Last night, I try to print to