Tunnel VPN IPSEC Gre of the router in the branch office by Pix to the router HQ

Similar Questions

• GRE tunnels will not come on VPN IPsec/GRE

  Hi all

  We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

  Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

  The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

  00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
     
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
  00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

  I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

  Assorted useful details and matching orders of show results:

  Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

  There are 2 connections of IPSEC/GRE tunnel:

  Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
  Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

  Site-382-831 #sho ip int br
  Interface IP-Address OK? Method State Protocol
  FastEthernet1 unassigned YES unset down down
  FastEthernet2 unassigned YES unset upward, upward
  FastEthernet3 unassigned YES unset upward, upward
  FastEthernet4 unassigned YES unset upward, upward
  Ethernet0 10.3.82.10 YES NVRAM up up
  Ethernet1 74.WW. XX.35 YES NVRAM up up
  Ethernet2 172.16.1.10 YES NVRAM up up
  Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
  Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
  NVI0 unassigned don't unset upward upwards

  Site-382-831 #.
  Site-382-831 #sho run int tunnel101
  Building configuration...

  Current configuration: 277 bytes
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  KeepAlive 3 3
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  end

  Site-382-831 #.

  Site-382-831 #show isakmp crypto his
  status of DST CBC State conn-id slot
  208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
  208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show detail of the crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  X - IKE extended authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 11:2 (hardware)
  74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 10:2 (hardware)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his

  Interface: Ethernet1
  Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
  current_peer 208.YY. ZZ.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0x45047D1D (1157922077)

  SAS of the esp on arrival:
  SPI: 0x15B97AEA (364477162)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486831/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x45047D1D (1157922077)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486744/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
  current_peer 208.XX. YY.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0xE82A86BC (3895101116)

  SAS of the esp on arrival:
  SPI: 0x539697CA (1402378186)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432595/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xE82A86BC (3895101116)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432508/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto isakmp policy

  World IKE policy
  Priority protection Suite 10
  encryption algorithm: three key triple a
  hash algorithm: Secure Hash Standard
  authentication method: pre-shared Key
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Default protection suite
  encryption algorithm: - Data Encryption STANDARD (56-bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Site-382-831 #.

  Site-382-831 #show crypto card
  "IPVPN_MAP" 101-isakmp ipsec crypto map
  Description: at the 2nd KC BGP 2821 - PRI - B
  Peer = 208.YY. ZZ.11
  Extend the PRI - B IP access list
  access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
  Current counterpart: 208.YY. ZZ.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }

  "IPVPN_MAP" 201-isakmp ipsec crypto map
  Description: 2nd Dallas BGP 2821 - s-B
  Peer = 208.XX. YY.11
  Expand the list of IP SEC-B access
  s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
  Current counterpart: 208.XX. YY.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }
  Interfaces using crypto card IPVPN_MAP:
  Ethernet1
  Site-382-831 #.

  Tunnel between KC & the remote site configuration is:

  Distance c831 - KC

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  !
  PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
  transport mode
  !
  IPVPN_MAP 101 ipsec-isakmp crypto map
  Description of 2nd KC BGP 2821 - PRI - B
  set of peer 208.YY. ZZ.11
  game of transformation-IPVPN
  match address PRI - B
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  !
  interface Ethernet0
  private network Description
  IP 10.3.82.10 255.255.255.0
  IP mtu 1500
  no downtime
  !
  interface Ethernet1
  IP 74.WW. XX.35 255.255.255.248
  IP mtu 1500
  automatic duplex
  IP virtual-reassembly
  card crypto IPVPN_MAP
  no downtime
  !
  PRI - B extended IP access list
  allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
  !

  KC-2821 *.

  PRI-B-382 address 74.WW isakmp encryption key. XX.35
  !
  PRI-B-382 extended IP access list
  allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
  !
  IPVPN_MAP 382 ipsec-isakmp crypto map
  Description % connected to the 2nd KC BGP 2821
  set of peer 74.WW. XX.35
  game of transformation-IPVPN
  match address PRI-B-382
  !
  interface Tunnel382
  Description %.
  IP 1.3.82.45 255.255.255.252
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  IP 1400 MTU
  delay of 40000
  tunnel of 208.YY origin. ZZ.11
  destination of the 74.WW tunnel. XX.35
  !
  end

  Any help would be much appreciated!

  Mark

  Hello

  logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Kind regards

  Averroès.

• Command to check the tunnel VPN S2S awhile in the cisco router

  Dear all,

  Please share the command check S2S tunnel of time that is configured on the router.

  There are commands that define the lifetimes of (his) IPSec Security Associations, ISAKMP.

  For example:

  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  life 3600

  life 3599 seconds crypto ipsec security association

  ... and you can determine the remaining lifetime for these SAs with the following commands:

  SH detail session crypto

  SH in detail its crypto isakmp

  SH crypto ipsec his

  The delta between the lifetime (s) configured and remaining life will tell you how much time has passed since the last regeneration, but that is as close you are likely to have to determine when the tunnel came first.

  You could use other means as States of syslog for you say when a Tunnel is a transitioning upwards or downwards.

  Best regards

  Mike

• Blocks VIRTUAL local network access to a tunnel VPN IPSec on WRV200?

  I have two identical WRV200 wireless routers which are connected by a VPN IPSec tunnel.  This goes to my LAN LAN of my parents.  Everything works well.

  But I also have my WRV200 configured for two VLANS.  Vlan1 for my network and secure wireless access.  VLAN2 for a WiFi not secure for customers.

  My problem is that my guest on VLAN2 slips through the VPN devices and access on LAN of my parents.  I'm looking for a way to block to do this.

  I use the version of the software on the two routers (v1.0.39).

  For what it's worth, I know that my receive an IP address in the range 192.168.x.101 DHCP - 199.  I could assign a different range if that helps.  I thought that I could block this beach on the remote router firewall, but I see there is blocking a single IP address at the time, maximum of 8.  Am I missing something?

  Or could I put something weird in the routing tables somewhere to get the IPs guest out of lala land?

  Any suggestions are appreciated.  I can't be the only one in this boat.

  Steve

  Try to check local and remote, vpn under safe group settings if you change the ip address range subnet. Don't include the range of ip addresses of the computers wireless comments so that it will not pass through the vpn tunnel. If there is no ip range option, you must to the subnet of the network in order to control the ip address you want to allow on the vpn tunnel.

• Tunnel VPN IPSEC (LAN to LAN) not succeeded traffic

  I had a temporary scenario I need to establish an IPSEC VPN between branch (cisco router) and HQ (VPN concentrator).

  The tunnel is established end but traffic stop happening after some 5-10 minutes. I have to manually clear the session encryption and then connectivity is fine. To test the above, I'll send branch ICMP packets to HQ. I can see ' cryto isakmp his ' and ' crytpo ipsec his ' active and fine.

  Share your opinion on this guy!

  Hello

  Make sure that this life corresponds to the router and the hub.

  This is a doc for IPSEC troubleshooting: -.

  http://www.Cisco.com/en/us/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml

  Parminder Sian

• How to establish a tunnel vpn ipsec using DNS with ASA 5505?

  Hello

  I m get a dynamic IP address public and what I m trying to do is establish a tunnnel remote vpn using IPSec, which I realize my provider but each time resets of sessions or ASA 5505 reset, I get a new public IP and I need to put the new IP address on the remote client, so I can establish the vpn...

  How can I establish a vpn ipsec using DNS?  For this scenario, the remote client vpn is a vpn phone, but it could be any vpn client.

  Private private Public IP IP IP

  PBX - Telephone (LAN) - ASA 5505-(Internet)-(router) Remote Site-(LAN) VPN-

  Kind regards!

  Ah ok I see, Yes in this case there is no that you can do other than request a static IP address from your ISP.

  Kind regards.

  PS: Don't forget to mark this question as answered. Thank you!

• Tunnel VPN IPSEC site 2 Site will not appear.

  Hello Experts,

  I was wondering if I can get help on creating an IPSEC VPN between a Cisco 2921 and ASA 550 x tunnel. Here is the config

  See the race | s crypto

  Crypto pki token removal timeout default 0

  crypto ISAKMP policy 1

  BA aes

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key address A.A.A.A xxxxxxxxxxxxxxxxxxxxxx

  Crypto ipsec transform-set ESP-AES128-SHA aes - esp esp-sha-hmac

  transport mode

  ICQ-2-ILAND 1 ipsec-isakmp crypto map

  defined by peer A.A.A.A

  game of transformation-ESP-AES128-SHA

  match the address iland_london_s2s_vpn

  ICQ-2-ILAND crypto card

  The config on the remote end has not been shared with me, so I don't know if I'm doing something wrong locally, or if the remote end is configured incorrectly.

  The command Sh crypto isakmp its the following message

  ISAKMP crypto to show his
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  A.A.A.A B.B.B.B MM_NO_STATE 1231 ACTIVE (deleted)      

  IPv6 Crypto ISAKMP Security Association

  See the session encryption
  Current state of the session crypto

  Interface: GigabitEthernet0/0
  The session state: DOWN-NEGOTIATION
  Peer: Port A.A.A.A 500
  IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
  IKEv1 SA: local B.B.B.Bremote 500 A.A.A.A500 inactive
  FLOW IPSEC: allowed ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
  Active sAs: 0, origin: card crypto
  FLOW IPSEC: allowed ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
  Active sAs: 0, origin: card crypto

  The command debug crypto isakmp debug logs are listed below.

  ISAKMP: (0): pre-shared key local found
  08:51:52.019 on 6 Dec: ISAKMP: analysis of the profiles for xauth...
  08:51:52.019 on 6 Dec: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
  08:51:52.019 on 6 Dec: ISAKMP: AES - CBC encryption
  08:51:52.019 on 6 Dec: ISAKMP: keylength 128
  08:51:52.019 on 6 Dec: ISAKMP: SHA hash
  08:51:52.019 on 6 Dec: ISAKMP: group by default 2
  08:51:52.019 on 6 Dec: ISAKMP: pre-shared key auth
  08:51:52.019 on 6 Dec: ISAKMP: type of life in seconds
  08:51:52.019 on 6 Dec: ISAKMP: life (basic) of 28800
  08:51:52.019 on 6 Dec: ISAKMP: (0): atts are acceptable. Next payload is 0
  08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts: real life: 0
  08:51:52.019 on 6 Dec: ISAKMP: (0): Acceptable atts:life: 0
  08:51:52.019 on 6 Dec: ISAKMP: (0): base life_in_seconds:28800
  08:51:52.019 on 6 Dec: ISAKMP: (0): return real life: 28800
  08:51:52.019 on 6 Dec: ISAKMP: (0): timer life Started: 28800.

  DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
  DEC 6 08:51:52.019: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  DEC 6 08:51:52.019: ISAKMP: (0): provider ID is NAT - T v2
  DEC 6 08:51:52.019: ISAKMP: (0): load useful vendor id of treatment
  DEC 6 08:51:52.019: ISAKMP: (0): IKE frag vendor processing id payload
  08:51:52.019 on 6 Dec: ISAKMP: (0): IKE Fragmentation support not enabled
  08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

  DEC 6 08:51:52.019: ISAKMP: (0): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
  08:51:52.019 on 6 Dec: ISAKMP: (0): sending a packet IPv4 IKE.
  08:51:52.019 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  08:51:52.019 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

  08:51:52.155 on 6 Dec: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP A.A.A.A
  08:51:52.155 on 6 Dec: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  08:51:52.155 on 6 Dec: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

  DEC 6 08:51:52.155: ISAKMP: (0): processing KE payload. Message ID = 0
  DEC 6 08:51:52.175: ISAKMP: (0): processing NONCE payload. Message ID = 0
  08:51:52.175 on 6 Dec: ISAKMP: (0): pre-shared key found peer corresponding to A.A.A.A
  DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
  DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is the unit
  DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
  DEC 6 08:51:52.175: ISAKMP: (1227): provider ID seems the unit/DPD but major incompatibility of 92
  DEC 6 08:51:52.175: ISAKMP: (1227): provider ID is XAUTH
  DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
  DEC 6 08:51:52.175: ISAKMP: (1227): addressing another box of IOS!
  DEC 6 08:51:52.175: ISAKMP: (1227): load useful vendor id of treatment
  08:51:52.175 on 6 Dec: ISAKMP: (1227): vendor ID seems the unit/DPD but hash mismatch
  08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
  08:51:52.175 on 6 Dec: ISAKMP (1227): sound not hash no match - this node outside NAT
  08:51:52.175 on 6 Dec: ISAKMP: receives the payload type 20
  08:51:52.175 on 6 Dec: ISAKMP (1227): No. NAT found for oneself or peer
  08:51:52.175 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM4

  08:51:52.179 on 6 Dec: ISAKMP: (1227): send initial contact
  08:51:52.179 on 6 Dec: ISAKMP: (1227): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
  08:51:52.179 on 6 Dec: ISAKMP (1227): payload ID
  next payload: 8
  type: 1
  address: B.B.B.B
  Protocol: 17
  Port: 500
  Length: 12
  08:51:52.179 on 6 Dec: ISAKMP: (1227): the total payload length: 12
  DEC 6 08:51:52.179: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
  08:51:52.179 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
  08:51:52.179 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  08:51:52.179 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM4 = IKE_I_MM5

  08:51:52.315 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH A.A.A.A
  DEC 6 08:51:52.315: ISAKMP: (1227): payload ID for treatment. Message ID = 0
  08:51:52.315 on 6 Dec: ISAKMP (1227): payload ID
  next payload: 8
  type: 1
  address: A.A.A.A
  Protocol: 17
  Port: 0
  Length: 12
  DEC 6 08:51:52.315: ISAKMP: (0): peer games * no * profiles
  DEC 6 08:51:52.315: ISAKMP: (1227): HASH payload processing. Message ID = 0
  08:51:52.315 on 6 Dec: ISAKMP: received payload type 17
  DEC 6 08:51:52.315: ISAKMP: (1227): load useful vendor id of treatment
  DEC 6 08:51:52.315: ISAKMP: (1227): provider ID is DPD
  08:51:52.315 on 6 Dec: ISAKMP: (1227): SA authentication status:
  authenticated
  08:51:52.315 on 6 Dec: ISAKMP: (1227): SA has been authenticated with A.A.A.A
  08:51:52.315 on 6 Dec: ISAKMP: try to insert a B.B.B.B/A.A.A.A/500/ peer and inserted 2B79E8BC successfully.
  08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM5 = IKE_I_MM6

  08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_I_MM6

  08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

  08:51:52.315 on 6 Dec: ISAKMP: (1227): start Quick Mode Exchange, M - ID 1511581970
  08:51:52.315 on 6 Dec: ISAKMP: (1227): initiator QM gets spi
  DEC 6 08:51:52.315: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  08:51:52.315 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
  08:51:52.315 on 6 Dec: ISAKMP: (1227): entrance, node 1511581970 = IKE_MESG_INTERNAL, IKE_INIT_QM
  08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_QM_READY = IKE_QM_I_QM1
  08:51:52.315 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  08:51:52.315 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
  08:51:52.455 on 6 Dec: ISAKMP: node set-1740216573 to QM_IDLE
  DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 2554750723
  DEC 6 08:51:52.455: ISAKMP: (1227): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
  0, message ID SPI = 2554750723, a = 0x2B78D574
  08:51:52.455 on 6 Dec: ISAKMP: (1227): node-1740216573 error suppression FALSE reason 'informational (en) State 1.
  08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  08:51:52.455 on 6 Dec: ISAKMP (1227): packet received dport 500 sport Global 500 (I) QM_IDLE A.A.A.A
  08:51:52.455 on 6 Dec: ISAKMP: node set 1297146574 to QM_IDLE
  DEC 6 08:51:52.455: ISAKMP: (1227): HASH payload processing. Message ID = 1297146574
  DEC 6 08:51:52.455: ISAKMP: (1227): treatment of payload to DELETE. Message ID = 1297146574
  08:51:52.455 on 6 Dec: ISAKMP: (1227): peer does not paranoid KeepAlive.

  08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
  08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1297146574 FALSE reason 'informational (en) State 1.
  08:51:52.455 on 6 Dec: ISAKMP: node set-1178304129 to QM_IDLE
  DEC 6 08:51:52.455: ISAKMP: (1227): A packet is sent. A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  08:51:52.455 on 6 Dec: ISAKMP: (1227): sending a packet IPv4 IKE.
  08:51:52.455 on 6 Dec: ISAKMP: (1227): purge the node-1178304129
  08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

  08:51:52.455 on 6 Dec: ISAKMP: (1227): removal of HIS State "No reason" why (I) QM_IDLE (post A.A.A.A)
  08:51:52.455 on 6 Dec: ISAKMP: Unlocking counterpart struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
  08:51:52.455 on 6 Dec: ISAKMP: delete peer node by peer_reap for A.A.A.A: 2B79E8BC
  08:51:52.455 on 6 Dec: ISAKMP: (1227): error suppression node 1511581970 FALSE reason 'IKE deleted.
  08:51:52.455 on 6 Dec: ISAKMP: (1227): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  08:51:52.455 on 6 Dec: ISAKMP: (1227): former State = new State IKE_DEST_SA = IKE_DEST_SA

  Would appreciate any help you can provide.

  Kind regards

  Sidney Dsouza

  The phase 2 does not complete since there is no visible SPI value. In addition, depending on your configuration Transport mode is configured for phase 2 However, debug displays the tunnel mode.

  Thus, as suggested earlier to debug this further and find the root cause we need to match the configuration settings in Phase 2 with regard to the remote device.

  Hope that helps.

  Kind regards

  Anuj

• HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody

  Hello

  We have a cisco ASA 5505 and try to get the next job:

  ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client

  the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)

  When I try to access the url of the client, I get a syn sent with netstat

  When I try trace ASA package, I see the following:

  1

  FLOW-SEARCH

  ALLOW

  Not found no corresponding stream, creating a new stream

  2

  ROUTE SEARCH

  entry

  ALLOW

  in 0.0.0.0 0.0.0.0 outdoors

  3

  ACCESS-LIST

  Journal

  ALLOW

  Access-group outside_access_in in interface outside

  outside_access_in list extended access permitted tcp everything any https eq

  access-list outside_access_in note hyperion outside inside

  4

  IP-OPTIONS

  ALLOW

  5

  CP-PUNT

  ALLOW

  6

  VPN

  IPSec-tunnel-flow

  ALLOW

  7

  IP-OPTIONS

  ALLOW

  8

  VPN

  encrypt

  ALLOW

  outdoors

  upward

  upward

  outdoors

  upward

  upward

  drop

  (ipsec-parody) Parody of detected IPSEC

  When I try the reverse (i.e. from the internet host to vpn client), it seems to work:

  1

  FLOW-SEARCH

  ALLOW

  Not found no corresponding stream, creating a new stream

  2

  ROUTE SEARCH

  entry

  ALLOW

  in 192.168.75.5 255.255.255.255 outside

  3

  ACCESS-LIST

  Journal

  ALLOW

  Access-group outside_access_in in interface outside

  outside_access_in of access allowed any ip an extended list

  4

  IP-OPTIONS

  ALLOW

  5

  VPN

  IPSec-tunnel-flow

  ALLOW

  6

  VPN

  encrypt

  ALLOW

  My question is why this phenomenon happens and how solve us this problem?

  Thanks in advance, Sipke

  our running-config:

  : Saved

  :

  ASA Version 8.0 (4)

  !

  ciscoasa hostname

  domain somedomain

  activate the password - encrypted

  passwd - encrypted

  names of

  name 10.10.1.0 Hyperion

  name 164.140.159.x xxxx

  name 192.168.72.25 xxxx

  name 192.168.72.24 xxxx

  name 192.168.72.196 xxxx

  name 192.168.75.0 vpn clients

  name 213.206.236.0 xxxx

  name 143.47.160.0 xxxx

  name 141.143.32.0 xxxx

  name 141.143.0.0 xxxx

  name 192.168.72.27 xxxx

  name 10.1.11.0 xxxx

  name 10.1.2.240 xxxx

  name 10.1.1.0 xxxx

  name 10.75.2.1 xxxx

  name 10.75.2.23 xxxx

  name 192.168.72.150 xxxx

  name 192.168.33.0 xxxx

  name 192.168.72.26 xxxx

  name 192.168.72.5 xxxx

  name 192.168.23.0 xxxx

  name 192.168.34.0 xxxx

  name 79.143.218.35 inethost

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.72.254 255.255.255.0

  OSPF cost 10

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 193.173.x.x 255.255.255.240

  OSPF cost 10

  !

  interface Vlan3

  Shutdown

  nameif dmz

  security-level 50

  192.168.50.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan23

  nameif wireless

  security-level 80

  192.168.40.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  switchport access vlan 3

  !

  interface Ethernet0/6

  switchport access vlan 23

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS lookup field inside

  DNS server-group DefaultDNS

  domain pearle.local

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  object-group service RDP - tcp

  Remote Desktop Protocol Description

  EQ port 3389 object

  object-group service UDP - udp VC

  range of object-port 60000 60039

  object-group VC - TCP tcp service

  60000 60009 object-port Beach

  object-group service tcp Fortis

  1501 1501 object-port Beach

  Beach of port-object 1502-1502

  Beach of port-object sqlnet sqlnet

  1584 1584 object-port Beach

  1592 1592 object-port Beach

  object-group service tcp fortis

  1592 1592 object-port Beach

  Beach of port-object 1502-1502

  1584 1584 object-port Beach

  Beach of port-object sqlnet sqlnet

  1501 1501 object-port Beach

  1500 1500 object-port Beach

  the DM_INLINE_NETWORK_1 object-group network

  object-network 192.168.50.0 255.255.255.0

  object-network 192.168.72.0 255.255.255.0

  object-network 192.168.40.0 255.255.255.0

  object-network VPN_Pool_2 255.255.255.0

  the DM_INLINE_NETWORK_2 object-group network

  object-network 192.168.50.0 255.255.255.0

  object-network 192.168.72.0 255.255.255.0

  object-group network inside-networks

  object-network 192.168.72.0 255.255.255.0

  WingFTP_TCP tcp service object-group

  Secure FTP description

  port-object eq 989

  port-object eq 990

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq ftp

  port-object eq ftp - data

  Group object WingFTP_TCP

  DM_INLINE_TCP_2 tcp service object-group

  port-object eq ftp

  port-object eq ftp - data

  Group object WingFTP_TCP

  the DM_INLINE_NETWORK_3 object-group network

  object-network 192.168.72.0 255.255.255.0

  object-network VPN_Pool_2 255.255.255.0

  the DM_INLINE_NETWORK_4 object-group network

  object-network 192.168.72.0 255.255.255.0

  object-network VPN_Pool_2 255.255.255.0

  object-group network Oracle

  network-object OracleTwo 255.255.224.0

  network-object OracleOne 255.255.240.0

  network-object OracleThree 255.255.224.0

  the DM_INLINE_NETWORK_5 object-group network

  network-object Grandvision 255.255.255.0

  network-object Grandvision2 255.255.255.240

  object-network Grandvision3 255.255.255.0

  host of the object-Network Grandvision4

  host of the object-Network GrandVision_PC

  the DM_INLINE_NETWORK_6 object-group network

  network-object Grandvision 255.255.255.0

  network-object Grandvision2 255.255.255.240

  object-network Grandvision3 255.255.255.0

  host of the object-Network Grandvision4

  host of the object-Network GrandVision_PC

  the DM_INLINE_NETWORK_7 object-group network

  network-object Grandvision 255.255.255.0

  network-object Grandvision2 255.255.255.240

  object-network Grandvision3 255.255.255.0

  host of the object-Network GrandVision_PC

  the DM_INLINE_NETWORK_8 object-group network

  network-object Grandvision 255.255.255.0

  network-object Grandvision2 255.255.255.240

  object-network Grandvision3 255.255.255.0

  host of the object-Network GrandVision_PC

  object-group service DM_INLINE_SERVICE_2

  the purpose of the ip service

  EQ-3389 tcp service object

  the DM_INLINE_NETWORK_9 object-group network

  network-object OracleThree 255.255.0.0

  network-object OracleTwo 255.255.224.0

  network-object OracleOne 255.255.240.0

  object-group service DM_INLINE_SERVICE_3

  the purpose of the ip service

  EQ-3389 tcp service object

  Atera tcp service object-group

  Atera Webbased monitoring description

  8001 8001 object-port Beach

  8002 8002 object-port Beach

  8003 8003 object-port Beach

  WingFTP_UDP udp service object-group

  port-object eq 989

  port-object eq 990

  WingFTP tcp service object-group

  Description range of ports for the transmission of data

  object-port range 1024-1054

  HTTPS_redirected tcp service object-group

  Description redirect WingFTP Server

  port-object eq 40200

  Note to inside_access_in to access list ICMP test protocol inside outside

  inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any

  Note to inside_access_in to access list ICMP test protocol inside outside

  access-list inside_access_in note HTTP inside outside

  inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www

  access-list inside_access_in note queries DNS inside to outside

  inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field

  access-list inside_access_in note the HTTPS protocol inside and outside

  inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq

  Note to inside_access_in to access list ICMP test protocol inside outside

  access-list inside_access_in note 7472 Epo-items inside outside

  inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472

  access-list inside_access_in note POP3 inside outside

  inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3

  inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC

  inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323

  access-list inside_access_in note video conference services

  inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP

  inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any

  Note to inside_access_in to access list Fortis

  inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis

  access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any

  inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any

  inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www

  inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq

  inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list

  inside_access_in list extended access udp allowed any any eq isakmp

  inside_access_in list extended access udp allowed any any eq ntp

  inside_access_in list extended access udp allowed any any eq 4500

  inside_access_in list of allowed ip extended access any Oracle object-group

  inside_access_in list extended access udp allowed any any eq 10000

  access-list inside_access_in note PPTP inside outside

  inside_access_in list extended access permit tcp any any eq pptp

  access-list inside_access_in note WILL inside outside

  inside_access_in list extended access will permit a full

  Note to inside_access_in to access the Infrastructure of the RIM BES server list

  inside_access_in list extended access permit tcp host BESServer any eq 3101

  inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group

  inside_access_in list extended access permit tcp any any HTTPS_redirected object-group

  access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2

  inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194

  access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group

  access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any

  inside_access_in list extended access deny ip any any inactive debug log

  Note to outside_access_in to access list ICMP test protocol outside inside

  outside_access_in list extended access permit icmp any one

  access-list outside_access_in Note SMTP outside inside

  outside_access_in list extended access permit tcp any any eq smtp

  outside_access_in list extended access udp allowed any any eq ntp disable journal

  access-list outside_access_in note 7472 EPO-items outside inside

  outside_access_in list extended access permit tcp any any eq 7472

  outside_access_in list extended access permit tcp any any object-group inactive RDP

  outside_access_in list extended access permit tcp any any eq www

  outside_access_in list extended access permit tcp any any HTTPS_redirected object-group

  outside_access_in list extended access permitted tcp everything any https eq

  access-list outside_access_in note hyperion outside inside

  outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group

  outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow

  outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323

  outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP

  outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC

  outside_access_in of access allowed any ip an extended list

  outside_access_in list extended access udp allowed any any eq 4500

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list extended access udp allowed any any eq 10000

  outside_access_in list extended access will permit a full

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group

  outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive

  outside_access_in list extended access permit tcp any any Atera object-group

  outside_access_in list extended access deny ip any any inactive debug log

  outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip

  outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

  access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0

  inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240

  inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192

  inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0

  access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0

  access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group

  inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

  inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0

  access-list 200 scope allow tcp all fortis of fortis host object-group

  access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group

  outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip

  outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0

  Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.

  Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0

  Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0

  Comment by Wireless_access_in-list of the traffic Internet access

  Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any

  standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0

  splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0

  standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0

  splittunnelclientvpn list standard access allowed host 85.17.235.22

  splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0

  standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0

  splittunnelclientvpn list standard access allowed host inethost

  Standard access list SplittnlHyperion allow OracleThree 255.255.0.0

  Standard access list SplittnlOOD allow OracleThree 255.255.0.0

  Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0

  access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group

  outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0

  outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0

  192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow

  192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 dmz

  MTU 1500 wireless

  local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask

  mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  ASDM image disk0: / asdm - 613.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (wireless) 1 192.168.40.0 255.255.255.0

  public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02

  public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface

  public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255

  public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255

  public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255

  public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255

  public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255

  public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255

  public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255

  public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255

  public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255

  public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255

  public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255

  public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255

  public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255

  public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255

  public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255

  public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255

  public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255

  public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255

  public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255

  public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255

  public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255

  public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255

  public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255

  public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255

  public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255

  public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255

  public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255

  public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255

  public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255

  public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255

  public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255

  public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255

  public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255

  public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255

  public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255

  public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255

  public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255

  public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255

  public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255

  public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255

  public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255

  public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255

  public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)

  public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)

  public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)

  public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)

  static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Access-group Wireless_access_in in wireless interface

  Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1

  Route outside OracleThree 255.255.224.0 193.173.12.198 1

  Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1

  Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  AAA authentication LOCAL telnet console

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.40.0 255.255.255.0 Wireless

  http 192.168.1.0 255.255.255.0 inside

  http 192.168.72.0 255.255.255.0 inside

  http GrandVisionSoesterberg 255.255.255.0 inside

  SNMP-server host inside 192.168.33.29 survey community public version 2 c

  location of Server SNMP Schiphol

  contact Server SNMP SSmeekes

  SNMP-Server Public community

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

  cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

  card crypto outside_map0 1 match address outside_cryptomap_1

  outside_map0 card crypto 1jeu pfs

  outside_map0 card crypto 1jeu peer 212.78.223.182

  outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5

  outside_map0 map 1 lifetime of security association set seconds 28800 crypto

  card crypto outside_map0 1 set security-association life kilobytes 4608000

  card crypto game 2 outside_map0 address outside_cryptomap_2

  outside_map0 crypto map peer set 2 193.173.12.193

  card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

  life card crypto outside_map0 2 set security-association seconds 28800

  card crypto outside_map0 2 set security-association life kilobytes 4608000

  card crypto outside_map0 3 match address outside_1_cryptomap

  outside_map0 card crypto 3 set pfs

  outside_map0 card crypto 3 peers set 193.172.182.66

  outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA

  life card crypto outside_map0 3 set security-association seconds 28800

  card crypto outside_map0 3 set security-association life kilobytes 4608000

  card crypto outside_map0 game 4 address outside_cryptomap

  outside_map0 card crypto 4 peers set 213.56.81.58

  outside_map0 4 set transform-set GRANDVISION crypto card

  life card crypto outside_map0 4 set security-association seconds 28800

  card crypto outside_map0 4 set security-association life kilobytes 4608000

  card crypto outside_map0 5 match address outside_cryptomap_3

  outside_map0 card crypto 5 set pfs

  outside_map0 crypto card 5 peers set 86.109.255.177

  outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5

  life card crypto outside_map0 5 set security-association seconds 28800

  card crypto outside_map0 5 set security-association life kilobytes 4608000

  Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map0 interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP enable dmz

  crypto ISAKMP enable wireless

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.72.0 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.72.0 255.255.255.0 inside

  SSH GrandVisionSoesterberg 255.255.255.0 inside

  SSH 213.144.239.0 255.255.255.192 outside

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd dns 194.151.228.18 is 10.10.1.100

  dhcpd outside auto_config

  !

  dhcpd address 192.168.72.253 - 192.168.72.253 inside

  !

  dhcpd address dmz 192.168.50.10 - 192.168.50.50

  dhcpd enable dmz

  !

  dhcpd address wireless 192.168.40.10 - 192.168.40.99

  dhcpd dns 194.151.228.18 wireless interface

  dhcpd activate wireless

  !

  a basic threat threat detection

  host of statistical threat detection

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  Group Policy "pearle_vpn_Hyp only" internal

  attributes of Group Policy "pearle_vpn_Hyp only".

  value of server WINS 192.168.72.25

  value of server DNS 192.168.72.25

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list SplittnlHyperion

  Split-dns value pearle.local

  internal pearle_vpn_OOD_only group policy

  attributes of the strategy of group pearle_vpn_OOD_only

  value of Split-tunnel-network-list SplittnlOOD

  internal pearle_vpn group policy

  attributes of the strategy of group pearle_vpn

  value of server WINS 192.168.72.25

  value of server DNS 192.168.72.25

  Protocol-tunnel-VPN IPSec l2tp ipsec svc

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list splittunnelclientvpn

  Pearle.local value by default-field

  Split-dns value pearle.local

  username anyone password encrypted password

  username something conferred

  VPN-group-policy pearle_vpn_OOD_only

  type of remote access service

  tunnel-group 193 type ipsec-l2l

  tunnel-group 193 ipsec-attributes

  pre-shared-key *.

  tunnel-group 193.173.12.193 type ipsec-l2l

  IPSec-attributes tunnel-group 193.173.12.193

  pre-shared-key *.

  NOCHECK Peer-id-validate

  type tunnel-group pearle_vpn remote access

  tunnel-group pearle_vpn General-attributes

  address pool VPN_Range_2

  Group Policy - by default-pearle_vpn

  pearle_vpn group of tunnel ipsec-attributes

  pre-shared-key *.

  type tunnel-group Pearle_VPN_2 remote access

  attributes global-tunnel-group Pearle_VPN_2

  address pool VPN_Range_2

  strategy-group-by default "pearle_vpn_Hyp only".

  IPSec-attributes tunnel-group Pearle_VPN_2

  pre-shared-key *.

  tunnel-group 213.56.81.58 type ipsec-l2l

  IPSec-attributes tunnel-group 213.56.81.58

  pre-shared-key *.

  tunnel-group 212.78.223.182 type ipsec-l2l

  IPSec-attributes tunnel-group 212.78.223.182

  pre-shared-key *.

  tunnel-group 86.109.255.177 type ipsec-l2l

  IPSec-attributes tunnel-group 86.109.255.177

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb

  : end

  ASDM image disk0: / asdm - 613.bin

  ASDM BESServer 255.255.255.255 inside location

  ASDM VPN_Pool_2 255.255.255.0 inside location

  ASDM OracleTwo 255.255.224.0 inside location

  ASDM OracleOne 255.255.240.0 inside location

  ASDM OracleThree 255.255.224.0 inside location

  ASDM location Exchange2010 255.255.255.255 inside

  ASDM location Grandvision 255.255.255.0 inside

  ASDM Grandvision2 255.255.255.240 inside location

  ASDM Grandvision3 255.255.255.0 inside location

  ASDM Grandvision4 255.255.255.255 inside location

  ASDM GrandVision_PC 255.255.255.255 inside location

  ASDM location LanSweep-XP 255.255.255.255 inside

  ASDM GrandVisionSoesterberg 255.255.255.0 inside location

  ASDM location Pearle-DC02 255.255.255.255 inside

  ASDM location Pearle-WDS 255.255.255.255 inside

  ASDM location Swabach 255.255.255.0 inside

  ASDM GrandVisionSoesterberg2 255.255.255.0 inside location

  don't allow no asdm history

  Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?

  If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.

  NAT (outside) 1 192.168.75.0 255.255.255.0

• client ipSec VPN and NAT on the router Cisco = FAIL

  I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client.  The same router is NAT.

  ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

  Suggestions?

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group myclient

  key password!

  DNS 1.1.1.1

  Domain name

  pool myVPN

  ACL 111

  !

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  market arriere-route

  !

  !
  list of card crypto clientmap client VPN - AAA authentication
  card crypto clientmap AAA - VPN isakmp authorization list
  client configuration address map clientmap crypto answer
  10 ipsec-isakmp crypto map clientmap Dynamics dynmap
  !

  interface Loopback0
  IP 10.88.0.1 255.255.255.0
  !
  interface GigabitEthernet0/0
  / / DESC it's external interface

  IP 192.168.168.5 255.255.255.0
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  media type rj45
  clientmap card crypto
  !
  interface GigabitEthernet0/1

  / / DESC it comes from inside interface
  10.0.1.10 IP address 255.255.255.0
  IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">
  IP virtual-reassembly
  the route cache same-interface IP
  automatic duplex
  automatic speed
  media type rj45

  !

  IP local pool myVPN 10.88.0.2 10.88.0.10

  p route 0.0.0.0 0.0.0.0 192.168.168.1
  IP route 10.0.0.0 255.255.0.0 10.0.1.4
  !

  IP nat inside source list 1 interface GigabitEthernet0/0 overload
  !
  access-list 1 permit 10.0.0.0 0.0.255.255
  access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
  access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

  Hello

  I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool

  For example, to do this kind of configuration, ACL and NAT

  Note access-list 100 NAT0 customer VPN
  

  access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
  

  Note access-list 100 default PAT for Internet traffic
  

  access-list 100 permit ip 10.0.1.0 0.0.0.255 ay

  overload of IP nat inside source list 100 interface GigabitEthernet0/0

  
  EDIT: seem to actually you could have more than 10 networks behind the router

  Then you could modify the ACL on this

  Note access-list 100 NAT0 customer VPN
  

  access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
  

  Note access-list 100 default PAT for Internet traffic
  

  access-list 100 permit ip 10.0.1.0 0.0.255.255 ay

  Don't forget to mark the answers correct/replys and/or useful answers to rate

  -Jouni

• L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

  Hi all

  My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

  I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

  company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

  where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

  I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

  ! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
  crypto ISAKMP policy 5
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  lifetime 28800
  isakmp encryption key * address no.-xauth y.y.y.y

  ! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
  crymap extended IP access list
  IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
  Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
  card crypto 1 TUNNEL VPN ipsec-isakmp
  defined peer y.y.y.y
  game of transformation-ESP-3DES-SHA
  match the address crymap

  Gi0/2 interface
  card crypto VPN TUNNEL

  Hello

  debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

  What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

  So I suggest:

  no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

  Then try tunnel initiate.

  Kind regards

  Jan

• ASA ASA from Site to Site VPN IPSec Tunnel

  Any help would be greatly appreciated...

  I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.

  Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24

  Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24

  Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.

  Internet access works very well in all workstations of this site.  A static route is configured to redirect all traffic to a public router upstream.

  Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address.  A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private Public NAT.  Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)

  The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem.  However, all traffic passing on networks ICMP does not end and the Syslog reports the following-

  Site #1-

  6

  January 19, 2011

  15:27:21

  302020

  ZEFF-SB-01_LAN

  1

  10.1.1.51

  0

  Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  6

  January 19, 2011

  15:27:23

  302021

  10.1.1.51

  0

  ZEFF-SB-01_LAN

  1

  Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  Site #2-

  6

  January 19, 2011

  15:24:47

  302020

  10.1.1.51

  0

  10.0.0.30

  1

  Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

  6

  January 19, 2011

  15:24:49

  302021

  10.0.0.30

  1

  10.1.1.51

  0

  Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP

  It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow segments of LAN out to any destination.  At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).

  Anyone can shed light on a possible cause of this problem?

  Thank you

  Nick

  did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?

  Please provide the following information

  -set up the tunnel

  -show the isa cry his

  -show the ipsec cry his

  -ping of the site 1 site 2 via tunnel

  -capture "crypto ipsec to show his" once again

  -ping from site 2 to 1 by the tunnel of the site

  -capture "crypto ipsec to show his" once again

  -two ASA configuration.

• Impossible to access them Internert through the split tunneling VPN client.

  I divided tunnel configured on a PIX 515. The remote VPN client connects to the PIX very well and can ping hosts on the internal network, but cannot access the Internet. Am I missing something? My config as shown below.

  In addition, I don't see the routes on the VPN client via statistics (screenshot below)

  

  All opinions are appreciated.

  Rob

  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  8.0 (3) version PIX

  !

  hostname PIX-to-250

  enable the encrypted password xxxxx

  names of

  !

  interface Ethernet0

  nameif outside

  security-level 0

  IP address x.x.x.250 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  IP 192.168.9.1 255.255.255.0

  !

  XXXXX encrypted passwd

  passive FTP mode

  DNS domain-lookup outside

  DNS server-group Ext_DNS

  Server name 194.72.6.57

  Server name 194.73.82.242

  the LOCAL_LAN object-group network

  object-network 192.168.9.0 255.255.255.0

  object-network 192.168.88.0 255.255.255.0

  Internet_Services tcp service object-group

  port-object eq www

  area of port-object eq

  EQ object of the https port

  port-object eq ftp

  EQ object of port 8080

  port-object eq telnet

  the WAN_Network object-group network

  object-network 192.168.200.0 255.255.255.0

  ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field

  ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper

  ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services

  access-list extended ACLIN all permit icmp any what newspaper echo-reply

  access-list extended ACLIN all permit icmp any how inaccessible journal

  access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time

  Comment by split_tunnel_list-LAN Local access list

  split_tunnel_list list standard access allowed 192.168.9.0 255.255.255.0

  access-list extended SHEEP allowed object-group ip LOCAL_LAN 192.168.100.0 255.255.255.0

  pager lines 24

  Enable logging

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool testvpn 192.168.100.1 - 192.168.100.99

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list SHEEP

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group ACLIN in interface outside

  ACLOUT access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

  Route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

  Route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-sha-hmac Set_1

  Crypto-map dynamic outside_dyn_map 10 game of transformation-Set_1

  life together - the association of security crypto dynamic-map outside_dyn_map 10 seconds 280000

  Crypto-map dynamic outside_dyn_map 10 the value reverse-road

  outside_map 10 card crypto ipsec-isakmp dynamic outside_dyn_map

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  crypto ISAKMP policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  internal testvpn group policy

  attributes of the strategy of group testvpn

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  name of user testuser encrypted password xxxxxx

  type tunnel-group testvpn remote access

  tunnel-group testvpn General-attributes

  address testvpn pool

  Group Policy - by default-testvpn

  testvpn group of tunnel ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

  : end

  # 250 A - PIX

  You have not assigned the ACL split tunnel to your strategy.

  PLS, configure the following:

  attributes of the strategy of group testvpn

  value of Split-tunnel-network-list split_tunnel_list

• Configuration of the client VPN IPSEC IOS question

  Hello all, I just can't get my IOS Firewall to accept a client based vpn IPSEC connection. The Cisco client comes to expiration and Im never disputed a username and password. I checked my group and a pre-shared on the client and the router. I put my relevant config below. Any help would be greatly appreciated.

  version 12.4

  boot system flash: uc500-advipservicesk9 - mz.124 - 24.T.bin

  AAA new-model

  !

  !

  AAA authentication login default local

  radius of group AAA authentication login userauthen

  AAA authorization exec default local

  radius of group AAA authorization network groupauthor

  inspect the IP tcp outgoing name

  inspect the IP udp outgoing name

  inspect the name icmp outgoing IP

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  Configuration group customer isakmp crypto SMOVPN

  key xxxxx

  DNS 192.168.10.2

  business.local field

  pool vpnpool

  ACL 108

  Crypto isakmp VPNclient profile

  match of group identity SMOVPN

  client authentication list default

  Default ISAKMP authorization list

  client configuration address respond

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  Define VPNclient isakmp-profile

  market arriere-route

  !

  !

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap crypto answer

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  interface FastEthernet0/0

  IP 11.11.11.10 255.255.255.252

  IP access-group outside_in in

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  NAT outside IP

  inspect the outgoing IP outside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  clientmap card crypto

  IP local pool vpnpool 192.168.109.1 192.168.109.254

  IP nat inside source list 1 interface FastEthernet0/0 overload

  outside_in extended IP access list

  permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp

  allow any host 74.143.215.138 esp

  allow any host 74.143.215.138 eq isakmp udp

  allow any host 74.143.215.138 eq non500-isakmp udp

  allow any host 74.143.215.138 ahp

  allow accord any host 74.143.215.138

  access-list 1 permit 192.168.10.0 0.0.0.255

  access-list 1 permit 10.1.1.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

  Here are a few suggestions:

  change this:

  radius of group AAA authorization network groupauthor

  for this

  AAA authorization groupauthor LAN

  (unless you use the group permission for your radius server you need local)

  Choose either on ISAKMP profiles and if you decide to go with and then get rid of these lines:

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap crypto answer

  AND change the following items on your profile isakmp:

  Crypto isakmp VPNclient profile

  ISAKMP authorization list groupauthor

  Also if you'll use a list for user authentication, I advise you to avoid using the default list so go ahead and change it too much under the isakmp profile

  client authentication list userauthen.

  If you do not use isakmp profiles change the following:

  No crypto isakmp VPNclient profile

  Crypto-map dynamic dynmap 10

  No VPNclient set isakmp-profile

• Cisco's VPN IPSec help please

  Hi all

  I have 3 sites, the main site has a cisco firewall mikrotik router.

  There is a vpn ipsec existing between the cisco router and another router cisco on the site of the 2nd and it works well.

  Now, I've added an another vpn between a 3rd site and main site. The router on the 3rd site is a mikrotik firewall.

  I had the vpn on the main site and the 3rd site where the mikrotik firewall is and it worked well.

  then for some reason, the vpn with the 3rd site has failed and I could not get it working again.

  When looking for answers, I see that the vpn for the 3rd site States the following:

  #pkts program: 46, #pkts encrypt: 46, #pkts digest: 46
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  It seems that no traffic is coming back to the cisco

  I also found the following output below to diagnose the problem.

  It seems that there is communication, but if I read this right, it looks like the cisco established a new number but the other end is not the new number

  new node-1868419487

  node-1868419487 error suppression FALSE "Information (in) condition 1" pattern

  Any help would be appreciated.

  * 02:49:51.911 Jul 22: ISAKMP: (2060): purge the node-1140469772

  * 02:49:59.723 Jul 22: ISAKMP: DPD received message KMI.

  * 02:49:59.723 Jul 22: ISAKMP: node set 1053074288 to QM_IDLE

  * 02:49:59.723 Jul 22: ISAKMP: (2060): Protocol for sending INFORMER DPD/R_U_THERE 1

  SPI 2273844328, message ID = 1053074288

  * 02:49:59.723 Jul 22: ISAKMP: (2060): seq. no 0x645EC368

  * 02:49:59.723 Jul 22: ISAKMP: (2060): my_port of x.x.x.127 package sending 5

  peer_port 00 500 (R) QM_IDLE

  * 02:49:59.723 Jul 22: ISAKMP: (2060): sending a packet IPv4 IKE.

  * 02:49:59.723 Jul 22: ISAKMP: (2060): purge the node 1053074288

  * 02:49:59.767 Jul 22: ISAKMP (2060): packet received dport x.x.x.127

  500 sport Global 500 (R) QM_IDLE

  * 02:49:59.767 Jul 22: ISAKMP: node set-1868419487 to QM_IDLE

  * 02:49:59.771 Jul 22: ISAKMP: (2060): HASH payload processing. Message ID = 24265

  47809

  * 02:49:59.771 Jul 22: ISAKMP: (2060): treatment of the NOTIFY DPD/R_U_THERE_ACK protoco

  l 1

  0, message ID SPI = 2426547809, a = 0x8705F854

  * 02:49:59.771 Jul 22: ISAKMP: (2060): DPO/R_U_THERE_ACK received from the peer 125,23

  6.211.127, sequence 0x645EC368

  * 02:49:59.771 Jul 22: ISAKMP: (2060): node-1868419487 FALSE reason for deletion error

  "Information (in) condition 1"

  * 02:49:59.771 Jul 22: ISAKMP: (2060): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

  * 02:49:59.771 Jul 22: ISAKMP: (2060): former State = new State IKE_P1_COMPLETE = IKE

  _P1_COMPLETE

  * 02:50:01.111 Jul 22: ISAKMP: (2060): purge the node-1201068805

  Comparing encrypt of 46 to 47436 counters, it seems that router is ecncrypting the traffic, but we do not get any interesting traffic on the remote side.

  Most likely, you might want to check on the remote site, if you see counters increment in parallel decryption and encryption of the counters are incrementing or not.

  On the router IOS, if are incrementing counters encrypt, and confirm that you have not any tunnel existing before the router can be seen same proxy IDs, which is already negotiated with other peer.

  Finally, please make sure that the ESP, 50 protocol traffic is not blocked in transit.
  I hope this helps.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• basic configuration question IPSec GRE

  

  the Sub test config has been entered at R1 (router left mostly). R4 has a similar to the inverse IP address config. R1 is able to ping R4 loopback at the present time.

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 2
  life 120
  address of cisco crypto isakmp 203.115.34.4 keys
  !
  !
  Crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp - aes
  !
  MY_MAP 10 ipsec-isakmp crypto map
  defined by peer 203.115.34.4
  game of transformation-MY_TRANSFORM
  match address 100
  !
  !
  !
  !
  interface Loopback0
  192.168.10.1 IP address 255.255.255.255
  !
  interface Tunnel0
  IP 192.168.14.1 255.255.255.0
  source of tunnel Serial1/2
  tunnel destination 203.115.34.4
  card crypto MY_MAP

  !

  !
  interface Serial1/2
  IP 203.115.12.1 255.255.255.0
  series 0 restart delay
  !
  !
  Router eigrp 100
  network 192.168.0.0 0.0.255.255
  Auto-resume
  !
  router ospf 100
  router ID 1.1.1.1
  Log-adjacency-changes
  network 203.115.0.0 0.0.255.255 area 0
  !

  !

  access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect

  !

  !

  I see cisco samples configurations include an access list entry as follows...

  access-list 100 permit gre 203.115.12.1 host 203.115.34.4

  I understand the purpose of the ACL above regarding the test configuration that I posted here.

  Let me explain.

  LAN - router - WAN - router - LAN

  Communication between the two LANs can be on a GRE tunnel to an IPsec tunnel or IPsec/GRE tunnel.

  If you simply want to communicate between them unicast IP traffic, IPsec is recommended because it will encrypt the traffic.

  If you need non-unicast or non - IP traffic through, then you can create a GRE tunnel.

  If you want IPsec encryption for the GRE tunnel and then configure IPsec/GRE.

  The ACL you mention will not work because the GRE traffic is only between tunnel endpoints.

  The traffic that flows between local networks is the IP (not the GRE traffic) traffic where a permit GRE ACL will not work.

  It will be useful.

  Federico.