UC520 VPN Site-to-Site

Hi all

I have a very weird problem (at least for me)

I have a UC520 connected to an ASA5510 via the VPN Site to Site.

I can ping from clients behind customer UC520 behind ASA5510.

I can ping from clients behind ASA5510 customer behind UC520

I can access services (such as RDP) clients behind customer UC520 behind ASA5510

I can't go to services (such as RDP, HTTP) clients behind customer ASA5510 behind UC520

Does anyone have an idea where I should look? I tried to remove any access list by (temporarily) to a permit ip everything any line in these.

I think it must be some sort of NAT problem, but I'm not sure.

Thanks in advance

You said your UC logs revealed nothing trying to connect a.11 et.12, this means that traffic is never achieved to the CPU at all, got to the UC and was abandoned before entering the LAN or traffic got to the hosts but never returned.

Internal hosts to other outgoing routes defined on them (unlikely but possible), and you can check that traffic is through the UC outside interface at least?

Tags: Cisco Support

Similar Questions

  • Use the remote website via VPN site-to-site

    Hi all

    We have two sites, the site has and B. At site A, we have a Web site we want to share with all of site B. Currently, site B can access the site via the VPN site-to site on X 0, which is their LAN. Nothing outside X 0 cannot access or ping to the address.

    We added access rules to allow access from the DMZ to this interface, but again, no ping and no communication at all. The other strange thing is that we see that no trip package for these access rules either.

    Any help is appreciated. Thank you.

    It seems that the demilitarized zone is not part of the VPN tunnel.

    Can you confirm that the DMZ subnet is part of local destinations on the site B and a part of the local destinations on site?

    Kevin

  • Cisco ASA 5505 VPN Site to Site

    Hi all

    First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

    I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

    Please see details below:

    Two ADMS are 7.1

    IOS

    ASA 1

    Nadia

    :

    ASA Version 9.0 (1)

    !

    hostname PAYBACK

    activate the encrypted password of HSMurh79NVmatjY0

    volatile xlate deny tcp any4 any4

    volatile xlate deny tcp any4 any6

    volatile xlate deny tcp any6 any4

    volatile xlate deny tcp any6 any6

    volatile xlate deny udp any4 any4 eq field

    volatile xlate deny udp any4 any6 eq field

    volatile xlate deny udp any6 any4 eq field

    volatile xlate deny udp any6 any6 eq field

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    link Trunk Description of SW1

    switchport trunk allowed vlan 1,10,20,30,40

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    No nameif

    no level of security

    no ip address

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 92.51.193.158 255.255.255.252

    !

    interface Vlan10

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan20

    nameif servers

    security-level 100

    address 192.168.20.1 255.255.255.0

    !

    Vlan30 interface

    nameif printers

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan40

    nameif wireless

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    !

    connection line banner welcome to the Payback loyalty systems

    boot system Disk0: / asa901 - k8.bin

    passive FTP mode

    summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    domain-lookup DNS servers

    DNS lookup domain printers

    DNS domain-lookup wireless

    DNS server-group DefaultDNS

    Server name 83.147.160.2

    Server name 83.147.160.130

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    ftp_server network object

    network of the Internal_Report_Server object

    Home 192.168.20.21

    Description address internal automated report server

    network of the Report_Server object

    Home 89.234.126.9

    Description of server automated reports

    service object RDP

    service destination tcp 3389 eq

    Description RDP to the server

    network of the Host_QA_Server object

    Home 89.234.126.10

    Description QA host external address

    network of the Internal_Host_QA object

    Home 192.168.20.22

    host of computer virtual Description for QA

    network of the Internal_QA_Web_Server object

    Home 192.168.20.23

    Description Web Server in the QA environment

    network of the Web_Server_QA_VM object

    Home 89.234.126.11

    Server Web Description in the QA environment

    service object SQL_Server

    destination eq 1433 tcp service

    network of the Demo_Server object

    Home 89.234.126.12

    Description server set up for the product demo

    network of the Internal_Demo_Server object

    Home 192.168.20.24

    Internal description of the demo server IP address

    network of the NETWORK_OBJ_192.168.20.0_24 object

    subnet 192.168.20.0 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_26 object

    255.255.255.192 subnet 192.168.50.0

    network of the NETWORK_OBJ_192.168.0.0_16 object

    Subnet 192.168.0.0 255.255.0.0

    service object MSSQL

    destination eq 1434 tcp service

    MSSQL port description

    VPN network object

    192.168.50.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_24 object

    192.168.50.0 subnet 255.255.255.0

    service object TS

    tcp destination eq 4400 service

    service of the TS_Return object

    tcp source eq 4400 service

    network of the External_QA_3 object

    Home 89.234.126.13

    network of the Internal_QA_3 object

    Home 192.168.20.25

    network of the Dev_WebServer object

    Home 192.168.20.27

    network of the External_Dev_Web object

    Home 89.234.126.14

    network of the CIX_Subnet object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_84.39.233.50 object

    Home 84.39.233.50

    network of the NETWORK_OBJ_92.51.193.158 object

    Home 92.51.193.158

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    the tcp destination eq ftp service object

    the purpose of the tcp destination eq netbios-ssn service

    the purpose of the tcp destination eq smtp service

    service-object TS

    the Payback_Internal object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    service-object TS

    service-object, object TS_Return

    object-group service DM_INLINE_SERVICE_4

    service-object RDP

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    object-group service DM_INLINE_SERVICE_5

    purpose purpose of the MSSQL service

    service-object RDP

    service-object TS

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service DM_INLINE_SERVICE_6

    service-object TS

    service-object, object TS_Return

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    Note to outside_access_in to access list that this rule allows Internet the interal server.

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-list of FTP access

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list of SMTP access

    Note to outside_access_in to access list Net Bios

    Comment from outside_access_in-SQL access list

    Comment from outside_access_in-list to access TS - 4400

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

    access host access-list outside_access_in note rule internal QA

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

    Notice on the outside_access_in of the access-list access to the internal Web server:

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

    Note to outside_access_in to access list rule allowing access to the demo server

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list to access MSSQL

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

    Note to outside_access_in access to the development Web server access list

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

    AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

    AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

    Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

    permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

    pager lines 24

    Enable logging

    information recording console

    asdm of logging of information

    address record

    [email protected] / * /.

    the journaling recipient

    [email protected] / * /.

    level alerts

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 servers

    MTU 1500 printers

    MTU 1500 wireless

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-711 - 52.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (wireless, outdoors) source Dynamics one interface

    NAT (servers, outside) no matter what source dynamic interface

    NAT (servers, external) static source Internal_Report_Server Report_Server

    NAT (servers, external) static source Internal_Host_QA Host_QA_Server

    NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

    NAT (servers, external) static source Internal_Demo_Server Demo_Server

    NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    NAT (servers, external) static source Internal_QA_3 External_QA_3

    NAT (servers, external) static source Dev_WebServer External_Dev_Web

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 84.39.233.50
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 192.168.10.0 255.255.255.0 inside
    SSH 192.168.40.0 255.255.255.0 wireless
    SSH timeout 5
    Console timeout 0

    dhcpd 192.168.0.1 dns
    dhcpd outside auto_config
    !
    dhcpd address 192.168.10.21 - 192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    paybackloyalty.com dhcpd option 15 inside ascii interface
    dhcpd allow inside
    !
    dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
    dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
    dhcpd update dns of the wireless interface
    dhcpd option 15 ascii paybackloyalty.com wireless interface
    dhcpd activate wireless
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal Payback_VPN group strategy
    attributes of Group Policy Payback_VPN
    VPN - 10 concurrent connections
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
    attributes of Group Policy DfltGrpPolicy
    value of 83.147.160.2 DNS server 83.147.160.130
    VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
    internal GroupPolicy_84.39.233.50 group strategy
    attributes of Group Policy GroupPolicy_84.39.233.50
    VPN-tunnel-Protocol ikev1, ikev2
    Noelle XB/IpvYaATP.2QYm username encrypted password
    Noelle username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
    Éanna attributes username
    VPN-group-policy Payback_VPN
    type of remote access service
    Michael qpbleUqUEchRrgQX of encrypted password username
    user name Michael attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
    user name Danny attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
    user name Aileen attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
    Aidan username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    shane.c iqGMoWOnfO6YKXbw encrypted password username
    username shane.c attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Shane uYePLcrFadO9pBZx of encrypted password username
    user name Shane attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, encrypted James TdYPv1pvld/hPM0d password
    user name James attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Mark yruxpddqfyNb.qFn of encrypted password username
    user name brand attributes
    type of service admin
    username password of Mary XND5FTEiyu1L1zFD encrypted
    user name Mary attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
    Massimo username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    type tunnel-group Payback_VPN remote access
    attributes global-tunnel-group Payback_VPN
    VPN1 address pool
    Group Policy - by default-Payback_VPN
    IPSec-attributes tunnel-group Payback_VPN
    IKEv1 pre-shared-key *.
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 General-attributes
    Group - default policy - GroupPolicy_84.39.233.50
    IPSec-attributes tunnel-group 84.39.233.50
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the pptp
    inspect the rsh
    inspect the rtsp
    inspect the sip
    inspect the snmp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect xdmcp
    inspect the icmp error
    inspect the icmp
    !
    service-policy-international policy global
    192.168.20.21 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0 (1)

    !

    Payback-CIX hostname

    activate the encrypted password of HSMurh79NVmatjY0

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    Description this port connects to the local network VIRTUAL 100

    switchport access vlan 100

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    switchport access vlan 100

    !

    interface Ethernet0/4

    switchport access vlan 100

    !

    interface Ethernet0/5

    switchport access vlan 100

    !

    interface Ethernet0/6

    switchport access vlan 100

    !

    interface Ethernet0/7

    switchport access vlan 100

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 84.39.233.50 255.255.255.240

    !

    interface Vlan100

    nameif inside

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    banner welcome to Payback loyalty - CIX connection line

    passive FTP mode

    summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    DNS server-group defaultDNS

    Name-Server 8.8.8.8

    Server name 8.8.4.4

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the host-CIX-1 object

    host 192.168.100.2

    Description This is the VM server host machine

    network object host-External_CIX-1

    Home 84.39.233.51

    Description This is the external IP address of the server the server VM host

    service object RDP

    source between 1-65535 destination eq 3389 tcp service

    network of the Payback_Office object

    Home 92.51.193.158

    service object MSQL

    destination eq 1433 tcp service

    network of the Development_OLTP object

    Home 192.168.100.10

    Description for Eiresoft VM

    network of the External_Development_OLTP object

    Home 84.39.233.52

    Description This is the external IP address for the virtual machine for Eiresoft

    network of the Eiresoft object

    Home 146.66.160.70

    Contractor s/n description

    network of the External_TMC_Web object

    Home 84.39.233.53

    Description Public address to the TMC Web server

    network of the TMC_Webserver object

    Home 192.168.100.19

    Internal description address TMC Webserver

    network of the External_TMC_OLTP object

    Home 84.39.233.54

    External targets OLTP IP description

    network of the TMC_OLTP object

    Home 192.168.100.18

    description of the interal target IP address

    network of the External_OLTP_Failover object

    Home 84.39.233.55

    IP failover of the OLTP Public description

    network of the OLTP_Failover object

    Home 192.168.100.60

    Server failover OLTP description

    network of the servers object

    subnet 192.168.20.0 255.255.255.0

    being Wired network

    192.168.10.0 subnet 255.255.255.0

    the subject wireless network

    192.168.40.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the Eiresoft_2nd object

    Home 137.117.217.29

    Description 2nd Eiresoft IP

    network of the Dev_Test_Webserver object

    Home 192.168.100.12

    Description address internal to the Test Server Web Dev

    network of the External_Dev_Test_Webserver object

    Home 84.39.233.56

    Description This is the PB Dev Test Webserver

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_2

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_3

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_4

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_5

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_6

    service-object MSQL

    service-object RDP

    the Payback_Intrernal object-group network

    object-network servers

    Wired network-object

    wireless network object

    object-group service DM_INLINE_SERVICE_7

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_8

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_9

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_10

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_11

    service-object RDP

    the tcp destination eq ftp service object

    outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

    Note to access list OLTP Development Office of recovery outside_access_in

    outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

    Comment from outside_access_in-access Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

    Note to outside_access_in access to OLTP for target recovery Office Access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

    Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

    outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

    Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

    outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

    Note to outside_access_in access from the 2nd IP Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

    outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

    NAT (inside, outside) static source Development_OLTP External_Development_OLTP

    NAT (inside, outside) static source TMC_Webserver External_TMC_Web

    NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

    NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

    NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 92.51.193.156 255.255.255.252 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

    All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    being REMOTE-LAN network

    255.255.255.0 subnet 192.168.100.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

    Other suggestions

    These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

    PAT-SOURCE network object-group

    source networks internal PAT Description

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    no nat (wireless, outdoors) source Dynamics one interface

    no nat (servers, outside) no matter what source dynamic interface

    The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

    Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

    network of the SERVERS object

    subnet 192.168.20.0 255.255.255.0

    network of the VPN-POOL object

    192.168.50.0 subnet 255.255.255.0

    NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

    no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    ASA2

    Minimal changes

    the object of the LAN network

    255.255.255.0 subnet 192.168.100.0

    being REMOTE-LAN network

    192.168.10.0 subnet 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM.

    Other suggestions

    PAT-SOURCE network object-group

    object-network 192.168.100.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

    Hope this makes any sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • VPN site to Site from one-way data (need help)

    Hello

    Scenario:

    VPN site to Site with Cisco 837 routers:

    Place: Clients and printers

    Site B: server queues and Print

    Site A can communicate via VPN using RDP to site B, very well.

    Question:

    Site B cannot send print jobs to printers on the Site A. also unable to telnet and other access devices on the Site A of the Site (B) Pings work correctly but to all devices.

    Debugging on site an access-list 110 showed no response traffic to the Site B via the VPN?

    I tried change ip tcp adjust 1452 but not good...

    Attached configs.

    An IOS - c837-k9o3y6 - mz.123 - 4.T3.bin site

    SITE B IOS - c837-k9o3sy6 - mz.123 - 2.XC2.bin

    Any help would be appreciated.

    Thank you very much...

    Thank you for including the configs and IOS versions. Looks like you hit a bug known to FW IOS (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), you can perform debugging as described in details to see for sure. It is difficult to understand what router would be the culprit in a scenario when both run on a tunnel L2L CBAC, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections are not.

    I would upgrade TWO routers to be the same version anyway, you encounter far fewer problems in this way, but make sure that you upgrade to one fixed-In version (or later version), has to work around the problem.

  • VPN site to Site with restrictions (vpn-filter)

    VPN site to site, I installed and it works fine and two site can meet but I question after the vpn enforcement - run under Group Policy

    restrict users in the local site for dial-up networking with specific tcp ports, the vpn does not not like after order question «sh l2l vpn-sessiondb»

    This works but users can't access something in the remote site

    Note > after rising online in ACL at the end with this

    US_SITE ip access list allow a whole

    new to works well again

    example of a line of Access-List

    US_SITE list extended access permit tcp host 10.68.22.50 host 192.168.10.23 HTTP_HTTPS object-group
    US_SITE list extended access permit tcp host 10.68.22.50 host 192.168.10.24 HTTP_HTTPS object-group

    local network: 10.68.22.50

    remote network: 192.168.10.24

    is that correct or not?

    attributes of the strategy group x.x.x.x
    value of VPN-filer US_SITE

    tunnel-group General y.y.y.y
    x.x.x.x by default-group-policy

    Note: allowed sysopt active vpn connection

    The syntax on ACL that is used as a vpn-filter is different from what is normally expected. These VPN filters is not a direction, it should be noted the traffic we want to allow incoming and outgoing of the VPN in an ACL. The syntax for this is:

    access-list X permit/deny REMOTE-DEFINITION LOCAL-DEFINITION

    Example: You want to allow local users to access the RDP on the remote site:

    access-list VPN-ACL permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0
    Disadvantage: This is all really confusing, and you can't afford things like Ping in one direction.
  • Problem with the VPN site to site for the two cisco asa 5505

    Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

    Cisco Config asa1

    interface Ethernet0/0
    switchport access vlan 1
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Vlan1
    nameif outside
    security-level 0
    IP address 172.xxx.xx.4 255.255.240.0
    !
    interface Vlan2
    nameif inside
    security-level 100
    IP 192.168.60.2 255.255.255.0
    !
    passive FTP mode
    network of the Lan_Outside object
    192.168.60.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    network of the NETWORK_OBJ_192.168.60.0_24 object
    192.168.60.0 subnet 255.255.255.0
    object-group Protocol DM_INLINE_PROTOCOL_1
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_2
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_3
    ip protocol object
    icmp protocol object
    Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
    Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
    Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
    network of the Lan_Outside object
    NAT (inside, outside) interface dynamic dns
    Access-group Outside_access_in in interface outside
    Inside_access_in access to the interface inside group
    Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    Enable http server
    http 192.168.60.0 255.255.255.0 inside
    http 96.xx.xx.222 255.255.255.255 outside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap
    card crypto Outside_map 1 set peer 96.88.75.222
    card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    inside access management

    dhcpd address 192.168.60.50 - 192.168.60.100 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    AnyConnect essentials
    internal GroupPolicy_96.xx.xx.222 group strategy
    attributes of Group Policy GroupPolicy_96.xx.xx.222
    VPN-tunnel-Protocol ikev1, ikev2
    username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
    tunnel-group 96.xx.xx.222 type ipsec-l2l
    tunnel-group 96.xx.xx.222 General-attributes
    Group - default policy - GroupPolicy_96.xx.xx.222
    96.XX.XX.222 group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco ASA 2 config

    interface Ethernet0/0
    switchport access vlan 1
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Vlan1
    nameif outside
    security-level 0
    IP address 96.xx.xx.222 255.255.255.248
    !
    interface Vlan2
    nameif inside
    security-level 100
    IP 192.168.1.254 255.255.255.0
    !
    passive FTP mode
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    network of the Lan_Outside object
    subnet 192.168.1.0 255.255.255.0
    network of the NETWORK_OBJ_192.168.60.0_24 object
    192.168.60.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    object-group Protocol DM_INLINE_PROTOCOL_1
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_2
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_3
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_4
    ip protocol object
    icmp protocol object
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
    Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
    Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
    !
    network of the Lan_Outside object
    dynamic NAT (all, outside) interface
    Access-group Outside_access_in in interface outside
    Inside_access_in access to the interface inside group
    Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    http 172.xxx.xx.4 255.255.255.255 outside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap
    card crypto Outside_map 1 set peer 172.110.74.4
    card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0

    dhcpd address 192.168.1.50 - 192.168.1.100 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    AnyConnect essentials
    internal GroupPolicy_172.xxx.xx.4 group strategy
    attributes of Group Policy GroupPolicy_172.xxx.xx.4
    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
    username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
    tunnel-group 172.xxx.xx.4 type ipsec-l2l
    tunnel-group 172.xxx.xx.4 General-attributes
    Group - default policy - GroupPolicy_172.xxx.xx.4
    172.xxx.XX.4 group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    inspect the http

    For IKEv2 configuration: (example config, you can change to encryption, group,...)

    -You must add the declaration of exemption nat (see previous answer).

    -set your encryption domain ACLs:

    access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

    -Set the Phase 1:

    Crypto ikev2 allow outside
    IKEv2 crypto policy 10
    3des encryption
    the sha md5 integrity
    Group 5
    FRP sha
    second life 86400

    -Set the Phase 2:

    Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
    Esp aes encryption protocol
    Esp integrity sha-1 protocol

    -set the Group of tunnel

    tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
    REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
    IKEv2 authentication remote pre-shared-key cisco123


    IKEv2 authentication local pre-shared-key cisco123

    -Define the encryption card

    address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
    card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
    card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
    CRYPTOMAP interface card crypto outside
    crypto isakmp identity address

    On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

    Thank you

  • VPN site to Site using the router and ASA

    Hello

    I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client), my question is if I can configure a Cisco ASA 5505 to connect to the router as a VPN from site to site.

    Thank you

    Karl

    Dear Karl,

    Yor are right, in this case you can create a tunnel vpn site-to-site between devices or you can configure your ASA as hardware VPN client. That is to say; Easy VPN.

    For the same thing, you can consult the document below.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    Kind regards

    Shijo.

  • Clustering for VPN site-to-site VPN concentrator?

    Hi all

    I think the grouping of the Concentrator VPN configuration guide is only good for the VPN site-to-customer, that is to say that the grouping option cannot be deployed in VPN site-to-site of HA and load balancing?

    Thank you and best regards,

    MAK

    OK, the function was only ever for clients of SW and HW, not the L2L tunnels.

    L2L tunnels, you can configure the settings of tunnel on two of the hubs of the cluster and then just "defined by peer" two statements under the card encryption of the remote device, these statements point to each of the specific IP addresses hubs (not the cluster address).

    Does not give you true balance as do customers SW, but it gives you redundancy.

  • Issue of ASA vpn site to site isakmp

    Hello

    He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

    crypto isakmp identity address
    crypto ISAKMP allow outside

    .. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

    By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

    Thank you

    Hi, Giuseppe.

    The crypto isakmp command activate outside changed ikev1 crypto Enable outside in the new ASA versions you need not enable this.

    There is also no need configure isakmp crypto identity address such that it is set to auto.

    This command indicates that the tunnel would be negotiated on the basis of the IP address but since it is set to auto it on it own will therefore not need to specify this command.

    Yes, you can create a new group policy group for this new tunnel and tunnel and there should be no impact on other tunnels of work.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • VPN site to site UP, but no traffic

    Dear friends,

    I did a VPN site to site using ASA 5555 02 in each site running the Version of the software 9.2 (4).

    The VPN is UP, as shown below:

    ASA-SSP-Pri (config) # sh isak his

    There are no SAs IKEv1

    IKEv2 SAs:

    Session-id: 1, State: UP-ACTIVE, IKE County: 1, number of CHILDREN: 1

    Tunnel-id Local remote status role
    201.23.100.130/500 268373031 200.174.36.19/500 LOAN MACHINE
    BA: AES - CBC, keysize: 256, Hash: SHA96, Grp:5 DH, Auth sign: PSK, Auth check: PSK
    Duration of life/active: 86400/272 sec
    His child: selector local 10.69.0.0/0 - 10.69.0.255/65535
    selector of distance 10.12.20.0/0 - 10.12.20.255/65535
    SPI ESP/output: 0xf89430e6/0x86a5cd8f

    But when I try to ping from one site to another, is not possible, the result of the ping command is '?

    I did some research on this problem and a lot of people say that Miss crypto isakmp nat-traversal 20 command, but this command is already enabled.

    Exempt from NAT is enabled and I did tests of deactivation as well.

    Hello

    The last thing I think is that there is a SPINNAKER twice on the table of the asp and that is why the traffic is not encrypted everything seems correct, run the following command on the ASA:

    clear crypto ipsec its inactive

    test again

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

    Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

    Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

    How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

    Thank you very much.

    Hello

    Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

    I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

    Site has

    access-list NAT0 note NAT0 rule for SiteA SiteC traffic

    access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB

    Site B

    access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

    OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

    NAT (outside) 0-list of access OUTSIDE-NAT0

    Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

    access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.

    Site C

    access-list NAT0 note NAT0 rule for SiteC SiteA traffic

    NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    NAT (inside) 0 access-list NAT0

    Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

    L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
    • NAT = is the line of configuration NAT0
    • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB

    To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni

  • Problem with VPN Site-to-Site between RV215W and ASA5510

    The RV215W is intended to connect a new branch via 3G, but fail.

    But when connected to the internet via a cable modem VPN works.

    I have set up with the FULL domain name and remote ip address.

    Please help me soon as soon as you can.

    Thaks a lot.

    Henriux2412.

    Dear Henry;

    Thank you to the small community of Support Business.

    I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.

    Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support

    https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport

    Do not hesitate to contact me if there is anything I can help you with in the meantime.

    Kind regards

    Jeffrey Rodriguez S... : | :. : | :.
    Support Engineer Cisco client

    * Please rate the Post so other will know when an answer has been found.

  • How to turn the notifications by e-mail to connect VPN Site to Site on ASA?

    How to activate the VPN Site to Site connection e-mail notifications?

    Maybe it's possible with the event Manager?

    Hi Mario

    I think this could work depending on your intent:

    logging list email level notifications class vpnlogging list email level notifications class vpnc!logging mail emaillogging from-address logging recipient-address  level notifications
    Cordially Véronique
  • IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

    I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

    So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

    Network diagram:

    http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

    Challenge:

    (1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

    (2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

    IKE Phase II: des-esp, hmac-md5, tunnel mode

    PSK: sitetositevpn

    Here is my setup for review:

    crypto ISAKMP policy 10

    the BA

    preshared authentication

    Group 1

    md5 hash

    ISAKMP crypto key sitetositevpn address 210.x.x.66

    !

    Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

    !

    infotelmap 10 ipsec-isakmp crypto map

    the value of 210.x.x.66 peer

    Set transform-set ciscoset

    match address 111

    !

    !

    interface Ethernet0

    3 LAN description

    IP 10.20.20.1 255.255.255.0

    IP nat inside

    servers-exit of service-policy policy

    Hold-queue 100 on

    !

    ATM0 interface

    no ip address

    ATM vc-per-vp 64

    No atm ilmi-keepalive

    DSL-automatic operation mode

    !

    point-to-point interface ATM0.1

    IP address 210.x.20.x.255.255.252

    no ip redirection<-- disable="">

    no ip unreachable<-- disable="" icmp="" host="" unreachable="">

    no ip proxy-arp<-- disables="" ip="" directed="">

    NAT outside IP

    PVC 8/35

    aal5snap encapsulation

    !

    !

    IP nat inside source list 102 interface ATM0.1 overload

    IP classless

    IP route 0.0.0.0 0.0.0.0 ATM0.1

    IP route 0.0.0.0 0.x.0.x.190.60.66

    no ip http secure server

    !

    Note access-list 102 NAT traffic

    access-list 102 permit ip 10.20.20.0 0.0.0.255 any

    !

    access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

    access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

    Kind regards

    Junhan

    Hello

    Three changes required in this configuration.

    (1) change the NAT-list access 102 as below:

    access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

    access-list 102 permit ip 10.20.20.0 0.0.0.255 any

    (2) place the card encryption on interface point-to-point ATM.

    (3) remote all of a default route.

    Thank you

    Mustafa

  • VPN site to Site 5506 X

    How many sessions/users can go on a 5506 X with a dry more than the license?

    Any involved a VPN site-to site a 5506 a 5515 X X?  Or is this done as I have done in the past with of 5505?

    Thank you

    Pete

    Basic 5506 license not not limit the number of Interior hosts as did the former 5505. So, in this respect, you are not constrained.

    You do not have a limit on the number of connections VPN site to site on the 5506. Are those that fall of 'other VPN peers' are limited to 10 (licenses) or 50 (security more)-a site separate VPN tunnels. Reference.

Maybe you are looking for