Unable to establish phase 1 of site-to-site VPN

Hi Experts,

Site-B(router)---Modem---Internet---Site-A(router)

I am trying to create a site-to-site IPsec VPN between a Cisco 2900 and a Cisco 861; here is the scenario. Please find the connectivity diagram in the attached file.

The issue is that there is a modem provided by the ISP at Site-B, and the Cisco 861 router is connected to that modem. The connection is delivered over RJ11, and there is no ADSL port available on the Site-B router.

Based on the above scenario, here is the config.

Site B:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CITDENjan2014 address 80.227.xx.xx

crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
 mode tunnel

crypto map VPN 1 ipsec-isakmp
 set peer 80.227.xx.xx
 set transform-set ETH-to-Dxb
 match address 110

interface FastEthernet4
 ip address 192.168.1.254 255.255.255.0
 crypto map VPN

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip access-list extended 110
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

Please find the screenshots of the ADSL modem for the information below.

Dual configuration on the LAN interface of the ADSL modem with the IP address.

I did port forwarding on the modem, although I have not done port forwarding before, so I'm not sure whether it is correct or not.

Site A router config:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CITDENjan2014 address 197.156.xx.xx

crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
 mode tunnel

crypto map Dxb-to-Nigeria 20 ipsec-isakmp
 set peer 197.156.xx.xx
 set transform-set Dxb-to-ETH
 match address 120

interface GigabitEthernet0/1
 ip address 80.227.xx.xx 255.255.255.252
 crypto map Dxb-to-Nigeria

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

route-map SDM_RMAP_1 permit 1
 match ip address 101

Logs from the Site-B router:

*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
*Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
*Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
*Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
*Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
*Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
ETH-CIT#
*Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
*Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...

*Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:02:06.739: ISAKMP:      encryption 3DES-CBC
*Apr 16 13:02:06.739: ISAKMP:      hash MD5
*Apr 16 13:02:06.739: ISAKMP:      default group 2
*Apr 16 13:02:06.739: ISAKMP:      auth pre-share
*Apr 16 13:02:06.739: ISAKMP:      life type in seconds
*Apr 16 13:02:06.739: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.

*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
*Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
*Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
*Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:received payload type 20
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
*Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM4

ETH-CIT#
ETH-CIT#
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.

Logs from the Site-A router:

*Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
DXB-CIT#
*Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
*Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.

*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
*Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
*Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB-CIT#
DXB-CIT#
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
*Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5  New State = IKE_DEST_SA

DXB-CIT#
DXB-CIT#sho cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
197.156.xx.xx   80.227.xx.xx    MM_NO_STATE       1263 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

*Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
    local_proxy= 192.168.10.0/255.255.255.0/256/0,
    remote_proxy= 192.168.1.0/255.255.255.0/256/0
*Apr 16 13:16:17.609: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
    local_proxy= 192.168.10.0/255.255.255.0/256/0,
    remote_proxy= 192.168.1.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
*Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
*Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
*Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
*Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
*Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE
*Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
*Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
*Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
*Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Apr 16 13:16:17.869: ISAKMP:(0): pre-shared xauth authentication
*Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 16 13:16:17.869: ISAKMP:      encryption 3DES-CBC
*Apr 16 13:16:17.869: ISAKMP:      hash MD5
*Apr 16 13:16:17.869: ISAKMP:      default group 2
*Apr 16 13:16:17.869: ISAKMP:      auth pre-share
*Apr 16 13:16:17.869: ISAKMP:      life type in seconds
*Apr 16 13:16:17.869: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
*Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.

*Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
*Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
*Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
*Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:received payload type 20
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
*Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 16 13:16:18.185: ISAKMP (1264): ID payload
        next-payload : 8
        type         : 1
        address      : 80.227.xx.xx
        protocol     : 17
        port         : 0
        length       : 12
*Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
*Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5

DXB-CIT#
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
DXB-CIT#
*Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
DXB-CIT#
DXB-CIT#u all
All possible debugging has been turned off
DXB-CIT#
*Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
*Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
DXB-CIT#
*Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.

Hello

your configuration looks correct. I was wondering whether NAT works well, because I do not see ip nat inside and ip nat outside configured on router A.

Please check whether ESP (50) is permitted (probably VPN passthrough) on the modem, and also try to allow UDP 4500 (IPsec NAT-T).

Best regards

Jan
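Both debug captures above stall at the same point: NAT is detected, the initiator floats to UDP 4500, and the responder keeps retransmitting MM_KEY_EXCH to a peer port of 1 without ever seeing a reply. The script below is an added example (not from the thread or from Cisco) that parses `debug crypto isakmp` lines in that format and names the failure; the two log excerpts inside it are constructed from the post's output, with its masked addresses.

```python
"""Summarise a stalled IKEv1 main mode from Cisco IOS 'debug crypto isakmp' output."""
import re
from dataclasses import dataclass, field

# Constructed excerpts (same message formats as the post, shortened).
INITIATOR_LOG = """\
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:17:08.657: ISAKMP (1264): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 16 13:17:18.657: ISAKMP:(1264):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
""".splitlines()

RESPONDER_LOG = """\
*Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
*Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
*Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
""".splitlines()

SENT_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(([IR])\) (\S.*)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(([INR])\) (\S.*)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


@dataclass
class Phase1Trace:
    role: str = "?"                  # I = initiator, R = responder
    nat_detected: bool = False
    sent: list = field(default_factory=list)      # (my_port, peer_port, state)
    received: list = field(default_factory=list)  # (dport, sport, state)
    retransmits: int = 0
    max_attempts: int = 0
    died: bool = False


def parse_trace(lines):
    """Collect ports, states and retransmit counters from one router's debug lines."""
    t = Phase1Trace()
    for line in lines:
        if m := SENT_RE.search(line):
            t.role = m.group(4)
            t.sent.append((int(m.group(2)), int(m.group(3)), m.group(5).strip()))
        elif m := RECV_RE.search(line):
            t.received.append((int(m.group(2)), int(m.group(3)), m.group(5).strip()))
        elif "NAT found" in line:
            t.nat_detected = True
        elif m := RETRANS_RE.search(line):
            t.retransmits = max(t.retransmits, int(m.group(1)))
            t.max_attempts = int(m.group(2))
        elif "Death by retransmission P1" in line:
            t.died = True
    return t


def diagnose(t):
    """Return {finding_code: explanation} for the phase-1 failure modes visible in the trace."""
    findings = {}
    rx_4500 = any(dport == 4500 for dport, _, _ in t.received)
    tx_4500 = any(my == 4500 for my, _, state in t.sent if state == "MM_KEY_EXCH")
    if t.nat_detected and not rx_4500:
        # RFC 3947: once NAT-D shows a NAT in the path, MM5/MM6 move to UDP 4500.
        findings["NO_UDP4500_RX"] = (
            "NAT detected, so the remaining main-mode messages float to UDP 4500, "
            "but nothing was ever received on 4500"
            + (" (this side did send on 4500)" if tx_4500 else "")
            + ": check that UDP 4500 is forwarded/permitted end to end")
    odd_ports = sorted({pp for _, pp, _ in t.sent if pp not in (500, 4500)})
    if odd_ports:
        # NAT-D hashes cover IP and port, so a rewritten source port alone makes
        # the peer look NATed.
        findings["PEER_PORT_REWRITTEN"] = (
            f"peer_port {odd_ports} is neither 500 nor 4500: a NAT device rewrote the "
            "IKE source port, which also makes the peer's NAT-D hash mismatch")
    if t.retransmits:
        findings["P1_RETRANSMIT"] = (
            f"phase 1 stalled in MM_KEY_EXCH: {t.retransmits} of {t.max_attempts} retransmits seen")
    if t.died:
        findings["P1_DEAD"] = "IKE SA deleted: Death by retransmission P1"
    return findings


if __name__ == "__main__":
    for name, log in (("Site-A (initiator)", INITIATOR_LOG), ("Site-B (responder)", RESPONDER_LOG)):
        trace = parse_trace(log)
        print(f"{name}, role {trace.role}:")
        for code, text in diagnose(trace).items():
            print(f"  {code}: {text}")
```

Run against the full captures, the same two findings appear on both sides, which is what points at the modem rather than at either router's crypto configuration.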

Tags: Cisco Security

Similar Questions

  • Remote VPN and site-to-site VPN: remote VPN users unable to access the local network

    As per the config below, remote VPN and site-to-site VPN are configured, but remote users are unable to access the local network. Please suggest the required config.

    The local host 192.168.215.4 is not able to ping the server IP. Server connectivity over the remote VPN works fine, but the VPN users are not able to ping the local network.

    ASA Version 8.2(2)
    !
    hostname
    domain-name kunchevrolet
    enable password r8xwsBuKsSP7kABz encrypted
    passwd r8xwsBuKsSP7kABz encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group dataone
     ip address pppoe
    !
    interface Ethernet0/1
     nameif inside
     security-level 50
     ip address 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif Internet
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    clock timezone IST 5 30
    dns server-group DefaultDNS
     domain-name kunchevrolet
    same-security-traffic permit intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group network net-LAN
    access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu Internet 1500
    ip local pool VPN_Users 192.168.2.1-192.168.2.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http x.x.x.x 255.255.255.252 outside
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 65500 set transform-set RIGHT
    crypto map VPN 10 ipsec-isakmp dynamic dynmap
    crypto map VPN interface outside
    crypto map ASA-01 10 set peer 221.135.138.130
    crypto map ASA-01 10 set transform-set RIGHT
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption
     hash sha
     group 2
     lifetime 28800
    telnet 192.168.215.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group dataone request dialout pppoe
    vpdn group dataone localname bb4027654187_scdrid
    vpdn group dataone ppp authentication chap
    vpdn username bb4027654187_scdrid password ***** store-local
    dhcp-client client-id interface Internet
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11-192.168.215.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption des-sha1
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy kun internal
    group-policy kun attributes
     vpn-simultaneous-logins 8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value kunchevrolet
    username test password P4ttSyrm33SV8TYp encrypted
    username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
    username kunauto attributes
     vpn-group-policy kun
     vpn-tunnel-protocol IPSec
    tunnel-group vpngroup type remote-access
    tunnel-group vpngroup general-attributes
     address-pool VPN_Users
     default-group-policy kun
    tunnel-group vpngroup webvpn-attributes
     group-alias vpngroup enable
    tunnel-group vpngroup ipsec-attributes
     pre-shared-key *
    tunnel-group test type remote-access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto#

    Hello

    Looking at the configuration, there is an access list for NAT exemption:

    access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

    But it is not applied in the NAT statements.

    Enter the following command to apply the NAT exemption:

    nat (inside) 0 access-list sheep

    Kind regards

    Dinesh Moudgil

    P.S. Please mark this message as 'Answered' if you find this information useful, so that it benefits other users of the community.

  • Unable to connect to a web site I have used several times before; it says the DNS server is incorrect or does not exist

    Unable to connect to a web site I have used several times before. It says the DNS server is incorrect or does not exist. Can someone help?

    If it is hosted by GoDaddy, it may be out of service. There is a DDoS (denial-of-service) attack on GoDaddy at the moment.

    You could try again later and see if it comes back.
  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up, with a dynamic IP on one side and a static IP address on the other. I have attached a diagram of the VPN connection. I'm not sure where the problem lies or what to check next. I think I have all the routes and access lists that are needed.

    I've also attached the ASA5505 config and the ASA5510 config.

    This is the first time I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your configuration: looking at the Remote Site ASA, you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at least on the Remote Site ASA. It can also be the Central Site.

    -Jouni
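The mirror-image requirement stated in this answer (and met by ACLs 110/120 in the main post) is easy to check mechanically. The following is an added example, not from the thread: it parses `permit ip` entries from IOS (wildcard-mask) or ASA (subnet-mask) crypto ACLs and reports which local pairs have no reversed counterpart on the remote side. The ASA ACL text is constructed, with made-up masks standing in for the ones masked above.

```python
"""Check that two crypto ACLs are mirror images of each other."""
import ipaddress
import re

# Constructed inputs.  The IOS pair copies the main post's ACL 110/120;
# the ASA pair uses invented masks in place of the masked "255.255.*.*".
SITE_A_ACL_120 = "access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255"
SITE_B_ACL_110 = "permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255"

CENTRAL_L2L_ACL = """
access-list central_cryptomap extended permit ip 10.182.226.0 255.255.255.0 10.1.1.0 255.255.255.128
access-list central_cryptomap extended permit ip 10.182.0.0 255.255.0.0 10.1.1.0 255.255.255.128
access-list central_cryptomap extended permit ip 192.168.170.0 255.255.255.0 10.1.1.0 255.255.255.128
"""
REMOTE_L2L_ACL = """
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.255.0
"""

# 'permit ip <src> <mask> <dst> <mask>' in either IOS or ASA syntax
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def to_network(addr, mask, wildcard):
    """IOS numbered ACLs carry wildcard (inverse) masks, ASA ACLs carry subnet masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (source, destination) network pairs the ACL protects."""
    return {
        (to_network(s, sm, wildcard), to_network(d, dm, wildcard))
        for s, sm, d, dm in ACE_RE.findall(text)
    }


def _fmt(pairs):
    return sorted(f"{src} -> {dst}" for src, dst in pairs)


def mirror_check(local, remote):
    """Every local (src, dst) pair must appear on the remote side as (dst, src).

    Pairs missing on the remote side will never negotiate a phase-2 SA; extra
    remote pairs are proxy identities the local side will reject.
    """
    expected = {(dst, src) for src, dst in local}
    return {
        "missing_on_remote": _fmt(expected - remote),
        "extra_on_remote": _fmt(remote - expected),
    }


if __name__ == "__main__":
    print("IOS 120 vs 110:", mirror_check(parse_crypto_acl(SITE_A_ACL_120, wildcard=True),
                                          parse_crypto_acl(SITE_B_ACL_110, wildcard=True)))
    print("Central vs remote ASA:", mirror_check(parse_crypto_acl(CENTRAL_L2L_ACL, wildcard=False),
                                                 parse_crypto_acl(REMOTE_L2L_ACL, wildcard=False)))
```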

  • Troubleshooting IPSec Site to Site VPN between ASA and 1841

    Hi all

    in the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easier... But it seems I was mistaken.

    I configured a site-to-site VPN as described in Document ID 110198: IPsec Site to Site VPN between ASA/PIX and an IOS Router Configuration Example (I have not used SDM but CCP).

    I ran the wizards on the ASA with ASDM, and on the 1841 (current IOS version 15.1) with CCP.

    It seems Phase 1 and 2 are coming up, although my ASA in ASDM (Monitoring > VPN > VPN Statistics > Sessions) reports a tunnel established with some Tx traffic but 0 Rx traffic.

    On the ASA:

    Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"

    peer address: 217.86.154.120
        Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

          access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
          current_peer: 217.xx.yy.zz

          #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 39135054
          current inbound spi : B2E9E500

        inbound esp sas:
          spi: 0xB2E9E500 (3001672960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4374000/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x39135054 (957567060)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
             sa timing: remaining key lifetime (kB/sec): (4373976/1598)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Output of the command: "sh crypto isakmp sa"

       Active SA: 4
           Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
       Total IKE SA: 4

        IKE Peer: 217.xx.yy.zz
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    On the 1841

    1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

    1841#sh crypto ipsec sa

    interface: Dialer1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
       current_peer 62.153.156.163 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
         path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
         current outbound spi: 0xB2E9E500(3001672960)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x39135054(957567060)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505068/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2E9E500(3001672960)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4505118/1306)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and re-establish it by pinging a host on the 1841's network, but not vice versa.

    The VPN troubleshooting report on the 1841 shows a message like "The following sources are routed through the crypto map interface. (1) 172.20.2.0. Go to 'Configure -> Routing' and correct the routing table."

    I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, any suggestion is highly appreciated!

    This is the running configuration of the 1841:

    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot system flash c1841-adventerprisek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    aaa session-id common
    !
    memory-size iomem 20
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    dot11 syslog
    ip source-route
    !
    no ip dhcp use vrf connected
    !
    ip cef
    no ip bootp server
    ip domain name test
    ip name-server 194.25.2.129
    ip name-server 194.25.2.130
    ip name-server 194.25.2.131
    ip name-server 194.25.2.132
    ip name-server 194.25.2.133
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network phone
     description VoIP phone
     host 172.20.2.50
     host 172.20.2.51
    !
    redundancy
    !
    !
    controller DSL 0/0/0
     mode atm
     dsl-mode shdsl symmetric annex B
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address 62.aa.bb.cc
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to62.aa.bb.cc
     set peer 62.aa.bb.cc
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    !
    !
    interface FastEthernet0/0
     description DMZ $FW_OUTSIDE$
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $ETH-LAN$$FW_INSIDE$
     ip address 172.20.2.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0/0/0.1 point-to-point
     pvc 1/32
      pppoe-client dial-pool-number 1
    !
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname xxxxxxx
     ppp chap password 7 xxxxxxx8
     ppp pap sent-username xxxxxxx password 7 xxxxxxx
     crypto map SDM_CMAP_1
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip dns server
    ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
    ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    logging trap notifications
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.2.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 101 permit ip 172.20.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 remark IPSec Rule
    access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !

    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     length 0
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 172.20.2.250 prefer
    end

    As I mentioned previously: any suggestion is much appreciated!

    Best regards

    Joerg

    Joerg,

    The ASA does not receive any VPN packets because the IOS router is not sending anything.

    Try sending packets from the 1841 LAN to the ASA LAN and see if the "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).

    So the problem seems to be on the router side.

    I would think it is a routing problem, but you only have one default gateway (no other routes on the router).

    ACL 100 is set to encrypt the traffic between the two subnets.

    It seems that ACL 101 is also bypassing NAT for the VPN traffic.

    Follow these steps:

    Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are not going through the translation and are getting encrypted.

    I would also remove ACL 100 from the inside interface on the router because it is used for the VPN. You can create another ACL to apply to the interface.

    Federico.

  • SSL vpn site to site vpn

    I have a couple of site to site VPNs working properly on an ASA 5515. I don't know what is on the other side, as I haven't seen them. I configured an SSL VPN for remote users who need to be able to access resources on the remote sites. I get access to the local site's network without any problems and have added the IP address range for remote users to the site to site links, but I am unable to connect. If anyone has done this, it would be greatly appreciated if you could help.

    Hi mbluemel,

    You need to configure the remote side to allow traffic from the SSL VPN users.
    This document lists the steps needed to achieve this:

    http://www.petenetlive.com/kb/article/0000040.htm

    For more information:
    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • problem of site 2 site vpn

    Greetings. We have a site 2 site VPN between 2 ASA5510s that is working. Internal network hosts at both sites are reachable, but we are unable to access all the services (such as TFTP or CA), or even ping hosts in the remote site, from our local ASA5510 itself. It seems that the ASA attempts to send packets directly through the default gw, bypassing the VPN tunnel. Any help would be very appreciated.

    PS We checked the ACLs on both devices, so more than likely this is not the problem.

    Hello

    Since you did not include the public IP address of the outside interface in the Crypto ACL, that is why it is not going through the tunnel.

    Add a statement to the Crypto ACL where you qualify the outside interface's public IP address as the source, and mirror it on the remote device.

    HTH

    Sangaré

    Pls rate helpful messages

  • Site to Site VPN Cisco IOS 1941 15.0 (1) M1

    Hello

    I am currently building a Site to Site VPN between an ASA and a 1941 router. The VPN configuration on the ASA seems to be OK, because it works without problems with an 1841 router running IOS 12.4 at the other site. The same VPN configuration on the new 1941 router with IOS 15.0(1)M1 does not work. It seems that the crypto map access list is the problem. The router never starts the VPN connection. When the ASA attempts to establish the VPN, the router's debug log shows:

    ...

    *May  5 14:37:52.263: ISAKMP:(1007): Checking IPSec proposal 1
    *May  5 14:37:52.263: ISAKMP: transform 1, ESP_3DES
    *May  5 14:37:52.263: ISAKMP:   attributes in transform:
    *May  5 14:37:52.263: ISAKMP:      SA life type in seconds
    *May  5 14:37:52.263: ISAKMP:      SA life duration (basic) of 28800
    *May  5 14:37:52.263: ISAKMP:      SA life type in kilobytes
    *May  5 14:37:52.263: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *May  5 14:37:52.263: ISAKMP:      encaps is 1 (Tunnel)
    *May  5 14:37:52.263: ISAKMP:      authenticator is HMAC-SHA
    *May  5 14:37:52.263: ISAKMP:      group is 2
    *May  5 14:37:52.263: ISAKMP:(1007):atts are acceptable.
    *May  5 14:37:52.263: ISAKMP:(1007): IPSec policy invalidated proposal with error 32
    *May  5 14:37:52.263: ISAKMP:(1007): phase 2 SA policy not acceptable! (local ... remote ...)

    ...

    Any clue?

    Concerning

    Claudia

    The configuration of the router:

    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Cisco1941
    !
    no aaa new-model
    !
    no ipv6 cef
    no ip source-route
    ip cef
    !
    ip domain name xyz.de
    !
    multilink bundle-name authenticated
    !
    crypto pki trustpoint TP-self-signed-...
    !
    crypto pki certificate chain TP-self-signed-...
     quit
    license udi pid CISCO1941/K9 sn ...
    !
    username xyz privilege 15 secret 5 $1$...
    !
    redundancy
    !
    crypto logging session
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key ... address 1.2.3.4
    crypto isakmp invalid-spi-recovery
    !
    crypto ipsec transform-set tsAsa esp-3des esp-sha-hmac
    !
    crypto map asa 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set tsAsa
     set pfs group2
     match address 100
    !
    interface GigabitEthernet0/0
     description *inside*
     ip address 10.100.100.1 255.255.255.0
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1
     ip address 5.6.7.8 255.255.255.240
     ip access-group 111 in
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     crypto map asa
    !
    !
    interface ATM0/0/0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    !
    ip forward-protocol nd
    !
    ip route 0.0.0.0 0.0.0.0 1.2.3.5
    !
    access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 111 permit esp host 1.2.3.4 host 5.6.7.8
    access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
    access-list 111 permit ahp host 1.2.3.4 host 5.6.7.8
    access-list 111 deny   ip any any log

    ....

    end

    Try to do this:

    ip route 10.10.10.0 255.255.255.0 Ge0/1

    ip route 1.2.3.4 255.255.255.255 <default gateway of Ge0/1>

    The rest of your config looks very good.

  • You try to run a Site to site VPN and remote VPN from the same IP remotely

    We currently have a site to site VPN configured between our call center offices and a 3rd party, which allows them to access our training environment for their employees to use while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; however, when we have managers go out to the call center, they are unable to use the remote VPN to access our office.

    Apparently the remote peer IP that we use for our site to site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site to site peer, it automatically tries to create a tunnel according to the site to site tunnel's information. If our managers are anywhere else, they can connect through the remote VPN with no problems.

    My question is if anyone knows of a way to make the firewall allow site to site VPN and remote VPN connections from the same remote IP address.

    Hi John,

    Basically, in older versions, when you hit a static crypto map and you do not completely match that static crypto map, the connection continues on to the dynamic crypto map. For this reason, you could connect your IPSec clients before. A bug has been opened on this vulnerability.

    CSCuc75090  Bug details

    Crypto IPSec Security Associations are created by the dynamic crypto map for static peers

    Symptom:

    When a static VPN peer adds any traffic to the crypto ACL, an SA is built even if the peer IP is not allowed in the ACL on the main static crypto map. These SAs end up matching and being put in service by the dynamic crypto map instance.

    Conditions:

    It was a planned design since day one that allowed customers to fall through in case the static crypto map did not provide the necessary cryptographic services.

    The SA must be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.

    Workaround:

    N/A

    Some possible workarounds are:

    Configure a static NAT device to use when connecting to the remote VPN, so that the remote firewall is hit with a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available and whether you really want to use one of these IP addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from their PCs to the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.

    Below some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.

  • Site to Site VPN number

    Hello

    I am facing a problem in my site to site VPN configuration. The branch site router gets its public IP address from the DHCP server, so I have built a dynamic crypto map on the HQ router.

    ISAKMP Phase 1 is up and running. I am trying to ping from the LAN 192.168.85.0 to the HQ LAN 172.16.12.0 but it won't go through, and when I check the ipsec security associations I can see that packets are encrypted on the branch side and decrypted on the HQ side, but the HQ router sends no PING response at all and I see no encrypted packets on it.

    I have attached my configurations; I had to hide some information just for safety.

    Help, please!

    Mostafa

    Hello Mustafa,

    Having a glance at your config, it seems you have not correctly configured NAT exemption on your HQ.

    ip access-list extended NAT
     deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
     deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
     permit ip 172.16.12.0 0.0.0.255 any
     deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255

    In this ACL the interesting traffic is denied last. So it is not exempted from NAT: as ACLs are processed top-down, your interesting traffic already matches the permit statement in the NAT ACL and is therefore subject to NAT on HQ. The deny statement that exempts the interesting traffic from NAT should precede the permit statement.

    HTH

    Please rate useful posts.
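    The two points made in this reply and in Jouni's reply earlier on the page (the NAT exemption ACL must deny the VPN traffic before its catch-all permit, and the crypto ACLs on the two peers must be mirror images) can be checked mechanically. The following Python is an added example, not code from the thread or from Cisco: it parses IOS-style `permit|deny ip SRC WC DST WC` entries, evaluates a flow against the ACL in first-match order the way IOS does, and compares two crypto ACLs for mirror symmetry. The HQ NAT ACL is the one posted above; the crypto ACL pair is constructed for the example, since the branch configuration itself is only attached to the thread, not shown.

```python
"""Added example: first-match evaluation of an IOS NAT exemption ACL and a
mirror check for the crypto ACLs of two IPsec peers."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard bits are the inverse of a subnet mask (0.0.0.255 -> /24)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acl(text: str) -> List[AclEntry]:
    """Parse the 'permit|deny ip SRC DST' entries of a named or numbered ACL.
    Remarks, the 'ip access-list' header and non-IP entries are skipped."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if t[:1] == ["access-list"]:      # numbered form: access-list 101 permit ip ...
            t = t[2:]
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, rest = _take_addr(t[2:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(t[0], src, dst))
    return entries


def first_match(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """Action of the first entry matching the flow, or the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "implicit-deny"


def nat_exempts(nat_acl: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """With 'ip nat inside source list|route-map', a permit means translate,
    so a flow is exempt only when its first matching entry is a deny."""
    return first_match(nat_acl, src_ip, dst_ip) == "deny"


def is_mirror(local_acl: List[AclEntry], remote_acl: List[AclEntry]) -> bool:
    """Every local permit (src, dst) must appear remotely as (dst, src)."""
    local = {(e.src, e.dst) for e in local_acl if e.action == "permit"}
    remote = {(e.dst, e.src) for e in remote_acl if e.action == "permit"}
    return local == remote


# HQ NAT ACL exactly as posted in the thread: the exemption for 192.168.85.0 is last.
HQ_NAT_AS_POSTED = """
ip access-list extended NAT
 deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 172.16.12.0 0.0.0.255 any
 deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
"""
# Same ACL with the deny moved above the permit, as the reply recommends.
HQ_NAT_FIXED = """
ip access-list extended NAT
 deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
 permit ip 172.16.12.0 0.0.0.255 any
"""
# Constructed crypto ACL pair (the thread's own crypto ACLs are not shown).
HQ_CRYPTO = "access-list 100 permit ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255\n"
BRANCH_CRYPTO_OK = "access-list 100 permit ip 192.168.85.0 0.0.0.255 172.16.12.0 0.0.0.255\n"
BRANCH_CRYPTO_BAD = "access-list 100 permit ip 192.168.85.0 0.0.0.255 172.16.0.0 0.0.255.255\n"

if __name__ == "__main__":
    flow = ("172.16.12.10", "192.168.85.10")
    print("as posted, exempt from NAT:", nat_exempts(parse_ios_acl(HQ_NAT_AS_POSTED), *flow))
    print("fixed, exempt from NAT:    ", nat_exempts(parse_ios_acl(HQ_NAT_FIXED), *flow))
    print("crypto ACLs mirror:        ", is_mirror(parse_ios_acl(HQ_CRYPTO), parse_ios_acl(BRANCH_CRYPTO_OK)))
```

    The mirror check deliberately compares networks, not text, so `172.16.12.0 0.0.0.255` on one side and a wider `172.16.0.0 0.0.255.255` on the other is reported as a mismatch even though the subnets overlap; that is exactly the case where phase 2 negotiates one proxy identity and the other peer rejects or narrows it.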

  • 887 site to Site VPN

    Hi all

    After following the guides on site to site VPN and NAT I am very close with this, but suspect a minor error here. It was difficult to apply some of the worked Cisco examples to the additional complexity here (VLANs, routing to a static IP address), as well as due to inexperience with some routing commands.

    Requirements:

    -Provide internet access for three local networks (10.10.10.0/29 for router management, 192.168.1.0/24 for most of the PCs, 172.22.81.160/28 for a PC for VPN and wireless)

    -Set up a site-to-site VPN between 172.22.81.160 and a remote VPN router at 194.73.***.***

    -Forward all 172.22.81.160 traffic destined to the IP 195.218.***.*** only (quoted to me as 195.218.***.***/32) over the site to site VPN

    It may be confusing that 195.218.***.*** is a public IP address, where I would normally expect a private IP address. This has been checked and confirmed. It is certainly accessible only via the VPN tunnel. So far everything works as expected, except for the VPN. Cisco diagnostics report that everything is going well, except that the tunnel is down and no traffic is going to 195.218.***.***

    I have not spotted the error, help appreciated!

    My next step would be to simplify the config by removing unnecessary commands one by one and then check again against examples and manual. Attached config.

    Kind regards

    John

    References:

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

    Requirements of VPN:

    IKE Phase 1
    Diffie-Hellman group: 2
    Version of IKE: IKEv1
    IKE Lifetime: 86400
    Aggressive mode: No
    Encryption: AES 256
    Integrity: SHA2-256
    Authentication method: pre-shared

    IKE Phase 2
    PFS: Yes
    PFS DH group: 2
    Lifetime: 3600
    Encryption: AES 256
    Integrity: SHA2-256

    Good stuff! Glad that you got it sorted.

  • AnyConnect VPN full tunnel could not access the site to site VPN

    I have an AnyConnect VPN set up with no split tunneling (U-turning/hairpinned traffic), running 8.2.5 code.

    It works fine, but I want to allow AnyConnect VPN clients to reach the site to site VPN, which I have been unable to do.

    I checked that the AnyConnect network IP addresses are part of the tunnel on both sides.

    My logic tells me that I must not U-turn traffic from the AnyConnect network destined for the site to site VPN, but I don't know how to do this.

    Any help would be appreciated.

    Here are the relevant parts of my config:

    (Home network is 192.168.0.0/24, the AnyConnect network is 192.168.10.0/24, site to site VPN network is 192.168.2.0/24)

    --------------------------------------------------------------------------------------

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.0.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

    ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
    webvpn
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
     svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
     svc enable
     tunnel-group-list enable
    group-policy AnyConnectGrpPolicy internal
    group-policy AnyConnectGrpPolicy attributes
     wins-server none
     dns-server value 192.168.0.33 192.168.2.33
     vpn-session-timeout none
     vpn-tunnel-protocol l2tp-ipsec svc
     split-tunnel-policy tunnelall
     address-pools value AnyConnectPool
    tunnel-group AnyConnectGroup type remote-access
    tunnel-group AnyConnectGroup general-attributes
     address-pool AnyConnectPool
     authentication-server-group SERVER1_AD
     default-group-policy AnyConnectGrpPolicy
    tunnel-group AnyConnectGroup webvpn-attributes
     authentication aaa certificate
     group-alias AnyConnect enable

    Your remote access VPN traffic appears as originating on the outside interface, so I think you need to exempt the VPN pool traffic directed to the site to site VPN from NAT. Something like this:

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

  • Several subnets in the site to Site VPN

    Hi guys,
    I would like to set up a site to site VPN tunnel with several subnets. I could not find a configuration that matches my problem. I hope you can help me with the solution.
    You can find my network design attached to this topic.
    This is my setup on the ASA:

    (1) NAT exemption for network traffic going to the site to site VPN.
    nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
    nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0

    (2) The access list with the traffic to encrypt
    object-group network 192.168.10.0
     network-object 192.168.10.0 255.255.255.0

    object-group network 192.168.15.0
     network-object 192.168.15.0 255.255.255.0

    object-group network 192.168.38.0
     network-object 192.168.38.0 255.255.255.0

    object-group network 192.168.31.0
     network-object 192.168.31.0 255.255.255.0

    object-group network STSVPN-LOCAL
     group-object 192.168.10.0
     group-object 192.168.15.0

    object-group network STSVPN-US
     group-object 192.168.38.0
     group-object 192.168.31.0

    access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US

    (3) Phase 1 proposal
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha256
     group 14
     prf sha256
     lifetime seconds 86400

    (4) Phase 2 proposal
    crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
     protocol esp encryption aes-256
     protocol esp integrity sha-256

    (5) Tunnel group
    tunnel-group 4.4.4.4 type ipsec-l2l
    tunnel-group 4.4.4.4 general-attributes
     default-group-policy GrpPolicy-STSVPN-US
    tunnel-group 4.4.4.4 ipsec-attributes
     ikev2 remote-authentication pre-shared-key abcd
     ikev2 local-authentication pre-shared-key abcd

    Group policy
    group-policy GrpPolicy-STSVPN-US internal
    group-policy GrpPolicy-STSVPN-US attributes
     vpn-filter value STSVPN-US
     vpn-tunnel-protocol ikev2

    (5) Crypto map
    crypto map CM-STSVPN 10 match address STSVPN-US
    crypto map CM-STSVPN 10 set peer 4.4.4.4
    crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
    crypto map CM-STSVPN interface INT-STSVPN
    crypto ikev2 enable INT-STSVPN

    /////////////////////////////////////////////////////////////////////

    The router configuration:

    (1) SA part

    crypto ikev2 proposal ki2.PROP
     encryption aes-cbc-256
     integrity sha256
     group 14
    crypto ikev2 policy ki2.POL
     proposal ki2.PROP
    crypto ikev2 keyring KR1
     peer ASALAB
      address 2.2.2.2
      pre-shared-key local abcd
      pre-shared-key remote abcd
    crypto ikev2 profile ki2.PROF
     match identity remote address 2.2.2.2 255.255.255.255
     identity local address 4.4.4.4
     authentication remote pre-share
     authentication local pre-share
     keyring local KR1

    (2) Transform set

    crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
     mode tunnel

    (3) Access list

    ip access-list extended ACL.VPNIKE2
     permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255

    (5) Crypto map

    crypto map CM.VPN 30 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS.VPN2
     set pfs group14
     set ikev2-profile ki2.PROF
     match address ACL.VPNIKE2

    //////////////////////////////////////////////////////////////////////

    Is this configuration correct to allow both subnets on each side of the VPN tunnel to communicate with each other?

    192.168.31.0 subnet cannot communicate with 192.168.10.0
    192.168.38.0 subnet cannot communicate with 192.168.15.0

    Hello Jay,

    I went during the configuration of the two aircraft and noticed a few errors on the configuration of the SAA. Details here:

    (1) the access list configured for VPN traffic is named ACL_STSVPN-US, however the address for correspondence configured on the map encryption uses a group of objects name instead:

    address for correspondence card crypto 10 CM - STSVPN STSVPN-US

    You must change this setting to avoid any problems with the negotiation of traffic:

    no matching address card crypto 10 CM-STSVPN STSVPN-US

    10 CM-STSVPN crypto card matches the address ACL_STSVPN-US

    (2) you also have the same error on the configured vpn filter. However, you could not use the access list ACL_STSVPN-United States for VPN filter since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured for remote network (ROUTER) to local networks (ASA). It will look something like this:

    access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

    access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

    Group Policy attributes GrpPolicy-STSVPN-US
    VPN-Filter VPN_filter value

    Keep in mind that the VPN filter is in the rules that determine whether to allow or deny packets of data tunnelees coming through the device security, based on criteria such as the source, destination, and Protocol address address. If you want to use the IP Protocol, the filter will not make a difference.

    (3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it on the ASA crypto map or remove it from the router.

    ASA:

    crypto map CM-STSVPN 10 set pfs group14

    Router:

    crypto map CM-VPN 30 ipsec-isakmp
     no set pfs group14

    Hope this helps you to bring up the tunnel,

    Luis.
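The two mismatches Luis points out (a crypto map whose match address names an ACL that was never defined, and PFS set on only one side) are exactly the kind of thing a small config check can catch before a tunnel is debugged by hand. This is an added example, not code from the thread; the ASA and router excerpts and the peer/subnet values in it are constructed, and it only understands the "crypto map", "access-list" and "ip access-list" lines shown here.

```python
import re
# Constructed excerpts (not the poster's configs): an ASA crypto map whose
# "match address" names an ACL that was never defined, and PFS on the router only.
ASA_CONFIG = """\
access-list ACL_STSVPN-US extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 198.51.100.1
"""
ROUTER_CONFIG = """\
access-list 120 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map CM-VPN 30 ipsec-isakmp
 set peer 203.0.113.1
 set pfs group14
 match address 120
"""

def _record(entry, stmt):
    # Store "match address X" and "set <attr> <value>" statements of one entry.
    parts = stmt.split()
    if parts[:2] == ["match", "address"]:
        entry["match address"] = parts[2]
    elif parts[0] == "set" and len(parts) >= 3:
        entry["set " + parts[1]] = " ".join(parts[2:])

def crypto_map_entries(config):
    """{(map, seq): settings}; handles IOS block style and ASA flat style."""
    entries, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+)(?: (.+))?$", line)
        if m:
            current = entries.setdefault((m.group(1), int(m.group(2))), {})
            if m.group(3) and m.group(3) != "ipsec-isakmp":
                _record(current, m.group(3))  # ASA: setting on the same line
        elif line.startswith(" ") and current is not None:
            _record(current, line.strip())    # IOS: indented sub-command
        else:
            current = None
    return entries

def defined_acls(config):
    """ACL names/numbers from 'access-list NAME|NUM ...' and 'ip access-list extended NAME'."""
    return set(re.findall(r"^(?:ip )?access-list (?:extended )?(\S+)", config, re.M))

def find_problems(asa_cfg, router_cfg):
    """Flag undefined crypto ACL references on either side and a PFS mismatch."""
    problems, pfs = [], {}
    for side, cfg in (("ASA", asa_cfg), ("router", router_cfg)):
        acls = defined_acls(cfg)
        for (name, seq), e in crypto_map_entries(cfg).items():
            if e.get("match address") and e["match address"] not in acls:
                problems.append(f"{side}: crypto map {name} {seq} matches undefined ACL {e['match address']}")
            pfs[side] = e.get("set pfs")  # one entry per side in this sample
    if pfs.get("ASA") != pfs.get("router"):
        problems.append(f"PFS mismatch: ASA={pfs.get('ASA')} router={pfs.get('router')}")
    return problems
```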

  • IPSec site to site VPN and cisco VPN client routing problem

    Hello

    I'm really stuck with the configuration of an ipsec site to site vpn (hub to spoke, multiple spokes) with cisco vpn client remote access to this vpn.

    The problem is with remote access - cisco vpn client access - I can communicate with the hub lan - but I also need communication with all the spoke lans from the cisco vpn client.

    On the spokes there is no cisco hardware used - DLINK routers.

    Someone told me that it is possible to use NAT to translate the remote access clients' IPs to the HUB lan and thus allow communication - but I'm unable to set it up and get it working.

    Can someone help me please?

    Thank you

    Peter

    SPOKES - not cisco devices / another vendor

    Cisco 1841 HSEC HUB:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key x address xx no-xauth
    !
    crypto isakmp client configuration group x
     key x
     pool vpnclientpool
     acl 190
     include-local-lan
    !
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set 1cisco
    !
    crypto map ETH0 client authentication list userauthen
    crypto map ETH0 isakmp authorization list groupauthor
    crypto map ETH0 client configuration address respond
    crypto map ETH0 1 ipsec-isakmp
     set peer x
     set transform-set 1cisco
     set pfs group2
     match address 180
    crypto map ETH0 10 ipsec-isakmp dynamic dynmap
    !
    interface FastEthernet0/1
     description $ES_WAN$
     crypto map ETH0
    !
    ip local pool vpnclientpool 192.168.200.100 192.168.200.150
    !
    ip nat inside source list LOCAL interface FastEthernet0/1 overload
    !
    ip access-list extended LOCAL
     deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
     permit ip 192.168.7.0 0.0.0.255 any
    !
    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    !

    How has the DLINK been configured for traffic between the site to site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN Client pool subnet.

    Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN Client pool to 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the existing ACL 180

    FROM:

    access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    TO:

    access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

    Also change the split tunnel ACL 190:

    FROM:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

    TO:

    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

    Finally, replace the remote subnet 192.168.7.0/255.255.255.0 with 192.168.6.0/255.255.254.0 on the DLINK.

    Hope that helps.
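The trick in the reply above is that the wildcard 0.0.1.255 turns the single ACE into a /23 covering both the hub LAN 192.168.7.0/24 and the relocated client pool 192.168.6.0/24, so client traffic toward the spoke becomes "interesting" for the site-to-site tunnel. This added example (not code from the thread) evaluates IOS-style crypto ACLs against sample flows to show why the original ACL 180 never sends client traffic into the tunnel and the supernetted one does; the ACL text and the spoke host address are constructed.

```python
import ipaddress
import re

# Constructed sample ACLs (not the poster's full config): the hub's crypto ACL 180
# before and after the change recommended above. IOS uses wildcard masks, so
# 0.0.1.255 covers 192.168.6.0/23: the hub LAN 192.168.7.0/24 plus the new
# client pool 192.168.6.0/24.
ACL_BEFORE = "access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
ACL_AFTER = "access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255\n"

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network. Wildcard bits set to 0
    must match, so the subnet mask is the bitwise inverse of the wildcard."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    # A non-contiguous wildcard raises ValueError here; IOS accepts them, but in a
    # crypto ACL they are almost always a mistake, so failing loudly is desirable.
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(text):
    """Return (number, action, src_net, dst_net) for each 'ip' ACE, in order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            number, action, src, src_wc, dst, dst_wc = m.groups()
            entries.append((number, action, wildcard_to_network(src, src_wc),
                            wildcard_to_network(dst, dst_wc)))
    return entries

def acl_permits(entries, acl_number, src_ip, dst_ip):
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for number, action, src_net, dst_net in entries:
        if number == acl_number and s in src_net and d in dst_net:
            return action == "permit"
    return False

def client_traffic_covered(acl_text, client_ips, spoke_host="192.168.1.10"):
    """True only if every sample VPN-client address is 'interesting' traffic
    toward the spoke LAN, i.e. would be steered into the site-to-site tunnel."""
    entries = parse_acl(acl_text)
    return all(acl_permits(entries, "180", ip, spoke_host) for ip in client_ips)
```

The same check applies on the DLINK side: the spoke's tunnel definition must be the mirror image (192.168.1.0/24 to 192.168.6.0/23), which is why the reply ends by changing the remote subnet mask there.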

  • Question creating a site to site vpn

    I am trying to configure a site to site vpn for testing and, following http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml, I am still unable to establish a connection.  I have attached the config for both of the 5520's that I use.   What am I missing?

    Try this if you are pinging from the ASA

    management-access inside
