Unable to Ping hosts through IPSec Tunnel
I have a home lab configuration with a PIX 515 running code 8.03. I've made several changes over the last week and now when I establish a VPN connection to the external interface, I'm unable to reach any internal resources. My VPN connection comes from 10.22.254.0/24 trying to reach the internal nodes on 10.22.1.0/24, see below. When I terminate the VPN connection on the inside interface it works, so I guess I'm dealing with a NAT problem? I have no idea why Phase 9 fails. Any help would be great!
-------
access-list sheep extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
nat (inside) 0 access-list sheep
-------
global (outside) 1 interface
-------
access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
-------
packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2bb3450, priority=0, domain=inspect-ip-options, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list sheep
  nat-control
    match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 5
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
  nat-control
    match ip inside 10.22.1.0 255.255.255.0 DMZ any
    static translation to 10.22.1.0
    translate_hits = 10, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2d52800, priority=5, domain=host, deny=false
        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  nat-control
    match ip inside any outside any
    dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
    translate_hits = 2909, untranslate_hits = 9
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2d4a7d0, priority=1, domain=nat, deny=false
        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
No, the sheep ACL needs to define the traffic from the internal network to the
VPN pool. You must remove the other entries.
Delete:
access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
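When a `packet-tracer ... detailed` trace is as long as the one above, the useful facts are which phase drops the packet, which rule it hit, and whether an earlier NAT-exempt phase already matched. The parser below is an added example written for this page, not code from the original post or from Cisco; `SAMPLE_TRACE` is a constructed, shortened copy of the trace in the thread (phases 5 and 9 and the summary), and the field names in the returned report are this example's own.

```python
"""Added example, not code from the original post: parse `packet-tracer ... detailed`
output from an ASA/PIX and report which phase drops the packet and which rule it hit.
SAMPLE_TRACE is a constructed, shortened copy of the trace in the thread."""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list sheep
    match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    rule: dict = field(default_factory=dict)     # id/domain/deny plus src/dst as (ip, mask)

_KV = re.compile(r"(\w+)=(\S+?)(?:,|$)")
_ADDR = re.compile(r"(src|dst) ip=([\d.]+), mask=([\d.]+)")

def parse_trace(text):
    """Split the trace into Phase objects plus the trailing summary dict."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Phase:"):
            cur = Phase(int(s.split(":")[1]))
            phases.append(cur)
            section = None
        elif s == "Result:":                      # a bare "Result:" opens the summary
            cur, section = None, "summary"
        elif cur is None:
            if section == "summary" and ":" in s:
                k, v = s.split(":", 1)
                summary[k.strip()] = v.strip()
        elif s.startswith("Result:"):
            cur.result = s.split(":", 1)[1].strip()
        elif s.startswith("Type:"):
            cur.type = s.split(":", 1)[1].strip()
        elif s.startswith("Subtype:"):
            cur.subtype = s.split(":", 1)[1].strip()
        elif s == "Config:":
            section = "config"
        elif s == "Additional Information:":
            section = "info"
        elif section == "config" and s:
            cur.config.append(s)
        elif section == "info":
            m = _ADDR.search(s)
            if m:
                cur.rule[m.group(1)] = (m.group(2), m.group(3))
            elif "domain=" in s:
                cur.rule.update(_KV.findall(s))
    return phases, summary

def diagnose(text):
    """Name the dropping phase and whether NAT exemption already matched the flow."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.result == "DROP"), None)
    exempt = next((p for p in phases if p.type == "NAT-EXEMPT" and p.result == "ALLOW"), None)
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "drop_phase": drop.number if drop else None,
        "drop_domain": drop.rule.get("domain") if drop else None,
        "drop_dst": drop.rule.get("dst") if drop else None,
        "nat_exempt_matched": exempt is not None,
        "nat_exempt_rule": [c for c in exempt.config if c.startswith("match ")] if exempt else [],
    }
```

Run `diagnose(SAMPLE_TRACE)` on the thread's trace and the report says the flow was already NAT-exempted in phase 5 and then dropped in phase 9 by a `deny=true` rule in the `ipsec-user` domain whose destination is 10.0.0.0/8, which is where to look before touching anything else in the config.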
Tags: Cisco Security
Similar Questions
-
ASA 5505 9.1 Unable to ping inside the IPSec VPN network
To give some background, the ASA has been reloaded and upgraded from 8.2 to 9.1. I am able to connect to the VPN, but unable to reach anything inside, including the inside interface of the ASA. Unfortunately I don't have much experience with 8.3+, but I thought that I had made the NAT appropriately. Nothing else is currently configured on the ASA, as it's just a test ASA currently, so I could have just missed something obvious.
ASA Version 9.1(3)
!
hostname testasa
enable password Ry5/Pmodu2QL1Xe3 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPNPool 192.168.3.1-192.168.3.200 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.2.252 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network obj-inside
 subnet 192.168.2.0 255.255.255.0
object network obj-vpn
 subnet 192.168.3.0 255.255.255.0
access-list VPNGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns 208.67.222.222 198.153.192.40 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy VPNGroup internal
group-policy VPNGroup attributes
 dns-server value 208.67.222.222 198.153.192.40
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup_splitTunnelAcl
 split-tunnel-all-dns disable
 msie-proxy method no-proxy
 vlan none
 nac-settings none
username test password I9znLlryc6yq.BN4 encrypted privilege 15
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup
tunnel-group VPNGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Hello
To be honest, I can't see anything in the configuration that should be a problem.
Your NAT settings seem to be correct.
You have the global setting "sysopt connection permit-vpn", which does not appear in this form in the CLI configuration. This configuration essentially means that the ASA will allow traffic from a VPN connection to bypass the interface ACL of the interface on which the VPN connection terminates (outside).
Your split tunnel ACL is also correct.
You might connect with the VPN Client and run a continuous ICMP to a LAN host and provide the output of the following command after the ICMP has run for a few seconds
show crypto ipsec sa
We should see the VPN counters.
You can also try adding
management-access inside
This should allow you to ICMP the "inside" IP of the ASA and also manage the ASA through the VPN connection using the "inside" IP address, provided you have enabled it. But for this you need to change the "nat" configuration to this
nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn route-lookup
Hope this helps
-Jouni
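The reason the identity twice-NAT line in the posted config has to come before the `after-auto` interface PAT is the order in which an ASA 8.3+ walks its NAT table: manual NAT (Section 1) first, then object NAT (Section 2), then `after-auto` manual NAT (Section 3), first match within each section. The model below is an added example written for this page, not Cisco's code nor anything from the original posts: it encodes the two rules from the config, plus a constructed `MISORDERED` variant where the identity rule is also written as `after-auto` under the catch-all PAT, and shows which rule a LAN-to-VPN-pool flow hits in each case. Object NAT is not modelled because the posted config has none; `outside-interface` is just a label for the DHCP-assigned outside address.

```python
"""Added example, not code from the original post or from Cisco: a small model of
how an ASA 8.3+ walks manual NAT rules (Section 1, then after-auto Section 3,
first match in configured order) to check which rule a LAN-to-VPN-pool flow hits."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ManualNat:
    """One 'nat (inside,outside) [after-auto] source ... [destination ...]' line."""
    section: int          # 1 = manual NAT, 3 = after-auto manual NAT
    src: str              # real source network, or "any"
    dst: str              # real destination network, or "any"
    action: str           # "identity" (static X X) or "pat" (dynamic ... interface)
    mapped: str = ""      # label for the mapped source when action == "pat"

def _match(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)

def _covers(outer, inner):
    """True when every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def first_match(rules, src_ip, dst_ip):
    """Manual NAT is first-match in configured order, Section 1 before Section 3."""
    for section in (1, 3):
        for rule in rules:
            if rule.section == section and _match(rule.src, src_ip) and _match(rule.dst, dst_ip):
                return rule
    return None

def translated_source(rules, src_ip, dst_ip):
    """Source address the flow leaves 'outside' with (identity keeps the real one)."""
    rule = first_match(rules, src_ip, dst_ip)
    return src_ip if rule is None or rule.action == "identity" else rule.mapped

def shadowed(rules):
    """Rules that can never match because an earlier rule already covers all their traffic."""
    ordered = [r for s in (1, 3) for r in rules if r.section == s]
    hidden = []
    for i, later in enumerate(ordered):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst) for e in ordered[:i]):
            hidden.append(later)
    return hidden

# The posted config: identity twice-NAT for LAN <-> VPN pool, then interface PAT for the rest.
POSTED = [
    # nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn
    ManualNat(1, "192.168.2.0/24", "192.168.3.0/24", "identity"),
    # nat (inside,outside) after-auto source dynamic any interface
    ManualNat(3, "any", "any", "pat", "outside-interface"),
]
# Constructed mistake (not in the posted config): identity rule also written as
# after-auto, below the catch-all PAT, so the PAT wins and the identity rule is dead.
MISORDERED = [
    ManualNat(3, "any", "any", "pat", "outside-interface"),
    ManualNat(3, "192.168.2.0/24", "192.168.3.0/24", "identity"),
]
```

With `POSTED`, a LAN host talking to a VPN client (192.168.2.10 to 192.168.3.5) keeps its real address while the same host going to the internet is PATed to the outside interface; with `MISORDERED`, the LAN-to-pool flow is PATed too and `shadowed()` flags the identity rule as unreachable, which is the kind of mistake worth checking before blaming the VPN.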
-
AnyConnect SSL VPN through IPSEC Tunnel
Has anyone been able to set up and connect using Cisco AnyConnect SSL VPN over a Cisco IPsec tunnel? I used this in the past from a Windows XP system but it's not working now. None of my users are able to connect using AnyConnect over IPsec. IPsec on its own works very well.
AnyConnect is also able to create the connection to its ASA firewall, however it's not able to route all traffic through. Do you have any suggestions?
Thanks for the update.
-
Virtual MACHINE is unable to ping host and vice versa
This is a very strange problem. VMware support and Dell have both tried to figure it out. So I'm just throwing it to the community to see if anyone else has experienced this problem and may have a solution. I have 3 identical Dell R720 servers. 2 work with no problem, but 1 (let's call it vm8) has given me problems since day 1. Dell verified the hardware today and updated the BIOS, firmware and drivers on vm8, which did not solve the problem. VMware technicians checked every network parameter in recent weeks and they are currently not the cause.
VM8 has ESXi 5.5.0 installed. The server has 2 NICs with 4 ports each. The current configuration is vmnic 0-3 connected to our LAN, 4-5 to our DMZ and 6-7 to our SAN (iSCSI). HA goes up and down because VM8 loses connectivity to our isolation address (gateway).
VM8 (management IP is 172.20.100.9) has only 1 VM (172.20.100.40). Same subnet (255.255.255.0). Pinging .40 from .9 using vmkping times out. When I ping .9 from .40, the first packet gets a quick response, then all following packets time out. According to VMware, when you ping within (VM to host) it does not go out through the physical network card to the physical switch. Everything is internal with the vmnic and vSwitch. When I ping my gateway (172.20.100.1), the ping is successful. When I ping .9 from my workstation, the first packet times out, then the following packets are answered. It is the exact opposite of pinging the virtual machine.
Here's a better breakdown:
.9 VM8 host
.40 VM on host VM8
.1 gateway
.122 workstation on LAN
.25 vRanger (physical server on LAN)
Ping
.9 to .40 (100% packet loss)
.40 to .9 (75% packet loss) first packet gets a response, then 3 time out
.9 to .122 good ping (0 packet loss)
.122 to .9 (0 packet loss) good ping
.9 to .25 vmkping (75% loss) does not show each packet that is sent, but based on the other results I can assume the first packet times out
.25 to .9 (75% loss) first packet timed out, the following 3 got a response
.40 to .122 good ping (0 packet loss)
.122 to .40 (100% packet loss)
All 3 can ping .1 (every 20 minutes on VM8 I get a "vSphere HA agent on this host failed isolation address 172.20.100.1")
Also, throughout the day, I get the message "vSphere HA agent on this host cannot reach some of the management network addresses of other hosts, and HA may not be able to restart virtual machines if a host failure occurs." I came to work in the morning, and all my VMs on VM8 had migrated to my other 2 hosts. My backups don't work for VMs on VM8. I use vRanger, and when I ping VM8 from the vRanger server (physical server), the first packet times out and the following packets get a response. Then, when vRanger goes to back up my VM, it fails due to the loss of that first packet.
These are things I've already tried. I tested each physical network adapter individually. I removed all the ports on the two NICs to try to isolate a specific port. All 4 vmnics are active adapters in the management network NIC teaming properties and I moved each vmnic individually to unused to test each port. I replaced the Cat6 cables. I used different Dell switches and various switch ports. I even swapped switch ports with another host, to exclude a switch port configuration problem. In addition, port security is disabled on the ports. I upgraded ESXi 5.5.0 to a newer version. There is a known issue with the tg3 driver, which I've updated to the latest version without problem. I also used the tg3 workaround of disabling NetQueue. And we do not use VLANs. Dell technical support says that it is not a hardware problem and thinks it's a layer 2 issue, but does not know where. Basically, it's either an internal problem (meaning strictly on VM8) with the vSwitches or vmnics, or it's a hardware gremlin in our Dell R720 box.
Dell's final recommendation is to wipe the ESXi server and install a clean copy. It's extremely frustrating and I'm out of ideas.
Thanks in advance.
Any chance that you have a duplicate IP address on your network?
-
Virtual machine is unable to ping host ESX
I have an ESX 3.5 Update 4 host server and I have a weird problem. I have searched for days and can't find an answer, so perhaps someone could help me.
My ESX host works perfectly. I can manage it via the web or the VI client. Setting up and installing virtual machines works very well. The problem occurs with the networking of several virtual machines. I have a virtual machine port group that is connected to a virtual switch that is bound to a physical card. The service console is also connected to a single virtual switch. The problem is that only the first virtual machine that is powered on will be able to connect to the internet and other devices and computers on the network. I have 5 different VMs with different operating systems and the same network settings. Whichever one I start first will work, but only that first one. The rest of the virtual machines can only ping the virtual machine that was started first. They can't ping the ESX host or anything on the network.
The network gateway is 192.168.1.254, the ESX host is 192.168.1.110 and the VMs are 192.168.1.111 - 115, the DNS is 192.168.1.50
All virtual machines have static IPs. They each have their own respective IP, the gateways are all set to 192.168.1.254 and DNS to 192.168.1.50
Yet the first one that starts works, and it works perfectly, can see everything on the network and connect to the internet.
SuryaVMware is absolutely right with his suggestion. I went through the same scenario on the 3750s a few months back myself.
If you found this helpful, please consider awarding points
-
I can't do FTP through IPsec Tunnel
Users at the branch office (Perth) cannot do FTP to a server on the internet. We simply want to change the NAT/rules to get there.
Our head office is in Sydney; this router has IPsec VPNs to other areas including Melbourne, Perth, ...
We just want to fix FTP for users in Perth, not for all the other branches.
Everything is IPsec router to router. From the Perth and Sydney routers, I can ping the FTP address (203.171.5.4), but from a client in Perth, I can't ping or telnet to this IP address.
I have uploaded the Sydney and Perth router configs.
Please ask me for more details about the environment.
Thanks in advance,
Reza
Reza,
It's because we are dealing with two different concepts of ACL here.
ACL 160 is applied to an interface (inbound on Ethernet0), so this ACL permits/denies traffic.
ACL 150 is applied to a NAT rule (you cannot delete it because you will lose Internet). I asked to remove the filtering ACL, which is only 160.
The test I was asking for was to remove ACL 160 or add a line like this:
access-list 160 permit ip any any
And check if everything works. Federico.
-
Virtual machine is unable to ping host on vSphere5.1 fresh install
Hello
I did a fresh install of vSphere 5.1 (previously 4.1 was installed and worked well). No vCenter for now.
Running a Paessler PRTG virtual machine on the LAN under Win 2k3 x64.
This virtual machine was moved from 4.1 to 5.1, nothing changed.
This virtual machine can't ping the host. No WMI monitoring either.
A physical computer on the LAN can ping the vSphere host with no problems.
What's wrong?
Thank you
Vincent
According to the screenshots, the subnet mask you use in your local network is 255.255.0.0. As a first step, please run ipconfig /all in the virtual machine to verify that the virtual machine is configured with the same subnet mask. Secondly, run the ping command from the virtual machine, pinging its own IP, to see if it succeeds.
BTW, what type/model of virtual network adapter is configured for the virtual machine?
André
-
Set management address
Unable to ping host on the same network segment
Checked firewall
Dear Madlabs,
Please activate the correct network card as part of the management network in the DCUI
-
Unable to Ping IP across 2 IPsec Tunnels
Hello world
Here's the setup
Server1 - layer 2 switch - ASA1 - L2 tunnel - ASA2 - layer 2 tunnel - ASA3 - layer 2 switch - Server2.
Server1 IP 10.31.2.83/28
Server2 IP 10.31.2.35/28
Server1 has its default gateway to ASA1
Server1 can ping the ASA1 but cannot ping the Server2.
ASA1 is also unable to ping server2.
ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA2 can ping Server2
ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2 can ping Server1
ping 10.31.2.83
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The ACL is allowing the traffic; routing and the crypto map also allow the traffic.
What else can I check?
Any help is appreciated.
Regards
Mahesh
I don't understand what you mean by Layer 2 tunnel. Is it relevant to this question?
Is IPsec involved?
Have you done any basic Layer 3 troubleshooting? Checked the routing information?
(1) ASA2 has 2 interfaces, one for each tunnel?
- Does ASA2 have routes?
- 10.31.2.80 255.255.255.240 to ASA1
- 10.31.2.32 255.255.255.240 to ASA3
(2) ASA2 has only one interface for the two tunnels?
- Do you have same-security-traffic permit intra-interface?
- If IPsec is involved, check the crypto ACLs on ASA2
- 10.31.2.80/28 -> 10.31.2.32/28 to ASA3
- 10.31.2.32/28 -> 10.31.2.80/28 to ASA1
The following commands will help on all three ASAs:
sh route
sh crypto map
sh crypto ipsec sa (look at the packet counters on the SAs)
Best regards, MiKa
-
GRE over IPSec tunnel cannot pass traffic through it
I am trying to configure a GRE over IPsec tunnel between sites. We use a Cisco 7613 router with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin). We are facing problems when we use the tunnel because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it doesn't work anymore when I paste the configuration onto the new 7613 router.
Head office
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.89
 set transform-set IPSec_PLC
 match address 100
!
!
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.94 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial0/1/0:0
 tunnel destination 167.134.216.89
interface Serial0/1/0:0
 ip address 167.134.216.90 255.255.255.252
 crypto map PLC-CUM
access-list 100 permit gre host 167.134.216.90 host 167.134.216.89
router eigrp 100
 network 167.134.216.92 0.0.0.3
Directorate General
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.90
 set transform-set IPSec_PLC
 match address 100
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.93 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial1/0/0:1
 tunnel destination 167.134.216.90
interface Serial1/0/0:1
 bandwidth 1984
 ip address 167.134.216.89 255.255.255.252
 ip access-group 101 in
 load-interval 30
 no fair-queue
 crypto map PLC-CUM
access-list 100 permit gre host 167.134.216.89 host 167.134.216.90
ER-7600#sh crypto isakmp sa
dst             src             state          conn-id slot
167.134.216.89  167.134.216.90  QM_IDLE              3    0
ER-3845#sh crypto isakmp sa
dst             src             state          conn-id slot status
167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE
ER-3845#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial0/1/0:0   167.134.216.90  set    HMAC_SHA+AES_CBC          0        0
3001 Serial0/1/0:0   167.134.216.90  set    AES+SHA                   0        0
3002 Serial0/1/0:0   167.134.216.90  set    AES+SHA                  61        0
ER-7600#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
2000 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0       66
2001 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
I had this error on the ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet
and this one on the ER-7600: %IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Please help, it's so frustrating...
Thanks in advance
Oscar
Here is a document from Cisco that clearly states that the crypto map is needed on both the physical and the tunnel interface.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
It may be useful.
Manish
-
Site VPN to IPsec with PAT through the tunnel configuration example
Hello
As I have read a lot about site-to-site VPN connections
and passing PAT through them, I still haven't found an example configuration for it on an ASA 55xx. Now, I have the following setup with two locations A and B.
Site A 192.168.0.0/24 - ipsec - Site B 192.168.200.0/24
Site A 172.16.16.0/24
---------------------------------------------------------------------------
Host 192.168.0.4 --> participating IP: 192.168.0.3 --> to 192.168.200.20
Host 192.168.0.127 --> participating IP: 192.168.0.3 --> to 192.168.200.20
Host 192.168.0.129 --> participating IP: 192.168.0.3 --> to 192.168.200.20
Host 192.168.0.253 --> participating IP: 192.168.0.3 --> to 192.168.200.20
Host 172.16.16.127 --> participating IP: 192.168.0.3 --> to 192.168.200.20
Host 172.16.16.253 --> participating IP: 192.168.0.3 --> to 192.168.200.20
---------------------------------------------------------------------------
Now I have hosts scattered across the 172.16.16.0 and 192.168.0.0 networks
which need to access a terminal server at Site B. As I have no influence on where and when hosts pop up in my site,
I would like to hide them behind a single IP address toward Site B. If new hosts need access, or old hosts can be deleted,
it's as simple as an ACL entry or conveniently removing the network object. So I guess the ACL looks like this:
---------------------------------------------------------------------------
access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.4 host 192.168.200.20
access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.127 host 192.168.200.20
access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.129 host 192.168.200.20
access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.253 host 192.168.200.20
access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.127 host 192.168.200.20
access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.253 host 192.168.200.20
---------------------------------------------------------------------------
But now my big question is, how do I tell the ASA to use 192.168.0.3 as the
address for the PAT translation? Something like this, which says it must be treated according to the policy:
nat (inside) 1 access-list VPN-PARTICIPATED-HOSTS
Now how do I do that?
The rest of the config, I guess, will be quite normal, as follows:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.CC.DD
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20
---------------------------------------------------------------------------
On SITE B
the config is pretty simple:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <SITE A IP>
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3
access-list inside_nat0_outbound extended permit ip host 192.168.200.20 host 192.168.0.3
---------------------------------------------------------------------------
Thank you for your extra eyes and precious time!
Colin
You want to PAT the traffic that goes through the tunnel?
access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 1 access-list PAT
global (outside) 1 192.168.0.3 netmask 255.255.255.255
Then, the VPN ACL applied to the crypto map:
access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0
Thus, all traffic from Site A will be PATed when going to the remote 192.168.200.0/24.
The interesting thing is that traffic can only be initiated from your end.
The remote end cannot initiate traffic to 192.168.0.3 if there is no translation built dynamically on your side.
Is that what you are looking for?
Federico.
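Two things in this thread call for the same check: MiKa asks Mahesh to confirm that ASA2's crypto ACLs mirror what ASA1 and ASA3 expect, and Federico's change to Site A's crypto ACL (host 192.168.0.3 to the whole 192.168.200.0/24) only works if Site B's ACL is changed to its mirror image, which the posted Site B config does not yet do. The script below is an added example written for this page, not code from either post or from Cisco: it parses ASA `access-list NAME [extended] permit ip SRC DST` lines and reports entries that have no exact mirror on the other side. The Site A/Site B lines are taken from the thread; the ASA2/ASA3 lines are constructed from the networks in MiKa's answer.

```python
"""Added example, not code from the original posts: verify that the crypto ACLs on
both ends of a site-to-site IPsec tunnel are mirror images of each other.
Understands the ASA 'access-list NAME [extended] permit ip SRC DST' form only."""
from ipaddress import ip_network

def _endpoint(tokens):
    """Consume 'host A', 'any' or 'NET MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(lines):
    """Return the set of (src_net, dst_net) pairs for every 'permit ip' entry."""
    pairs = set()
    for line in lines:
        t = line.split()
        if "permit" not in t:
            continue
        i = t.index("permit")
        if i + 1 >= len(t) or t[i + 1] != "ip":
            continue                      # only IP entries are compared here
        src, rest = _endpoint(t[i + 2:])
        dst, _ = _endpoint(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatch(local_lines, remote_lines):
    """Entries with no exact mirror on the other side, as sorted 'src->dst' strings."""
    local = parse_crypto_acl(local_lines)
    remote = parse_crypto_acl(remote_lines)
    expected_remote = {(d, s) for s, d in local}

    def fmt(pairs):
        return sorted(f"{s}->{d}" for s, d in pairs)

    return {
        "missing_on_remote": fmt(expected_remote - remote),   # remote must add these
        "extra_on_remote": fmt(remote - expected_remote),     # remote has these, local does not
    }

# Colin's original pair, as posted (mirrored).
SITE_A_ORIG = ["access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20"]
SITE_B = ["access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3"]
# Site A after Federico's change, with Site B left as posted.
SITE_A_PAT = ["access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0"]
# Constructed from the networks in MiKa's answer: ASA2 toward ASA3, and ASA3's mirror.
ASA2_TO_ASA3 = ["access-list to-asa3 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240"]
ASA3_TO_ASA2 = ["access-list to-asa2 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.80 255.255.255.240"]
```

`mirror_mismatch(SITE_A_PAT, SITE_B)` reports that Site B is missing `192.168.200.0/24->192.168.0.3/32` and still carries the old `192.168.200.20/32->192.168.0.3/32` entry; until that is fixed, Phase 2 will either fail or come up with proxy identities that do not cover the PATed traffic. The order of operations also matters: on pre-8.3 code NAT happens before the crypto ACL is consulted, so the crypto ACL must name the translated address 192.168.0.3, as Federico's `access-list vpn` line does, not the real hosts in VPN-PARTICIPATED-HOSTS.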
-
Any traffic sent through my IPsec tunnel
Hi support community,
I've been struggling for days with what is, I guess, something very basic.
I have a router that I want to connect to my ASA via VPN. This router has a dynamic IP, so I managed to bring up the tunnel with a dynamic crypto map, and the router falls into the DefaultL2LGroup (I guess I have no choice anyway, correct me if I'm wrong). So that part is OK now, the tunnel is UP.
However, on the ASA, I can see packets entering the tunnel but no packet goes out from the ASA to the router.
The ASA's private network is 192.168.250.0/24 and the router's is 192.168.242.0/24.
And here is the configuration:
access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0
crypto dynamic-map CIPAC-ENERGY-VALE3 2 match address OPT_cryptomap_2
crypto map OPT_map 2 ipsec-isakmp dynamic CIPAC-ENERGY-VALE3
I don't understand what I'm missing. I tried to ping the interface on the ASA (I have a permit icmp any any on the interface), but without success.
Does this mean that packets are decapsulated and still don't reach the virtual interface on the ASA?
Tunnel is UP:
show crypto isakmp sa detail
IKE Peer: 180.214.xx.102
Type: L2L Role: responder
Rekey: no State: MM_ACTIVE
Encrypt: aes-256 Hash: SHA
Auth: preshared Lifetime: 86400
show crypto ipsec sa
peer address: 180.214.xx.102
Crypto map tag: CIPAC-ENERGY-VALE3, seq num: 2, local addr: 202.xxx.xx.14
access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer: 180.214.xx.102
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 90, #pkts decrypt: 80, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 202.xxx.xx.14/0, remote crypto endpt.: 180.214.xx.102/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: B30EBC2B
current inbound spi: 52DD8189
Ping from the ASA interface to the router:
ASA001# ping
TCP Ping [n]:
Interface: CLT-CIPAC-VALE (192.168.250.1)
Target IP address: 192.168.242.254
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.242.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
And still no traffic sent through the tunnel.
As I'm not familiar with IPsec, any help or troubleshooting guidelines would be really appreciated; I've been through a lot of documentation (forums, Cisco guides and other items).
Best regards
Florian
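A defender-side way to read the counter block above is to parse it and check the encaps/decaps balance: this SA decapsulates the peer's packets but never encapsulates any, so the return path (routing toward the remote subnet, NAT exemption, crypto ACL) is where to look, not the tunnel negotiation itself. The script below is an added example, not code from the post or from Cisco; the sample text is constructed in the standard ASA layout using the counter values quoted above, and the hint strings are this example's own checklist.

```python
import re

# Constructed sample: the "#pkts" counter lines of "show crypto ipsec sa" in
# the standard ASA layout, with the values quoted in the post above.
SAMPLE_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 90, #pkts decrypt: 80, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
"""

# "#pkts <name>[ (send|rcv)]: <number>"; the name is letters and spaces only
COUNTER_RE = re.compile(r"#pkts ([a-z ]+?(?: \((?:send|rcv)\))?): (\d+)")


def parse_counters(text):
    """Return {counter_name: int} for every '#pkts name: N' field in text."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}


def diagnose_direction(counters):
    """Classify the SA's traffic pattern from its encaps/decaps counters."""
    enc = counters.get("encaps", 0)
    dec = counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"           # nothing has ever matched this SA
    if enc == 0:
        return "inbound-only"   # peer's packets arrive, nothing is sent back
    if dec == 0:
        return "outbound-only"  # we send, the peer never answers
    return "bidirectional"


def hints(counters):
    """Checklist items implied by the counters (this example's own wording)."""
    out = []
    if diagnose_direction(counters) == "inbound-only":
        out.append("return traffic never reaches the crypto map: check routing "
                   "toward the remote subnet, NAT exemption and the crypto ACL")
    if counters.get("invalid identity (rcv)", 0):
        out.append("decrypted packets fall outside the negotiated proxy "
                   "identities: compare the crypto ACLs on both peers")
    return out


if __name__ == "__main__":
    c = parse_counters(SAMPLE_SA)
    print(diagnose_direction(c))
    for h in hints(c):
        print("-", h)
```

Feed it the real output of `show crypto ipsec sa` and the classification tells you which side of the tunnel to troubleshoot first; a non-zero "invalid identity (rcv)" counter, as in the post, is a separate signal that the two peers disagree on what the tunnel carries.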
If you try to ping the inside interface, try 'management-access inside' and see if it works.
Thank you
Tarik Admani
*Please rate helpful posts*
-
ASA 8.6 - L2L IPsec tunnel established - not possible to ping
Hello everyone,
I have a configuration problem with a CISCO ASA 5512-X (IOS 8.6).
The IPsec tunnel is established between the ASA and another non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.
I'm trying to interconnect the local network 192.168.2.0/24 (CISCO, DMZ interface) and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password oBGOJTSctBcCGoTh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object network internal-subnet
 subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
 host Y.Y.Y.Y
object network webserver
 host 192.168.2.100
object network vpn-local-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
access-list dmz_acl extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network internal-subnet
 nat (inside,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static webserver-external-ip service tcp www www
access-group dmz_acl global
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des-GNAT
 protocol esp encryption 3des
 protocol esp integrity md5
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev2 policy 1
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
 default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA ping:
ciscoasa# ping DMZ 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Ping from router (debug on the Cisco):
ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea what I am doing wrong? Probably some bad NAT/ACL, I suppose, but I could only ever find something for IOS 8.4 and not 8.6... Perhaps, no doubt, I have also cluttered the configuration with unwanted commands, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello,
I've never used the "global" option in ACLs, but it looks to be the origin of the problem. Cisco doc:
"Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always for the In direction, never the Out direction.)"
Your ACL: access-list dmz_acl extended permit icmp any any echo
For example, when you launch the ping from the ASA, there is an echo-reply from the router on the outside interface --> the global ACL can block it.
Then, when initiated from the router, the ASA sends an echo-reply, which is blocked again.
Try to add a permit for echo-reply as well.
In addition, you can use "inspect icmp" in the global policy rather than the ACL.
If none of this works, you can do another troubleshoot with packet-tracer on the ASA.
THX
MS
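The first-match and implicit-deny behaviour this reply relies on can be modelled to see why a global ACL that permits only echo drops the echo-reply of a ping sent through the tunnel, and how each of the two suggested fixes changes the outcome. This is an added example in Python, not Cisco code and not from the thread; the Policy class is a simplification (the interface's own inbound ACL is checked first, then the global ACL, then the implicit deny) and the inspect_icmp flag models the ASA matching the reply to the request's connection entry instead of consulting the ACL.

```python
from collections import namedtuple

# One ACL entry: action is "permit"/"deny", proto is "icmp"/"tcp"/.../"ip",
# icmp_type is an ICMP type name or None for "any type".
Rule = namedtuple("Rule", "action proto icmp_type")


class Policy:
    """Simplified inbound access policy: per-interface ACLs plus one global ACL
    (assumption of this example: interface ACL first, then global, then deny)."""

    def __init__(self, interface_acls, global_acl):
        self.interface_acls = interface_acls   # {nameif: [Rule, ...]}
        self.global_acl = global_acl           # [Rule, ...]

    def inbound_permitted(self, iface, proto, icmp_type=None):
        for rule in self.interface_acls.get(iface, []) + self.global_acl:
            if rule.proto not in (proto, "ip"):
                continue
            if rule.icmp_type is not None and rule.icmp_type != icmp_type:
                continue
            return rule.action == "permit"     # first match wins
        return False                           # implicit deny at the end


def ping_exchange(policy, req_iface, rep_iface, inspect_icmp):
    """Return (request_ok, reply_ok) for an echo that enters on req_iface and
    whose echo-reply later comes back in on rep_iface."""
    request_ok = policy.inbound_permitted(req_iface, "icmp", "echo")
    if not request_ok:
        return False, False
    if inspect_icmp:
        reply_ok = True   # stateful: reply is tied to the request's connection
    else:
        reply_ok = policy.inbound_permitted(rep_iface, "icmp", "echo-reply")
    return request_ok, reply_ok


# Constructed from the post above: a single global ACL permitting only echo.
ORIGINAL = Policy({}, [Rule("permit", "icmp", "echo")])
# The reply's first suggestion: permit echo-reply in the same ACL.
WITH_ECHO_REPLY = Policy({}, [Rule("permit", "icmp", "echo"),
                              Rule("permit", "icmp", "echo-reply")])


if __name__ == "__main__":
    # A DMZ host pings the remote LAN: request enters DMZ, reply enters outside.
    print("original, no inspect icmp:", ping_exchange(ORIGINAL, "DMZ", "outside", False))
    print("echo-reply added:        ", ping_exchange(WITH_ECHO_REPLY, "DMZ", "outside", False))
    print("original + inspect icmp: ", ping_exchange(ORIGINAL, "DMZ", "outside", True))
```

The model shows the asymmetry the reply describes: the request passes because the echo entry matches, but without either a matching echo-reply entry or ICMP inspection the reply hits the implicit deny.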
-
Cannot reach the destination of an IPsec tunnel through another IPsec tunnel
Hi all,
I have a PIX 515E version 8.0(2).
I have two remote sites connected to this PIX via IPsec tunnels.
Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB from remoteSiteA.
Thus:
SiteA (10.30.8.254) <----- ipsec -----> PIX1 (10.0.8.1) <----------------> SiteX
SiteB (10.138.34.21) <----- ipsec -----> PIX1 (10.0.8.1) <----------------> SiteX
SiteA can ping SiteX
SiteB can ping SiteX
SiteA cannot ping SiteB
SiteB cannot ping SiteA
If I do show crypto ipsec sa I see the appropriate subnets:
Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1
access-list ACLVPN-TO_SITEA permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
local ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)
current_peer: 104.86.2.4
Crypto map tag: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1
access-list ACLVPN-TO_SITEB permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
local ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)
current_peer: 216.178.200.200
Log messages that seem to point to the problem...
Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.138.34.21, its source as 10.30.8.254, and its protocol as 6. The SA specifies its local proxy as 10.0.8.0/255.255.255.0/0/0 and its remote_proxy as 10.30.8.254/255.255.255.255/0/0.
My question is really: do I have to do something funky to allow traffic to pass between the two tunnels?
Hello,
This would be much easier if we could see the actual configurations.
But here are some things to confirm in the configurations (some of them you mentioned above, but I'll still mention them once again):
- Make sure that on each firewall you have set the appropriate L2L VPN ACL
- Make sure that you have configured NAT0 on the central PIX "outside" interface for Site A and Site B
- Make sure the central PIX has "same-security-traffic permit intra-interface" configured. This will allow Site A traffic to enter the central PIX "outside" interface and head back out the same interface to Site B, and vice versa.
Here are some example configurations that might be required, provided everything else is OK. (I assume that all devices are Cisco.)
Central PIX
same-security-traffic permit intra-interface
Site A connection
access-list SITE-A-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254
access-list SITE-A-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
Site B connection
access-list SITE-B-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
access-list SITE-B-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
NAT0
access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254
access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
nat (inside) 0 access-list INSIDE-NAT0
access-list OUTSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
access-list OUTSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
nat (outside) 0 access-list OUTSIDE-NAT0
Site A
access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.0.8.0 255.255.255.0
access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.0.8.0 255.255.255.0
access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
nat (inside) 0 access-list INSIDE-NAT0
Site B
access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0
access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
nat (inside) 0 access-list INSIDE-NAT0
Hope this helps
-Jouni
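Two of the checks in this reply can be automated from the information already in the thread: whether the inner packet named in the %PIX-4-402116 message fits the proxy identities of the SA it arrived on, and whether every crypto ACL entry has an exact mirror on the far peer (the spoke-to-spoke pairs are the ones usually missing). The code is an added example, not part of the thread or of Cisco's tooling; the syslog line is reconstructed in the standard message format from the values quoted in the question, and the two Site A ACL lists are assumptions (the thread does not show Site A's configuration), chosen to reproduce the state before and after the reply's second CENTRAL-SITE-CRYPTOMAP entry is added.

```python
import ipaddress
import re


def net(addr, mask):
    """Build a network from dotted address plus dotted mask (ASA ACL notation)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def entry(src, src_mask, dst, dst_mask):
    """One 'permit ip <src> <mask> <dst> <mask>' crypto ACL line as a (src, dst) pair."""
    return (net(src, src_mask), net(dst, dst_mask))


def unmirrored(local_acl, remote_acl):
    """Entries of local_acl whose exact mirror (dst, src) is absent from remote_acl.
    Proxy identities are negotiated from these entries, so both peers need
    matching mirrored pairs or traffic lands in an SA that does not cover it."""
    return [e for e in local_acl if (e[1], e[0]) not in remote_acl]


# Fields of the standard 402116 text: packet dst/src/proto, then SA proxies.
LOG_RE = re.compile(
    r"destination as (\S+), its source as (\S+), and its protocol as (\d+)\. "
    r"The SA specifies its local proxy as (\S+?)/(\S+?)/\S+?/\S+? "
    r"and its remote_proxy as (\S+?)/(\S+?)/\S+?/\S+?\.")


def parse_402116(line):
    """Extract packet addresses and SA proxies from a %PIX/%ASA-4-402116 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 402116 'decapsulated inner packet' message")
    dst, src, proto, lp, lm, rp, rm = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "local_proxy": net(lp, lm), "remote_proxy": net(rp, rm)}


def inner_packet_matches_sa(event):
    """A received (decapsulated) packet must have its source inside the SA's
    remote proxy and its destination inside the SA's local proxy."""
    return (event["src"] in event["remote_proxy"]
            and event["dst"] in event["local_proxy"])


# Constructed syslog line in the standard format, values from the question above.
SAMPLE_LOG = (
    "%PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence "
    "number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1. The "
    "decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 10.138.34.21, its source as "
    "10.30.8.254, and its protocol as 6. The SA specifies its local proxy as "
    "10.0.8.0/255.255.255.0/0/0 and its remote_proxy as "
    "10.30.8.254/255.255.255.255/0/0.")

# Central PIX toward Site A (the SA output and the reply's SITE-A-CRYPTOMAP).
CENTRAL_TO_A = [entry("10.0.8.0", "255.255.255.0", "10.30.8.254", "255.255.255.255"),
                entry("10.138.34.16", "255.255.255.240", "10.30.8.254", "255.255.255.255")]
# Assumed Site A crypto ACL covering only the central LAN (not shown in the thread).
SITE_A_BEFORE = [entry("10.30.8.254", "255.255.255.255", "10.0.8.0", "255.255.255.0")]
# Site A after adding the reply's second CENTRAL-SITE-CRYPTOMAP entry.
SITE_A_AFTER = SITE_A_BEFORE + [
    entry("10.30.8.254", "255.255.255.255", "10.138.34.16", "255.255.255.240")]


if __name__ == "__main__":
    ev = parse_402116(SAMPLE_LOG)
    print("inner packet fits SA proxies:", inner_packet_matches_sa(ev))
    print("missing on Site A (before):", unmirrored(CENTRAL_TO_A, SITE_A_BEFORE))
    print("missing on Site A (after): ", unmirrored(CENTRAL_TO_A, SITE_A_AFTER))
```

Running it shows that the logged packet (10.30.8.254 to 10.138.34.21) arrived on the SA whose local proxy is only 10.0.8.0/24, which is exactly what a missing Site B entry on the Site A side produces; the mirror check then points at the entry to add, and the same function can be run for the Site B pair and for the NAT0 lists.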
-
Does intercept-dhcp work for L2TP over IPsec tunnels on the ASA?
Hello,
Is there anyone in the world running an L2TP over IPsec tunnel on a Cisco ASA for native Windows clients with a fully functional split tunnel configuration?
I created an L2TP over IPsec tunnel on an ASA 5520 running software version 9.1(6). My configuration is:
ip local pool VPN_Users 172.23.32.1-172.23.33.255 mask 255.255.252.0
access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0
crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set WIN10 mode transport
crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WIN7 mode transport
crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface ipsec
crypto isakmp nat-traversal 29
crypto isakmp disconnect-notify
crypto ikev1 enable ipsec
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
exit
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
exit
group-policy EIK_USERS_RA internal
group-policy EIK_USERS_RA attributes
 dns-server value 12.34.56.7 12.34.56.8
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage disable
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ROUTING_SPLIT
 default-domain value ad.NYME.Hu
 intercept-dhcp enable
 user-authentication enable
 address-pools value VPN_Users
exit
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group challenger
 accounting-server-group challenger
 default-group-policy EIK_USERS_RA
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
exit
Now, the native Windows clients can connect using this tunnel group:
our-asa# show vpn-sessiondb remote
Session Type: IKEv1 IPsec
Username: w10vpn Index: 1
Assigned IP: 172.23.32.2 Public IP: 12.34.56.9
Protocol: IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License: Other VPN
Encryption: IKEv1: (1)3DES IPsecOverNatT: (1)AES256 L2TPOverIPsecOverNatT: (1)none
Hashing: IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 L2TPOverIPsecOverNatT: (1)none
Bytes Tx: 1233 Bytes Rx: 10698
Group Policy: EIK_USERS_RA Tunnel Group: DefaultRAGroup
Login Time: 15:12:29 UTC Fri Apr 8 2016
Duration: 0:00:01:00
Inactivity: 0h:00m:00s
NAC Result: Unknown
VLAN Mapping: N/A VLAN: none
However, real communication over the tunnel only takes place if I 'Use default gateway on remote network'. If I disable this option in the IPv4 properties of the VPN virtual interface in Control Panel, as described in the 'Split Tunnel Configuration' section of This DOCUMENT, then Windows sends all packets through the tunnel, because it fails to retrieve the routing table from the ASA. Split routing works perfectly when using the legacy Cisco VPN Client with the same group policy, but does not work with L2TP over IPsec.
As far as I can see, the 'intercept-dhcp' option is ineffective somehow. I even managed to capture packets on the PPP virtual interface of a Windows XP machine, and I saw that Windows sends its DHCP INFORM requests, but the ASA does not. My question is why?
- Did I make a mistake in the above configuration?
- Can there be an option somewhere else in my running config that disables intercept-dhcp?
- Or is there a software bug in my ASA firmware version? (BTW, I tried with several different software versions without success.)
Hi, I have the same problem you have, but I was lucky enough to be able to install version 9.2(4), on which this feature works very well. I suspect that it is a bug, but I need to dig a little deeper. If I find something interesting I'll share it here.