Unable to Ping IP across 2 IPsec Tunnels

Hello everyone,

Here is the setup:

Server1 - Layer 2 switch - ASA1 - L2 tunnel - ASA2 - Layer 2 tunnel - ASA3 - Layer 2 switch - Server2.

Server1 IP 10.31.2.83/28

Server2 IP 10.31.2.35/28

Server1 has its default gateway to ASA1

Server1 can ping the ASA1 but cannot ping the Server2.

ASA1 is also unable to ping server2.

ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA2 can ping the Server2

ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10

ASA2 can ping Server1

ping 10.31.2.83
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10

The ACL is allowing the traffic; routing and the crypto map also allow the traffic.

What else can I check?

Any help is appreciated.

Regards,

Mahesh

I don't understand what you mean by Layer 2 tunnel. Is it relevant to this question?

Is IPsec involved?

Have you done any basic Layer 3 troubleshooting? Checked the routing information?

(1) Does ASA2 have 2 interfaces, one for each tunnel?

  • Does ASA2 have routes for:

    • 10.31.2.80 255.255.255.240 to ASA1
    • 10.31.2.32 255.255.255.240 to ASA3

(2) Does ASA2 have only one interface for the two tunnels?

  • Do you have same-security-traffic permit intra-interface?
  • If IPsec is involved, do the crypto ACLs on ASA2 include:
    • 10.31.2.80/28 -> 10.31.2.32/28 to ASA3
    • 10.31.2.32/28 -> 10.31.2.80/28 to ASA1

The following commands will help on all three ASAs:

sh route

sh crypto map

sh crypto ipsec sa (look for the packet counters on the SAs)

Best regards, MiKa
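
The checks in the reply above for a hub with one interface (mirrored crypto ACL entries for the two server subnets on every hop, plus same-security-traffic permit intra-interface on ASA2), as an added example that is not part of the original thread. It walks a flow hop by hop over constructed configs; the peer addresses (192.0.2.x), the ACL names, the crypto map name VPN and the hub subnet 10.31.2.64/28 are assumptions, and only subnet/mask ACL entries are parsed.

```python
import ipaddress
import re

# Added example. Only "permit ip <net> <mask> <net> <mask>" crypto ACL entries are
# parsed; object and object-group entries are ignored.
ACL = re.compile(r"access-list (\S+) extended permit ip "
                 r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
MATCH = re.compile(r"crypto map \S+ (\d+) match address (\S+)$")
PEER = re.compile(r"crypto map \S+ (\d+) set peer (\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse(config):
    """Return ({peer_ip: [(src_net, dst_net), ...]}, hairpin_enabled)."""
    acls, acl_of_seq, peer_of_seq, hairpin = {}, {}, {}, False
    for line in (l.strip() for l in config.splitlines()):
        if line == HAIRPIN:
            hairpin = True
        elif m := ACL.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MATCH.match(line):
            acl_of_seq[m.group(1)] = m.group(2)
        elif m := PEER.match(line):
            peer_of_seq[m.group(1)] = m.group(2)
    tunnels = {peer_of_seq[seq]: acls.get(name, [])
               for seq, name in acl_of_seq.items() if seq in peer_of_seq}
    return tunnels, hairpin


def covers(entries, src, dst):
    """True if any (src_net, dst_net) entry matches the src -> dst flow."""
    return any(src in s and dst in d for s, d in entries)


def check_path(devices, path, src, dst):
    """Walk src -> dst across the ASAs in `path`; return problems (empty = OK)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    parsed = {name: parse(devices[name]["config"]) for name in path}
    problems = []
    for here, nxt in zip(path, path[1:]):
        out = parsed[here][0].get(devices[nxt]["peer_ip"], [])
        back = parsed[nxt][0].get(devices[here]["peer_ip"], [])
        if not covers(out, src, dst):
            problems.append(f"{here}: crypto ACL to {nxt} misses {src} -> {dst}")
        if not covers(back, dst, src):
            problems.append(f"{nxt}: crypto ACL to {here} has no mirror {dst} -> {src}")
    for hub in path[1:-1]:  # assumes the hub terminates both tunnels on one interface
        if not parsed[hub][1]:
            problems.append(f"{hub}: '{HAIRPIN}' is missing")
    return problems


# Constructed configs: every crypto ACL only covers the hub's own subnet.
BROKEN = {
    "ASA1": {"peer_ip": "192.0.2.1", "config": """
access-list TO-ASA2 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.64 255.255.255.240
crypto map VPN 10 match address TO-ASA2
crypto map VPN 10 set peer 192.0.2.2
"""},
    "ASA2": {"peer_ip": "192.0.2.2", "config": """
access-list TO-ASA1 extended permit ip 10.31.2.64 255.255.255.240 10.31.2.80 255.255.255.240
access-list TO-ASA3 extended permit ip 10.31.2.64 255.255.255.240 10.31.2.32 255.255.255.240
crypto map VPN 10 match address TO-ASA1
crypto map VPN 10 set peer 192.0.2.1
crypto map VPN 20 match address TO-ASA3
crypto map VPN 20 set peer 192.0.2.3
"""},
    "ASA3": {"peer_ip": "192.0.2.3", "config": """
access-list TO-ASA2 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.64 255.255.255.240
crypto map VPN 10 match address TO-ASA2
crypto map VPN 10 set peer 192.0.2.2
"""},
}

# Lines that add the server-to-server entries from the reply and the hairpin command.
NET1, NET2, M = "10.31.2.80", "10.31.2.32", "255.255.255.240"
EXTRA = {
    "ASA1": [f"access-list TO-ASA2 extended permit ip {NET1} {M} {NET2} {M}"],
    "ASA2": [f"access-list TO-ASA1 extended permit ip {NET2} {M} {NET1} {M}",
             f"access-list TO-ASA3 extended permit ip {NET1} {M} {NET2} {M}",
             HAIRPIN],
    "ASA3": [f"access-list TO-ASA2 extended permit ip {NET2} {M} {NET1} {M}"],
}
FIXED = {name: {**dev, "config": dev["config"] + "\n".join(EXTRA[name])}
         for name, dev in BROKEN.items()}
PATH = ["ASA1", "ASA2", "ASA3"]

if __name__ == "__main__":
    for label, devices in (("before", BROKEN), ("after", FIXED)):
        print(label, check_path(devices, PATH, "10.31.2.83", "10.31.2.35") or "OK")
```

In the "before" set each ASA can still reach its direct neighbour's subnet, which is why a check that only looks at one tunnel at a time passes while the end-to-end flow is dropped.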

Tags: Cisco Security

Similar Questions

  • Unable to Ping hosts through IPSec Tunnel

    I have a home lab configuration with a PIX 515 running code 8.03.  I've made several changes over the last week and now when I terminate a VPN connection on the outside interface, I'm unable to reach the internal resources.  My VPN connection comes from 10.22.254.0/24, trying to reach the internal nodes on 10.22.1.0/24, see below.  When I terminate a VPN connection on the inside interface it works, so I guess that I'm dealing with a NAT problem?   I have no idea why Phase 9 is a failure.  Any help would be great!

    -------

    access-list sheep extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

    nat (inside) 0 access-list sheep

    -------

    global (outside) 1 interface

    -------

    access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

    -------

    packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0   0.0.0.0   outside

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true
    hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 4
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
    hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 5
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside) 0 access-list sheep
    nat-control
      match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
        NAT exempt
        translate_hits = 6, untranslate_hits = 5
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
    hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=10.22.1.0, mask=255.255.255.0, port=0
    dst ip=10.22.254.0, mask=255.255.255.0, port=0

    Phase: 6
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
    nat-control
      match ip inside 10.22.1.0 255.255.255.0 DMZ any
        static translation to 10.22.1.0
        translate_hits = 10, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x2d52800, priority=5, domain=host, deny=false
    hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.22.1.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat-control
      match ip inside any outside any
        dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
        translate_hits = 2909, untranslate_hits = 9
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x2d4a7d0, priority=1, domain=nat, deny=false
    hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 8
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x3328000, priority=70, domain=encrypt, deny=false
    hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.22.1.0, mask=255.255.255.0, port=0
    dst ip=10.0.0.0, mask=255.0.0.0, port=0

    Phase: 9
    Type: ACCESS-LIST
    Subtype: ipsec-user
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x3329a48, priority=69, domain=ipsec-user, deny=true
    hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.0.0.0, mask=255.0.0.0, port=0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    No, the sheep ACL needs to define the traffic from the internal network to the VPN pool.  You must remove the other entries.

    Delete:

    access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
    access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

  • ASA 8.6 - l2l IPsec tunnel established - not possible to ping

    Hello everyone,

    I have a configuration problem with a Cisco ASA 5512-X (IOS 8.6).

    The IPsec tunnel is established between the ASA and another non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.

    I'm trying to interconnect the local network 192.168.2.0/24 (Cisco, DMZ interface) and 192.168.3.0/24 (router).

    The Cisco ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

    Here is the output of "show run":

    ---------------------------------------------------------------------------------------------------------------------------------------------

    ASA 1.0000 Version 2

    !

    ciscoasa hostname

    activate oBGOJTSctBcCGoTh encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    address IP X.X.X.X 255.255.255.0

    !

    interface GigabitEthernet0/1

    nameif inside

    security-level 100

    the IP 192.168.0.1 255.255.255.0

    !

    interface GigabitEthernet0/2

    nameif DMZ

    security-level 50

    IP 192.168.2.1 255.255.255.0

    !

    interface GigabitEthernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/4

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/5

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    management only

    !

    passive FTP mode

    internal subnet object-

    192.168.0.0 subnet 255.255.255.0

    object Web Server external network-ip

    host Y.Y.Y.Y

    Network Web server object

    Home 192.168.2.100

    network vpn-local object - 192.168.2.0

    Subnet 192.168.2.0 255.255.255.0

    network vpn-remote object - 192.168.3.0

    subnet 192.168.3.0 255.255.255.0

    outside_acl list extended access permit tcp any object Web server

    outside_acl list extended access permit tcp any object webserver eq www

    access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

    access-list dmz_acl extended permit icmp any any echo

    pager lines 24

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 DMZ

    management of MTU 1500

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

    !

    internal subnet object-

    NAT dynamic interface (indoor, outdoor)

    Network Web server object

    NAT (DMZ, outside) Web-external-ip static tcp www www Server service

    access-group dmz_acl global

    Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    Enable http server

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

    Crypto ipsec ikev2 proposal ipsec 3des-GNAT

    Esp 3des encryption protocol

    Esp integrity md5 Protocol

    Crypto dynamic-map dynMidgeMap 1 match l2l-address list

    Crypto dynamic-map dynMidgeMap 1 set pfs

    Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

    Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

    Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

    Crypto dynamic-map dynMidgeMap 1 the value reverse-road

    midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

    midgeMap interface card crypto outside

    ISAKMP crypto identity hostname

    IKEv2 crypto policy 1

    3des encryption

    the md5 integrity

    Group 2

    FRP md5

    second life 86400

    Crypto ikev2 allow outside

    Crypto ikev1 allow outside

    IKEv1 crypto policy 1

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal midgeTrialPol group policy

    attributes of the strategy of group midgeTrialPol

    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

    enable IPSec-udp

    tunnel-group midgeVpn type ipsec-l2l

    tunnel-group midgeVpn General-attributes

    Group Policy - by default-midgeTrialPol

    midgeVpn group of tunnel ipsec-attributes

    IKEv1 pre-shared-key *.

    remote control-IKEv2 pre-shared-key authentication *.

    pre-shared-key authentication local IKEv2 *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

    : end

    ------------------------------------------------------------------------------------------------------------------------------

    X.X.X.X - ASA public IP

    Y.Y.Y.Y - a web server

    Z.Z.Z.Z - default gateway

    -------------------------------------------------------------------------------------------------------------------------------

    ASA PING:

    ciscoasa# ping DMZ 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    PING from router (debug on Cisco):

    ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

    -------------------------------------------------------------------------------------------------------------------------------

    ciscoasa# show route outside

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

    C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
    S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

    -------------------------------------------------------------------------------------------------------------------------------

    Do you have any idea what I am doing wrong? Probably some bad NAT/ACL, I suppose, but I could only ever find something for IOS 8.4 and not 8.6... Perhaps, and no doubt, I have already messed up the configuration with unwanted commands, but I've tried various things...

    Please, if you have an idea, let me know! Thank you very much!

    Hello,

    I've never used the "global" option in an ACL, but it looks to be the origin of the problem. From the Cisco doc:

    "The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never the Out direction.)"

    Your ACL: access-list dmz_acl extended permit icmp any any echo

    For example, when you ping from the ASA, there is an echo reply from the router on the outside interface --> the global ACL can block it.

    Then, when the router initiates, the ASA sends an echo-reply, which is blocked again.

    Try to add a permit for echo-reply as well.

    In addition, you can use "inspect icmp" in the global policy rather than the ACL.

    If neither works, you can run another t-shoot with the packet-tracer command on the ASA.

    THX

    MS

  • IPSec tunnel is disabled

    We have 3 IPSec tunnels set up between a Cisco 1760 router and a PIX 515E. The IPSec tunnels go down intermittently and come back up only after clear crypto isakmp and clear crypto sa on the router side.

    Do we need to configure something else on the router and PIX ends so that the tunnels always stay in the active state (QM_IDLE)?

    Looks like the PIX loses its connection and the router is unable to tell that the PIX has dropped.

    Try configuring isakmp keepalive on both devices, but also check the network links as well.

    See you soon,

    Paul.

  • How to troubleshoot an IPSec tunnel GRE?

    Hello,

    My topology includes two firewalls connected through the "Internet" (a router), and behind each firewall there is a router.

    On the routers I configured a GRE tunnel, which works, then I configured an IPsec tunnel on the firewalls.

    I did not change the mode to transport mode in the transform-set configuration.

    Everything works; if I connect a PC to one router, it can ping another PC on the other router. However, if I change the mode to transport mode, they cannot.

    I was wondering how I can verify that the IPsec tunnel really works. How can I troubleshoot it or trace the packets?

    Thank you.

    I was wondering how I can verify that the IPsec tunnel really works. How can I troubleshoot it or trace the packets?

    To verify that the VPN tunnel works well, check the output of
    show crypto isakmp sa
    show crypto ipsec sa

    Here are the debug commands:
    debug crypto condition peer x.x.x.x, where x.x.x.x = peer IP
    debug crypto isakmp 200
    debug crypto ipsec 200

    You will see ACTIVE in the first output and non-zero encaps and decaps in the output of the latter.

    For the GRE tunnel:
    check the state of the tunnel via "show ip int brief".

    In addition, you can configure keepalives via the commands:

    Router# configure terminal
    Router(config)# interface tunnel0
    Router(config-if)# keepalive 5 4

    and then run "debug tunnel keepalive" to see the tunnel keepalive packets going out from and coming in to the router.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

    Hi,

    We have a VPN tunnel configured between an ASA 5505 - ver = 8.4(7) and a 5512 - ver = 9.2(3).
    We can only ping in one direction - 5505 to the 5512, but not vice versa (5512 to 5505).

    Networks:

    Local: 192.168.1.0 (responder)
    Remote: 192.168.54.0 (initiator)

    See details below on our config:

    sh run crypto map

    crypto map outside_map 2 match address outside_cryptomap_ibfw
    crypto map outside_map 2 set pfs group5
    crypto map outside_map 2 set peer XX.XX.XXX.XXX
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside_map 2 set ikev2 ipsec-proposal AES256

    crypto map outside_map interface outside

    Note:
    Getting hit counts on the rules/ACLs below...

    sh access-list | i 54.0

    access-list outside_access_out line 6 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=15931) 0x01aecbcc
    access-list outside_cryptomap_ibfw line 1 extended permit ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt=3) 0xa75f0671
      access-list outside_cryptomap_ibfw line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=3) 0xa75f0671

    sh run | i access-group
    Access-group outside_access_out outside interface

    NOTE:
    We have another working VPN tunnel on the 5512 - we use IKE peer #2 below (in BOLD)...

    sh cry ikev1 sa

    IKEv1 SAs:

       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2

    1   IKE Peer: XX.XX.XXX.XXX
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: XXX.XXX.XXX.XXX
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    sh run tunnel-group XX.XX.XXX.XXX
    tunnel-group XX.XX.XXX.XXX type ipsec-l2l
    tunnel-group XX.XX.XXX.XXX general-attributes
     default-group-policy GroupPolicy_XX.XXX.XXX.XXX
    tunnel-group XX.XX.XXX.XXX ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****

    sh run | i ikev1 policy

    crypto ikev1 policy 160
     authentication pre-share
     encryption aes-256
     group 5
     lifetime 86400

    sh run | i dynamic
    nat (inside,outside) source dynamic obj-0.0.0.0 interface
    nat (inside,outside) after-auto source dynamic any interface

    NOTE:
    From the 5512 to the 5505 - we can ping a host on the remote network from the local ASA

    # ping inside 192.168.54.20
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.54.20, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms

    Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

    The IPSEC tunnel check - seems OK?

    sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

          access-list outside_cryptomap_ibfw extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
          current_peer: XX.XX.XXX.XXX

          #pkts encaps: 4609, #pkts encrypt: 4609, #pkts digest: 4609
          #pkts decaps: 3851, #pkts decrypt: 3851, #pkts verify: 3851
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4609, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: XX.XXX.XXX.XXX/0, remote crypto endpt.: XX.XX.XXX.XXX/0
          path mtu 1500, ipsec overhead 74(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: CDC99C9F
          current inbound spi : 06821CBB

        inbound esp sas:
          spi: 0x06821CBB (109190331)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
             slot: 0, conn_id: 339968, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914789/25743)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xCDC99C9F (3452542111)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
             slot: 0, conn_id: 339968, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3913553/25743)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

    SH cap CAP

    34 packets captured

    1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
    2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
    3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
    4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
    5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

    --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

    sh cap A2

    42 packets captured

    1: 16:56:16.136559 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
    2: 16:56:16.168860 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
    3: 16:56:17.140434 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
    4: 16:56:17.171652 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
    5: 16:56:18.154426 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
    6: 16:56:18.186178 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
    7: 16:56:19.168417 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request

    --> Packet trace on the 5512 shows no problem... but we cannot ping from host to host?

    packet-tracer input inside icmp 192.168.1.79 8 0 192.168.54.20 detailed

    Phase: 4
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    class-map class-default
     match any
    policy-map global_policy
     class class-default
      set connection decrement-ttl
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
    id=0x7fffa2d0ba90, priority=7, domain=conn-set, deny=false
    hits=4417526, user_data=0x7fffa2d09040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic obj-0.0.0.0 interface
    Additional Information:
    Dynamic translate 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
    Forward Flow based lookup yields rule:
    id=0x7fffa222d130, priority=6, domain=nat, deny=false
    hits=4341877, user_data=0x7fffa222b970, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=outside

    ...

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 7422689, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_inspect_icmp
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_inspect_icmp
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    --> On the remote ASA 5505 - packet-tracer is good and we can ping the remote host very well... dunno why it says "UN-NAT"?

    Destination - initiator:

    packet-tracer input inside icmp 192.168.54.20 8 0 192.168.1.79 detailed

    ...
    Phase: 4
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.1.79/0 to 192.168.1.79/0
    ...

    Summary:
    We "cannot" ping from a host (192.168.1.79) on the 5512 inside network to the 5505 inside network host (192.168.54.20).
    But we can ping from the 5505 inside network host (192.168.54.20) to the 5512 inside network host (192.168.1.79).

    Please let us know what other details we can provide to help solve, thanks for any help in advance.

    -SP

    Well, I think it is a NAT ordering issue.

    Basically your static NAT and this NAT rule -

    nat (inside,outside) source dynamic obj-0.0.0.0 interface

    are both in section 1, and in that section it is done on the order of the rules, so it matches the dynamic NAT rule rather than the static one because that seems to be higher in the order.

    To check, just run "sh nat" and this will show you what order everything is in.

    The ASA works its way through the sections.

    You also have this -

    nat (inside,outside) after-auto source dynamic any interface

    which does the same thing as the first statement, but it is in section 3 so it is never used.

    So you can do one of two things -

    (1) configure the static NAT statement so it is above the dynamic NAT in section 1, i.e. you can specify the line number in the command

    or

    (2) remove the dynamic NAT from section 1 and then your ASA will use the entry in section 3.

    There is a very good document on this site for NAT and it recommends using section 3 for your general-purpose dynamic NAT precisely because of these issues.

    Interestingly, on your ASA 5505 you duplicated your dynamic NAT statements again, but this time in section 2 and section 3, which is why your static NAT works there: it is matched before all your dynamic rules.

    The only thing I'm not sure of is, if you remove the dynamic NAT statement in section 1 and rely on the statement in section 3, whether it tears down the current connections (sorry, can't remember).

    So you could simply try rearranging so your static NAT is above it, just to see if it works.

    Just in case you want to see the document, here is the link -

    https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

    Jon

  • IPSEC tunnel between 2 7606 PE

    I am creating an IPSec tunnel between two 7606 PE routers... I get this error when I ping, and if I start using the path, LDP goes down.

    12 Nov 16:32:22.801 IS: IPSEC (key_engine): request timer shot: count = 1,.

    local (identity) = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

    12 Nov 16:32:22.801 IS: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    Protocol = ESP, transform = NONE (Tunnel),

    lifedur = 190 s and 4608000 Ko,.

    SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0

    12 Nov 16:32:22.801 IS: ISAKMP: (0): profile of ITS application is test

    12 Nov 16:32:22.801 IS: ISAKMP: created a struct peer 10.10.135.2, peer port 500

    12 Nov 16:32:22.801 IS: ISAKMP: new position created post = 0x5326A08C peer_handle = 0x8000001A

    12 Nov 16:32:22.801 IS: ISAKMP: lock struct 0x5326A08C, refcount 1 to peer isakmp_initiator

    12 Nov 16:32:22.801 IS: ISAKMP: 500 local port, remote port 500

    12 Nov 16:32:22.801 IS: ISAKMP: impossible to allocate IKE SA

    12 Nov 16:32:22.801 IS: ISAKMP: Unlocking counterpart struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0

    12 Nov 16:32:22.801 IS: ISAKMP: delete peer node by peer_reap for 10.10.135.2: 5326A08C

    12 Nov 16:32:22.801 IS: ISAKMP: (0): purge SA., his = 0, delme = 532E8364

    PE2 #.

    12 Nov 16:32:22.801 IS: ISAKMP: error during the processing of HIS application: failed to initialize SA

    12 Nov 16:32:22.801 IS: ISAKMP: error while processing message KMI 0, error 2.

    12 Nov 16:32:22.801 IS: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

    PE2 #.

    12 Nov 16:32:52.801 IS: IPSEC (key_engine): request timer shot: count = 2,.

    local (identity) = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

    IPsec only is not supported on the 6500 and 7600 without module series IPsec (IPsec-SPA or VPNSM), sorry.

  • IPSec tunnels do not work

    I have 2 Cat6, one with an IPsec SPA card, while the other does not have one.

    I tried setting up an IPsec tunnel between them, but somehow can't bring up the tunnel. Can someone help me look at the setup?

    A (with SPA):

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile P1
     set transform-set testT1
    !
    crypto call admission limit ike sa 3000
    !
    crypto call admission limit ike in-negotiation-sa 115
    !
    interface Tunnel962
     ip unnumbered Loopback962
     tunnel source GigabitEthernet2/37.962
     tunnel destination 172.16.16.6
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile P1
    interface GigabitEthernet2/37.962
     encapsulation dot1Q 962
     ip address 172.16.16.5 255.255.255.252
    interface Loopback962
     ip address 1.1.4.200 255.255.255.255
    ip route 2.2.4.200 255.255.255.255 Tunnel962

    B (without SPA):

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile P1
     set transform-set T1
    interface Tunnel200
     ip unnumbered Loopback200
     tunnel source GigabitEthernet2/1.1
     tunnel destination 172.16.16.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile T1
    interface Loopback200
     ip address 2.2.4.200 255.255.255.255
    interface GigabitEthernet2/1.1
     encapsulation dot1Q 962
     ip address 172.16.16.6 255.255.255.252
    ip route 1.1.4.200 255.255.255.255 Tunnel200

    I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just cannot come up. When I turned on "debug cry ipsec" and "debug cry isa", nothing comes out; when I turn on "debug cry eng", I got:

    "00:25:17: crypto_engine_select_crypto_engine: can't handle more."

    Hello

    You need an IPsec SPA card on chassis B to do IPsec encryption. Please see the URL below for more details.

    Without a SPA-IPSEC-2G or IPsec VPN acceleration services module, the IPsec network security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 series routers.

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst6500/IOS/12.2SXF/native/release/notes/OL_4164.html

    Kind regards

    Arul

    * Rate pls if it helps *.

  • Using Loopback Interface as Source GRE/IPSec tunnel

    Hi all:

    I need to change a working router-to-router VPN tunnel from using a WAN IP to using a loopback interface IP as its source.  I am able to ping the loopback from the other router.  As soon as I change the tunnel source to use the loopback IP address, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up.  If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel.  On the other router, I see the message below, which says the traffic is not being encrypted.

    *Mar 1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= 192.168.0.1, src_addr= 192.168.1.2, prot= 47

    What am I missing?  Is there something else that needs to be done to use a loopback for a GRE/IPsec tunnel?

    I have set up the config below in the lab to see if I can even get it to work in a non-production environment.

    R1 WAN IP: 192.168.0.1

    R2 WAN IP: 192.168.0.2

    R2 Loopback: 192.168.1.2

    hostname R2
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key abc123 address 192.168.0.1
    !
    crypto ipsec transform-set T1 esp-3des esp-md5-hmac
     mode transport
    !
    crypto map VPN 1 ipsec-isakmp
     description remote control
     set peer 192.168.0.1
     set transform-set T1
     match address VPN1
    !
    interface Loopback0
     ip address 192.168.1.2 255.255.255.255
     crypto map VPN
    !
    interface Tunnel1
     ip address 172.30.240.2 255.255.255.252
     ip mtu 1440
     keepalive 10 3
     tunnel source 192.168.1.2
     tunnel destination 192.168.0.1
     crypto map VPN
    !
    interface FastEthernet0
     ip address 192.168.0.2 255.255.255.0
    !
    ip access-list extended VPN1
     permit gre host 192.168.1.2 host 192.168.0.1

    Have you tried adding "crypto map VPN local-address Loopback0"?
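
A way to triage the message quoted in the question, as an added example (not code from the thread): it parses %CRYPTO-4-RECVD_PKT_NOT_IPSEC lines and groups the cleartext flows by source, destination and IP protocol, so that tunnel packets arriving without ESP (protocol 47 is GRE) stand out. The sample lines are constructed, and the field layout, including the optional VRF name before a slash, is an assumption based on the single line shown in the post.

```python
import re
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The VRF name and the "/" in front of the destination are treated as optional.
PATTERN = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*"
    r"(?:(?P<vrf>[^/\s,]*)/)?(?P<dst>" + IPV4 + r"),\s*"
    r"src_addr=\s*(?P<src>" + IPV4 + r"),\s*prot=\s*(?P<prot>\d+)"
)


def parse_line(line):
    """Return the fields of one RECVD_PKT_NOT_IPSEC line, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    prot = int(m.group("prot"))
    return {"vrf": m.group("vrf") or "", "dst": m.group("dst"),
            "src": m.group("src"), "prot": prot,
            "prot_name": PROTO_NAMES.get(prot, str(prot))}


def cleartext_flows(lines):
    """Count (src, dst, protocol) tuples that arrived unencrypted."""
    flows = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["prot_name"])] += 1
    return flows


def cleartext_gre(lines):
    """(src, dst) pairs whose GRE packets arrived without ESP around them."""
    return sorted((src, dst) for (src, dst, proto) in cleartext_flows(lines)
                  if proto == "GRE")


# Constructed sample log, modelled on the line in the post.
_MSG = ("%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
        "(ip) vrf/dest_addr= ")
SAMPLE_LOG = [
    "*Mar  1 00:10:33.515: " + _MSG + "/192.168.0.1, src_addr= 192.168.1.2, prot= 47",
    "*Mar  1 00:10:43.519: " + _MSG + "/192.168.0.1, src_addr= 192.168.1.2, prot= 47",
    "*Mar  1 00:10:45.101: " + _MSG + "192.168.0.1, src_addr= 192.168.0.2, prot= 1",
    "*Mar  1 00:10:50.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down",
]

if __name__ == "__main__":
    for flow, count in cleartext_flows(SAMPLE_LOG).items():
        print(count, flow)
```
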

  • IPSec tunnel up, but not accessible from local networks

    Hello

    I have an ASA5520 and a Snapgear. The IPSec tunnel is in place and works very well. But I am not able to access the local LAN on both sides. Here are a few setups:

    sh crypt isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE

    Crypto/isakmp:

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
    crypto map IPSECTEST_map0 1 set peer 10.10.10.2
    crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
    crypto map IPSECTEST_map0 1 set nat-t-disable
    crypto map IPSECTEST_map0 1 set phase1-mode aggressive
    crypto map IPSECTEST_map0 interface IPSECTEST
    crypto isakmp enable outside
    crypto isakmp enable IPSECTEST
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 3600

    sh route:

    C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
    C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
    C    192.168.112.0 255.255.254.0 is directly connected, inside

    access-list:

    access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

    and here's the scenario:

    If I ping from the ASA to the remote LAN, I get this:

    ciscoasa(config)# ping 172.20.20.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.20.20.1, timeout is 2 seconds:
    No route to host 172.20.20.1

    Success rate is 0 percent (0/1)

    Any idea what I am missing?

    Here's how to set up NAT exemption on ASA 8.3:

    object network obj-172.16.3.0
     subnet 172.16.3.0 255.255.255.0

    object network obj-172.20.20.0
     subnet 172.20.20.0 255.255.255.0

    nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0

    Here's how it looks on ASA 8.2 and below:

    access-list Inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0
    nat (inside) 0 access-list Inside_nat0_outbound

  • IPSec tunnel and NetFlow packets

    I have an 1841 router running IPsec with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPsec tunnel to the parser. The ACL defining the IPsec interesting traffic covers the source and destination addresses of NetFlow. But NetFlow traffic is not picked up by the tunnel. When I ping the destination from the router, ICMP traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go into the tunnel?

    Thank you.

    Is there a route to the NetFlow destination address? I have seen problems where traffic heading towards a destination that is not in the routing table is not sent down a VPN.

  • Force the IPSec tunnel to stay up even if there is no traffic

    Hello

    We had exactly the same problem, as already described here:

    https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...

    We currently run ASA 9.1 and the remote peer is a Fortigate. Is there a new feature that has been introduced since the forum post above, or is creating an SLA in fact the only way to keep the IPsec tunnel up?

    Regards

    Nothing new has been built into the ASA to address this requirement.

    I have also had good results with a script running on an internal host that sends a "tcp" ping to a remote host, thus making sure interesting traffic is frequent enough to maintain the tunnel.
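
A version of the "tcp ping" keepalive described in the reply above, as an added example (not the poster's script): it attempts a TCP handshake to a host behind the tunnel at a fixed interval, so that traffic matching the crypto ACL keeps flowing, and stops after several consecutive probes get no reply. The target address, port, interval and failure threshold are placeholders.

```python
import socket
import time


def tcp_ping(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # an RST came back, so the path through the tunnel works
    except socket.timeout:
        return "timeout"   # SYN was sent but nothing answered
    except OSError:
        return "error"     # e.g. no route to host


def keepalive(probe, rounds, interval=20.0, max_failures=3, sleep=time.sleep):
    """Call `probe` every `interval` seconds and return the list of results.

    Stops early once `max_failures` consecutive probes got no reply, which
    is the point at which the tunnel itself needs looking at.
    """
    results, failures = [], 0
    for i in range(rounds):
        status = probe()
        results.append(status)
        failures = 0 if status in ("open", "refused") else failures + 1
        if failures >= max_failures:
            break
        if i < rounds - 1:
            sleep(interval)
    return results


if __name__ == "__main__":
    # Placeholder target: a host on the remote side of the tunnel.
    TARGET, PORT = "192.0.2.10", 443
    # The interval must be shorter than the idle period after which the
    # tunnel is torn down on the devices in use.
    print(keepalive(lambda: tcp_ping(TARGET, PORT), rounds=3, interval=20.0))
```
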

  • IPSec tunnel between 2 routers

    Hello

    I am trying to configure an IPsec VPN tunnel between 2 Cisco routers connected to the internet via their ATM interfaces. My router is an 1841 with the network address 10.200.36.0; the remote router is a Cisco 877 with the network address 192.168.9.0.

    I have tried to follow some tutorials, unsuccessfully: I still cannot ping the IP addresses on the remote network, and the VPN tunnel is not up!

    Can you please help by giving me a configuration template, or maybe let me know how to configure it step by step on my router and the remote router?

    Thank you very much!

    Regards

    Riccardo

    Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:

    hostname ROUTER1
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
    !
    crypto isakmp key cisco1234 address y.y.y.y
    !
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile TunnelProfile
     set transform-set ESP-AES256-SHA1
    !
    interface Tunnel0
     ip address 10.255.255.0 255.255.255.254
     tunnel source Dialer0
     tunnel destination y.y.y.y
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile TunnelProfile
    !
    interface Dialer0
     ip address x.x.x.x
    !
    ip route 192.168.9.0 255.255.255.0 Tunnel0

    hostname ROUTER2
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
    !
    crypto isakmp key cisco1234 address x.x.x.x
    !
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile TunnelProfile
     set transform-set ESP-AES256-SHA1
    !
    interface Tunnel0
     ip address 10.255.255.1 255.255.255.254
     tunnel source Dialer0
     tunnel destination x.x.x.x
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile TunnelProfile
    !
    interface Dialer0
     ip address y.y.y.y
    !
    ip route 10.200.36.0 255.255.255.0 Tunnel0

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • IPSec tunnels between duplicate LAN subnets

    Hi all

    Please help us connect three sites, where our Central site has all the resources for users, including internet access.

    The three sites will have an ASA 5505 as their WAN device.

    We need to know whether it is possible to configure an IPsec tunnel between the three ASAs with duplicate LAN subnets.

    Central site: two networks, 192.168.1.x /24 and 192.168.100.x /24

    Remote one: subnet 192.168.1.x /24

    Remote two: subnet 192.168.100.x /24

    If it is possible, we also need to hairpin remote one and remote two through the Central Site to access the internet; what the sites need is on the Central Site, including e-mail, network, other resources, and also files.

    We have no other way to build this network, as all security is on our Central Site: website filtering, application filtering, and all network traffic filtering.

    We understand that we could change the two remote sites to a different subnet from the Central Site, but we have so many host devices that it would take weeks or months, and we would also have to change the MS AD domain for all users and servers.

    We really need your expertise to do this in a lab and then in production.

    Thank you

    Hello Stephen,

    You can check the following links on getting overlapping subnets to talk to each other:

    1. LAN-to-LAN IPsec VPN with overlapping networks

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

    2. IPsec between two IOS routers with overlapping private networks

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

    The important point is that the local network must connect to the remote network via the translated addresses, i.e. you won't be able to use the real IPs for the communication.

    For hairpinning or U-turning:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • VPN site to site - IPSEC TUNNEL

    I have 2 servers that communicate with each other, using a middleware which has no NAT support.

    This middleware, named RTI DDS, uses multicast packets.

    I need to place the 2 servers in 2 different cities.

    On each location, I have a router connected to the other end with a dedicated line.

    The version of the IOS on the cisco routers is ADVANCED (the one with the cryptographic features)

    The middleware cannot work over NAT (which hides the servers' IP addresses).

    Can a VPN between my two sites solve my communication problems?

    If so, I'll show what I did (maybe I did something wrong in creating the VPN), because I am trying to create a VPN with an IPsec tunnel.

    Thank you.

    Emanuele

    Emanuele

    The first several times I looked through these configs I was concentrating on the ISAKMP and IPsec aspects and did not find a problem with them. Then after I posted my answer I went through the configs once again, and I think I see the problem. There is no routing information in the configs. So Site_Router does not know where 172.27.1.0/24 is. When the server on its local network attempts to ping the other server, it has no way to forward the packet. And likewise CO_Router doesn't know how to get to 172.27.2.0.

    If you solve the problem with the routing information, I think that the ISAKMP negotiation can work.

    HTH

    Rick
