Urgent! L2L ASA 5005 & 1841 VPN, QM FSM error
Hi all
We are facing a problem on an L2L VPN connection between an ASA 5005 and an 1841 router.
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address aaa.aaa.aaa.aaa
crypto ipsec transform-set $$_$$ esp-3des esp-md5-hmac
crypto map BG 100 ipsec-isakmp
 set peer aaa.aaa.aaa.aaa
 set security-association lifetime seconds 28800
 set transform-set $$_$$
 set pfs group2
 match address 111
interface FastEthernet0/0.2
 encapsulation dot1Q 3338
 ip address aaa.aaa.aaa.aaa 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map BG
ip nat pool nat_pool xx.xx.xx.xx xx.xx.xx.xx prefix-length 29
# NOTE: 10.70.200.0/24 is correctly exempted from NAT translation above
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
# NOTE: crypto ACL is correct
access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100
I would appreciate urgent assistance.
Thank you.
Your crypto ACL must be an exact mirror of the other side's.
If your router ACL is
access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100
then your ASA ACL should be
access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.200.0 255.255.255.0
Just give it a shot and see if it helps.
Similar Questions
-
Hello
I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without problem. The problem is that traffic destined for the ASA from the 1841 will not encrypt into this particular tunnel. I get decaps on the session, but no encaps. I've reconfigured the tunnel several times but keep getting the same result:
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 202.41.148.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 202.41.148.5
      Desc: (none)
  IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
          Capabilities:(none) connid:98 lifetime:23:45:02
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704

Any suggestions would be greatly appreciated.
Andy
Your ACL 100 is not exempting the traffic 192.168.5.0 -> 10.0.96.0 from the NAT process. Please add the line below above the permit statement and test again.
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
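The two answers above (mirror the crypto ACL on both peers; exempt the VPN flow from NAT before it is translated) can be checked mechanically. The following Python is an added example and not code from either poster: it parses IOS wildcard-mask and ASA subnet-mask ACL lines, tests that two crypto ACLs mirror each other, and tests that a NAT ACL exempts every crypto flow. It handles only plain `permit|deny ip <src> <dst>` entries (an assumption), and the NAT ACL 100 "before" line is constructed, since only the fix line appears in the thread.

```python
"""Crypto-ACL mirror and NAT-exemption checks (added example, not from the thread).

Assumptions: only 'permit|deny ip <src> <dst>' entries are handled; IOS lines use
wildcard masks, ASA lines use subnet masks; 'host X' and 'any' work on both.
"""
import ipaddress
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_mask(wildcard: str) -> str:
    """IOS wildcard 0.0.0.255 -> subnet mask 255.255.255.0."""
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _take_net(tokens, i, ios):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if ios:
        mask = _wildcard_to_mask(mask)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(config_text: str, ios: bool = True) -> List[AclEntry]:
    """Parse 'access-list ...' lines from an IOS (ios=True) or ASA (ios=False) config."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        i = 2
        if tokens[i] == "extended":  # ASA extended ACL keyword
            i += 1
        if tokens[i] not in ("permit", "deny") or tokens[i + 1] != "ip":
            continue  # remarks and non-ip entries are skipped (assumption)
        action = tokens[i]
        src, i = _take_net(tokens, i + 2, ios)
        dst, i = _take_net(tokens, i, ios)
        entries.append(AclEntry(tokens[1], action, src, dst))
    return entries


def is_mirror(local: List[AclEntry], peer: List[AclEntry]) -> bool:
    """True when every permit on one side appears with src/dst swapped on the other."""
    local_flows = {(e.src, e.dst) for e in local if e.action == "permit"}
    peer_flows = {(e.dst, e.src) for e in peer if e.action == "permit"}
    return bool(local_flows) and local_flows == peer_flows


def nat_exempt_gaps(crypto_acl, nat_acl, exempt_action: str) -> List[AclEntry]:
    """Crypto-ACL permits whose traffic would still be translated before encryption.

    The NAT ACL is evaluated first-match. A flow is exempt only when its first
    matching entry has action == exempt_action: 'deny' for an IOS NAT ACL used by
    'ip nat inside source list|route-map', 'permit' for ASA 'nat 0 access-list'.
    Unmatched traffic behaves like a deny on both platforms.
    """
    gaps = []
    for flow in crypto_acl:
        if flow.action != "permit":
            continue
        first = next((n for n in nat_acl
                      if flow.src.subnet_of(n.src) and flow.dst.subnet_of(n.dst)), None)
        if (first.action if first else "deny") != exempt_action:
            gaps.append(flow)
    return gaps


# Sample ACLs: the router/ASA pair from the first answer, plus a constructed NAT
# ACL 100 "before" line for the second thread (only the fix line is on the page).
ROUTER_CRYPTO = "access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100"
ASA_CRYPTO = ("access-list outside_cryptomap_320 extended permit ip "
              "host 172.40.10.100 10.70.200.0 255.255.255.0")
CRYPTO_1841 = "access-list 120 permit ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255"
NAT_BEFORE = "access-list 100 permit ip 192.168.5.0 0.0.0.255 any"  # constructed
NAT_AFTER = ("access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255\n"
             + NAT_BEFORE)


def check_thread_examples():
    """Run both checks on the samples; returns (mirror_ok, gaps_before, gaps_after)."""
    mirror_ok = is_mirror(parse_acl(ROUTER_CRYPTO), parse_acl(ASA_CRYPTO, ios=False))
    before = nat_exempt_gaps(parse_acl(CRYPTO_1841), parse_acl(NAT_BEFORE), "deny")
    after = nat_exempt_gaps(parse_acl(CRYPTO_1841), parse_acl(NAT_AFTER), "deny")
    return mirror_ok, len(before), len(after)


if __name__ == "__main__":
    print(check_thread_examples())  # (True, 1, 0)
```

Note the inverted meaning of `exempt_action`: on IOS a `deny` in the NAT ACL keeps traffic untranslated, while on a pre-8.3 ASA the `nat 0 access-list` entry that exempts traffic is a `permit`. Ordering matters too: the deny must precede the broader permit, which is why the checker walks the list first-match.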
-
How to configure an ASA as an Easy VPN client?
How can I configure an ASA as an Easy VPN client?
Only the ASA 5505 can be configured as an Easy VPN client.
Here's an example configuration:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/ezvpn505.html
Hope that helps.
-
ASA 5520: Remote VPN clients cannot ping LAN or Internet
I've set up a few of these in my time, but I am confused by this one. I can establish a connection via the VPN tunnel, but I can't ping anything or get on the internet. I searched the forum for similar issues and found a few, but none of the fixes seem to match. One strange thing I noticed is that when I run ipconfig /all on the VPN client, the IP address leased from the VPN pool is also the default gateway!
I have attached the config. Help, please.
Thank you!
The NAT exemption ACL has not been applied yet:
nat (inside) 0 access-list Inside_nat0_outbound
In addition, you do not have split tunneling; not sure whether you intended to use the ASA's internet for the VPN client's internet browsing.
You can also enable ICMP inspection if you are testing with ping:
policy-map global_policy
 class inspection_default
  inspect icmp
Hope that helps.
-
ASA encrypting interesting VPN traffic
Hello everybody out there using ASA.
I had a few IPsec VPN tunnels between the company's central site and remote sites.
Two DSL lines were connected to the ASA, one for VPN traffic and the other for the internet.
The default gateway was configured on the internet line, while static routes ensured that traffic to the company's sites was sent through the other line.
A few days ago we changed the ASA configuration to use only a single DSL connection: the line serving the internet was cut, while the other became the default gateway and the static routes were removed.
The VPN connections instantly stopped working; when trying to send packets to the remote LAN, it seems that the ASA does not recognize that the traffic should be encrypted. Obviously we checked the crypto map, ACL, etc., but we found no problem... do you have any suggestions?
Thanks in advance,
Matt
-----------------------------------------------------------------------------
object network XNetwork
 subnet 10.10.0.0 255.255.255.0
object network YNetwork
 subnet 172.0.1.0 255.255.255.0
crypto map RB1ITSHDSL001_map2 1 match address RB1ITSHDSL001_1_cryptomap
crypto map RB1ITSHDSL001_map2 1 set peer a.b.c.186
crypto map RB1ITSHDSL001_map2 1 set transform-set ESP-3DES-SHA
access-list RB1ITSHDSL001_1_cryptomap extended permit ip object XNetwork object YNetwork
-----------------------------------------------------------------------------
Hello
Your ASA should be encrypting the traffic between XNetwork and YNetwork.
If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.
When the ASA receives a packet, it must first check whether there is an ACL that allows the traffic, pass it through the inspection engine and check the associated NAT. For example, if the packet is NATed, then encryption of the private IP will never take place.
Could you make sure that packets from XNetwork really reach the ASA and that the NAT rule is correct? You may also run "debug cry isa 127" and "debug cry ips 127" to check for mismatch errors.
In addition, what is the state of the tunnel when trying to communicate: "sh cry isa sa"
Federico.
-
ASA 5505 IPsec VPN connection fails
Hello
I'm trying to configure a Cisco ASA 5505 for remote clients.
I use the ASDM interface and used the startup and IPsec wizards for my setup, but I'm hitting a stumbling block.
Over the last 2 days I have tried a number of configuration changes to try to make this work, but they didn't, so I did a factory reset and went through the wizards once again; I now have a clean setup that I hope someone can help me with.
Currently I have a static public IP 81.137.x.x and I use a Netgear ADSL router, which forwards VPN traffic (UDP 500) to 192.168.171.35 (the WAN port on the ASA 5505).
The Cisco ASA has a default address of 192.168.1.1.
I use the Cisco Client 5.0.06.0160.
I have configured the client to use group authentication with the same credentials as configured through the wizard, and I'm using Transparent Tunneling IPsec over UDP.
I have attached 2 documents:
running_config.txt - shows the current configuration of the ASA
Log - View.txt - the error messages displayed in the real-time log viewer when I try to connect from the remote client.
I'm not sure if I need to do any additional configuration for my setup beyond simply running the wizards.
Any help would be appreciated.
Thank you
Hello Philippe,
According to the lines in the log, there is a routing problem for the VPN client's IP address. The ASA couldn't find a suitable route definition for the return traffic. Adding a default route for unknown destinations could solve this problem. As I see, you are using the Netgear modem as the default gateway for your ASA. I'll write an example command line for this purpose.
route outside 0.0.0.0 0.0.0.0 NetGear_LAN_IP_Address 1
Ufuk Güler
-
Original title: VPN Error 691
I have Windows Vista Enterprise edition and am trying to connect to a PPTP VPN. I get an error 691; the user name and password are fine, and I can connect to the VPN from XP without problem.
I was able to find a solution in the way the domain had been configured. I was adding the complete domain name and extension (i.e. domain.local). The .local was me screwing up. I edited the domain field to only reflect the domain name without any extensions. Once I did this it worked like a charm. I have been using a PPTP VPN on a Server 2003 domain mixed with 2000 and 2003 domain controllers and Windows 7 Pro laptop computers. Hope this helps someone.
-
Troubleshooting IPsec Site-to-Site VPN between ASA and 1841
Hi all
In the past I've implemented several VPN connections between ASA devices, so I thought a site-to-site link between an ASA and an 1841 would be easy... but it seems I was mistaken.
I configured a site-to-site VPN as described in Cisco Document ID 110198, "IPsec Site-to-Site VPN between ASA/PIX and an IOS Router Configuration Example" (I did not use SDM but CCP).
I ran the wizards on the ASA with ASDM, and on the 1841 (running IOS 15.1) with CCP.
It seems Phase 1 and 2 are coming up, although my ASA in ASDM (Monitoring > VPN > VPN Statistics > Sessions) reports an established tunnel with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz

      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500

    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Output of the command: "sh crypto isakmp sa"
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

On the 1841:
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE

1841#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Routing on the 1841 seems to be working properly, as I can tear the tunnel down and bring it up again by pinging a host on the 1841's network, but not vice versa.
The 1841's VPN troubleshooting report shows a message like: "The following sources are routed through the crypto map interface. (172.20.2.0 1) Go to Configure -> Routing and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, I'd highly appreciate a hint!
This is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ$FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end

As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA is not receiving any VPN packets because the IOS router is not sending any.
Try sending packets from the 1841's LAN to the ASA's LAN and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).
So the problem seems to be on the router side.
I think it is a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try sending traffic from the router's inside IP (ping 192.168.37.x source 172.20.2.254) and see if the packets bypass translation and get encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
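Federico's reasoning above (ASA encaps 400 / decaps 0, router decaps 585 / encaps 0, therefore the router side is not encrypting) can be applied to any pair of `show crypto ipsec sa` outputs. The following Python is an added example and not code from the thread: it pulls the encaps/decaps counters and the ESP SPIs from both ends, confirms the SPI pair matches, and names the side that is failing. The two sample texts are trimmed copies of the outputs posted above; only the first SA block of each output is examined (an assumption).

```python
"""One-way IPsec tunnel diagnosis from 'show crypto ipsec sa' (added example)."""
import re
from typing import NamedTuple


class SaCounters(NamedTuple):
    encaps: int
    decaps: int
    inbound_spi: int
    outbound_spi: int


def parse_ipsec_sa(text: str) -> SaCounters:
    """Pull counters and SPIs from ASA or IOS 'show crypto ipsec sa' text (first SA block)."""
    def grab(pattern, flags=0):
        m = re.search(pattern, text, flags)
        if not m:
            raise ValueError("field not found: " + pattern)
        return m.group(1)
    spi_flags = re.S | re.I
    return SaCounters(
        encaps=int(grab(r"#pkts encaps:\s*(\d+)")),
        decaps=int(grab(r"#pkts decaps:\s*(\d+)")),
        inbound_spi=int(grab(r"inbound esp sas:.*?spi:\s*0x([0-9a-f]+)", spi_flags), 16),
        outbound_spi=int(grab(r"outbound esp sas:.*?spi:\s*0x([0-9a-f]+)", spi_flags), 16),
    )


VERDICTS = {
    "healthy": "both sides encapsulate and decapsulate; look above IPsec (ACLs, routing)",
    "spi-mismatch": "the SA pair differs between the ends; clear and re-establish the tunnel",
    "no-interesting-traffic": "neither side encapsulates; nothing matches the crypto ACL on the crypto map interface",
    "lost-in-transit": "one side encapsulates but the other never decapsulates; check the path between the peers",
    "peer-not-encrypting": "peer receives our packets but sends none back; check NAT exemption, routing and crypto ACL on the peer",
    "local-not-encrypting": "we receive the peer's packets but send none; check NAT exemption, routing and crypto ACL locally",
}


def diagnose(local: SaCounters, peer: SaCounters) -> str:
    """Classify the tunnel from the two ends' counters; VERDICTS maps the result to a next step."""
    if local.outbound_spi != peer.inbound_spi or local.inbound_spi != peer.outbound_spi:
        return "spi-mismatch"
    if local.encaps == 0 and peer.encaps == 0:
        return "no-interesting-traffic"
    if local.encaps > 0 and peer.decaps == 0:
        return "lost-in-transit"
    if peer.encaps > 0 and local.decaps == 0:
        return "lost-in-transit"
    if peer.encaps == 0:
        return "peer-not-encrypting"
    if local.encaps == 0:
        return "local-not-encrypting"
    return "healthy"


# Trimmed copies of the outputs posted in the thread (ASA side, then 1841 side).
ASA_SAMPLE = """\
peer address: 217.xx.yy.zz
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 39135054
      current inbound spi : B2E9E500
    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
    outbound esp sas:
      spi: 0x39135054 (957567060)
"""
ROUTER_SAMPLE = """\
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.xx.yy.zz
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
     current outbound spi: 0xB2E9E500(3001672960)
     inbound esp sas:
      spi: 0x39135054(957567060)
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
"""


def diagnose_thread():
    """Diagnose the thread's tunnel from the ASA's view and from the router's view."""
    asa = parse_ipsec_sa(ASA_SAMPLE)
    router = parse_ipsec_sa(ROUTER_SAMPLE)
    return diagnose(asa, router), diagnose(router, asa)


if __name__ == "__main__":
    for verdict in diagnose_thread():
        print(verdict, "->", VERDICTS[verdict])
```

The SPI cross-check comes first because mismatched SPIs make the counters meaningless: each side would be counting packets for an SA the other side does not hold. With matching SPIs, a zero encaps counter on one side while the other side decaps normally points, as in the thread, at that side's NAT exemption, routing or crypto ACL rather than at IKE.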
-
Hi all
I have two firewalls that I'm trying to set up an L2L VPN between. One of them is an old SonicWALL and the other an ASA 5505.
I put everything in, Phase 1/2 complete and the tunnel comes up, however no traffic passes through.
Here is my configuration:
ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25
SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24
I have an access list configured on the ASA and applied to the crypto map using "crypto map XXXX 1 match address YYY".
However, when I watch the debugging on the console it says: "cannot locate egress interface for UDP from XXXX: 192.168.10.10/1 to 192.178.20.1/0".
Any ideas why this is?
Do I just need a static route to say all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?
I guess that's the job of the crypto map.
Am I wrong?
Hello
It is starting to seem to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same thing, which means you use a single ACL for both.
Why I think it's like this: you say that your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.
Given the above, I also know that the filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.
If you add an ACL rule with the networks switched in order, this appears to fix the VPN filter ACL problem and finally allows traffic. Naturally I can only guess, as I haven't seen the actual configurations at this point (which, usually together with "packet-tracer" output, help solve a problem faster than just guessing).
If you indeed have a VPN filter, you may be able to track it down with the following commands:
show run tunnel-group
Check if a "group-policy" is defined, then run the command
show run group-policy
This output should list the name of the VPN filter ACL if it is set.
Regarding the automatic route installation: the default setting for the ASA is that it will NOT create static routes automatically based on the VPN configuration. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.
The ASA tracks TCP and UDP connections by default. ICMP is inspected only if you permit it; by default it is NOT inspected.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
-
Cisco ASA and Fortigate dynamic L2L VPN configuration
I recently ran into a problem with an ASA 5510 (7.0) and a bunch of Fortigate 50s (3.0 MR7). The ASA is the hub and the Fortigates are spokes with dynamic public IPs.
I followed this document on the Cisco website (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and passed the parameters to my counterparts to set up their Fortigates.
However, the ASA log reveals that Fortigate connection attempts are always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally dying. Does anyone have experience setting up a dynamic VPN between Cisco and Fortigate? What could be failing at each end? Here's a typical piece of ASA error log. The ASA currently has a static VPN tunnel and a site-to-client VPN in the two default groups.
6. January 10, 2011 20:58:45 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6. January 10, 2011 20:58:45 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6. January 10, 2011 20:58:41 | 713905: Group = DefaultL2LGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching user to tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, Error: Unable to remove PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer from peer table failed, no match!
6. January 10, 2011 20:58:33 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6. January 10, 2011 20:58:25 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
6. January 10, 2011 20:58:21 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, P1 Retransmit msg dispatched to MM FSM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, Duplicate Phase 1 packet detected. Retransmitting last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, Received encrypted packet with no matching SA, dropping

Yes, sounds about right. It will try to match with the DefaultRAGroup first, and when it knows that it's a dynamic IPsec LAN-to-LAN, it will
then fall back to the DefaultL2LGroup, because it doesn't know whether it is a VPN client or L2L when it is first contacted, as they are connecting from a dynamic IP peer.
You must ensure that your default L2L tunnel-group has been configured with the corresponding pre-shared key.
I assume that you have configured the dynamic map and assigned it to the crypto map.
Here is an example configuration where the ASA has a static IP address and the peer device has a dynamic IP:
Hope that helps.
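The answer above reads the log as a tunnel-group fallback (DefaultRAGroup, then DefaultL2LGroup) ending in a pre-shared-key decrypt failure. The following Python is an added example, not code from the thread: it parses ASA IKE messages in the ASDM log-viewer format pasted above, groups them per peer IP, and reports which tunnel-groups were tried and where the PSK mismatch (message 713903) fired. The sample lines are a constructed subset of the thread's log in the viewer's newest-first order; that ordering and the prefix format are assumptions, while the 713903/713904/713905 message texts are the ASA's own.

```python
"""ASA IKE syslog triage: tunnel-group fallback and PSK mismatch (added example)."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Prefix format assumed from the ASDM paste: "<sev>. <Month> <d>, <yyyy> <hh:mm:ss> | <msgid>: ..."
LINE_RE = re.compile(
    r"^(?P<sev>\d)\.\s+(?P<ts>[A-Za-z]+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<msgid>\d{6}):\s*(?:Group\s*=?\s*(?P<group>[^,]+),\s*)?"
    r"IP\s*=\s*(?P<ip>[\d.]+),\s*(?P<text>.*)$")


class IkeEvent(NamedTuple):
    when: datetime
    severity: int
    msgid: str
    group: str  # "" when the message carries no tunnel-group
    ip: str
    text: str


def parse_ike_log(lines) -> List[IkeEvent]:
    """Parse viewer lines (newest first, as assumed) into chronological IkeEvents."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed lines are ignored
        events.append(IkeEvent(
            datetime.strptime(m["ts"], "%B %d, %Y %H:%M:%S"), int(m["sev"]),
            m["msgid"], (m["group"] or "").strip(), m["ip"], m["text"]))
    # Reverse first so that a stable sort keeps same-second events in true order.
    return sorted(reversed(events), key=lambda e: e.when)


class PeerReport(NamedTuple):
    groups_tried: List[str]
    psk_mismatch_group: str  # group in which 713903 "mismatched pre-shared key" fired, or ""
    verdict: str


def analyze_ike_log(lines) -> Dict[str, PeerReport]:
    """Build one report per peer IP from the log lines."""
    by_peer: Dict[str, List[IkeEvent]] = {}
    for ev in parse_ike_log(lines):
        by_peer.setdefault(ev.ip, []).append(ev)
    reports = {}
    for ip, evs in by_peer.items():
        groups: List[str] = []
        mismatch = ""
        for ev in evs:
            if ev.group and ev.group not in groups:
                groups.append(ev.group)
            if ev.msgid == "713903" and "mismatched pre-shared key" in ev.text:
                mismatch = ev.group
        if mismatch and len(groups) > 1:
            verdict = "psk-mismatch-after-fallback"  # key under the last group tried is wrong
        elif mismatch:
            verdict = "psk-mismatch"
        elif any(e.msgid == "713905" and "Switching user to tunnel-group" in e.text for e in evs):
            verdict = "fallback-only"
        else:
            verdict = "no-psk-error"
        reports[ip] = PeerReport(groups, mismatch, verdict)
    return reports


# Constructed subset of the thread's log, newest first as the viewer shows it.
SAMPLE_LOG = [
    "4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, "
    "ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting",
    "5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, "
    "Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0",
    "6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, "
    "WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. "
    "Switching user to tunnel-group: DefaultL2LGroup",
    "6. January 10, 2011 20:58:33 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, "
    "P1 Retransmit msg dispatched to MM FSM",
    "5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, "
    "Received encrypted packet with no matching SA, dropping",
]

if __name__ == "__main__":
    for ip, report in analyze_ike_log(SAMPLE_LOG).items():
        print(ip, report.groups_tried, report.psk_mismatch_group, report.verdict)
```

A verdict of `psk-mismatch-after-fallback` is the pattern in the thread: the hub accepted the spoke's dynamic-IP proposal, moved it to DefaultL2LGroup, and then could not decrypt the next Main Mode packet, so the key to compare against the spoke is the one under that group's ipsec-attributes, not the one on DefaultRAGroup.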
-
I have an L2L VPN tunnel on a Cisco ASA 5520 that I am trying to get IPPS to work on. In my crypto map ACL I defined a local object-group and a remote object-group, and I'm doing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into EIGRP. Two things: 1, I noticed I don't see on my ASA the static routes that point to the remote subnets, and 2, the ACL that I used in my route map definition is not getting any hits.
Any thoughts on where I may be going wrong?
Thank you
Darren
Have you configured the following:
crypto map <map-name> <seq> set reverse-route
If you have, can you remove it and add it again and see if that fixes the problem?
-
Dynamic IP addresses on remote L2L VPN sites to an ASA
Hello
I have a client who is changing their backup links from ADSL to 4G LTE using Cisco 819s.
Unfortunately, the ISP's 4G access will have dynamic IP addressing. Online, I see configurations for one remote site with a dynamic IP address talking to an ASA, but I can't find anything on several L2L sites connecting to the ASA with dynamic addressing.
Can anyone help with configuration examples?
Regards
Richard
Hi Richard,
In the next few days I will also write a blog post on triple WAN failover using this configuration.
Michael
-
Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATing its internal network. Basically the same configuration as this one, but instead of "nat 0", the ASA is NATing. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
Thank you.
Mike
It's not very complicated; just keep in mind that NAT is done before encryption.
So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:
static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0
You then use the translated address in your crypto ACL:
access-list REMOTE-VPN permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0
I assume you are not running ASA 8.3+, as you referred to an older document. If you have more recent software, the logic is the same but the NAT commands differ.
Sent from Cisco Technical Support iPad App
-
What type of certificates should I be issuing on my ASA?
Right now I'm issuing IPSEC (offline) and I don't know if it's the right kind.
I have PKI working for mobile users, just not for L2L.
Yes,
that can cause the failure.
Put the command
"ignore-ipsec-keyusage" under the CompanyTrustPoint.
That should solve it.
-
ASA L2L VPN design question
We expect to have more than 10,000 remote L2L VPN clients.
I see that each crypto map needs a "set peer" statement, and the IP address is the address of the remote L2L VPN peer.
:
EX:
crypto map UNI-POP 3 set peer 172.23.0.3
: . . .
crypto map UNI-POP 10000 set peer 172.26.0.250
:
I already feel that this will be a VERY long config, maybe too big to save/read from memory.
:
Does anyone have a better approach?
Thank you
Frank
Frank,
If the remote ends will only connect from time to time, you should not need set peer statements; normally a dynamic crypto map would suffice.
If the remote ends do not support certificates, it is possible to land them on the default L2L tunnel-group.
bsns-asa5505-19# sh run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
(...)
You need to test yourself to see if it will work.
I also agree in terms of using more than one firewall. Two devices in load balancing or, if possible, 2 pairs of devices in failover could be a great way to have a decent load per machine and hardware redundancy (ideal circumstances ;]). I suggest you ping your systems engineer for any deployment involving 5585s; the guys can usually give good advice (and discounts ;]).
Marcin
Marcin