VPN issues - 3005 to ASA5510
We are moving from a concentrator 3005 to an ASA5510 and I have a few questions.
In the 3005, you can disable and enable Easy VPN tunnels: you go into the policies and check or uncheck the Enable box. What is the method to temporarily disable a tunnel on the ASA? Preferably through the ASDM, for ease of management.
Also, I want my remote access sessions to time out after 8 hours. The tunnel policy in the ASDM shows the value for 8 hours (28800), but I don't see this value in the config at all. All I can see is a value of 86400 for the isakmp policy. If it is set in the ASDM as 8 hours, why doesn't it appear in the config? Which has priority on the timeout, the tunnel policy or the isakmp policy?
Thank you!
Ryan,
For your remote access VPN session users, the maximum connection time can be specified in the tunnel group policy attributes. Go to your tunnel group in ASDM > General, expand More Options and uncheck Maximum Connect Time; here you can specify the minutes after which the VPN session will end.
For example, to specify 90 minutes you can also do this through the CLI. Note that this is not an idle timeout: this will drop the session after 90 minutes for all members of the tunnel group.
group-policy <group-policy-name> attributes
 vpn-session-timeout 90
You can disable it with:
group-policy <group-policy-name> attributes
 no vpn-session-timeout
As for disabling L2L VPN sessions, I don't know of an option to turn them on/off as in the VPN concentrators. This is a nice feature in the concentrator, but I haven't seen a feature like that on the ASA yet, or I'm not aware of one.
HTH
Rgds
Jorge
Similar Questions
-
VPN concentrator 3005 - problem of IP attribution
I have a strange problem with the VPN concentrator 3005. I have the private interface configured with 192.168.3.3/24 as the IP address. For all the users, if I assign an IP address from the same network (for example 192.168.3.105/24) or use an IP address pool (192.168.3.100 - 192.168.3.150), the connection fails and the concentrator reports that it cannot assign an IP address to the client.
However, if I configure the user address pool or a client on a different subnet, it works and the user gets connected. For example, 192.168.2.105/24. It sits on a back-end switch and I do not really want to have to add a router to talk between subnets.
Am I missing something?
Any help is appreciated!
Alan,
It is recommended to assign a pool of IP addresses to the VPN clients that is different from the internal network.
Although it is not recommended, you should be able to assign a pool of IP addresses that is part of the same internal network and it should work. The only thing you must be aware of is that this range of IP addresses assigned to clients should not be used on the internal network.
You can post the VPN3000 logs from when it is not able to assign an IP address to the VPN Client.
Let me know if it helps.
Kind regards
Arul
-
Connectivity VPN IPSec Client to ASA5510
I have an ASA5510 at a remote site. I used the IPSec VPN Wizard to configure remote access for developers to the DMZ network portion 192.168.100.0/24.
I can connect using both the latest Cisco Windows client and VPNC on my Linux machine. A tunnel is created, I get a valid IP within the 192.168.100.0 subnet and everything is great.
But when I try to ssh to one of the servers, the SYN packet times out. I can see the connection trying to establish by looking at the logs on the firewall.
There is no problem with the Linux servers themselves that I am trying to connect to. I've got rid of iptables and even tried to connect without any firewall rule. Still no dice.
I can post my running-config here if necessary.
Thank you.
Well, just ensure that the ISAKMP policy you want on your firewall is at the top. This will reduce the negotiation time for Phase 1. Also, make sure that there is no fragmentation (MTU issues).
Regards
Farrukh
-
Hi all
Well, I haven't done a Linksys VPN configuration in a while and have forgotten most of this, so I was wondering if somebody could please share any knowledge and help with these issues.
What I want to do is to create VPN tunnels between 2 remote sites for VOIP traffic. At both ends of my tunnel, I have a Linksys router. The main site that the two remote sites are connecting to has an RV-042.
So here's what I need to know:
1. If I have an existing VPN that runs through the router (the router is currently not my VPN endpoint, a server is), when I place a VPN endpoint on the RV-042 will my existing VPN still be functional?
2. Once the branch establishes a tunnel with the RV-042, how will the traffic that is intended for the internet flow? I wish that only certain traffic flows through the tunnel, more specifically the VOIP traffic.
3. Once the branch establishes a tunnel with the RV-042, how will the RV-042 forward? Also, I want just the VOIP traffic to go through the tunnel; anything that is intended for the internet should go straight to the internet, not through the tunnel... In other words, split tunneling on both ends of the tunnel.
The RV-042 router is the VPN head end or head office, if you like...
RV-042 Firmware: 1.3.12.6 - tm
Ideas or things I should look out for? Is this possible to do?
Re 1. Perhaps. If you connect to the same endpoint via the router and via a server within the local network, then you will most likely get difficulties.
Re 2/3. The two parties define the traffic that the tunnel carries based on IP addresses. You define a local and a remote security group that essentially defines the IP addresses in the source and destination part of each IP packet. If these match, the traffic will be tunnelled. If they do not match, the traffic is sent outside the tunnel. The tunnel configuration does not specify certain protocols or ports; you can only do this based on the IP address. If you use software phones on the computers, you will not get it to work as you want because you can't separate the VoIP traffic from the other traffic of the computer. If you use hardphones, you could put all the phones in a specific subnet or address range, and then set that only those IP addresses go through the tunnel.
-
Hello:
I have the task to set up a site-to-site IPSec VPN between an ASA5510 and an SRP500, but I would like to know if anyone else has made the same connection. I would like to know if there is a compatibility problem between the devices, or if there is a document explaining the correct configuration of the devices.
Kind regards.
Julio
Hello
I don't have an example ASA configuration, but I know customers who have configured IPSec between an ASA and an SRP500.
In your design, will the two be publicly addressed? If the ASA is behind a NAT, make sure to use the SRP520 MR3 version and activate NAT-T after you configure IPSec.
Kind regards
Andy
-
8.4 ASA using NAT VPN issue.
Hello
I'm working on a customer site and they have a problem with one of their VPNs (the others work well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.
Traffic between inside and outside:
It works with a specific manual NAT rule for the source from the 10.10.10.10 server object:
Inside
SRC -> DST
10.10.10.10 -> 1.1.2.10  [SNAT]  1.1.1.10 -> 1.1.2.10  == VPN ==>  1.1.1.10 -> 1.1.2.10  <3rd party FW>
It works with a specific object NAT on the 10.10.10.10 server object:
Remote
SRC -> DST
1.1.1.10 -> 1.1.2.10  <3rd party FW>  == VPN ==>  1.1.1.10 -> 1.1.2.10  [DNAT]  1.1.1.10 -> 10.10.10.10
If we have both the manual NAT and the object NAT, it does not work.
So the question is (as I am new to ASA code 8.3): should one not mix the 2 types of NAT, and look at configuring it all with manual NAT or with object NAT?
With the object NAT removed it does not work, as it is caught by the outside NAT for everything inside:
nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1, which then does not match the crypto map for the VPN)
and I tried a no-NAT above that, but that does not work either.
Clutching at straws comes to mind; I'll try to configure a different config. Any pointers in the right direction would be great.
Kind regards
Z
Hello
I'm not sure I follow, even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual/Twice NAT.
You have configured the default PAT rule that you use as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:
- Section 1: Manual / Twice NAT
- Section 2: Object NAT
- Section 3: Manual / Twice NAT (moved to Section 3 using the "after-auto" setting)
- The sections are gone through in order from 1 to 2 to 3 to find a match.
You should also notice that Section 1 and Section 3 NAT have a "line number", similar to ACLs. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule without a line/order number (the VPN NAT), then it will just fall under the existing rule, making the new rule useless.
I would advise against the use of the default PAT rule as a Section 1 NAT rule. Essentially, this means that you must constantly watch and edit its configuration when you try to configure more specific rules.
As a general rule, the default PAT configuration in Section 3 would be the following:
nat (inside,outside) after-auto source dynamic any interface
This would mean that you need to remove the old one. Naturally, that change would temporarily tear down all the current connections through "inside" -> "outside" while you change the NAT rule format.
If after this you configure a Twice NAT for the VPN (without the "after-auto" setting), it will be a Section 1 rule while the default PAT will be Section 3. Of course, Section 1 will be matched first.
I'm not quite sure I have understood your setup from the above.
Are you just doing source NAT?
I guess that the configuration you do is something like this?
object network LAN-REAL
 subnet 10.10.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 1.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 1.1.2.0 255.255.255.0
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
If the 1.1.1.0/24 network is supposed to be the one that is directly connected to your "outside" interface, the format may need to be something else.
-Jouni
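The two layouts Jouni describes, written out as an added example (not from the thread), with the object names from his snippet and a hypothetical crypto ACL name VPN-CRYPTO; layout A is the broken form with the default PAT as an un-numbered Section 1 rule, layout B moves the PAT to Section 3 with after-auto so the VPN twice NAT in Section 1 is matched first. Apply only one layout.

```cisco
! --- objects (names as in Jouni's snippet) ---
object network LAN-REAL
 subnet 10.10.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 1.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 1.1.2.0 255.255.255.0
!
! === Layout A (PROBLEM): default PAT in Section 1 ===
! Both rules are Section 1 (manual NAT, no after-auto). The VPN rule has
! no line number, so it is appended AFTER the catch-all PAT: inside
! traffic to 1.1.2.0/24 is PATed to the outside interface address and
! never matches the crypto ACL. The VPN rule is dead.
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!
! === Layout B (CORRECTED) ===
! Section 3 (after-auto): the catch-all PAT is evaluated last.
nat (inside,outside) after-auto source dynamic any interface
! Section 1 (manual/twice NAT): the VPN rule. Source is translated to the
! mapped range, destination stays as-is (REMOTE-LAN -> REMOTE-LAN).
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!
! The crypto ACL must match the POST-NAT (mapped) addresses.
! VPN-CRYPTO is a hypothetical name used only in this example.
access-list VPN-CRYPTO extended permit ip 1.1.1.0 255.255.255.0 1.1.2.0 255.255.255.0
!
! --- Checks ---
! 'show nat' lists rules per section with hit counts: the VPN rule should
! sit under "Manual NAT Policies (Section 1)", the PAT under "(Section 3)".
show nat
! packet-tracer walks a synthetic packet through the NAT and VPN phases;
! expect the NAT phase to show 10.10.10.10 -> 1.1.1.10 and a VPN phase
! that encrypts, instead of a PAT to the interface address.
packet-tracer input inside tcp 10.10.10.10 1025 1.1.2.10 443
```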
-
VPN Remote LAN to LAN VPN issues
The issue I'm having is that I have an ASA that provides LAN-to-LAN VPN and remote access VPN. The LAN-to-LAN VPN connects to another network where there is a remote server, and the remote access VPN connects remote users to the LAN. The two VPNs are currently working; however, users connecting via the remote access VPN cannot connect to the server over the LAN-to-LAN VPN. Here's our setup.
ASA --- LAN-to-LAN VPN --- ASA --- Local LAN --- Server
 |
 |
Remote access VPN
 |
 |
Remote users
In this configuration remote users can access the local network, the server can access the local network, and the local network can access the server and the remote users. However, the server cannot access the remote users and the remote users cannot access the server. Any ideas on how to get this to work would be much appreciated. I created the NAT rules I think were needed and added the necessary addresses so that the remote VPN user's client application lists the network on the other side of the LAN-to-LAN VPN as a routable network. Also, I believe that all the access rules are correct, as packet tracers on both sides are successful. However, when you try to ping from the remote client to the server at the other end of the L2L it fails, as do other attempts to access the server such as RDP. Does anyone have a step-by-step guide on how to set up this type of VPN configuration, remote access and L2L configured on an ASA, while letting the two VPNs talk to each other? By the way, these are two ASA 5505s, the one with the two VPNs in this configuration and the one on the other end of the L2L, on 7.2 and 8.2. Any help would be appreciated, especially a tutorial or a list of the commands needed to implement it, because I think that I'm probably missing just a little extra configuration that I just cannot work out.
Use your favourite search engine: "same-security-traffic permit intra-interface"
-
Hello
We have had problems with the SSL VPN for quite a while, but don't seem to be getting anywhere.
This is an intermittent problem that we simply cannot track down.
Users can connect to the VPN, get an IP address and show as connected on the GEORGE page.
For the affected users, it always shows a logon time of 0. If they try to access anything whatsoever, they cannot; it looks as if all traffic is blocked.
I ran a packet trace for an affected user, and it shows this. To me, it looks like a firewall policy is blocking it:
Packet number: 1
Header values: bytes captured: 74, actual bytes on the wire: 74
Packet Info (Time: 02/19/2016 18:01:42.256): in: X1 (interface), out: -, DROPPED, Drop Code: 582 (Packet dropped - denied by SSLVPN user policy), Module Id: 27 (policy), (Ref.Id: _968_qpmjdzDifdl)
Ethernet header: Ethernet Type: IP (0x800), Src = [00:11:22:33:44:55], Dst = [c2:ea:e4:b1:8b:23]
IP header: IP Packet Type: ICMP (0x1), Src = [192.118.201.6], Dst = [172.18.1.252]
ICMP header: ICMP Type = 8 (ECHO_REQUEST), ICMP Code = 0, ICMP checksum value = 19407
Hex and ASCII dump of the packet:
c2eae4b1 8b230011 22334455 08004500 003c1a76 00008001 *...#..."3DU..E..<.v....*
e8bfc076 c906ac12 01fc0800 4bcf0001 018c6162 63646566 *...v........K.....abcdef*
6768696a 6b6c6d6e 6f707172 73747576 77616263 64656667 *ghijklmnopqrstuvwabcdefg*
6869 *hi*
The only solution is to disconnect/reconnect several times until it starts working. We cannot find a reason for this. Some days it works very well and other days it does not.
Any help would be greatly appreciated.
Thank you
Hello
Just came across the same problem.
We had some additional IP address ranges that had to go through the firewall on SSL VPN. I believe the cause was the same.
When configuring Users > Local Users, you must also assign the selected user authorized VPN access (pencil icon to the right of the user name) under Configure > VPN Access.
Once I created the subnet group for all internal subnets and permitted all defined local users to access this group in the VPN access settings, all traffic began to flow.
I see this is from the middle of last year, but I just joined.
Kind regards
Rajko
-
I'm trying to implement a simple PIX-to-PIX VPN using the simple PIX-PIX VPN documentation sample config page. I have a lot of VPN tunnels with other PIX devices working very happily, so it's quite annoying. Anyway, the source PIX config is as follows:
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map ntlink 1 ipsec-isakmp
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.18.126.233
crypto map transam 1 set transform-set chevelle
crypto map transam interface inside
isakmp enable inside
isakmp key * address 172.18.126.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
and if I generate traffic the logs show this:
Aug 9 18:40:15 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:17 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:19 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
No isakmp or ipsec debug messages appear, but you would expect that if the PIX does not even match the traffic against the access list or a NAT.
I'm doing something obviously stupid; can someone tell me what it is, thank you.
Jon.
Hello
1. Create a second access list:
access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
and
2. Instead of
crypto map transam 1 match address 101
you must configure
crypto map transam 1 match address outside_cryptomap
The problem is that you configured one ACL for both NAT and crypto; that does not work.
Regards
Alex
-
Hi Experts.
I can't get SSL VPN tunnel mode to work on a Cisco 1801 router. I can get the URL side working fine, but when I try to set up tunnel mode with SDM, I get the following error message when I try to connect.
An error was found in the certificate of the VPN server.
Received certificate is signed by an untrusted authority.
Then I have the ability to install the certificate. This process seems to work, but I get the following error.
The HTTP response code received from the SSL VPN gateway indicates an error; contact your network administrator.
Am I doing something wrong regarding the certificate?
I'm sorry, I just had a chance to flip through your configs. It seems that you are using a VPN pool that is not directly connected to the router. You must either use a directly connected pool or create a loopback on the same subnet.
Also post the output of:
debug webvpn tunnel
debug webvpn auth
debug webvpn svc
Regards
Farrukh
-
Hello
I bought an ASA5505 and I'll be implementing it as a VPN server and firewall.
After several attempts, my vpn client connected to the server, but now I can't access my 'internal' network or internet...
What is the problem with my config?
My router (192.168.1.254) is connected to eth0 and my VPN client (192.168.1.10 - assigned by DHCP) is connected to eth7...
PS: If you have any suggestions to improve my network security do not hesitate to suggest ^_^
(I'm sorry, but this is the first time I have set up a VPN, so I'm deeply ignorant on this subject)
access-list NO-NAT permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
access-list SPLIT-T standard permit 192.168.0.0 255.255.255.0
group-policy Tailoradio attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-T
no crypto dynamic-map outside_dyn_map 20 set nat-t-disable
no crypto map inside_map interface inside
no crypto isakmp enable inside
crypto isakmp nat-traversal
-
Router 851 and 871 VPN issues, still
Main site
1 - all connectivity - all fine - Web - database - email - Proxy - etc.
2 - VPN tunnel to the TOP
Remote sites
1 - VPN tunnel to the TOP and tests
1 - cannot ping the main location at 192.168.0.X (yes, any IP address)
2 - could not get out to the Internet (GOES THROUGH PROXY SERVER 192.168.0.3 even though I could ping it)
3 - could connect to the database but it crashes right after the login screen. Can ping the address 192.168.0.11 at this location fine, but the database connection hangs and does not complete
* MAIN CONFIG
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 5 20
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto map bssn 10 ipsec-isakmp
 description VPN to PARK
 set peer X.X.X.X
 set transform-set RIGHT
 match address 100
crypto map bssn 20 ipsec-isakmp
 description VPN to Corneilia
 set peer X.X.X.X
 set transform-set RIGHT
 match address 102
crypto map bssn 30 ipsec-isakmp
 description VPN to OAK
 set peer X.X.X.X
 set transform-set RIGHT
 match address 103
crypto map bssn 40 ipsec-isakmp
 description VPN to Herbert George Wells
 set peer X.X.X.X
 set transform-set RIGHT
 match address 104
interface FastEthernet4
 description WAN
 ip address 216.x.x.x 255.255.255.128 secondary
 ip address 216.x.x.x 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map bssn
!
interface Vlan1
 description Gateway
 ip address 216.X.X.X 255.255.255.248 secondary
 ip address 192.168.0.11 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
!
ip nat inside source route-map sheep interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map sheep permit 10
 match ip address 101
* REMOTE SITE
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 5 20
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto map bssn 10 ipsec-isakmp
 description Connect to main BSSN
 set peer X.X.X.X
 set transform-set RIGHT
 match address 100
interface FastEthernet4
 ip address 216.X.X.X 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map bssn
!
interface Vlan1
 description Gateway
 ip address 192.168.1.2 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map sheep interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map sheep permit 10
 match ip address 101
Thank you
LOL
On the remote router access list 100 should look like:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
On the main router, the 100 access list should look like:
access-list 100 permit ip any 192.168.1.0 0.0.0.255
HTH,
Kind regards
Kamal
-
FW 4.1.7r
I can't get the https management to work on the device. The event logs say something about not being able to add the SSL certificate to the private interface. I tried turning the https box on/off without success. I also restarted the device.
Anything else I can try?
You can check whether the VPN concentrator's self-signed certificate has expired.
It will be under Administration --> Certificate Management
-
Hi all
I have two firewalls that I'm trying to implement an L2L VPN between. One of them is an old SonicWALL and the other is a 5505.
I have put everything in, phase 1/2 complete and the tunnel comes up; however no traffic passes through.
Here is my configuration
ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25
SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24
I have an access list that is configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY
However, when I watch the debug output on the console it says: "cannot locate egress interface for UDP from XXXX interface: 192.168.10.10/1 to 192.178.20.1/0".
Any ideas why this is?
Do I just need a static route to say all traffic on the ASA with source 192.168.10.0 should go through 192.168.30.2?
I guess that's the job of the crypto map.
Am I wrong?
Hello
It begins to seem to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same, which means you use a single ACL for both.
Why I think it's like this is the fact that you say that your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.
Given the above, I also know that the filter ACL for an L2L VPN behaves with different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.
If you add an ACL rule with the order of the networks switched, it appears this fixes the VPN filter ACL problems and finally allows the traffic. Naturally I can only guess, since I haven't seen the actual configurations at this point (which, usually together with the "packet-tracer" output, helps to solve a problem faster than just guessing).
If you indeed have a VPN filter, you may be able to track it down with the following commands
show run tunnel-group
Check if a "group-policy" is defined, then use the command
show run group-policy
This output should list the name of the VPN filter ACL if it is set.
Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.
The ASA tracks TCP and UDP connections by default. ICMP is inspected only if you permit it; by default it is NOT inspected.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
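What Jouni describes, written out as an added example (not from the thread), using the addresses from the question and the hypothetical names L2L-CRYPTO, L2L-FILTER, L2L-GP and OUTSIDE-MAP: the crypto ACL is written local-to-remote, the vpn-filter ACL is written remote-to-local even for connections the local side opens, and reverse-route is the crypto map setting that installs the route the egress error is complaining about. IKE policy and transform set are omitted.

```cisco
! Crypto ACL: local (ASA side) -> remote (SonicWALL side). The peer
! configures the mirror image.
access-list L2L-CRYPTO extended permit ip 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.0
!
! VPN filter ACL: ALWAYS remote network as source and local network as
! destination, whichever side opens the connection.
!  (1) remote hosts may reach HTTPS on the local LAN
access-list L2L-FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.128 eq 443
!  (2) local hosts may open RDP to the remote LAN: the remote side is
!      still written as the source, so the port goes on the SOURCE side
!      (eq 3389 after the remote network), not on the local side.
access-list L2L-FILTER extended permit tcp 192.168.20.0 255.255.255.0 eq 3389 192.168.10.0 255.255.255.128
!  (3) ping in either direction
access-list L2L-FILTER extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.128
! Anything else inside the tunnel hits the implicit deny. The WRONG form
! for case (2), "permit tcp 192.168.10.0 ... 192.168.20.0 ... eq 3389"
! (local as source), matches nothing and the traffic is dropped at the
! phase Jouni calls VPN USER.
!
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value L2L-FILTER
!
tunnel-group 192.168.30.2 type ipsec-l2l
tunnel-group 192.168.30.2 general-attributes
 default-group-policy L2L-GP
!
crypto map OUTSIDE-MAP 1 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 1 set peer 192.168.30.2
! Reverse Route Injection: adds 192.168.20.0/24 via the peer to the
! routing table so the ASA can find an egress interface for that traffic.
crypto map OUTSIDE-MAP 1 set reverse-route
crypto map OUTSIDE-MAP interface outside
!
! Checks: confirm which filter is attached, then walk a synthetic packet
! through the NAT, VPN and VPN USER phases.
show run tunnel-group 192.168.30.2
show run group-policy L2L-GP
packet-tracer input inside tcp 192.168.10.10 1025 192.168.20.5 3389
```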
-
Hello
I have created a new site-to-site VPN connection and can't work out why it does not work.
All the other site-to-site VPNs work properly. The new one, the one with the problem, is MATCHJLS. Could anyone recommend measures to correct it?
!
hostname vpn
domain-name
enable password Pp6RUfdBBUU encrypted
passwd ucU7iJnNlZ encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 87.117.xxx.xx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 78.129.xxx.x 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name msiuk.com
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group service Http81 tcp
 port-object eq 81
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 81
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.129.xxx.xx eq 8731
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx object-group DM_INLINE_TCP_3
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www inactive
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx
access-list basic extended permit tcp host 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 object-group DM_INLINE_TCP_1
access-list SHEEP extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.129.xxx.xx 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHVPN1 extended permit ip host 78.129.xxx.xx host 212.118.157.203
access-list MATCHVPN2 extended permit ip any 212.118.xxx.xx 255.255.255.0
access-list SMTP-NAT extended permit tcp host 78.129.xxx.xx any eq smtp
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN4 extended permit ip host 78.129.xxx.xx host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 access-list SMTP-NAT
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface outside
access-group allow out interface outside
access-group allow in interface inside
access-group allow out interface inside
route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
route inside 172.20.xxx.xx 255.255.255.0 78.129.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 1 match address MATCHJLS
crypto map VPNPEER 1 set peer 94.128.xxx.xx
crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 10 match address MATCHVPN3
crypto map VPNPEER 10 set peer 94.128.xxx.xx
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHVPN2
crypto map VPNPEER 30 set peer 212.118.xxx.xx
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 30 set reverse-route
crypto map VPNPEER 40 match address MATCHVPN4
crypto map VPNPEER 40 set peer 94.128.xxx.xx
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHVPN3
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.128.xxx.xx
crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
value of VPN-filter MATCHKW
Protocol-tunnel-VPN IPSec l2tp ipsec
internal CLIENTGROUP group policy
CLIENTGROUP group policy attributes
value of server DNS 10.1.1.10 10.1.1.2
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SPLITTUN
msiuk.local value by default-field
Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q
tunnel-group msi type remote access
msi General attributes tunnel-group
address LOCPOOL pool
Group Policy - by default-CLIENTGROUP
MSI group tunnel ipsec-attributes
pre-shared key *.
tunnel-group msi ppp-attributes
ms-chap-v2 authentication
tunnel-group 212.118.xxx.xx type ipsec-l2l
212.118.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
!
class-map ftpdefault
match default-inspection-traffic
class-map default inspection
!
!
Policy-map global_policy
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:b251877ef24a1dc161b594dc052c44
: end
ASDM image disk0: / asdm-625 - 53.bin
don't allow no asdm history
Hello
OK, given the above information, I would say that the L2L VPN on your side should probably be fine for the traffic you are trying with the packet-tracer.
It seems that you get no traffic back from the remote end.
This could mean one of the following things:
- The remote site may not be allowing it in either their VPN appliance, their firewall, or the firewall on the actual server (which I doubt, since we're talking about a web service)
- The remote site has not configured routing properly for your source IP address/network. For example, your connection attempt may reach the remote server, but the return traffic could get forwarded to the wrong place on the remote site. This is more likely when the remote end handles Internet traffic and VPN traffic on separate devices
- The remote site has not activated the service on the actual server (which is still unlikely, provided this isn't a service served on that server only to you through this L2L VPN)
- etc.
As I said, it looks like the L2L VPN is fine. It's up and running, but you can't get traffic back over the L2L VPN, which suggests that the problem is at the remote site.
If you go ask the admins of the remote site about this, let us know how it goes.
If you found this information useful, please rate the answer/answers, and naturally ask more if necessary.
-Jouni
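Before blaming the remote side, it is worth checking the local crypto map for the kinds of mistakes that silently stop an L2L entry from ever being used; in the running-config posted above, for instance, crypto map entries 10 and 50 both match address MATCHVPN3, so entry 50 is shadowed by entry 10. The checker below is an added example, not code from this thread or from Cisco; the sample config is a constructed excerpt in the shape of the posted one, with RFC 5737 documentation addresses in place of the masked peers.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted ASA running-config (not the poster's real data).
SAMPLE_CONFIG = """\
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNPEER 10 match address MATCHVPN3
crypto map VPNPEER 10 set peer 192.0.2.10
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 30 match address MATCHVPN2
crypto map VPNPEER 30 set peer 192.0.2.30
crypto map VPNPEER 30 set transform-set ESP-3DES-SHA
crypto map VPNPEER 50 match address MATCHVPN3
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 192.0.2.10
crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA
tunnel-group 192.0.2.30 type ipsec-l2l
"""


def check_l2l_config(config: str) -> list[str]:
    """Return findings that explain why a static crypto map entry may never build a tunnel."""
    defined_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    l2l_groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    entries = defaultdict(dict)  # sequence number -> {"acl", "peer", "sets"}
    pattern = r"^crypto map \S+ (\d+) (match address|set peer|set transform-set) (.+)$"
    for m in re.finditer(pattern, config, re.M):
        seq, kind, args = int(m.group(1)), m.group(2), m.group(3).split()
        if kind == "match address":
            entries[seq]["acl"] = args[0]
        elif kind == "set peer":
            entries[seq]["peer"] = args[0]  # first peer only; backups are ignored here
        else:
            entries[seq]["sets"] = args
    findings, acl_owner = [], {}
    for seq in sorted(entries):  # lower sequence numbers are evaluated first by the ASA
        e = entries[seq]
        acl = e.get("acl")
        if acl in acl_owner:
            findings.append(f"seq {seq}: match address {acl} already used by seq {acl_owner[acl]}; entry is shadowed")
        elif acl:
            acl_owner[acl] = seq
        peer = e.get("peer")
        if peer and peer not in l2l_groups:
            findings.append(f"seq {seq}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l' (no pre-shared key)")
        for ts in e.get("sets", []):
            if ts not in defined_sets:
                findings.append(f"seq {seq}: transform-set {ts} is not defined")
    return findings


if __name__ == "__main__":
    for line in check_l2l_config(SAMPLE_CONFIG):
        print(line)
```

Run it against the output of `show running-config crypto` plus `show running-config tunnel-group` to get the same checks on a live box.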