VPN issues - 3005 to ASA5510

We are moving from a concentrator 3005 to an ASA5510 and I have a few questions.

In the 3005, you can disable and enable easy VPN tunnels. You go into politics and check or uncheck the box for enable. What is the method to temporarily disable a tunnel on the SAA? Through the ASDM of preference, for ease of management.

Also, I want my remote access sessions to timeout after 8 hours. It shows in the tunnel policy in the ASDM its value for 8 (28800) hours, but I don't see this value in the config at all. I can't quite see a value of 86400 for the isakmp policy. If it is set in the ASDM like 8 hours, why doesn't it appear in the config? Has priority on the time-out, the policy of tunnel or isakmp policy?

Thank you!

Ryan,

For your remote access to the vpn session users max connection time can be specified in attributes of tunnel group policy. Go to your group of tunnel in ASDM > general develop several obtions and uncheck maximum connect time here, you can specify minutes the vpn session will end when it reaches the time in minutes.

example to specify 90 minutes you can also do this through cli, note it's not a time out that this will decrease the session in 90 minutes for all members of the Group of tunnel.

group-policy attributes

vpn-session-timeout 90

You can disable it as:

group-policy attributes

no vpn-session-timeout

as I don't know how to disable vpn L2L sessions support there is no option to turn on/off as in the vpn concentrators, this is a nice feature in the hub, but I haven't seen yet a feature of ASA like that or not aware of an Im.

HTH

Rgds

Jorge

Tags: Cisco Security

Similar Questions

VPN concentrator 3005 - problem of IP attribution

I have a strange problem with the VPN concentrator 3005. I have the private interface configured with 192.168.3.3/24 as the ip address. For all the users I assign an ip address from the same network (for example) 192.168.3.105/24 or use an IP address pool (192.168.3.100 - 192.168.3.150) the connection fails and the hub will specify that it cannot assign an ip address to the client.

However, if I configure the user address pool or a client on a subnet different it works and the user GET connected. For example, 192.168.2.105/24. I hit him a back-end switch and do not really want to have to add a router to talk between subnets.

Am I missing something?

Any help is appreciated!

Alan,

It is recommended to assign another pool of IP addresses for VPN clients to internal network.

Although it is not recommended, you should be able to assign a Pool of IP addresses that is part of the same internal network and it should work. The only thing that you must be aware of, is that this range of IP addresses assigned to customers should not be used on the internal network

You can post the VPN3000 logs when its not able to assign an IP address to the VPN Client.

Let me know if it helps.

Kind regards

Arul

* Please note all useful messages *.

Connectivity VPN IPSec Client to ASA5510

I have an ASA5510 at a remote site. I used the IPSec VPN Wizard to configure remote access for developers in the portion of the DMZ network 192.168.100.0/24.

I can connect using two the last customer Cisco Windows and using VPNC on my Linux machine. A tunnel is created, I get a valid IP within the 192.168.100.0 subnet and everything is great.

But when I try to ssh to one of the servers, the SYN package times out. I can see the connection tries to establish by looking at the logs on the firewall.

There is no problem with Linux servers themselves to who I am trying to connect. I've ridden iptables and even tried to connect without any firewall rule. Still no dice.

I can post my running-config here if necessary.

Thank you.

Well just ensure that ISAKMP desired on your firewall policy is at the top. This will reduce the time for negotiation for Phase 1. Also, make sure that there is no fragmentation (MTU issues).

Concerning

Farrukh

RV042 VPN issues

Hi all

Well, I don't have VPN Linksys configuration in a while and have forgotten most of this, so I was wondering if somebody could please share any knoweldge response and help issues.

What I want to do is to create VPN tunnels between 2 remote sites for VOIP traffic. At both ends of my tunnel, I have a Linksys router. The main site that two remote sites are connecting to has a RV-042.

So here's what I need to know:

1. If I have an existing VPN that runs through the router (the router is currently not my VPN endpoint, a server is) when I place a VPN endpoint on the RV-042 point my existing VPN will be functional?

2. once the branch establishes as a tunnel with the RV-042 how will be the traffic that is intended to flow from the internet? I wish that only certain traffic flows through the tunnel, more specfically as VOIP traffic.

3. once the branch establishes a tunnel with the RV-042 how will forward the RV-042? Also, I want just the VOIp traffic through the tunnel that anything that is intended for the internet should not go to the internet... In other words Split tunneling on both ends of the tunnel.

Router RV - 042 is VPN Head end or head office, if you want to...

RV-042 Firmware: 1.3.12.6 - tm

Ideas or things I should look out for. Is this possible to do?

Topic 1. Perhaps. If you connect to the same endpoint router and a server within the local network, then you will get most likely difficulties.

Re 2/3. The two parties define the traffic that tunnel is based on IP addresses. You define a local and remote security group that essentially defines the IP addresses in the part of the source and destination of each IP packet. If these are in circulation will be tunnel. If they do not match, the traffic is sent outside the tunnel. The configuration of the tunnel does not specify certain protocols or ports. You can only do this based on the IP address. If you use software phones on the computers that you will not get it work as you want because you can't separate the other traffic of the computer VoIP traffic. If you use hardphone you could put all the phones in a specific subnet or address range, and then set that only those IP addresses go through the tunnel.

VPN IPSec SRP500 to ASA5510

Hello:

I have the task to set up a Site Site IPSec VPN between an ASA5510 and SRP500, but I would like to know if anyone else has made the same connection. I would like to know if there is a problem of compatibility between the devices, or if there is no document explaining the correct configuration of the devices.

Kind regards.

Julio

Hello

I don't have an example configuration of ASA, but I know customers who have configured with IPSec between an ASA and a SRP500.

In your design will be the two publicly discussed? If ASA is behind a NAT, make sure to use the version SRP520 MR3 and activate NAT - T after you configure IPSec.

Kind regards

Andy

8.4 ASA using NAT VPN issue.

Hello

I'm working on a customer site and they have a problem with one of their VPN (we have other works well), but it is a major issue and I think it's because we use manual NAT and NAT of the object on the same server for different things.

Traffic between indoors and outdoors:

It works with a specific manual NAT rule of source from the server 10.10.10.10 object

Inside

SRC-> DST

10.10.10.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 SNAT = VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">

It works with a specific using the NAT on the server of 10.10.10.10 object

Remote

SRC-> DST

1.1.1.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">= VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> DNAT 10.10.10.10

If we have the manual NAT and NAT object it does anyway.

So the question is (as I am new to zip code 8.3 ASA) should not mix the 2 types of NAt and look at configuring it all with manual NAT or NAT object?

With the NAT object out it does not work as it is taken in ouside NAT inside all:

Dynamic NAT (inside, outside) source no matter what interface (this NAT to 1.1.1.1 then does not match the card encryption for VPN)

and I tried a no - nat above that, but that does not work either.

Straws and hugging come to mind try to configure a different config. Any pointers in the right direction would be great.

Kind regards

Z

Hello

I'm not sure that installing even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / NAT twice.

You have configured the rule by default PAT that you use as Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual / twice by NAT
- Section 2: Purpose NAT
- Section 3: Manual / double NAT (moved to section 3 using the setting "auto after")
- The Sections are passed by from 1 to 2 and 3 in order to find a match.
You should also notice that the Section 1 and Section 3 NAT has "line number" similar to the ACL parameter type. So if you have a default existing PAT rule configured for Section 1 and just add another Section 1 NAT rule without line/order number (VPN NAT) then it will just fall under the existing rule, making the new useless rule.

I would advice against the use of the rule by default PAT as Section 1 NAT rule. Finally, this means that you be constantly watch and edit its configuration when you try to configure more specific rules.

As a general rule 3 of the Section the PAT above default configuration would be the following

NAT (inside, outside) after the automatic termination of dynamic source no matter what interface

This would mean that you need to remove the old. That would mean as naturally as the change would temporarily dismantling all the current connections through "inside", "Outside" while you change the NAT rule format.

If after this configure a NAT twice to the VPN (wihtout the setting "auto after"), it will be the rule in article 1 while the default PAT will be Section 3. Of course, Section 1 will be matched first.

I'm not quite sure of what your setup of the foregoing have understood.

You're just source NAT?

I guess that the configuration you do is something like this?

network of the LAN-REAL object

10.10.10.0 subnet 255.255.255.0

purpose of the MAPPED in LAN network

1.1.1.0 subnet 255.255.255.0

being REMOTE-LAN network

1.1.2.0 subnet 255.255.255.0

NAT static destination of LAN LAN-REAL-MAPPED Shared source (indoor, outdoor) REMOTE - LAN LAN

If the network 1.1.1.0/24 is supposed to be one that is connected directly to your "external" to the format interface may need to be anything else.

-Jouni

VPN Remote LAN to LAN VPN issues

The issue I'm having is that I have an ASA that provides Lan to Lan VPN and remote access VPN. Lan to Lan VPN connects to another network where a remote server, and the remote vpn connects remote users to the LAN. The two virtual private networks are currently working, however users remote connection via the remote access vpn can not connect to the server over the lan to lan vpn. Here's our Installer.

ASA - LAN to LAN VPN - ASA - LAN Local - Server

|

|

Remote VPN access

|

|

Remote users

In this configuration remote users can access the local network, the server can access the local network, and the local network can access the server and remote users. However, the server cannot access the remote users and remote users cannot access the server. Any ideas on how to get this to work would be much appreciated. I created the NAT rules I think were needed and added the necessary address so that the user remote vpn' client application lists the network on the otherside of the vpn as routable network LAN to LAN. Also, I believe that all the rules of access are correct as tracers of package on both sides are successful. However when you try to ping across the remote client on the server at the other end of the L2L it fails as other attempts to access the server like rdp. Does anyone have a step by step on how to set up this type of vpn configuration remote and l2l configured on asa while leaving the two virtual private networks talk to each other. By the way are two ASA 5505 that with two virtual private networks in this configuration is one on the other end of the l2l 7.2 and 8.2. Any help would be appreciated, especially a tuturail or a list of commands needed to implement, because I think that I'm probably missing just a little extra configuration, I just can not understand.

Use your favorite search engine "permit same-security-traffic intra-interface"

Sent by Cisco Support technique iPad App

SSL VPN issues

Hello

We have had problems with the SSL VPN for quite awhile, but don't seem to be getting anywhere.

This is an intermittent problem that we can not simply track down.

Users can connect to the VPN, get an IP address and show as connected on GEORGE page.
Users concerned, always shows a time of 0: logon. If they try to access anything whatsoever, they cannot, as looks that all traffic is blocked.
I ran a trace of packets to an affected user, and it shows this. To me, it looks like a firewall policy blocks.

(* Parcel number: 1 * header values: bytes captured: 74, real bytes on the wire: 74 Packet Info(Time:02/19/2016 18:01:42.256): in: X 1 * (interface), out:-, DROPPED, Code Drop: 582 Id of Module (package abandoned-denied by SSLVPN under user control strategy),: 27 (policy), (Ref.Id: _968_qpmjdzDifdl), 18:31) ether header Ethernet Type: IP (0 x 800), Src = [00:11:22:33:44:55], Dst = [c2 [:ea:e4:b1:8 b: 23] Type of IP header IP Packet: ICMP (0 x 1), Src = [192.118.201.6], [172.18.1.252] = Type ICMP ICMP Packet Header Dst = 8 (ECHO_REQUEST), ICMP Code = 0, 19407 value = ICMP checksum: [2] dump hexadecimal and ASCII of the package: c2eae4b1 8 b 230011 22334455 and 08004500 003c1a76 00008001 *... #... "3DU... E...<.v....* e8bfc076="" c906ac12="" 01fc0800="" 4bcf0001="" 018c6162="" 63646566="" *...v........k.....abcdef*="" 6768696a="" 6b6c6d6e="" 6f707172="" 73747576="" 77616263="" 64656667="" *ghijklmnopqrstuvwabcdefg*="" 6869="" *hi="">

The only solution is to unplug / reconnect several times, until he started working. We cannot find a reason for this. Somedays it works very good and other days it is not.

Any help would be greatly appreciated.

Thank you

Hello

Just came across the same problem.

We had some additional IP address ranges that had to go through the firewall on SSLVPN. I beilive source was the same.

When configuring users > local users must also assign in selected authorized user access VPN (pencil icon on the right of the user name) Configure > VPN access.

Once I created the Group of subnet for all subnets internal and permitted all Local defined users to access this group for VPN access settings, all traffic began to flow.

I see that 1/2 of last year, but I just joined.

Kind regards

Rajko

Simple PIX PIX VPN issues

I'm trying to implement a simple PIX PIX VPN using the simple PIX - PIX VPN documentation for the sample config page. I have a lot of VPN tunnels with other very happy other PIX devices so it's quite annoying. Anyway, on the source PIX config is as follows:-

access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

NAT (phoenix_private) 0-access list 101

Permitted connection ipsec sysopt

No sysopt route dnat

Crypto ipsec transform-set esp - esp-md5-hmac chevelle

ntlink 1 ipsec-isakmp crypto map

1 ipsec-isakmp crypto map TransAm

correspondence address 1 card crypto transam 101

card crypto transam 1 set peer 172.18.126.233

card crypto transam 1 transform-set chevelle

interface inside crypto map transam

ISAKMP allows inside

ISAKMP key * address 172.18.126.233 netmask 255.255.255.255

ISAKMP identity address

part of pre authentication ISAKMP policy 1

of ISAKMP policy 1 encryption

ISAKMP policy 1 md5 hash

1 1 ISAKMP policy group

ISAKMP policy 1 lifetime 1000

and if I generate the traffic logs show this: -.

9 August 18:40:15 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

9 August 18:40:17 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

9 August 18:40:18 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

9 August 18:40:18 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

9 August 18:40:19 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

No isakmp and ipsec debugging message appears, but you who wait that the PIX does not even link the traffic with the access list or a NAT.

I do something obviously stupid, can someone tell me what it is, thank you.

Jon.

Hello

1. you create a second access as list:

outside_cryptomap ip 172.18.138.0 access list allow 255.255.255.0 172.18.133.0 255.255.255.0

and

2. instead of

correspondence address 1 card crypto transam 101

You must configure

card crypto transam 1 match address outside_cryptomap

the problem is that you configure an ACL for nat and crypto - that does not work

concerning

Alex

IOS SSL VPN issues

Hi Experts.

I can't get SSL VPN tunnel mode to work on a router Cisco1801. I can get the side URL works fine, but when I try and set up the Tunnel with SDM mode. I get the following error message when I try to connect.

An error was found in the certificate of the VPN server.

Received certificate is signed by an untrusted authority.

Then I have the ability to install the certificate. This process seems to work, but I get the following error.

The form of received HTTP SSL VPN gateway response code indicates an error, contact your network administrator.

I do something wrong regarding the certificate?

I'm sorry, just had a chance to flip through your configs. It seems that you are using a VPN pool that is not directly connected to the router. You must either use a pool directly connected or create a loopback on the same subnet.

Also after exit

debugging webvpn tunnel

debugging webvpn auth

debugging webvpn svc

Concerning

Farrukh

VPN issues

Hello

I bought an ASA5505 and I'll it be implemented as a vpn server and firewalls.

After several attempts, my vpn client connected to the server, but now I can't access my 'internal' network or internet...

What is the problem with my config?

My router (192.168.1.254) is related to eth0 and my vpn (192.168.1.10 - assigned by dhcp) client is connected to eth7...

PS: If you have any suggestions to improve my network security do not hesitate to suggest ^_^

(I'm sorry, but this is the first time that I have set up a virtual private network, so I'm deeply ignorant on this subject)

access-list no. - NAT ip enable any 192.168.10.0 255.255.255.0

NAT (inside) - No. - NAT 0 access list

permitted access SPLIT-T-list standard 192.168.0.0 255.255.255.0

attributes of Group Policy Tailoradio

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list SPLIT-T value

NAT-t-disable the value no encryption dynamic-map outside_dyn_map 20

No inside_map card crypto inside interface

No crypto isakmp are inside

ISAKMP nat-traversal crypto

The router 851 and 871 VPN issues still

Main site

1 - all connectivity-all thin - Web - database-email Mail - Proxy - ETC.

2 - VPN Tunnel to the TOP

Remote sites

1 - VPN Tunnel to the TOP and tests

1 cannot ping the main location of the 192.168.0.X (Yes any IP address)

2 - could not get out to the Internet (GO HOLLOW PROXY SERVER 192.168.0.3 even if I could ping)

3 could connect to the database but crashes right after the login screen. Can ping the address of 192.168.0.11 to this fine location database but the connection hangs and does not

* HAND CONFIG

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

!

crypto ISAKMP policy 3

BA 3des

md5 hash

preshared authentication

Group 2

XXX address X.X.X.X isakmp encryption key

XXX address X.X.X.X isakmp encryption key

ISAKMP crypto keepalive 5 20

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

bssn 10 ipsec-isakmp crypto map

Description VPN for PARK

defined peer X.X.X.X

Set transform-set RIGHT

match address 100

bssn 20 ipsec-isakmp crypto map

VPN for Corneilia description

defined peer X.X.X.X

Set transform-set RIGHT

match address 102

bssn 30 ipsec-isakmp crypto map

Description VPN to OAK

defined peer X.X.X.X

Set transform-set RIGHT

match address 103

bssn 40 ipsec-isakmp crypto map

Description VPN to Herbert George Wells

defined peer X.X.X.X

Set transform-set RIGHT

match address 104

interface FastEthernet4

WAN

IP address 216.x.x.x 255.255.255.128 secondary

IP 216.x.x.x 255.255.255.128.

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

IP virtual-reassembly

route IP cache flow

automatic duplex

automatic speed

card crypto bssn

!

interface Vlan1

Entry door

IP 216.X.X.X 255.255.255.248 secondary

IP 192.168.0.11 255.255.255.0

no ip redirection

no ip unreachable

IP nat inside

IP virtual-reassembly

route IP cache flow

IP tcp adjust-mss 1452

!

IP classless

IP route 0.0.0.0 0.0.0.0 216.x.x.x.

!

IP nat inside source overload map route interface FastEthernet4 sheep

!

recording of debug trap

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

* REMOTE SITE

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

XXX address X.X.X.X isakmp encryption key

ISAKMP crypto keepalive 5 20

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

bssn 10 ipsec-isakmp crypto map

Connect to main BSSN description

defined peer X.X.X.X

Set transform-set RIGHT

match address 100

interface FastEthernet4

IP 216.X.X.X 255.255.255.224

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

card crypto bssn

!

interface Vlan1

Entry door

IP 192.168.1.2 255.255.255.0

IP directed broadcast to the

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1452

!

IP classless

IP route 0.0.0.0 0.0.0.0 X.X.X.X

IP http server

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

IP nat inside source overload map route interface FastEthernet4 sheep

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

Thank you

Laughing out loud

On the remote router access list 100 should look like:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

On the main router, the 100 access list should look like:

access-list 100 permit ip any 192.168.1.0 0.0.0.255

HTH,

Kind regards

Kamal

Cisco VPN concentrator 3005

FW 4.1.7r

I can't the https management work on the device. The event logs tell something, of not being able to add the ssl certificate to the private interface. I tried to turn on/off box https without success. I also restarted the device.

Anything else I can try?

You can check if the self-signed certificate VPN concentrator has expired.

It will be under the Administration--> Management of certificates

l2l ASA vpn issues

Hi all

I have two firewalls that I'm trying to implement VPNs l2l between them. Once of them is an old wall of sonic and the other 5505.

I put in all and ends the phase 1/2 and the tunnel rises however no traffic passes through

Here is my configuration

ASA (outside, 192.168.30.1) asa internal 192.168.10.0/25

(Outside 192.168.30.2) SonicWALL sonicwall 192.168.20.0/24

I have an accesslist that is configured on the asa and applied to the cypto card using card crypto XXXX 1, atch address YYY

However when I watch the news ebugging on the console it says: "cannot locate the output for UDP of XXXX interface: 192.168.10.10/1 to 192.178.20.1/0.

any ideas why this is?

I just need a static route to say all traffic on asa with 192 source... 10.0 should go through 192.168.30.2?

I guess it's the work of crypto card

Am I wrong?

Hello

Begins to seems to me you have a filter ACL configured for your L2L VPN VPN and also the ACL filter of VPN and Crypto ACLs are the same things, which means you use a simple both ACL.

Why I think it's like this is the fact that you say that your VPN L2L cross trading in the "packet-tracer" VPN Phase means Crypto VPN L2L ACL was correct. At the same time say you that the connection was stopped to the Phase of the VPN USER. He points to a VPN filter ACL being configured.

In view of the foregoing, I also know that the ACL of filter for the L2L VPN behave with a logic different than typical ACL interface. In VPN L2L the ACL filter ALWAYS mention the remote network as the source ALWAYS and your Local network as the destination.

If add you an ACL rule with order switched networks appears this fixes the VPN filter ACL problems and finally allowed traffic. Naturally I can only guess that I saw actual configurations at this point (which, usually with release "packet - trace", help to solve a problem faster just guessing)

If you indeed filter VPN, you may be able to track him down with the following commands

See the tunnel-group race

Check if a "group policy" is defined then the command

See establishing group policy enforcement

This output should list the name of the ACL filter VPN if its game

Regarding the installantion auto road. The default setting for ASA, is that it will create NO static routes automatically depending on the VPN configurations. This must be enabled manually in "crypto map" configurations, or you can configure static routes manually.

ASA tracking to default TCP and UDP connections. ICMP is inspected only if his permit. By default, it is NOT inspected.

Hope this helps

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary.

-Jouni

Site to Site VPN issues

Hello

I have created a new site to site vpn connection and can't know why it does not work.

All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?

!

vpn hostname

domain name

activate the encrypted password of Pp6RUfdBBUU

ucU7iJnNlZ passwd / encrypted

names of

DNS-guard

!

interface Ethernet0/0

nameif outside

security-level 0

IP address 87.117.xxx.xx 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

IP address 78.129.xxx.x 255.255.255.128

!

interface Ethernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

!

boot system Disk0: / asa822 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

domain msiuk.com

permit same-security-traffic inter-interface

DM_INLINE_TCP_1 tcp service object-group

EQ port 3389 object

EQ object of port 8080

port-object eq www

EQ object of the https port

Http81 tcp service object-group

port-object eq 81

DM_INLINE_TCP_3 tcp service object-group

port-object eq 81

port-object eq www

the DM_INLINE_NETWORK_1 object-group network

host of the object-Network 172.19.60.52

host of the object-Network 172.19.60.53

host of the object-Network 172.19.60.68

host of the object-Network 172.19.60.69

host of the object-Network 172.19.60.84

host of the object-Network 172.19.60.85

host of the object-Network 172.19.60.86

access-list extended basic permit icmp any any echo response

access-list extended basic permit icmp any one time exceed

access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731

access-list extended basic permit tcp any host 78.129.xxx.xx eq www

access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group

access-list extended basic permit tcp any host 78.129.xxx.xx eq www

access-list extended basic permit tcp any host 78.129.xxx.xx eq www

access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive

access-list extended basic permit tcp any host 78.129.xxx.xx eq www

access-list extended basic permit tcp any host 78.129.xxx.xx eq https

access-list extended basic permit tcp any host 78.129.xxx.xx eq https

access-list extended basic permit tcp any host 78.129.xxx.xx

permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group

access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0

Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128

SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0

access list allow extended permit ip any one

MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203

MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0

SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp

MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx

MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx

MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-625 - 53.bin

don't allow no asdm history

ARP timeout 14400

Global (1 interface external)

NAT (inside) 0 access-list SHEEP

Access SMTP-NAT NAT (inside) 1 list

NAT (inside) 1 10.1.1.0 255.255.255.0

NAT (inside) 1 10.2.2.0 255.255.255.0

Access-group basic in external interface

Access-group allow external interface

Access-group allow the interface inside

Access-group allow the interface inside

Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1

Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1

Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1

Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1

Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

Enable http server

http 0.0.0.0 0.0.0.0 outdoors

No snmp server location

No snmp Server contact

Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform

Crypto ipsec transform-set esp-3des esp-md5-hmac kwset

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES

card crypto VPNPEER 1 corresponds to the address MATCHJLS

card crypto VPNPEER 1 set peer 94.128.xxx.xx

card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto VPNPEER 10 corresponds to the address MATCHVPN3

card crypto VPNPEER 10 set peer 94.128.xxx.xx

crypto VPNPEER 10 the transform-set jlstransformset value card

card crypto VPNPEER 10 set nat-t-disable

card crypto VPNPEER 30 corresponds to the address MATCHVPN2

card crypto VPNPEER 30 212.118.xxx.xx peer value

card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto VPNPEER 30 the value reverse-road map

card crypto VPNPEER 40 corresponds to the address MATCHVPN4

VPNPEER 40 crypto map set peer 94.128.xxx.xx

crypto VPNPEER 40 the transform-set kwset value card

card crypto VPNPEER 50 corresponds to the address MATCHVPN3

card crypto VPNPEER 50 set pfs

card crypto VPNPEER 50 set peer 94.128.xxx.xx

card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA

card crypto VPNPEER 50 set nat-t-disable

card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP

VPNPEER interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 3600

Crypto isakmp nat-traversal 3600

crypto ISAKMP disconnect - notify

Telnet timeout 5

SSH 0.0.0.0 0.0.0.0 outdoors

SSH 0.0.0.0 0.0.0.0 inside

SSH timeout 60

SSH version 2

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal GroupPolicy1 group strategy

attributes of Group Policy GroupPolicy1

value of VPN-filter MATCHKW

Protocol-tunnel-VPN IPSec l2tp ipsec

internal CLIENTGROUP group policy

CLIENTGROUP group policy attributes

value of server DNS 10.1.1.10 10.1.1.2

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list SPLITTUN

msiuk.local value by default-field

Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q

tunnel-group msi type remote access

msi General attributes tunnel-group

address LOCPOOL pool

Group Policy - by default-CLIENTGROUP

MSI group tunnel ipsec-attributes

pre-shared key *.

tunnel-group msi ppp-attributes

ms-chap-v2 authentication

tunnel-group 212.118.xxx.xx type ipsec-l2l

212.118.xxx.XX group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 94.128.xxx.xx type ipsec-l2l

94.128.xxx.XX group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 94.128.xxx.xx type ipsec-l2l

94.128.xxx.XX group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 94.128.xxx.xx type ipsec-l2l

94.128.xxx.XX group of tunnel ipsec-attributes

pre-shared key *.

!

class-map ftpdefault

match default-inspection-traffic

class-map default inspection

!

!

Policy-map global_policy

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:b251877ef24a1dc161b594dc052c44

: end

ASDM image disk0: / asdm-625 - 53.bin

don't allow no asdm history

Hello

OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.

It seems that you get no traffic back from the remote end

This could mean one of the following things
- Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
- Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
- Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
- etc.
As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.

If you go ask about this since the admins of the remote site, let us know how to do the thing.

If you found this information useful, please note the answer/answers and naturally ask more if necessary

-Jouni

VPN issues - 3005 to ASA5510

Similar Questions

Maybe you are looking for