VPN L2L: ASA5505 -> ASA5520, IKE initiator unable to find policy
Hello!
Periodically we are experiencing a problem with the L2L tunnel between a 5505 and a 5520.
Sometimes the 5505 LAN has no access to one of the 5520's LANs.
ex: ping from the inside interface (10.1.13.1) of the 5505 to the 5520 (10.1.1.1) does not work
5505:
- sh cry isa sa: we can see the peer, it's OK
- sh cry ips sa: the peer IP is there, but the counters are not increasing and still no ping
- all the other entries of the ACL work properly
5505 debugging:
%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.1.13.1, Dst: 10.1.1.1
%ASA-3-313001: Denied ICMP type=8, code=0 to 10.1.1.1
The ACL on both sides is correct.
clear isakmp sa helps solve the problem.
p.s. the ASA 5505 has two ISPs and two crypto maps to the 5520.
This happens whenever the primary or secondary provider fails.
Similar Questions
-
2811: connecting two VPN L2L ASA5505s
Hello
We have a HQ site with a 2811 (w/ ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 with an established IPsec VPN L2L.
I'm trying to connect a 2nd ASA, but I noticed that I can only add 1 crypto map to the external interface.
sh ver shows 1 Virtual Private Network module... Surely this does not mean only 1 VPN?
Can I use one crypto map and add a second "set peer" & "match address" inside the crypto map itself?
Thank you
Jason
Yes, you add another policy to your crypto map configuration.
Thank you
Tarik Admani
* Please rate helpful posts *
-
IKE initiator unable to find policy; Intf outside, Src: error
I have a Cisco ASA 5505 with a tunnel to a remote office. I just put in place another identical tunnel to another site, and when I look at the VPN in ASDM I see that the VPN is active. But I can't ping through it. When I check the logs I see "IKE Initiator unable to find policy: Intf outside, Src:..." Does anybody know what might be the cause? Here is a copy of the configuration. Thank you.
bdavpn1# sh config
: Saved
: Written by admin at 17:54:11.823 ADT Mon Jun 7 2010
!
ASA Version 8.2(2)
!
hostname bdavpn1
domain-name domain.com
enable password OSaXLnYQKkAcBhYA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.100 255.255.255.0 standby 192.168.2.101
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 101.17.205.116 255.255.255.1018 standby 101.17.205.117
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.20.0.1 255.255.255.0 standby 172.20.0.3
!
interface Vlan4
 description Failover LAN Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 91
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 172.20.0.99
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Chicago-nets
 network-object 10.150.1.0 255.255.255.0
 network-object 10.150.55.0 255.255.255.0
 network-object 10.150.56.0 255.255.255.0
 network-object 10.150.57.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
 network-object 192.168.26.0 255.255.255.0
 network-object 10.150.111.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.4.0 255.255.255.0
 group-object Chicago-nets
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.4.0 255.255.255.0
 group-object Chicago-nets
object-group network DM_INLINE_NETWORK_3
 network-object 172.20.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 172.20.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
access-list outside_to_dmz remark allow access to the citrix Server
access-list outside_to_dmz extended permit tcp any host 101.17.205.123 eq https log
access-list dmz_to_inside extended permit ip host 172.20.0.2 192.168.2.0 255.255.255.0 log
access-list outside_access_in remark incoming Citrix access
access-list outside_access_in extended permit tcp any host 101.17.205.123 eq https
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
pager lines 101
logging enable
logging timestamp
logging standby
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failover Vlan4
failover interface ip failover 172.16.30.1 255.255.255.252 standby 172.16.30.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 101.17.205.123 172.20.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 101.17.205.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http redirect outside 80
snmp-server host inside 10.150.1.177 community survey * version 2c
snmp-server host inside 10.150.2.38 community survey * version 2c
snmp-server location Hamilton, Bermuda
snmp-server contact René Bouchard
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 101.88.182.189
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 2 match address outside_2_cryptomap
crypto map outside_map3 2 set peer 101.1.95.253
crypto map outside_map3 2 set transform-set ESP-3DES-SHA
crypto map outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map3 interface outside
crypto ca trustpoint bdavpn1
 enrollment terminal
 fqdn bdavpn1.domain.bm
 subject-name CN=bdavpn1.domain.bm,OU=Ltd,O=domain,C=US,St=of_confusion,L=Hamilton,EA=[email protected]
 crl configure
crypto ca certificate map domainincCertificateMap 10
 subject-name attr cn eq sslvpn.domain.com
crypto ca certificate chain bdavpn1
certificate ca 00
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 120
ssh enable ibou
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.116 source inside prefer
ntp server 192.168.2.117 source inside
ssl trust-point bdavpn1 outside
webvpn
 enable outside
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username LtdAdmin password XRlF3jA1k3JEhNgr encrypted privilege 15
username domainadmin password E1zLpTPUtBADN9og encrypted privilege 15
tunnel-group sslvpn.domain.com type ipsec-l2l
tunnel-group sslvpn.domain.com ipsec-attributes
 peer-id-validate cert
 trust-point bdavpn1
tunnel-group 101.88.182.189 type ipsec-l2l
tunnel-group 101.88.182.189 ipsec-attributes
 pre-shared-key *
tunnel-group 101.1.95.253 type ipsec-l2l
tunnel-group 101.1.95.253 ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map domainincCertificateMap 10 sslvpn.domain.com
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 10101
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect amp-ipsec
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a23ada0366576d96bd5c343645521107

Scott,
When you check the status of the two tunnels from the CLI, check the following:
sh cry isa sa --> should show as active or QM_IDLE
sh cry ips sa --> shows the packets encrypted/decrypted
If the second tunnel does not come up properly, you should ensure that the policies match on the two ends of the tunnel.
If the second tunnel comes up but does not pass traffic, we might have a NAT or routing problem.
Federico.
-
Site to site VPN router-ASA5505
Hello
I have a problem with the VPN between an ASA5505 and a 3825 router.
Behind the ASA we have a server that serves a specific port. If for any reason the link is disconnected, the VPN will not become active if we do not generate traffic to this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when you reboot the ASA: the VPN is not created without pinging the server behind this ASA.
How could we solve this problem without sending traffic from the server?
As for remote access to this ASA, can I access the internal interface? If I open access on port 443 on the external interface of the ASA, could I access it? Or must I also exclude this traffic from the VPN?
I used the VPN Wizard to configure on the ASA and the CLI on the router.
Some troubleshooting and configuration commands; if this is not enough please let me know what else you need.
Thanks in advance for your help
ciscoasa# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.10.10.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : AM_ACTIVE
Configuration of the ASA:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
The main router configuration:
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10
crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
crypto map ETH0 2696 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set xxxxx
 match address 2001
access-list 2001 permit ip any 192.168.26.96 0.0.0.7
Post edited by: adriatikb
I just read somewhere that changing the VPN type from 'bidirectional' to 'initiator' or 'responder' could help me, but I tested it and got no results.
I had the same problem last week, and the TAC engineer on our service ticket told us to downgrade from IOS 8.2(3) to 8.2(1). Since then, it works fine.
-
VPN site to site stuck in IKE Phase 1 - MM_WAIT_MSG2
We are doing a site-to-site VPN. The tunnel has worked before, but after some discussions about the location of ASA_Receiving (no config change was made on the ASA; this ASA is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.
It is an L2L VPN; I wonder if the "Type" showing "user" is related to the issue?
ASA_Initiator
    IKE Peer: 71.13.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
ASA_Receiving
# show crypto isakmp sa
There are no isakmp sas
Hey,
is the remote end an ASA as well?
If so, take the capture below on the ASA:
capture capout interface <outside> match udp host <local_peer_ip> host <remote_peer_ip>
The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:
1. either a problem with the phase 1 policies of the remote end, or
2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it can't reach the local ASA.
Regards
-
Summary:
We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use a separate NAT with two private host addresses, one for each direction of the tunnel.
My initial configuration of the tunnel on my side brought up Phase 1, but not IPsec. The partner ran a debug that revealed that my host address was not NAT'd in the NAT policy. We use an ASA5520, ver 7.0.
Here is the config:
##List of OUR hosts
object-group network OURHosts
 network-object host 192.168.x.y
##List of PARTNER hosts
object-group network PARTNERHosts
 network-object host 10.2.a.b
###ACL for NAT
# Many-to-many outgoing
access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
# One-to-many incoming
access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts
##NAT
nat (INSIDE) 2 access-list NAT2
nat (OUTSIDE) 2 172.20.n.0
nat (INSIDE) 3 access-list VIH3
nat (OUTSIDE) 3 172.20.n.1
##ACL for VPN
access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts
##Tunnel
tunnel-group <#> type ipsec-l2l
crypto map <#> <#> match address VPN
crypto map <#> <#> set transform-set VPN
crypto map <#> <#> set peer <#>
I realize that the ACL for the VPN should read:
access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts
... if the NAT was working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translated.
What am I missing to NAT our hosts to the 172.20 addresses when they try to access the partner's internal addresses via the VPN?
Thanks in advance.
Patrick
Here is the order of operations for NAT on the firewall:
1. nat 0 access-list (nat exemption)
2. match existing xlates
3. match static commands
   a. static NAT with no access-list
   b. static PAT with no access-list
4. match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. if the id is 0, create an identity xlate
      ii. use global pool for dynamic NAT
      iii. use global pool for dynamic PAT
If you can, try
(1) a static NAT with an access-list, which will have priority over the dynamic NAT statement
(2) as you can see in 4a it uses first match with nat and access-list, so theoretically swapping them around should do the trick.
I don't see any negative consequences? - Well yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so if you do this, absolutely do it after-hours.
Jon
-
Cannot ping the ASA inside IP port from the remote site over the L2L VPN
The L2L VPN is established OK between ASA-1/ASA-2:
ASA-2# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 207.140.28.102
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
QUESTION: From 3750-2 we can ping 3750-1 (10.10.2.253) OK, but not the ASA-1 inside port (10.10.2.254).
Debug icmp data on ASA-1:
ASA-1# debug icmp trace
debug icmp trace enabled at level 1
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=0 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=1 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72
Make sure you have management-access inside
Let me know if this helps.
-
ASA VPN L2L design question
We expect to have more than 10,000 remote VPN L2L clients.
I see that each crypto map entry needs a 'set peer' statement, and the IP address is the address of the remote VPN L2L peer.
EX:
crypto map UNI-POP 3 set peer 172.23.0.3
. . .
crypto map UNI-POP 10000 set peer 172.26.0.250
I already feel that this will be a VERY long config, maybe too big to save/read from memory.
Would anyone have a better approach?
Thank you
Frank
Frank,
If the remote end will only initiate from time to time, you should not need set peer statements and normally it would suffice to have a dynamic crypto map.
If the remote ends do not support certificates, it is possible to land on the DefaultL2LGroup tunnel-group.
bsns-asa5505-19# sh run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
(...)
You need to test yourself to see if it will work.
I also agree in terms of more than one firewall. Two devices in load balancing or, if possible, 2 pairs of devices in failover clusters could be a great way to have a decent load per machine and hardware redundancy (in ideal circumstances ;]). I suggest you ping your systems engineer for sure for any deployment involving 5585s; those guys can usually give good advice (and discounts ;]).
Marcin
-
VPN L2L dynamic to static w/o DefaultL2LGroup
I was looking for a method to have a dynamic-to-static L2L VPN without using DefaultL2LGroup, but setting up several tunnel-groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses
Now the problem: the vpn comes up, but I can't reach any device with a ping.
Static side: ASA 5505 - 8.2(2)
Dynamic side: Zyxel P-661HW-D3
Here is the config for the ASA:
access-list outside extended permit icmp any any
access-list outside extended deny ip any any
access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 10.1.0.0 255.255.248.0
access-group inside in interface inside
access-group outside in interface outside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 1 match address ST_3710
crypto dynamic-map DN3710 1 set transform-set myset
crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
group-policy GP3710 internal
group-policy GP3710 attributes
 vpn-filter value ST_3710
 vpn-tunnel-protocol IPSec
tunnel-group TG3710 type ipsec-l2l
tunnel-group TG3710 general-attributes
 default-group-policy GP3710
tunnel-group TG3710 ipsec-attributes
 pre-shared-key *********
As you can see the vpn is in place:
2   IKE Peer: ***.***.***.***
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Thanks in advance if anyone can help me with this problem.
Kind regards
Luca
Hello Luca,
You are right about that: you can have the spokes landing on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when doing a tunnel-group lookup for L2L tunnels with pre-shared keys:
- the ike-id is verified first and could be a (full fqdn) hostname or IP address
- if the ike-id lookup fails, the ASA tries the peer IP address
- DefaultRAGroup/DefaultL2LGroup is used as a last resort
From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.
The problem I clearly see here is the VPN filter that you have applied to the group-policy; keep in mind that vpn-filters must be written with the inbound direction in mind.
When a vpn-filter is applied to a group-policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL. Be careful when constructing the ACL for use with the vpn-filter feature. The ACLs are built with the post-decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction.
In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network 10.1.0.0 255.255.248.0. So let's say you want to allow just telnet:
The following ACE will allow the remote network to Telnet to the LAN:
access-list vpnfilt-l2l permit 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
The following ACE will allow the LAN to Telnet to the remote network:
access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
Note: The ACE access-list vpnfilt-l2l permit 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23 will allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.
The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0 will allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.
Kind regards
-
Add a network to an existing L2L VPN
I have properly configured L2L VPNs between our main site and 2 offices. Now I would like to allow additional networks on the main site to access the branch sites. The Cisco doc (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do it without adding an interface?
Here is the relevant config on the main site ASA (8.0) and one of the remote PIXes (7.0):
=========================
ASA (main site)
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.97.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
=========================
PIX (remote site)
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20_2
crypto map outside_map 20 set peer 204.14.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
Just add the relevant traffic to your access-lists. New network = 172.16.2.0/24
ASA (main site)
access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
Don't forget your nat exemption acl as well. For example...
ASA (main site)
access-list extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0
PIX (remote site)
access-list extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
-
Question on L2L VPN redundancy using 2811s as endpoint devices
I have a new L2L VPN implementation going using two 2811s as the VPN terminating devices. I'm trying to use the HSRP address between the public interfaces of both routers as the VPN peer address. The problem I found during testing is that the tunnel will not become active, and debugs show the HSRP address as an invalid address to form the tunnel. Is there a workaround, or a better plan for redundancy on the peering address using similar devices? Thanks in advance.
Take a look at this doc about IOS IPSec HA.
-
Simple L2L VPN configuration to comply with security requirements
Hello
I have successfully set up an L2L connection between a 5510 (7.2) and a 3rd party (SonicWall).
Security requirements are such that (contractor) users at our office need to connect to various devices at the 3rd party, BUT nothing at the 3rd party must connect to anything at our office.
I tried an outbound ACL (access-group L2L-RESTRICT out interface inside) on the inside interface. But the funny thing is that I'm getting hits on the deny statements in the ACL, although tests show no problems connecting to multiple hosts at our site from the 3rd party. My ACL config looks like the following:
<..snip..>
access-list L2L-RESTRICT remark *ATTENTION* USE WITH CAUTION - RESTRICTIONS ON THE 3rd PARTY L2L VPN
access-list L2L-RESTRICT extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
access-list L2L-RESTRICT extended deny ip 192.168.16.0 255.255.255.0 any log
access-list L2L-RESTRICT remark >NOTE< last line *must* be permit any
access-list L2L-RESTRICT extended permit ip any any
!
access-group L2L-RESTRICT out interface inside
<..snip..>
Their network is obviously 192.168.16.x and they won't be able to use a different source vlan, as the "interesting traffic" ACL won't allow it. So that sounds good in theory.
Have I configured it correctly? Is there a better way?
Thanks in advance,
Mike
Mike,
It seems that you might be able to assign a VPN filter ACL via a group-policy assigned to each L2L tunnel. I have never done this personally before, but it looks like it would work...
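As an added illustration (not code from any post above or from Cisco), here is a Python model of the vpn-filter direction rule explained in the reply to Luca, which is also the mechanism suggested to Mike: it parses ACEs in the pre-8.3 syntax used on this page, evaluates a flow both as written (remote -> LAN) and mirrored (LAN -> remote), and lists the source-port holes that the reply's note describes. The ACL text, the addresses and all function names are constructed for this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample vpn-filter ACL in pre-8.3 ASA syntax (not from any post on this page).
# Remote network 10.51.10.0/24, local LAN 10.1.0.0/21 as in Luca's thread; the two ACEs
# follow the reply's shape: remote network in the src position, LAN in the dst position.
VPN_FILTER = """
access-list vpnfilt-l2l extended permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
access-list vpnfilt-l2l extended permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
"""


class Ace(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]   # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended permit PROTO SRC MASK [eq P] DST MASK [eq P]'."""
    tok = line.split()
    if len(tok) < 9 or tok[0] != "access-list" or tok[3] != "permit":
        return None
    proto, i = tok[4], 5
    src = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")
    i += 2
    sport = None
    if tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")
    i += 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(proto, src, sport, dst, dport)


def ace_matches(ace: Ace, proto: str, sip: str, sp: int, dip: str, dp: int) -> bool:
    return (ace.proto == proto
            and ipaddress.IPv4Address(sip) in ace.src
            and ipaddress.IPv4Address(dip) in ace.dst
            and ace.sport in (None, sp)
            and ace.dport in (None, dp))


def vpn_filter_permits(acl_text: str, proto: str, sip: str, sp: int, dip: str, dp: int) -> bool:
    """Emulate vpn-filter evaluation for one packet.

    Post-decrypted traffic (remote -> LAN) is matched against the ACE as written.
    Pre-encrypted traffic (LAN -> remote) is matched with addresses AND ports swapped,
    which is why a 'dst eq 23' ACE also lets the LAN reach any remote port from source port 23.
    """
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace_matches(ace, proto, sip, sp, dip, dp):      # remote -> LAN, as written
            return True
        if ace_matches(ace, proto, dip, dp, sip, sp):      # LAN -> remote, mirrored
            return True
    return False


def audit_port_mirroring(acl_text: str):
    """Return (ace_line, hole) for every ACE with one fixed port that, read in the mirrored
    direction, permits the other side to reach ANY port as long as it uses that source port."""
    findings = []
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace.dport is not None and ace.sport is None:
            findings.append((line, f"LAN {ace.dst} -> remote {ace.src}: any port from source port {ace.dport}"))
        if ace.sport is not None and ace.dport is None:
            findings.append((line, f"remote {ace.src} -> LAN {ace.dst}: any port from source port {ace.sport}"))
    return findings
```

Because the same ACE is evaluated in both directions, a port-based vpn-filter cannot express "only one side may initiate"; the audit output shows exactly which reverse flows each ACE opens.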
-
ASA5510 VPN L2L cannot reach hosts on the other side
Hello experts,
I have an ASA5510 with 3 L2L VPNs and remote access VPN. Two L2L VPNs, Marielle and Aeromique, have no problem, but for the ASPCANADA VPN, from a host behind the ASA, 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.
Add these two lines to the NAT 0 access-list:
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250
Also make sure the mirror of these statements is also in the remote ASA's NAT 0 access-list.
Test and validate results
HTH
Sangaré
Pls rate helpful posts
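As an added illustration (not code from any post above or from Cisco), a Python check for the two recurring problems in these threads: interesting traffic that is missing from the nat 0 exemption ACL (the fix given in this reply and in the "Add a network" thread above), and %ASA-3-713042 "IKE Initiator unable to find policy" messages like the one in the first post, which it classifies against the crypto ACL bound to each ISP interface. The config lines, interface names, log lines and function names are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample config in pre-8.3 ASA syntax (not taken from any post on this page).
# Two ISP interfaces, each with its own crypto map, as in the first post on this page.
CRYPTO_ACLS = {
    "outside": [
        "access-list outside_cryptomap extended permit ip 10.1.13.0 255.255.255.0 10.1.1.0 255.255.255.0",
        "access-list outside_cryptomap extended permit ip 10.1.13.0 255.255.255.0 10.1.2.0 255.255.255.0",
    ],
    "backup": [
        "access-list backup_cryptomap extended permit ip 10.1.13.0 255.255.255.0 10.1.1.0 255.255.255.0",
    ],
}
NAT0_ACL = [
    "access-list inside_nat0_outbound extended permit ip 10.1.13.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
# Constructed syslog lines in the %ASA-3-713042 format quoted in the first post.
SYSLOG = [
    "%ASA-3-713042: IKE Initiator unable to find policy: Intf backup, Src: 10.1.13.1, Dst: 10.1.2.1",
    "%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.1.13.1, Dst: 10.1.1.1",
    "%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.1.13.1, Dst: 10.1.9.1",
]


def parse_ip_ace(line):
    """'access-list NAME extended permit ip SRC MASK DST MASK' -> (src_net, dst_net), else None."""
    t = line.split()
    if len(t) != 9 or t[0] != "access-list" or t[3:5] != ["permit", "ip"]:
        return None
    return (ipaddress.IPv4Network(f"{t[5]}/{t[6]}"), ipaddress.IPv4Network(f"{t[7]}/{t[8]}"))


def missing_nat_exemption(crypto_lines, nat0_lines):
    """Crypto ACEs whose src/dst pair is not fully inside some nat 0 ACE.

    On pre-8.3 code, traffic matching such an ACE is translated by 'nat (inside) 1 ...' before
    the crypto map is consulted, so the translated packet no longer matches the interesting-traffic
    ACL and leaves in the clear instead of through the tunnel; this is the fix given above.
    """
    nat0 = [p for p in map(parse_ip_ace, nat0_lines) if p]
    missing = []
    for line in crypto_lines:
        pair = parse_ip_ace(line)
        if pair and not any(pair[0].subnet_of(s) and pair[1].subnet_of(d) for s, d in nat0):
            missing.append(line)
    return missing


LOG_RE = re.compile(r"%ASA-3-713042: .*Intf (\S+), Src: (\S+), Dst: (\S+)")


def classify_713042(log_line, crypto_acls):
    """Explain one 'IKE Initiator unable to find policy' message against the crypto ACLs.

    Returns 'acl-mismatch'    - no crypto ACE on any interface covers src->dst;
            'wrong-interface' - an ACE exists, but only on another interface's crypto map
                                (typical after an ISP failover moves the default route);
            'covered'         - the ACE exists on the logged interface, so look at SA state
                                and peer reachability rather than at the ACL.
    """
    m = LOG_RE.search(log_line)
    if not m:
        return None
    intf = m.group(1)
    src, dst = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))

    def covered_on(name):
        pairs = (parse_ip_ace(l) for l in crypto_acls.get(name, []))
        return any(p and src in p[0] and dst in p[1] for p in pairs)

    if covered_on(intf):
        return "covered"
    if any(covered_on(n) for n in crypto_acls if n != intf):
        return "wrong-interface"
    return "acl-mismatch"
```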
-
VPN l2l failed inside on ASA 5520 (8.02)
VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.
vpnASA01# packet-tracer input inside icmp [10.0.0.243] 0 8 10.97.29.73 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc92087c8, priority=12, domain=capture, deny=false
        hits=85188209121, user_data=0xc916a478, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc87f1f98, priority=1, domain=permit, deny=false
        hits=85193048387, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xc87f3670, priority=111, domain=permit, deny=true
        hits=67416, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
===== ACCESS-LIST + Config =====
object-group network L2LVPN-blah_local
 network-object 10.97.29.73 255.255.255.255
object-group network L2LVPN-blah_remote
 network-object [10.0.0.240] 255.255.255.240
access-list INBOUND_OUTSIDE extended permit ip object-group L2LVPN-blah_remote object-group L2LVPN-blah_local
access-list L2LVPN-blah_obj extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote
access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240
route outside [10.0.0.240] 255.255.255.240 [10.97.29.1] 1
crypto map outside-VPN 46 match address L2LVPN-blah_obj
crypto map outside-VPN 46 set peer [10.0.0.243]
crypto map outside-VPN 46 set transform-set esp-sha-aes-256
crypto map outside-VPN interface outside
tunnel-group [10.0.0.243] type ipsec-l2l
tunnel-group [10.0.0.243] ipsec-attributes
 pre-shared-key *
Note: the bracketed addresses such as [10.0.0.1] are there to protect the client's public addresses. Assume they stand in for the actual IP range 10.0.0.240/28.
===========================================
Thanks in advance.
Michael Garcia
Profit Systems, Inc..
Hi Michael,
- Is the peer IP really part of the network that makes up the encryption domain?
- Is the INBOUND_OUTSIDE ACL applied inbound on the inside or on the outside interface? In its current form it would need to be on the outside interface.
- You specify only the peer IP in the SHEEP ACL, so all other traffic would be NATed and eventually denied because it does not match the encryption domain.
Someone else may have some other ideas, but these are the questions I have for the moment.
James
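The three checks James raises, together with the NAT 0 point from Sangaré's reply earlier on this page, applied to the posted config as an added example; this is not Michael's config and not a reply from the thread. The object-group and ACL names are the ones Michael posted. 203.0.113.10 is an assumed stand-in for the remote peer's real outside address, and 10.0.0.245 an assumed host inside the posted remote range 10.0.0.240/28. The posted packet-tracer is also run in the wrong direction: it injects a packet on the inside interface with the remote address as source, but traffic from the far side of an L2L tunnel enters the ASA on the outside interface after decryption, so the traces below start from outside and from the local host respectively.

```cisco
! 1. Peer vs. encryption domain: the peer is the remote firewall's outside address
!    and should not sit inside the remote network named in the crypto ACL.
!    (203.0.113.10 is an assumed placeholder for the real peer.)
crypto map outside-VPN 46 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key>
!
! 2. Interface ACL: decrypted tunnel traffic arrives on outside, so INBOUND_OUTSIDE
!    belongs there. It only takes effect if "sysopt connection permit-vpn" has been
!    turned off; with the ASA default, VPN traffic bypasses interface ACLs.
access-group INBOUND_OUTSIDE in interface outside
!
! 3. NAT exemption must mirror the crypto ACL (local -> remote), not just the peer IP,
!    otherwise local replies get translated and no longer match the encryption domain.
!    (8.2-style "nat 0" syntax, matching the posted 8.02 code; bracket kept as in the post.)
no access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240
access-list SHEEP extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote
nat (inside) 0 access-list SHEEP
!
! Re-test in both directions with an echo request (type 8, code 0);
! 10.0.0.245 is an assumed host in the remote range.
packet-tracer input outside icmp 10.0.0.245 8 0 10.97.29.73 detailed
packet-tracer input inside icmp 10.97.29.73 8 0 10.0.0.245 detailed
!
! Then watch the SA counters: "pkts decaps" rising while "pkts encaps" stays at 0
! means the inbound side works and the local reply is being NATed or routed elsewhere.
show crypto ipsec sa peer 203.0.113.10
```

The encaps/decaps check is the quickest way to tell which side of the path is broken when the tunnel is up but pings fail: decaps without encaps points at NAT or routing on the local ASA, encaps without decaps points at the remote side.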
-
Changing the peer IP on an L2L VPN tunnel
Just a question out of curiosity... I have 2 new ASA5515s that I'm setting up for an equipment upgrade. Until I swap them in, I'm using them as a sort of makeshift lab to get going on the L2L VPN setup. I didn't use the current IP addresses for the test environment, so I used fake numbers.
My question is: can I go back and change the peer IP address and the local/remote addresses without having to wipe them back to factory defaults again?
- Do I just reissue the tunnel-group X.X.X.X type ipsec-l2l command with the new IP address?
I know there are a few other areas where I have to change the IP of both peers, but my question is just: can I do that, or do I have to start over?
-Jon
Jon
You should not have to reconfigure from scratch, if that's what you're asking.
You just need to change the peer IPs everywhere they appear in your configuration.
Jon
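What "change the peer IPs everywhere they appear" looks like on an ASA 5515 (9.x-style syntax), as an added example that is not Jon's config and not the replier's. The lab values 192.0.2.1 / 10.10.0.0/24 / 10.20.0.0/24, the production values 203.0.113.10 / 10.1.13.0/24 / 10.1.1.0/24 and all object, ACL and crypto map names are assumed. The one place that cannot simply be edited in place is the tunnel-group, which is keyed by the peer address: a new one has to be created under the new address and the old one removed. If the lab crypto ACL and NAT exemption were written with literal addresses, replace those lines with the object references shown, after which only the objects need to change.

```cisco
! 1. Keep the networks in objects so the crypto ACL and NAT exemption need no edits;
!    re-issuing "subnet" under an existing object replaces the lab value.
object network LOCAL-LAN
 subnet 10.1.13.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.1.1.0 255.255.255.0
access-list CRYPTO-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! 2. Swap the peer in the crypto map entry (entry number assumed)
no crypto map outside-VPN 10 set peer 192.0.2.1
crypto map outside-VPN 10 set peer 203.0.113.10
!
! 3. Tunnel-groups cannot be renamed: build the new one, then drop the old one
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <key>
clear configure tunnel-group 192.0.2.1
!
! 4. Tear down SAs negotiated with the lab addresses and confirm the new peer comes up
clear crypto ikev1 sa
clear crypto ipsec sa
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

Do the same on the other ASA before clearing the SAs, since both sides have to agree on peer, proxy identities (the crypto ACL) and pre-shared key before IKE will complete under the new addresses.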