VPN L2L: ASA5505-> ASA5520, initiator of IKE unable to find policy

Hello!

Periodically, we are experiencing a problem with tunnel between 5505 and 5520 L2L

Sometimes there is no 5505 LAN access to one of the LAN's 5520

ex: ping from the inside interface (10.1.13.1) 5505 to 5520 (10.1.1.1) does not work

5505:
- cry isa his we can see the peer - it's OK

-in Cree its pe ip itsnecessary there, but program is not increase and still no ping

-all the other itsof the acl work properly

5505 debugging:

% ASA-3-713042: unable to find political initiator IKE: outside Intf, Src: 10.1.13.1, Dst: 10.1.1.1
% ASA-3-313001: Denied ICMP type = 8, code = 0 to 10.1.1.1

ACL on both sides is correct

Erase isakmp his helps solve the problem

p.s., asa 5505 has two ISP and two crypto cards with 5520

This happens whenever your primary or secondary provider fails

Tags: Cisco Security

Similar Questions

  • 2811: connecting two VPN l2l ASA5505

    Hello

    We have a HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 with an established ipsec VPN l2l.

    I'm trying to connect a 2nd ASA, but I noticed that I only add 1 cryptomap to the external interface.

    A worm watch 1 Module of virtual private network... Surely this does not mean only 1 VPN?

    Can I use a card encryption and add a second "peer set" & "corresponds to" address inside the card Cryptography itself?

    Thank you

    Jason

    Yes, you add another poicy to your configuration encryption.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • IKE initiator unable to find the policy; Outside INTF, CBC: error

    I have a Cisco ASA 5505 having a tunnel at a remote office. I just put in place another identical to another tunnel and when I followed the VPN in ASDM I see that the VPN is active. But I can't ping through it. When I check the logs I see "IKE initiator unable to find the policy; Outside INTF, CBC:... "Nobody knows what might be the cause? Here is a copy of the configuration. Thank you.

    See the config of bdavpn1 #.
    : Saved
    : Written by admin in 17:54:11.823 HAA Monday, June 7, 2010
    !
    ASA Version 8.2 (2)
    !
    hostname bdavpn1
    domain.com domain name
    activate the encrypted password of OSaXLnYQKkAcBhYA
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Vlan1
    nameif inside
    security-level 100
    192.168.2.100 IP address 255.255.255.0 ensures 192.168.2.101
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 101.17.205.116 255.255.255.1018 Eve 101.17.205.117
    !
    interface Vlan3
    nameif dmz
    security-level 50
    IP 172.20.0.1 address 255.255.255.0 watch 172.20.0.3
    !
    interface Vlan4
    Failover LAN Interface Description
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    switchport access vlan 91
    !
    interface Ethernet0/3
    switchport access vlan 3
    !
    interface Ethernet0/4
    switchport access vlan 3
    !
    interface Ethernet0/5
    switchport access vlan 4
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone AST - 4
    clock to summer time recurring ADT
    DNS domain-lookup dmz
    DNS server-group DefaultDNS
    Server name 172.20.0.99
    domain.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    object-group network Chicago-nets
    object-network 10.150.1.0 255.255.255.0
    object-network 10.150.55.0 255.255.255.0
    object-network 10.150.56.0 255.255.255.0
    object-network 10.150.57.0 255.255.255.0
    object-network 172.16.1.0 255.255.255.0
    object-network 192.168.26.0 255.255.255.0
    object-network 10.150.111.0 255.255.255.0
    the DM_INLINE_NETWORK_2 object-group network
    object-network 192.168.4.0 255.255.255.0
    object Group Chicago-nets
    the DM_INLINE_NETWORK_1 object-group network
    object-network 192.168.4.0 255.255.255.0
    object Group Chicago-nets
    the DM_INLINE_NETWORK_3 object-group network
    object-NET 172.20.0.0 255.255.255.0
    object-network 192.168.2.0 255.255.255.0
    the DM_INLINE_NETWORK_4 object-group network
    object-NET 172.20.0.0 255.255.255.0
    object-network 192.168.2.0 255.255.255.0
    outside_cryptomap to access extended list ip 192.168.2.0 allow 255.255.255.0 DM_INLINE_NETWORK_1 object-group
    inside_nat0_outbound to access extended list ip 192.168.2.0 allow 255.255.255.0 DM_INLINE_NETWORK_2 object-group
    inside_nat0_outbound to access extended list ip 192.168.2.0 allow 255.255.255.0 172.20.0.0 255.255.255.0
    inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_3 192.168.4.0 255.255.255.0
    inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
    Note to access list outside_to_dmz allow access to the citrix Server
    outside_to_dmz list extended access permit tcp any newspaper HTTPS host 101.17.205.123 eq
    dmz_to_inside allowed extended access list host 172.20.0.2 ip 192.168.2.0 255.255.255.0 connect
    Note to outside_access_in entering of Citrix access list
    outside_access_in list extended access permit tcp any host 101.17.205.123 eq https
    outside_2_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
    pager lines 101
    Enable logging
    timestamp of the record
    logging paused
    logging buffered information
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    MTU 1500 dmz
    IP verify reverse path to the outside interface
    failover
    primary failover lan unit
    failover failover lan interface Vlan4
    failover interface ip failover 172.16.30.1 255.255.255.252 watch 172.16.30.2
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 625.bin
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    Global interface (dmz) 2
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 0.0.0.0 0.0.0.0
    static (dmz, external) 101.17.205.123 172.20.0.2 netmask 255.255.255.255
    Access-group outside_access_in in interface outside
    Access-group dmz_to_inside in dmz interface
    Route outside 0.0.0.0 0.0.0.0 101.17.205.115 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA authentication enable LOCAL console
    AAA authentication http LOCAL console
    LOCAL AAA authentication serial console
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    LOCAL AAA authorization command
    Enable http server
    http 0.0.0.0 0.0.0.0 outdoors
    http 0.0.0.0 0.0.0.0 inside
    redirect http outside 80
    SNMP-server host inside 10.150.1.177 community survey * version 2 c
    SNMP-server host inside 10.150.2.38 community survey * version 2 c
    location of Server SNMP Hamilton, Bermuda
    SNMP Server contact René Bouchard
    Community SNMP-server
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Service resetoutside
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    inside
    redirect http outside 80
    SNMP-server host inside 10.150.1.177 community survey * version 2 c
    SNMP-server host inside 10.150.2.38 community survey * version 2 c
    location of Server SNMP Hamilton, Bermuda
    SNMP Server contact René Bouchard
    Community SNMP-server
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Service resetoutside
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto outside_map3 1 match address outside_cryptomap
    outside_map3 card crypto 1jeu peer 101.88.182.189
    outside_map3 card crypto 1jeu transform-set ESP-3DES-SHA
    card crypto game 2 outside_map3 address outside_2_cryptomap
    outside_map3 crypto map peer set 2 101.1.95.253
    card crypto outside_map3 2 the value transform-set ESP-3DES-SHA
    Crypto map outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map3 interface card crypto outside
    Crypto ca trustpoint bdavpn1
    Terminal registration
    domain name full bdavpn1.domain.bm
    name of the object CN = bdavpn1.domain.bm, OR = Ltd, O is domain, C = US, St is of_confusion, L is Hamilton,[email protected] / * /
    Configure CRL
    Crypto ca certificate card domainincCertificateMap 10
    name of the object attr cn eq sslvpn.domain.com
    Crypto ca certificate chain bdavpn1
    certificate ca 00
    30820267 308201d 0 a0030201 02020100 300 d 0609 2a 864886 f70d0101 04050030
    32310b 30 09060355 04061302 5553310 300 b 0603 d. 55040 has 13 41 53311430 04414c
    12060355 0403130b 63612e61 6c61732e 636f6d30 35303130 31303630 1e170d39
    3335 30313031 30363031 31395 has 30 32310 b 30 170d 3131395a 09060355 04061302
    300b 0603 55040 5553310d has 13 04414c 41 53311430 12060355 0403130b 63612e61
    06092a 86 4886f70d 01010105 0003818d 00308189 819f300d 636f6d30 6c61732e
    c19012ed 02818100 4cf67378 c9347162 2bcf6519 a3ab748f 1c9cae07 5c232c93
    8a 625638 68416412 and 55808768 412675bc 5906ba4a 3ffd1d101 303d0ea7 d559ccf8
    0d425ffc edf1cee8 337ca5c7 5f718f2d 081551f8 fc742b78 8866de9b c82310b0
    89975e30 7ea7f047 bf518ac3 aa2dfd7e f93b1016 7d5261ea 34f18fa7 748d52c8
    7595ecb3 02030100 01a3818c 30818930 1 d 060355 1d0e0416 0414c1ab b8651761
    fc3f12d1 b132322e be36ff6a cecb305a 0603551d 23045330 518014c 1 abb86517
    61fc3f12 d1b13232 2ebe36ff 6acecba1 36 has 43430 32310b 30 09060355 04061302
    300b 0603 55040 5553310d has 13 04414c 41 53311430 12060355 0403130b 63612e61
    6c61732e 636f6d82 0100300c 0603551d 13040530 030101ff 300 d 0609 2a 864886
    f70d0101 818100ad 04050003 1d558eab 05d50f7b b656e2c4 213a9ac3 1cecee73
    0251f931 0b47e84f f3c0847e b2168562 d27330b3 72c8023f b83aeb4a 2db8fbf7
    f4575c8e c56300aa 6d5b0fd3 092e7747 76 76286 26e81b3e 4ca35b71 792380b 9
    ca480932 c58a8ee6 2fa62a73 aa1d209d 68662c 59 0b8a71f1 c2db0cbb 5aefc8c5
    bedcbda7 caf46f0c b01def
    quit smoking
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 20
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    crypto ISAKMP ipsec-over-tcp port 10000
    Telnet 0.0.0.0 0.0.0.0 inside
    Telnet 0.0.0.0 0.0.0.0 outdoors
    Telnet timeout 120
    SSH enable ibou
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 60
    Console timeout 0
    management-access inside

    a basic threat threat detection
    threat detection statistics
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    prefer NTP server 192.168.2.116 source inside
    NTP server 192.168.2.117 source inside
    bdavpn1 point of trust SSL outdoors
    WebVPN
    allow outside
    enable SVC
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    LtdAdmin XRlF3jA1k3JEhNgr encrypted privilege 15 password username
    domainadmin encrypted E1zLpTPUtBADN9og privilege 15 password username
    tunnel-group sslvpn.domain.com type ipsec-l2l
    sslvpn.domain.com group of tunnel ipsec-attributes
    validation by the peer-id cert
    trust-point bdavpn1
    tunnel-group 101.88.182.189 type ipsec-l2l
    IPSec-attributes tunnel-group 101.88.182.189
    pre-shared-key *.
    tunnel-group 101.1.95.253 type ipsec-l2l
    IPSec-attributes tunnel-group 101.1.95.253
    pre-shared-key *.
    tunnel-Group-map enable rules
    Tunnel-Group-map domainincCertificateMap 10 sslvpn.domain.com
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 10101
    ID-randomization
    ID-incompatibility action log
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the icmp
    inspect the icmp error
    inspect the amp-ipsec
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:a23ada0366576d96bd5c343645521107

    Scott,

    When you check the status of the two tunnels of the CLI, check the following:

    HS cry isa--> of his watch as active or QM_IDLE

    HS cry ips his--> shows the packages encrypted/decrypted

    The second tunnel does not properly come upwards, should ensure that policies correspond to the two ends of the tunnel.

    If this second tunnel is started but does not traffic, we might have a problem NAT or routing.

    Federico.

  • Site to site VPN router-ASA5505

    Hello

    I have a problem with the VPN between ASA5505 and 3825 router.

    behind the ASA, we have a server that serves the specific port. If for any reason any link is disconnected assets if the VPN will become not we do not generate traffic to this server. After generating even a ping VPN immediately become active and communication starts. another case is when you reboot ASA the VPn is not created without ping server behind this ASA.

    How we could solve this problem without sending a traffing who serve?

    How remote access to this ASA, I can access internal interface? If I open access on port 443 on the external interface of asa could I access it? or I must also exclude this traffic VPN

    I used the VPN Wizard to configure on asa and CLI on router

    some troubleshootingand configuration commands, if this is not enough please let me know what you otherwise.

    Thanks in advance for your help

    ciscoasa # sh crypto isakmp his

    ITS enabled: 1
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 1

    1 peer IKE: 10.10.10.1
    Type: L2L role: initiator
    Generate a new key: no State: AM_ACTIVE

    Configuration of the SAA.

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set pfs Group1
    card crypto outside_map 1 set counterpart 10.10.10.1
    map outside_map 1 set of transformation-ESP-DES-MD5 crypto
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    the main router configuration

    crypto ISAKMP policy 1
    preshared authentication
    !
    crypto ISAKMP policy 5
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 10
    preshared authentication
    Group 2
    crypto ISAKMP key 6 _JQfe [BeRGNBCGfbGxxxxxxxxx address 10.10.10.10

    Crypto ipsec transform-set esp - esp-md5-hmac xxxxx

    ETH0 2696 ipsec-isakmp crypto map
    defined peer 10.10.10.10
    Set transform-set xxxxx
    match address 2001

    access-list 2001 permit ip any 192.168.26.96 0.0.0.7

    Post edited by: adriatikb
    I just read somewhere that might change the type VPN "bi-direcitonal' two 'initiator' or 'answering machine' could help me but I test and no results.

    I had the same problem last week, and told the TAC engineer on our service ticket downgrade from IOS 8.2 (3) 8.2 (1).  Since then, it works fine.

  • VPN site to Site stuck in IKE Phase 1 - MM_WAIT_MSG2

    We do a vpn site-to site. The tunnel has worked before, but after some discussions about the location of ASA_Receiving (no change in config for asa made, this asa is directly connected to the internet) will not return the tunnel upward. The devices can ping each other without problem.

    It is a vpn L2L, I wonder if the guy saying user is related to the issue?

    ASA_Initiator

    IKE Peer: 71.13.xxx.xxx
    Type: user role: initiator
    Generate a new key: no State: MM_WAIT_MSG2

    ASA_Receiving

    # show crypto isakmp his

    There is no isakmp sas

    Hey,.

    is the remote end ASA as well?

    If so, the capture below on the ASA:

    capture capout match udp host host interface

    The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:

    1 either a problem with the policies of the phase 1 of the remote end or

    2 UDP 500 is not reaching the remote end or the remote end sends the packet UDP 500 back and can't the ASA local.

    Concerning

  • Policy NAT for VPN L2L

    Summary:

    We strive to establish a two-way VPN L2L tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner they need of a many-to-one to us (they need to access a host on our network). In addition, our partner has many VPN, so they force us to use a separate NAT with two private hosts addresses, one for each direction of the tunnel.

    My initial configuration of the tunnel on my grown up side of Phase 1, but not IPSec. Partner ran debug that revealed that my host did not address NAT'd in the NAT policy. We use an ASA5520, ver 7.0.

    Here is the config:

    # #List of OUR guests

    the OURHosts object-group network

    network-host 192.168.x.y object

    # Hosts PARTNER #List

    the PARTNERHosts object-group network

    network-host 10.2.a.b object

    ###ACL for NAT

    # Many - to - many outgoing

    access-list extended NAT2 allowed ip object-group OURHosts-group of objects PARTNERHosts

    # One - to - many incoming

    VIH3 list extended access permit ip host 192.168.c.d PARTNERHosts object-group

    # #NAT

    NAT (INSIDE) 2-list of access NAT2

    NAT (OUTSIDE) 2 172.20.n.0

    NAT (INSIDE) 3 access-list VIH3

    NAT (OUTSIDE) 3 172.20.n.1

    # #ACL for VPN

    access list permits extended VPN ip object-group objects PARTNERHosts OURHosts-group

    access allowed extended VPN ip host 192.168.c.d PARTNERHosts object-group list

    # #Tunnel

    tunnel-group type ipsec-l2l

    card <#>crypto is the VPN address

    card crypto <#>the value transform-set VPN

    card <#>crypto defined peer

    I realize that the ACL for the VPN should read:

    access allowed extended VPN ip host 172.20.n.0 PARTNERHosts object-group list

    access allowed extended VPN ip host 172.20.n.1 PARTNERHosts object-group list

    .. . If the NAT was working properly, but when this ACL is used, Phase 1 is not even negotiating, so I know the NAT is never translated.

    What am I missing to NAT guests for 172.20 addresses host trying to access their internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1 nat 0-list of access (free from nat)

    2. match the existing xlates

    3. match the static controls

    a. static NAT with no access list

    b. static PAT with no access list

    4. match orders nat

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. If the ID is 0, create an xlate identity

    II. use global pool for dynamic NAT

    III. use global dynamic pool for PAT

    If you can try

    (1) a static NAT with an access list that will have priority on instruction of dynamic NAT

    (2) as you can see on 4A it uses first match with NAT and access list so theoretically Exchange autour should do the trick.

    I don't see any negative consequences? -Well Yes, you could lose all connectivity. I don't think that will happen, but I can't promise if you do absolutely not this after-hours.

    Jon

  • Do not do a ping ASA inside IP port of the remote site VPN L2L with her

    The established VPN L2L OK between ASA-1/ASA-2:

    ASA-2# see the crypto isakmp his

    KEv1 SAs:

    ITS enabled: 1

    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

    Total SA IKE: 1

    1 peer IKE: 207.140.28.102

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    There are no SAs IKEv2

    QUESTION: 3750-2, we ping 3750-1 (10.10.2.253) are OK, but not ASA-1 inside port (10.10.2.254).

    Debug icmp ASA-1 data:

    ASA-1 debug icmp trace #.

    trace of icmp debug enabled at level 1

    Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 0 len = 72

    ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 0 len = 72

    Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 1 len = 72

    ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 1 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 0 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 1 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 2 len = 72

    Make sure you have access to the administration # inside

    lt me know f This allows.

  • Design of VPN L2L ASA question

    We expect to have more than 10,000 remote VPN L2L clients.

    I see that each crypto card needs a statement of 'same game' and the IP address is the address of the remote peer VPN L2L.

    :

    EX:

    card encryption UNI-POP 3 set peer 172.23.0.3

    : . . .

    card crypto UNI-POP 10000 set peer 172.26.0.250

    :

    I already feel that this will be a VERY long config, maybe too big to save/read/from memory.

    :

    Anyone would be a better approach?

    Thank you

    Frank

    Frank,

    If the remote end will run only from time to time, you should not have set peer statements and normally it would suffice to have a dynamic encryption card.

    If the remote ends do not support certificates, it is possible to land on defaultl2l tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group
    

    tunnel-group DefaultL2LGroup type ipsec-l2l
    

    tunnel-group DefaultL2LGroup general-attributes
    

    (...)

    You need to test yourself to see if it will work.

    I also agree in terms of more than one firewall. With devices for two in the load balancing or if possible 2pairs of devices in the failover cluster could be great way to have a decent charge by machine and equipment redundancy (ideal circumstances]);. I suggest you ping your system engineer for sure any deployment involving 5585, guys can usually give good advice (and discounts;]).

    Marcin

  • VPN L2L dynamic to static w/o DefaultL2LGroup

    I was looking for a method to have a VPN L2L static dyn without using DefaultL2LGroup but to set in place several groups of tunnel for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

    Now the problem: the vpn rises, but I can't reach any device with a ping.

    Side static: ASA 5505 - 8.22

    Side Dynamics: Zyxel P-661HW-D3

    Here is the config for the SAA:

    access-list outside extended permit icmp any any
    
    access-list outside extended deny ip any any
    
    access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    
    access-list inside extended deny ip any any
    
    access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    
    access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    

    nat (inside) 0 access-list VPN
    
    nat (inside) 1 10.1.0.0 255.255.248.0
    

    access-group inside in interface inside
    
    access-group outside in interface outside
    

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    
    crypto ipsec security-association lifetime seconds 28800
    
    crypto ipsec security-association lifetime kilobytes 4608000
    

    crypto dynamic-map DN3710 1 match address ST_3710
    
    crypto dynamic-map DN3710 1 set transform-set myset
    

    crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
    
    crypto map dyn-map interface outside
    

    crypto isakmp enable outside
    

    crypto isakmp policy 10
    
    authentication pre-share
    
    encryption 3des
    
    hash md5
    
    group 2
    
    lifetime 86400
    

    crypto isakmp policy 20
    
    authentication pre-share
    
    encryption des
    
    hash md5
    
    group 2
    
    lifetime 86400
    
    no crypto isakmp nat-traversal
    

    group-policy GP3710 internal
    
    group-policy GP3710 attributes
    
    vpn-filter value ST_3710
    
    vpn-tunnel-protocol IPSec
    

    tunnel-group TG3710 type ipsec-l2l
    
    tunnel-group TG3710 general-attributes
    
    default-group-policy GP3710
    
    tunnel-group TG3710 ipsec-attributes
    
    pre-shared-key *********

    As you can see it the vpn is in place:

    2   IKE Peer: ***.***.***.***
    
        Type    : L2L             Role    : responder
    
        Rekey   : no              State   : AM_ACTIVE

    Thanks in advance if anyone can help me with this problem.

    Kind regards

    Luca

    Hello Luca,

    You have reason for it, you can have the spokes of landing on a separate tunnel-groups, not only for the DefaultL2LGroup, the ASA follows this sequence when making a tunnel-group looup for L2L tunnels with pre-shared keys:

    - ike-id verified first and could be (full fqdn) host name or IP address

    -If ike-id search fails ASA tent peer IP address

    -DefaultRAGroup/DefaultL2LGroup is used as a last resort

    The output of your "sh cry isa his" I can see that at least Phase 1 is in place for your tunnel, please make sure that it landed on the correct tunnel-group.

    The problem I see clearly here is the VPN filter that you have applied Group Policy, keep in mind that we must apply filters on incoming management vpn.

    When a vpn-filter is applied to a political group that governs a LAN to LAN VPN connection, the ACL must be configured with the
    remote network in the position of the ACL src_ip and LAN in the position of dest_ip of the ACL.  Be careful during the construction of the
    ACL for use with the vpn-filter feature.  The ACL are built with traffic after decrypted in mind, however, they are also applied to the traffic
    in the direction opposite.

    In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network 10.1.0.0 255.255.248.0. so let's say you want to allow just telnet:

    The following ACE will allow remote Telnet network for LAN:

    permit access-list vpnfilt-l2l 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23

    The following ACE will allow LAN to Telnet to the remote network:
    permit access-list vpnfilt-l2l 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

    Note: The ACE access-list vpnfilt-l2l allowed 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23 will allow the local network establish a connection to the remote on any TCP port network if he uses a port source from 23.

    The access-list vpnfilt-l2l allowed 10.0.0.0 ACE 255.255.255.0 eq 23 10.1.0.0 255.255.248.0 will allow the network to remote connect to the LAN on any TCP port if he uses a port source from 23.

    Kind regards

  • Add the existing network of VPN l2l

    I have properly configured VPN l2l between our main site and 2 offices. Now, I would like to allow additional networks on the main site to access the branch sites. Here the doc of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do without the addition of an interface?

    Here are the relevant config on the main site ASA (8,0) and one of the remote PIX (7.0):

    =========================

    ASA (main site)

    access extensive list ip 172.16.0.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0

    access extensive list ip 172.16.1.0 outside_1_cryptomap allow 255.255.255.0 172.16.29.0 255.255.255.0

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set 24.97.x.x counterpart

    map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

    =========================

    PIX (remote site)

    access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.0.0 255.255.255.0

    access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.1.0 255.255.255.0

    card crypto outside_map 20 match address outside_cryptomap_20_2

    card crypto outside_map 20 peers set 204.14.x.x

    outside_map card crypto 20 the transform-set ESP-3DES-MD5 value

    Just add valuable traffic to your access lists. New = 172.16.2.0/24 network

    ASA (main site)

    outside_1_cryptomap to access extended list ip 172.16.2.0 allow 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    access extensive list ip 172.16.29.0 outside_cryptomap_20_2 allow 255.255.255.0 172.16.2.0 255.255.255.0

    Don't forget your nat exemption acl as well. For example...

    ASA (main site)

    extended access-list allow ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    permit extended access list ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

  • Question of redundancy VPN l2l using 2811 as endpoint devices

    I have a new implementation of VPN L2L passes using two 2811 s than VPN terminal devices. I'll try to use the HSRP address between the public interfaces of both routers as VPN peer address. The problem that I found during the test is that the tunnel will become active and debugs watch the HSRP address as an invalid address to form the tunnel. Have a work-around, or a better plan for redundancy on peering address using similar devices? Thanks in advance.

    Take a look at this doc about IOS IPSec HA.

    http://www.Cisco.com/en/us/docs/iOS/security/configuration/guide/sec_vpn_ha_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html#wp1039849

  • Go simple configuration of vpn L2L comply with security requirements

    Hello

    I have successfully install a L2L connection (5510, 7.2) and a 3rd party (SonicWall).

    Security requirements are such that (contractors) to our office users to connect to various devices to the 3rd party, BUT nothing to the 3rd party must connect to what be it at our office.

    I tried an outbound ACL (access-group L2L-RESTRICT the interface inside) inside the interface. But the funny thing is that I'm getting hits on the declarations of refusal on the ACL, although tests show no problems for you connect to multiple hosts to our site of the 3rd party. My ACL config looks like the following:

    <..snip..>

    Note to L2L-RESTRICT access-list * ATTENTION * WITH CAUTION - RESTRICTIONS ON the 3rd PARTY VPN L2L

    L2L-RESTRICT access-list scope allow icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply

    deny access list L2L-RESTRICT the scope ip 192.168.16.0 255.255.255.0 no matter what newspaper

    Note to L2L-RESTRICT access-list > NOTE< last="" line="" *must*="" be="" permit="" any="">

    L2L-RESTRICT access-list scope ip allow a whole

    !

    L2L-RESTRICT the interface inside access-group

    <..snip..>

    Their network is obviously 192.168.16.x and they won't be able to use a vlan from different source as "interesting traffic" ACL won't allow it. So that sounds good in theory

    I have it configured correctly? Is there a better way?

    Thanks in advance,

    Mike

    Mike,

    It seems that you might be able to assign a VPN ACL filter via a group assigned to each tunnel L2L policy. I have never done this personally before, but looks like it would work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

    Add these two lines to the NAT 0 access list:

    inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251

    inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250

    Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.

    Test and validate results

    HTH

    Sangaré

    Pls rate helpful messages

  • VPN l2l failed inside on ASA 5520 (8.02)

    VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.

    vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det

    Phase: 1

    Type: CAPTURE

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc92087c8, priority = 12, area = capture, deny = false

    hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 2

    Type: ACCESS-LIST

    Subtype:

    Result: ALLOW

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false

    hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 3

    Type: FLOW-SEARCH

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Not found no corresponding stream, creating a new stream

    Phase: 4

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 10.0.0.0 255.0.0.0 inside

    Phase: 5

    Type: ACCESS-LIST

    Subtype:

    Result: DECLINE

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f3670, priority = 111, domain = allowed, deny = true

    hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    the output interface: inside

    the status of the output: to the top

    output-line-status: to the top

    Action: drop

    Drop-reason: flow (acl-drop) is denied by the configured rule

    = ACCESS-LIST + Config =.

    the object-group L2LVPN-blah_local network
    network-object 10.97.29.73 255.255.255.255
    the object-group L2LVPN-blah_remote network
    network-object [10.0.0.240] 255.255.255.240

    INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object

    L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote

    access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240

    Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1

    address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
    peer set card crypto VPN-exterior 46 [10.0.0.243]
    outside-VPN 46 transform-set esp-sha-aes-256 crypto card
    outside-VPN interface card crypto outside

    IPSec-l2l type tunnel-group [10.0.0.243]
    IPSec-attributes of tunnel-group [10.0.0.243]
    pre-shared-key *.

    [10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28

    ===========================================

    Thanks in advance.

    Michael Garcia

    Profit Systems, Inc..

    Hi Michael,

    -Is the IP peer really part of the network that make up the field of encryption?

    -Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.

    -You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption

    Someone else may have a few ideas, but these are questions I have for the moment.

    James

  • Redirect peer tunnel VPN L2L ina

    Question of curiosity... I have 2 new ASA5515 which I put up for an improvement of the equipment. In the time before I swap them I am using them as a sort of laboratory of fortune to get him going to setup VPN L2L. I didn't use current IP addresses for the test environment, so I used false numbers.

    My question is: can I go back and change the IP address peer and address local/remote without having to tear them up to specifications plant again?

    -Do I have reprint just the type of Tunnel-Group IPsec-l2l X.X.X.X command with the IP address?

    I know that there are a few other of the region that I have to change the IP of both peers, but just of my question is, I can do or do I have to start over?

    -Jon

    Jon

    You should not reconfigure from scratch if that's what you're asking.

    You just need to change the peer IPs everywhere where they appear in your configuration.

    Jon

Maybe you are looking for