VPN l2l failed inside on ASA 5520 (8.02)

Similar Questions

• VPN site to Site with ASA 5520 * please help *.

  I am using two ASA 5520, and try to put up a site to site VPN.  This seems to be pretty simple, but I'm on my third day of train this is up and running. Both 5520's are running the latest 9.1 (5) IOS.

  Please note: I replaced it with [#1-WAN IP] and [#2-WAN IP] for WAN IP of the ASA addresses.

  Thanks in advance for any help you may have.

  -------------------------------------------------------------------------------------------------------------------------------------------------

  ASA 5520 # 1:

  Crypto ikev1 allow outside

  the local object of net network
  10.0.0.0 subnet 255.255.255.0

  net remote object network
  172.20.0.0 subnet 255.255.255.0

  outside_1_cryptomap list of allowed ip object local net net access / remote

  tunnel-group [IP #2-WAN] type ipsec-l2l

  IPSec-attributes tunnel-group [#2-WAN IP]
  pre-shared-key cisco123

  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  card crypto oustide_map 1 match address outside_1_cryptomap
  card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
  card crypto outside_map 1 set pfs Group1
  map 1 set outside_map crypto peer [#2-WAN IP]
  outside_map interface card crypto outside

  NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

  -------------------------------------------------------------------------------------------------------------------------------------------------

  ASA 5520 #2:

  Crypto ikev1 allow outside

  the local object of net network
  172.20.0.0 subnet 255.255.255.0

  net remote object network
  10.0.0.0 subnet 255.255.255.0

  outside_1_cryptomap list of allowed ip object local net net access / remote

  tunnel-group [#1-WAN IP] type ipsec-l2l

  IPSec-attributes tunnel-group [#1-WAN IP]
  pre-shared-key cisco123

  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  card crypto oustide_map 1 match address outside_1_cryptomap
  card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
  card crypto outside_map 1 set pfs Group1
  map 1 set outside_map crypto peer [#1-WAN IP]
  outside_map interface card crypto outside

  NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

  Try to correct the mistakes in the two configs.

  In some places, you have 'oustide_map' where you need "outside_map".

• Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?

  Can a Cisco ASA 5520 which has been configured as IPSEC VPN gateway and also be configured as a gateway ANYCONNECT VPN and vpn IPSEC service anyconnect vpn clients clients maintenance at the same time? Any negative impact on the performance or any other problem that everyone knows?

  I guess that by 2 connection limit, you are referring to the 2 licenses for anyconnect?  You should consider using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the edge of the platform with anyocnnect.

  You shouldn't have any problem using IPSEC with LDAP client.  It is quite common - my company is IPSEC as Anyconnect off the coast of the same interface using authentication ldap (even same-group policy) for the two.

  -Jason

• a public access remote vpn from an inside interface asa 5505

  I'm trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following configuration.

  1. There is an external connection, connected to the ISP. Let's say that it is 10.1.1.1/24 for ease. There is a remote VPN configuration as the access of people through this interface.

  2. There's the inside network, which is the normal LAN. It's cable system in the office. to say that it is 172.20.0.1/24.

  3. There is a wireless network on a VLAN separate called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic to that VLAN to the public internet.

  Essentially, I would like users to be able to use the same VPN settings they use when connecting from outside of the Office when you are connected to WIFI.

  Also, I would like that they can access public IP addresses that I have NAT would be to internal servers. In this way, they can use IP addresses when they use on the public internet.

  Is this possible?

  Hello

  Well that's not going to be possible, the only thing you can really do is to activate the crypto map on the WLAN facing interface, by design, you cannot not access VPN, ping or manage the device on an interface which is not directly connected to you.

  I hope this helps.

  Mike

• Allowing the VPN and return to the ASA 5520

  Here is the configuration:

  Outside Interface: 50.50.50.5

  Internal interface: 192.168.1.5

  Wireless interface: 192.168.2.5

  The wireless interface is used for the guest access to internet and you can't find the internal servers or workstations.  Offiste employees, we use Cisco VPN remotely in through the firewall.

  That is the question, an itinerant person comes into the office, connects to the network (no LAN port available) wireless and then wants the VPN in a work.  Can that be allowed through the ACL to allow traffic like that or would be using Cisco AnyConnect?  I don't want to "overall" activate the ability for Wireless talk range to the inside interface, but allow VPN access.  At first glance, I guess the ASA for not allowing this, but try to get some clarification, thank you!

  And if it's possible, I can see security implications, so I'm also looking for information best practice as well.

  Hello Mrjwilson,

  5 stars for you

  Thanks for sharing the solution, check now the question as answered so future users can learn of your problem.

• Failover of VPN for data/VoIP through ASA 5520 or 7204 VXR

  I would like to install a VPN failover for my remote sites using broadband 3dn/1up.  They are mainly 2800 routers.    I like options for end hub a pair of Cisco ASA active / standby and a 7204 VXR.  Voice and data will travel down the VPN failover and I intend to have QOS/Traffic shaping in place to better meet the needs for VoIP as possible.  I need to do it on about 150 sites. My questions are:

  1. What is the best why the ASA or the 7204

  2 Will VoIP packets pass through the two in the same way

  3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch.

  4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max.

  Thank you

  J R

  To answer your questions: -.

  1. who is better for this, the ASA or the 7204 - ASA, is what is designed to do.

  2 packages VoIP Will cross both the same way - Yes

  3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch. -l'ASA does not support GRE tunnels.

  4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max. -It depends on the model of the SAA, see the below matrix for thru-put http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

  HTH >

• ASA IPP on VPN L2L w/NAT

  I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

  Any thoughts on where I can go wrong?

  Thank you

  Darren

  You have configured the following:

  crypto set reverse-road map

  If you do, can you remove and Add again and see if that fixes the problem?

• IPSec VPN to asa 5520

  Hello

  First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.

  The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.

  I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.

  I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:

  4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry

  5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!

  6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

  and this, in the journal of customer:

  Cisco Systems VPN Client Version 5.0.02.0090

  Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 5.1.2600 Service Pack 3

  24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "213.94.x.x".

  27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 213.94.x.x.

  28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x

  29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014

  Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

  40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.

  Can you see what I'm doing wrong?

  Thank you

  Sam

  Pls add the following policy:

  crypto ISAKMP policy 10

  preshared authentication

  the Encryption

  md5 hash

  Group 2

  You can also run debug on the ASA:

  debugging cry isa

  debugging ipsec cry

  and retrieve debug output after trying to connect.

• How many group Supportepar ASA 5520 vpn for remote access

  Hello

  Howmany vpn group is supported on asa 5520 with configuraion vpn remote access.

  Concerning

  1 if nat-control is disabled and you do not have any other order NAT in your config file, you do not have it. Try to remove the existing "NAT 0" command and "clear xlate."

  2. you must ensure that your network inside know they can go by ASA to access remote vpn client IP. You have any device layer 3 behind the ASA that does the routing. If so, please verify that this is the routing table.

• Using VPN L2L static and dynamic dedicated tunnels

  We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites who need to create VPN L2L at the HQ ASA tunnels. Some remote sites have static IP addresses and others have dynamic IP addresses.

  I found documentation Cisco L2L static IP VPN tunnels and make them work. I found another Cisco documentation for static IP dynamic L2L VPN tunnels using the tunnel-group "DefaultL2LGroup".

  My question is, can you have two types of tunnels on the same ASA L2L? If so, simply by using the definitions of "DefaultL2LGroup" tunnel-group and of tunnel-group work? Is there a reason to not do? Is better technology (ASA HQ and a combination of ASA 5505 and 1861 at remote sites) available?

  Yes, you can have both types of tunnels L2L. If you use a PSK - remember that the IP address of the remote site is used to 'validate' to connect to Headquarters. As long as you use a sure PSK = 64 characters and all with upper/lower case alpha numeric - you should be OK.

  A better way to do it - is to get the static IP addresses for the site that currently have DHCP from ISP.

  HTH >

• Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE

  I can't find any reference to anywhere else.

  We have an ASA 5520 to our site HQ (inside the network) with several regional subnets on the DMZ interface.

  We need connectivity VPN Site to Site between the INSIDE and a remote control on the OUTSIDE of the site, as well as between the DMZ subnets and even outside the site. The interface from the OUTSIDE of the SAA must be local VPN endpoint for all tunnels.

  I created a S2S VPN between the INSIDE and the OUTSIDE site and it works great.

  When I create a VPN S2S tunnel between a site of DMZ and even outside the site (using the same settings the and remote, but with a cryptomap different because the local subnet (DMZ) is different from the other inside the subnet, the traffic gets the mapping (show crypto isakmp his) to the same cryptomap that was created for the access to the tunnel from the OUTSIDE) , instead of to the new cryptomap, so remote endpoint deletes it, and traffic also causes SPI incorrect of for the remote endpoint, which makes the original INTERIOR outside OF THE VPN tunnel to fall from time to time.

  Is this a bug?

  I also did a local S2S VPN tunnel configuration test of networks as everything INSIDE and the DMZ. With the help of the wizard VPN S2S leads ASA only to create a NAT rule exempted for the subnet on the INSIDE interface. Can I manually create another tax-exempt NAT rule to the side of the DMZ and use this a S2S tunnel to connect sites inside and DMZ to the remote OFF-SITE in a connection profile?

  I'm building a Rube Goldberg?

  Thank you

  George

  Hi George,.

  It seems you have a situation overlapping it, are you sure that subnets inside did not overlap with the networks from the DMZ?  A package tracer could clarify wha that the ASA is actually sending.

  In addition, you can merge the two interfaces on the same card encryption if you wish, just make sure that the NAT is configured correctly.   For example; Source NAT (all, outside) static...

  It may be useful

  -Randy-

• Do not do a ping ASA inside IP port of the remote site VPN L2L with her

  The established VPN L2L OK between ASA-1/ASA-2:

  ASA-2# see the crypto isakmp his

  KEv1 SAs:

  ITS enabled: 1

  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

  Total SA IKE: 1

  1 peer IKE: 207.140.28.102

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  There are no SAs IKEv2

  QUESTION: 3750-2, we ping 3750-1 (10.10.2.253) are OK, but not ASA-1 inside port (10.10.2.254).

  Debug icmp ASA-1 data:

  ASA-1 debug icmp trace #.

  trace of icmp debug enabled at level 1

  Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 0 len = 72

  ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 0 len = 72

  Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 1 len = 72

  ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 1 len = 72

  Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 0 len = 72

  Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 1 len = 72

  Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 2 len = 72

  Make sure you have access to the administration # inside

  lt me know f This allows.

• VPN site to site & outdoor on ASA 5520 VPN client

  Hi, I'm jonathan rivero.

  I have an ASA 5520 Version 8.0 (2), I configured the site-to-site VPN and works very well, in the other device, I configured the VPN Client for remote users and works very well, but I try to cofigure 2 VPNs on ASA 5520 on the same outside interface and I have the line "outside_map interface card crypto outdoors (for VPN client). , but when I set up the "crypto map VPNL2L outside interface, it replaces the command', and so I can have only a single connection.

  the executed show.

  ASA1 (config) # sh run

  : Saved

  :

  ASA Version 8.0 (2)

  !

  hostname ASA1

  activate 7esAUjZmKQSFDCZX encrypted password

  names of

  !

  interface Ethernet0/0

  nameif inside

  security-level 100

  address 172.16.3.2 IP 255.255.255.0

  !

  interface Ethernet0/1

  nameif outside

  security-level 0

  IP 200.20.20.1 255.255.255.0

  !

  interface Ethernet0/1.1

  VLAN 1

  nameif outside1

  security-level 0

  no ip address

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  2KFQnbNIdI.2KYOU encrypted passwd

  passive FTP mode

  object-group, net-LAN

  object-network 172.16.0.0 255.255.255.0

  object-network 172.16.1.0 255.255.255.0

  object-network 172.16.2.0 255.255.255.0

  object-network 172.16.3.0 255.255.255.0

  object-group, NET / remote

  object-network 172.16.100.0 255.255.255.0

  object-network 172.16.101.0 255.255.255.0

  object-network 172.16.102.0 255.255.255.0

  object-network 172.16.103.0 255.255.255.0

  object-group network net-poolvpn

  object-network 192.168.11.0 255.255.255.0

  access list outside nat extended permit ip net local group object all

  access-list extended sheep allowed ip local object-group net object-group net / remote

  access-list extended sheep allowed ip local object-group net net poolvpn object-group

  access-list splittun-vpngroup1 extended permitted ip local object-group net net poolvpn object-group

  pager lines 24

  Within 1500 MTU

  Outside 1500 MTU

  outside1 MTU 1500

  IP local pool ippool 192.168.11.1 - 192.168.11.100 mask 255.255.255.0

  no failover

  ICMP unreachable rate-limit 100 burst-size 10

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 access list outside nat

  Route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

  Route inside 172.16.0.0 255.255.255.0 172.16.3.2 1

  Route inside 172.16.1.0 255.255.255.0 172.16.3.2 1

  Route inside 172.16.2.0 255.255.255.0 172.16.3.2 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  86400 seconds, duration of life crypto ipsec security association

  Crypto ipsec kilobytes of life security-association 400000

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  card crypto VPNL2L 1 match for sheep

  card crypto VPNL2L 1 set peer 200.30.30.1

  VPNL2L 1 transform-set ESP-3DES-MD5 crypto card game

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 20

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  !

  !

  internal vpngroup1 group policy

  attributes of the strategy of group vpngroup1

  banner value +++ welcome to Cisco Systems 7.0. +++

  value of 192.168.0.1 DNS server 192.168.1.1

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value splittun-vpngroup1

  value by default-ad domain - domain.local

  Split-dns value ad - domain.local

  the address value ippool pools

  username password asa1 VRTlLlJ48/PoDKjS encrypted privilege 15

  tunnel-group 200.30.30.1 type ipsec-l2l

  IPSec-attributes tunnel-group 200.30.30.1

  pre-shared-key *.

  type tunnel-group vpngroup1 remote access

  tunnel-group vpngroup1 General-attributes

  ippool address pool

  Group Policy - by default-vpngroup1

  vpngroup1 group of tunnel ipsec-attributes

  pre-shared-key *.

  context of prompt hostname

  Cryptochecksum:00000000000000000000000000000000

  : end

  ASA2 (config) #sh run

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  86400 seconds, duration of life crypto ipsec security association
  Crypto ipsec kilobytes of life security-association 400000
  card crypto VPNL2L 1 match for sheep
  card crypto VPNL2L 1 set peer 200.30.30.1
  VPNL2L 1 transform-set ESP-3DES-MD5 crypto card game
  VPNL2L interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 20
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400

  tunnel-group 200.30.30.1 type ipsec-l2l
  IPSec-attributes tunnel-group 200.30.30.1
  pre-shared key cisco

  my topology:

  

  I try with the following links, but did not work

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080912cfd.shtml

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml

  Best regards...

  "" I thing both the force of the SAA with the new road outside, why is that? ".

  without the road ASA pushes traffic inward, by default.

  In any case, this must have been a learning experience.

  Hopefully, this has been no help.

  Please rate, all the helful post.

  Thank you

  Rizwan Muhammed.

• Darkness of 8.4 (1) vpn L2L filter ASA when you specify the Protocol and port

  Hi all - I've spent many hours trying to diagnose this and have read several discussions and the Cisco docs unsuccessfully...

  Situation: two sites running Cisco ASA 5520 on 8.4 (1) with L2L IPsec on the public internet between each of them. The configuration of IPsec and associated routing works as it should and we are able to pass traffic between networks private behind each device as expected. The problem occurs when you try to block sessions using a vpn-filter group policy configuration.

  Each site has 3 private subnets that are able to communicate correctly without the vpn-filter configuration. We want to restrict access to specific protocols, hosts, and ports between each network.

  SITE A: 10.10.0.0/18, 10.10.64.0/18, 10.10.128.0/18

  SITE B: 10.20.0.0/18, 10.20.64.0/18, 10.20.128.0/18

  When we apply a filter-vpn configuration which restricted access only two guests, as follows...

  SITE A: vpn_acl_x_x_x_x list extended access permit ip host 10.20.0.1 host 10.10.0.1

  SITE b: the ip host 10.10.0.1 allowed extended access list vpn_acl_x_x_x_x host 10.20.0.1

  ... the configuration works correctly. However, when we try to lock the configuration more far and specify the protocols and ports, as follows...

  SITE A: vpn_acl_x_x_x_x list extended access permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

  SITE b: vpn_acl_x_x_x_x to the list of access permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

  ... and then try to establish a SSH connection between 10.10.0.1 and 10.20.0.1 or vice versa, the package is stopped on the side of the SOURCE. ..

  Mar 22 11:58:01 x.x.x.x 22 March 2011 14:34:56: % ASA-4-106103: vpn_acl_x_x_x_x of the access list refused tcp to the user "" inside-data/10.10.0.1(59112)-> outside-iptrans/10.20.0.1(22) hit - cnt 1 first success [0xd8d1c1b4, 0 x 0]

  I would really appreciate it if someone could shed some light on what is wrong with this Setup.

  SOLUTION
  

  The ACE must be implemented on the source and the end of the tunnel destination to facilitate this configuration.

  EXAMPLE 1: allow SSH two-way communication between hosts on each network (SITE A can connect to SITE B, SITE B can connect to SITE A)...

  SITE A:
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
  SITE B:
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1
  

  EXAMPLE 2: allow communication one-way SSH between hosts on each network (SITE A can connect to SITE B, SITE B is unable to connect to SITE A)...

  SITE A:
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
  SITE B:
  access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
  

  Very good and thank you for this post. Please kindly marks the message as answered while others may learn from your post. I think that you have started a very good discussion on vpn-filter for tunnel L2L.

• ASA 5520 to Juniper ss505m vpn

  I'm having a problem with the vpn site to site between a asa 5520 and Juniper ss 505 m. The tunnel rises, but we seem unable to pass traffic through the vpn tunnel.  It appears on the remote side makes a connection to the ftp server on the Local Server, but is never prompt identification of connection information.

  April 19, 2016 13:27:13 SQL-B2B-01: % ASA-4-402116: IPSEC: received a package ESP x.x (SPI = 0xD167A5E8, sequence number = 0xD).

  241.90 (user = X.X.241.90) at X.X.167.230.  Inside the package décapsulés does not match policy negotiated in the SA.  The

  package specifies its destination as its Protocol TCP, its source such as X.X.2.68 and X.X.167.233.  SA specifies its loc

  proxy of Al X.X.167.233/255.255.255.255/tcp/5376 and his remote_proxy as X.X.2.68/255.255.255.255/tcp/5376.

  list of remote ip-group of objects allowed extended West Local Group object

  NAT static Local_Pub Local destination (indoor, outdoor) static source Remote

  Crypto ipsec ikev1 transform-set esp-aes-256 Remote esp-sha-hmac

  West-map 95 crypto card is the Remote address
  card crypto West-map 95 set peer X.X.241.90
  map West-map 95 set transform-set Remote ikev1 crypto
  card crypto West-map 95 defined security-association life seconds 28800

  Juniper-

  "Remote-ftp" X.X.167.233 255.255.255.255

  Gateway proposal P1 preshare "[email protected]/ * /" proposal "pre-g2-aes256-sha-28800.

  P2-proposal "no-pfs-esp-aes256-sha-28800" No. - pfs esp aes256 sha-1 second 28800

  ----------------------

  the top of the policy of "Trust" to "Untrust" "X.X.2.68/32" "Remote-ftp' 'ftp' vpn"Remote-vpn"tunnel log

  put on top of the "Untrust" policy to the "Trust" "Remote-ftp' 'X.X.2.68/32' 'ftp' vpn"SonoraQ-vpn"tunnel sign

  I do not know Juniper, but it seems that it is trying to negotiate the use of only 5376/tcp on the tunnel, when it should be negotiated just Protocol "ip".