VPN policy/S2S ASA 8.4 PAT Dynamics question
I'm preparing a new ASA 5525-X for a customer who has multiple S2S VPNs. On some of the VPN connections, I need to do policy NAT to translate some of their subnets to a single IP address before it goes over the S2S VPN. However, when I try to use a subnet, I get the following error:
Subnet cannot be used as mapped source in dynamic NAT policy.
This works very well on their old ASA, which runs 8.2 code. I figured out that I can use a network range, but it cannot go over 65535 (or whatever it is) addresses in the range. It is very annoying when they have several networks they want to allow through the S2S VPN. Is there any way around this, or am I stuck creating a network range for each subnet?
TIA,
Dan
I guess you are trying to NAT 10.0.0.0/8 to 172.28.80.5 when accessing the remote network.
If the above assumption is correct, here's what you need to set up:
nat (inside,outside) source dynamic obj-10.0.0.0 obj-172.28.80.5 destination static remote-network remote-network
Tags: Cisco Security
Similar Questions
-
Site-to-Site VPN - route on ASA (8.4.2)
ASA-SiteA:
Outside int: 4.5.6.7
Inside int: 10.1.1.1
DMZ: 192.168.0.1 255.255.255.0
Routes on ASA-SiteA:
route outside 0.0.0.0 0.0.0.0 4.5.6.7 - default route
route inside 172.10.1.0 255.255.255.0 10.1.1.1 - route to reach the ASA-SiteB inside interface
ASA-SiteB:
Outside int: 50.1.2.3
Inside int: 172.10.1.1
DMZ: 192.168.87.1 255.255.255.0
Routes on ASA-SiteB:
route outside 0.0.0.0 0.0.0.0 50.1.2.3 - default route
route inside 10.1.1.0 255.255.255.0 172.10.1.1 - route to reach the ASA-SiteA inside interface
The inside interfaces of the two ASAs can communicate with each other through MPLS circuits. We want to create a VPN tunnel between the two DMZ networks so that the traffic passes through a tunnel across the local network. Can you check the config below and indicate whether any changes are needed?
1. For the VPN tunnel to work, does the traffic have to match a route on the ASA, or does it simply have to match the access list (interesting traffic)? For example, after configuring the VPN tunnel between the 192.168.0.0 and 192.168.87.0 networks, when I ping 192.168.87.1, will it bring up the tunnel because it matches the interesting traffic, or will the packets go to 4.5.6.7 because they match the default route?
2. In normal site-to-site VPN scenarios, traffic originates on a high-security interface (DMZ or inside) and goes to the low-security interface (outside), but in the case above traffic initiates on a low-security interface (DMZ) and goes to the high-security interface (inside), which usually gets blocked unless there is an access-list entry to allow that traffic. So must we have an ip any any entry (on the access list applied to the DMZ interface) between the two DMZ networks?
Config on ASA-SiteA:
IKEv1 policy
ASA-SiteA(config)# crypto ikev1 enable inside - Does enabling ikev1 on the interface interrupt traffic?
ASA-SiteA(config)# crypto ikev1 policy 100
ASA-SiteA(config-ikev1-policy)# authentication pre-share
ASA-SiteA(config-ikev1-policy)# encryption 3des
ASA-SiteA(config-ikev1-policy)# hash sha
ASA-SiteA(config-ikev1-policy)# group 2
ASA-SiteA(config-ikev1-policy)# lifetime 86400
IPSEC tunnel
ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac
ASA-SiteA(cfg-crypto-trans)# mode transport
Tunnel group
ASA-SiteA(config)# tunnel-group 172.10.1.1 type ipsec-l2l
ASA-SiteA(config)# tunnel-group 172.10.1.1 ipsec-attributes
ASA-SiteA(config-tunnel-ipsec)# pre-shared-key test
Interesting traffic
ASA-SiteA(config)# object network Site-A-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA-SiteA(config)# object network Site-B-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.87.0 255.255.255.0
ASA-SiteA(config)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-SN object Site-B-SN
ASA-SiteA(config)# nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ
Crypto map
ASA-SiteA(config)# crypto map VPN-LAN 100 ipsec-isakmp
ASA-SiteA(config-crypto-map)# match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config-crypto-map)# set pfs group2
ASA-SiteA(config-crypto-map)# set peer 172.10.1.1
ASA-SiteA(config-crypto-map)# set transform-set ESP-3DES-SHA
ASA-SiteA(config-crypto-map)# crypto map VPN-LAN interface inside
Yes, you need the correct route, otherwise the traffic will just be forwarded through the default gateway.
So, on Site A, you should have:
route inside 192.168.87.0 255.255.255.0 10.1.1.x --> x should be the next hop of the ASA inside interface
On Site B, you should have:
route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop of the ASA inside interface
Remove "mode transport" from both ASAs.
To answer your questions:
1. Yes, it would be necessary to match a route, otherwise the traffic will be routed through the default gateway.
2. Yes, you must have an access list to allow traffic from a low security level to a high one. If you want full IP access, you can configure permit ip between the 2 LANs.
-
VPN IPSec passthrough ASA 5505 (v9.2.4) - connected but no access
Hello
Here's my situation:
I am trying to connect an IPSec VPN client through an ASA 5505 to another ASA 5505. I can establish the VPN connection, but all access is blocked (ping or IP access).
When I use an ISP router directly or at home, I have no problem (ping and IP access follow the firewall rules). Connection and access are allowed.
Schema:
I have attached both configurations to this post.
I recently updated the ASA from 8.2.5 to 8.4.6 and 9.2.4. Another ASA 5505 on v8.2.5 works well both ways (via the ASA VPN connection) and with the VPN through ASA1 to this ASA.
I have tried many solutions to solve the problem (nat/ipsec static inspection), but I failed to solve it. I looked at the asp drop output on ASA1, but the only drop I saw was "nat-xlate-failed".
Thanks for your help because I'm going crazy...
Olivier,
PS: Sorry for my English...
Hi Olivier,
Could you enable ICMP inspection on the ASA?
Use this command and check:
fixup protocol icmp
Kind regards
Aditya
Please rate helpful posts and mark correct answers.
-
Hello
I'm trying to get my iPad to VPN to our Cisco ASA5520.
I think I have all the correct settings on both ends (I am able to VPN to the ASA using a Cisco 871 as the remote client).
I think that for some reason the VPN client on the iPad is not even reaching the ASA. My question is: how can I monitor the ASA logs to see the connection attempt and eventually find the failure?
Thank you
M
Try:
debug crypto isakmp
debug crypto ipsec
sh vpn-sessiondb remote (to see if the client is connected)
I have configured an iPad as a remote VPN client. The user could connect to the 5520, but I had to use IP addresses for access and couldn't use internal DNS names. I am trying to understand that at the moment.
It may be useful
Manish
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I found a useful document on how to create an IPSec VPN tunnel between an ASA 5510 firewall and a Fortigate 1000...
The configuration on the FG side was done without any problem, BUT the document (FG doc) says I must configure the ASA with a GRE interface and assign it an internal IP address in order to communicate with the FG...
The question is: how do I configure the GRE interface on the ASA?
Thanks in advance, Experts...
Kind regards...
The ASA firewall does not support GRE interfaces/GRE tunnels.
If you need to have GRE configured, you will need to terminate the GRE tunnel on an IOS router.
If you just want to configure a pure IPSec VPN tunnel (LAN-to-LAN), here is an example configuration for the ASA side:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
Which VPN works like a PPTP VPN on a CISCO-ASA-5520 firewall?
Hi all
Can you please tell me which VPN I can configure in place of PPTP on an ASA 5520 firewall? Which VPN works like a PPTP VPN on a CISCO-ASA-5520 firewall?
You can use the RA VPN wizard in ASDM and configure L2TP/IPSec VPN, which does not need a VPN client to be installed.
Michael
Please note all useful posts
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the internet IP address of the firewall on the other side, and from an office computer I can ping the internal IP address of the datacenter firewall, but I can't pass traffic between the private datacenter and office subnets. Can anyone help?
The config below has had IPs/passwords changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2(1)
!
hostname datacenterfirewall
domain-name mydomain.tld
enable password thepassword encrypted
passwd encrypted
names
name 10.10.0.0 OfficeNetwork
name 10.5.0.0 DatacenterNetwork
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.4 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name buydomains.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto dynamic-map ciscopix 1 set transform-set walthamoffice
crypto dynamic-map ciscopix 1 set reverse-route
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.5.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.5.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.5.0.2-10.5.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.250.45.2 source outside
ntp server 72.18.205.157 source outside
ntp server 208.53.158.34 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end
Matthew, the obvious missing statement is the NAT exemption rule for your tunnel. Your access list pixtosw is similar to the one in this example; I assume that you have gone through this link. If that does not fix it, post the configs from both sides.
Add the NAT exemption statement on the ASA and try again.
nat (inside) 0 access-list pixtosw
Regards
-
VPN client and Cisco ASA 5505: tunnel works but no traffic
Hi all
I am new to this forum and don't have a lot of experience with Cisco, so I hope I can get help from specialists.
I have the following problem:
I installed and configured an ASA 5505 for use with the VPN client. I would like to access the local network from outside through VPN.
To test, I installed the ASA 5505 with ADSL (PPPoE) and tried to give access to the internal network.
Of course, I receive a different IP address from the provider every time, but it is not a problem to reconfigure it in the VPN client.
After the connection is established (the VPN tunnel works) I can see packets on my external network. But I don't have any connection to the internal network.
I erased my setup yesterday and tried to reconfigure the ASA again. I didn't test it yesterday, because it was too late. And I know that I don't have the permit rule in the ACL at present. But I think I'm having the same problem again (tunnel but no traffic).
What did I do wrong? Could someone let me know what I have to do today?
Hoping for your help, Dimitri.
ASA configuration after reset and basic configuration: access to the Internet from inside works, of course.
: Saved
: Written by enable_15 at 20:29:18.909 CEDT Sun Aug 29 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group home
 ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.25.0.60
 name-server 194.25.0.68
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain log debugging
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log debugging
access-list inside_access_in extended deny ip any any log debugging
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list homegroup_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool homepool 192.168.10.1-192.168.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm location 192.168.0.0 255.255.0.0 inside
asdm location 192.168.10.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group home request dialout pppoe
vpdn group home localname 04152886790
vpdn group home ppp authentication pap
vpdn username 04152886790 password 1
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.5 c:/tftp-root
webvpn
group-policy homegroup internal
group-policy homegroup attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value homegroup_splitTunnelAcl
username user01 password v5P40l1UGvtJa7Nn encrypted privilege 0
username user01 attributes
 vpn-group-policy homegroup
tunnel-group homegroup type remote-access
tunnel-group homegroup general-attributes
 address-pool homepool
 default-group-policy homegroup
tunnel-group homegroup ipsec-attributes
 pre-shared-key ciscotest
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
: end
Hello
Normally, you want a static public IP address on the ASA so that it can receive connections from VPN clients (to avoid changing the IP address all the time).
If you connect via VPN, check the following:
1. The tunnel is established:
sh cry isa sa
It must say QM_IDLE or MM_ACTIVE.
2. Traffic is flowing (encrypted/decrypted):
sh cry ips sa
3. Enter the command:
management-access inside
And check whether you can PING the ASA's inside IP from the VPN client.
4. Check that the default gateway for the internal LAN is the ASA's inside IP (or that there is a route to the ASA for sending traffic to the VPN clients).
Federico.
-
iPsec S2S ASA to ASR with VRF using Lo's ADDRESS
So, I have a solution and then a question about this solution.
First the solution and the config, for anyone in the future who needs it.
To configure the ASA VPN to the ASR:
crypto keyring KEY-SITE-B-DC
 local-address [asr-ip-address]
 pre-shared-key address [ASA-ip-address] key test123
!
crypto isakmp profile ISAKMP-SITE-B-DC
 vrf VPN
 keyring KEY-SITE-B-DC
 match identity address [ASA-ip-address] 255.255.255.255
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map S2S-VPN local-address Loopback11
crypto map S2S-VPN 10 ipsec-isakmp
 description # VPN S2S SITE-B-DC ASA #
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
interface EXIT/ENTRY
 description # BECAUSE WE RUN A DYNAMIC PROTOCOL, BGP (in my case), ANY INTERFACE COULD BE THE INPUT/OUTPUT IF, SO THESE IFs MUST ALSO HAVE THE CRYPTO MAP #
 crypto map S2S-VPN
!
interface Loopback11
 description # IPSEC TEST #
 ip address [asr-ip-address] 255.255.255.255
!
!
ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
 permit ip host [ASR-LAN-addresses] [ASA-LAN-addresses]
!
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE (ANYCAST) * the route here is for the traffic that is to be encrypted; the next hop MUST be a non-recursive route *
!
So now for my question:
Does there REALLY have to be a route in the routing table that matches something other than the default route?
(Because it does not work with a route that points to the default route, even when the recursive path points to the same interface the specific route does.)
Is there any other way to do this? Because pointing the route to 8.8.8.8 means my tunnels depend on the availability of a route for 8.0.0.0 in the RIB.
Help would be appreciated here, guys!
Why not let the router hide the complexity of administration using IPP?
The example is not perfect because of the connection point to point between two routers, but you can understand what IP address as the gateway.
I suggest also entry of cryptographic cards, the new software. logical interfaces with tunnel protection is the way to go. The problem does not appear here.
-
Enforcing the dynamic firewall on VPN clients with ASA
Hello
I'm going to set up a Cisco ASA to terminate remote VPN client connections, but I want to ensure that the dynamic firewall is enabled on the client.
I know it's possible with the VPN concentrator, but I cannot see any documentation detailing how it can be done on an ASA.
Has anyone encountered this?
Thank you
James
I believe you can use Group Policy settings to configure the client firewall.
You can find more information about this feature in the migration guide at http://www.cisco.com/en/US/docs/security/asa/asa72/vpn3000_upgrade/upgrade/guide/migrate.html.
Hope this helps.
Andrea.
Step 1: Under Configuration > VPN > General > Group Policy, select the group policy in the table and click Edit. ASDM displays the Edit Group Policy dialog box.
Step 2: Click the Client Firewall tab. Figure 5-6 shows the client firewall options configured for this example:
• Inherit: disabled (unchecked)
• Firewall Setting: Firewall Required
• Firewall Type: Cisco Integrated Client Firewall
• Firewall Policy: Policy Pushed (CPP)
-
ASA 8.4(1) L2L vpn-filter obscurity when you specify the protocol and port
Hi all - I've spent many hours trying to diagnose this and have read several discussions and the Cisco docs without success...
Situation: two sites running Cisco ASA 5520 on 8.4(1) with L2L IPsec over the public internet between them. The IPsec configuration and associated routing work as they should, and we are able to pass traffic between the private networks behind each device as expected. The problem occurs when we try to restrict sessions using a vpn-filter group policy configuration.
Each site has 3 private subnets that are able to communicate correctly without the vpn-filter configuration. We want to restrict access to specific protocols, hosts, and ports between each network.
SITE A: 10.10.0.0/18, 10.10.64.0/18, 10.10.128.0/18
SITE B: 10.20.0.0/18, 10.20.64.0/18, 10.20.128.0/18
When we apply a vpn-filter configuration which restricts access to only two hosts, as follows...
SITE A: access-list vpn_acl_x_x_x_x extended permit ip host 10.20.0.1 host 10.10.0.1
SITE B: access-list vpn_acl_x_x_x_x extended permit ip host 10.10.0.1 host 10.20.0.1
... the configuration works correctly. However, when we try to lock the configuration down further and specify the protocols and ports, as follows...
SITE A: access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22
SITE B: access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
... and then try to establish an SSH connection from 10.10.0.1 to 10.20.0.1 or vice versa, the packet is dropped on the SOURCE side...
Mar 22 11:58:01 x.x.x.x Mar 22 2011 14:34:56: %ASA-4-106103: access-list vpn_acl_x_x_x_x denied tcp for user '' inside-data/10.10.0.1(59112) -> outside-iptrans/10.20.0.1(22) hit-cnt 1 first hit [0xd8d1c1b4, 0x0]
I would really appreciate it if someone could shed some light on what is wrong with this setup.
SOLUTION
The ACE must be implemented at both the source and the destination end of the tunnel to make this configuration work.
EXAMPLE 1: allow SSH two-way communication between hosts on each network (SITE A can connect to SITE B, SITE B can connect to SITE A)...
SITE A:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
SITE B:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1
EXAMPLE 2: allow one-way SSH communication between hosts on each network (SITE A can connect to SITE B, SITE B is unable to connect to SITE A)...
SITE A:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1
SITE B:
access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22
Very good, and thank you for this post. Please kindly mark the post as answered so that others may learn from it. I think that you have started a very good discussion on vpn-filter for L2L tunnels.
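The matching rule this thread arrives at can be checked with a small model. The Python below is an added example, not code from the thread or from Cisco; it assumes, as the SOLUTION implies, that a vpn-filter ACE always carries the remote host in the first position and the local host in the second, and that the first packet of a session must pass the filter at both tunnel ends. All function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    proto: str                  # "tcp", "udp" or "ip"
    remote: str                 # first position: always the remote peer's host
    remote_port: Optional[int]  # None means any port
    local: str                  # second position: always the local host
    local_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit PROTO host A [eq N] host B [eq N]'."""
    tok = line.split()
    if len(tok) < 9 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, rest = tok[4], tok[5:]

    def endpoint(i: int):
        if i + 1 >= len(rest) or rest[i] != "host":
            raise ValueError(f"only 'host A.B.C.D' endpoints are modelled: {line!r}")
        addr, port, i = rest[i + 1], None, i + 2
        if i + 1 < len(rest) and rest[i] == "eq":
            port, i = int(rest[i + 1]), i + 2
        return addr, port, i

    remote, rport, i = endpoint(0)
    local, lport, i = endpoint(i)
    if i != len(rest):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(proto, remote, rport, local, lport)


def filter_permits(acl: List[Ace], proto: str, local: str, local_port: int,
                   remote: str, remote_port: int) -> bool:
    """First-packet check. Inbound and outbound use the same comparison because
    the ACE positions mean remote/local, not the packet's source/destination."""
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and ace.remote == remote and ace.local == local
                and ace.remote_port in (None, remote_port)
                and ace.local_port in (None, local_port)):
            return True
    return False  # implicit deny at the end of the ACL


def session_allowed(initiator_acl: List[Ace], responder_acl: List[Ace], proto: str,
                    src: str, sport: int, dst: str, dport: int) -> bool:
    """The opening packet leaves through the initiator's filter and enters
    through the responder's filter; both must permit it."""
    out_ok = filter_permits(initiator_acl, proto, src, sport, dst, dport)
    in_ok = filter_permits(responder_acl, proto, dst, dport, src, sport)
    return out_ok and in_ok


def acl(*lines: str) -> List[Ace]:
    return [parse_ace(line) for line in lines]


P = "access-list vpn_acl_x_x_x_x extended permit "
# ACLs copied from the thread: the failing attempt, then EXAMPLE 1 and EXAMPLE 2.
FAILING_A = acl(P + "tcp host 10.20.0.1 host 10.10.0.1 eq 22")
FAILING_B = acl(P + "tcp host 10.10.0.1 host 10.20.0.1 eq 22")
EX1_A = acl(P + "tcp host 10.20.0.1 host 10.10.0.1 eq 22",
            P + "tcp host 10.20.0.1 eq 22 host 10.10.0.1")
EX1_B = acl(P + "tcp host 10.10.0.1 host 10.20.0.1 eq 22",
            P + "tcp host 10.10.0.1 eq 22 host 10.20.0.1")
EX2_A = acl(P + "tcp host 10.20.0.1 eq 22 host 10.10.0.1")
EX2_B = acl(P + "tcp host 10.10.0.1 host 10.20.0.1 eq 22")

A, B = "10.10.0.1", "10.20.0.1"

if __name__ == "__main__":
    # Source ports 59112 (from the thread's log line) and 40000 (constructed).
    print("failing attempt A->B:", session_allowed(FAILING_A, FAILING_B, "tcp", A, 59112, B, 22))
    print("example 1 A->B:", session_allowed(EX1_A, EX1_B, "tcp", A, 59112, B, 22))
    print("example 1 B->A:", session_allowed(EX1_B, EX1_A, "tcp", B, 40000, A, 22))
    print("example 2 A->B:", session_allowed(EX2_A, EX2_B, "tcp", A, 59112, B, 22))
    print("example 2 B->A:", session_allowed(EX2_B, EX2_A, "tcp", B, 40000, A, 22))
    # Review point: an ACE that pins only the remote port leaves the local port
    # unconstrained, so in this model it matches remote:22 -> local:<any port>.
    print("EX2_A matches remote:22 -> local:8080:",
          filter_permits(EX2_A, "tcp", A, 8080, B, 22))
```

In this model the failing attempt is denied on the source side, as in the 106103 log line, because the outbound packet's local port (59112) is compared against `eq 22` in the local position.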
-
Limit the bandwidth in the VPN tunnel on Cisco ASA
Hello
I have a site-to-site VPN tunnel to create with a client's local office. I fear that the traffic in the tunnel will impact the Internet bandwidth for the entire office. Is it possible to limit the bandwidth of the VPN tunnel? I have attached a configuration that shows the configuration of the ASA at the local office.
Any help would be much appreciated. I looked at QoS mapping but it's hard to make sense of.
Thank you very much
Kind regards
Michael.
The QoS features supported by the ASA are:
Policing, LLQ and traffic shaping.
To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow (with policing).
Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits per second) that you configure,
thus ensuring that no one traffic flow or class can take over the entire resource.
When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
Example of policing options:
hostname(config-pmap)# class policing_map_name
hostname(config-pmap-c)# police {output | input} conform-rate [conform-burst]
[conform-action [drop | transmit]] [exceed-action [drop | transmit]]
That is to say:
hostname(config)# class-map police-class
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map QoS_policy
hostname(config-pmap)# class police-class
hostname(config-pmap-c)# police output 56000 10500
The configuration depends on the basis on which you want to limit the connection.
Federico.
-
AnyConnect VPN for Cisco ASA 5505 refused connections
I'm trying to set up my Cisco 5505 for VPN access with the AnyConnect VPN client. Here is the relevant information from my config:
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any anyaccess-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outsidewebvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enablegroup-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn
policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!
When I try to connect, I get this error in the real-time log viewer:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the details of the license:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Can someone tell me what I am doing wrong or what access list I'm missing?
I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.
Hi Matt,
You are probably landing on the default tunnel-group - you will need to indicate to the client which group to connect to. This can be done in different ways - I see that you already have a group alias defined, but to be able to use that you must configure:
webvpn
tunnel-group-list enable
Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ enable' to the tunnel-group webvpn-attributes.
HTH
Herbert
-
NAT before going on a VPN Tunnel Cisco ASA or SA520
I have a friend who asked me to try to help. We have established a site-to-site VPN with a customer. Our side is a Cisco SA520 and their side is a Check Point. The tunnel is up; we checked that phase 1 and phase 2 are good. The issue is passing traffic through the tunnel: our LAN IP addresses are private addresses in 10.10.1.0/24, but the client says we must have a public IP address for our local network in order to access the server on their local network. In all the forums I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the Comcast router on the WAN side of the SA520 firewall. So we were wondering whether there is a way to use the WAN interface on the SA520, or another of the 6 available addresses that were assigned, to NAT the traffic and pass it through the tunnel. Does that sound confusing? Sorry, but rarely have I had a customer say that I must have a public IP address on my side of the LAN. Now, I said this is an SA520 firewall, but if it is not possible with that, is there a way we could do it with an ASA5505?
Help or direction would be very useful.
Hello
I guess I could quickly write a basic configuration. I can't be sure I remember everything correctly, but it should be the biggest part of it.
Some of the settings may of course be different depending on the type of L2L VPN connection settings you have chosen.
Naturally, there is also a lot of basic configuration that is not mentioned below.
For example
- Management and AAA configurations
- DHCP for LAN
- Logging
- Interface "no shutdown"
- etc.
Information for the parameters below
- x.x.x.x = ASA "outside" interface public IP address
- y.y.y.y = ASA "outside" network mask
- z.z.z.z = ASA "outside" default gateway IP address
- a.a.a.a = remote site L2L VPN network address
- b.b.b.b = remote site L2L VPN network mask
- c.c.c.c = remote site L2L VPN peer device public IP address
- PSK = the pre-shared key for the L2L VPN connection
Interfaces - Default Route - Access-list
interface Vlan2
description WAN
nameif outside
security-level 0
ip address x.x.x.x y.y.y.y
route outside 0.0.0.0 0.0.0.0 z.z.z.z
interface Ethernet0
description WAN access
switchport access vlan 2
- All interfaces are in Vlan1 by default, so their "switchport access vlan x" does not need to be configured
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 10.10.1.0 255.255.255.0
access-list INSIDE-IN remark Allow all local network traffic
access-list INSIDE-IN permit ip 10.10.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
NAT and L2L VPN configuration - ASA software 8.2 and earlier
global (outside) 1 interface
nat (inside) 1 10.10.1.0 255.255.255.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b
crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
crypto map WAN-CRYPTOMAP 10 set transform-set AES-256
crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
crypto map WAN-CRYPTOMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
pre-shared-key PSK
NAT and L2L VPN configuration - ASA software 8.3 and later
nat (inside,outside) after-auto source dynamic any interface
crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b
crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c
crypto map WAN-CRYPTOMAP 10 set ikev1 transform-set AES-256
crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600
crypto map WAN-CRYPTOMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
ikev1 pre-shared-key PSK
I hope that the above information was useful. Please rate it if you found it useful.
If it comes down to configuring the connection with the ASA5505 and the above configuration does not cut it, feel free to ask for more.
-Jouni
-
Site to site VPN routing via ASA
Need help setting up routing through the tunnel. We have a bunch of remote sites in 192.168.0.0/16 passing through a central site, 192.168.137.0.
How can I get all traffic going to 192.168.0.0 to cross the tunnel? I have the tunnel up, but no traffic passes through. Here is the config.
XXXX# show run
: Saved
:
ASA Version 8.2(1)
!
hostname xxxxx
domain-name xxxx.xxx
enable password xxxxxxxx
passwd xxxxxxxxxxxxx
names
!
interface Vlan1
description =-=- INSIDE INTERFACE =-=-
nameif inside
security-level 100
ip address 192.168.33.1 255.255.255.0
!
interface Vlan2
description =-=- CABLE EXTERNAL INTERFACE =-=-
nameif outside
security-level 0
ip address aaa.bbb.ccc.202 255.255.255.252
!
interface Ethernet0/0
description =-=- CABLE EXTERNAL INTERFACE =-=-
switchport access vlan 2
!
interface Ethernet0/1
description =-=- INSIDE INTERFACE =-=-
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 24.92.226.12
name-server 24.92.226.11
domain-name xxxxxx.xxx
object-group network NETWORK-OUR
network-object 10.254.1.0 255.255.255.0
network-object 172.22.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
access-list SHEEP remark =-=- ACCESS LIST FOR NAT EXEMPTION =-=-
access-list SHEEP remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
access-list SHEEP extended permit ip 192.168.33.0 255.255.255.0 object-group NETWORK-OUR
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
access-list INTERESTING remark =-=- ACCESS LIST FOR INTERESTING TRAFFIC =-=-
access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
access-list INTERESTING extended permit ip 192.168.33.0 255.255.255.0 object-group NETWORK-OUR
access-list ICMP remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
access-list ICMP remark =-=- ALLOW ICMP TO THE OUTSIDE INTERFACE =-=-
access-list ICMP remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ICMP access list extended icmp permitted no echo of aaa.bbb.ccc.201 host
no pager
logging enable
logging timestamp
logging buffer-size 38400
logging buffered alerts
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
http server enable
http xx.xx.xx.xx 255.255.255.0 outside
http xxx.xxx.xxx.xxx 255.255.192.0 outside
http xxx.xxx.0.0 255.255.0.0 inside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
snmp-server location xxxxxx
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
Crypto ipsec transform-set esp-HMAC-SHA-ESP-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map L2LMAP 10 match address INTERESTING
crypto map L2LMAP 10 set pfs
crypto map L2LMAP 10 set peer ddd.eee.fff.32
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
crypto map L2LMAP 10 set security-association lifetime seconds 86400
crypto map L2LMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2LMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
Telnet timeout 5
SSH enable ibou
ssh xxx.xxx.0.0 255.255.0.0 inside
ssh xxx.xxx.0.0 255.255.0.0 outside
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.137.225 24.92.226.12
dhcpd domain arc.com
dhcpd auto_config outside
dhcpd option 150 ip 172.22.137.5
!
dhcpd address 192.168.33.2-192.168.33.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside
ntp server 96.47.67.105 source outside prefer
webvpn
username xxxx password xxxx
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group ddd.eee.fff.32 type ipsec-l2l
tunnel-group ddd.eee.fff.32 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Thank you
Mike
As I suspected, a mismatch.
Remote side is set to 3des/sha. You are set to 3des/md5.
Change the following:
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
TO
crypto map L2LMAP 10 set transform-set ESP-3DES-SHA
Assuming the ACLs match, things should be fine.
Let me know.
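The 3des/md5 versus 3des/sha mismatch diagnosed in this answer can be caught before a tunnel is brought up by comparing what each peer's crypto map entry offers. The following Python check is an added example, not part of the original thread: it reads ASA 8.2-style config text, and the REMOTE config, the names HUBMAP and REMOTE-SET, and all function names are constructed for illustration.

```python
import re

# Constructed sample configs: LOCAL repeats the crypto map lines from the post;
# REMOTE (names HUBMAP, REMOTE-SET) is a hypothetical peer offering 3des/sha.
LOCAL = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map L2LMAP 10 set pfs
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
"""
REMOTE = """
crypto ipsec transform-set REMOTE-SET esp-3des esp-sha-hmac
crypto map HUBMAP 20 set pfs
crypto map HUBMAP 20 set transform-set REMOTE-SET
"""

TS_DEF = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
TS_USE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+)$", re.M)
PFS = re.compile(r"^crypto map (\S+) (\d+) set pfs(?: (\S+))?[ \t]*$", re.M)

def proposals(config, cmap, seq):
    """Return the set of ESP algorithm combinations a crypto map entry offers."""
    defined = {n: frozenset(a.split()) for n, a in TS_DEF.findall(config)}
    offered = set()
    for m, s, names in TS_USE.findall(config):
        if (m, s) == (cmap, str(seq)):
            for name in names.split():
                if name not in defined:
                    raise ValueError(f"transform-set {name} used but not defined")
                offered.add(defined[name])
    return offered

def pfs_group(config, cmap, seq):
    """Return the PFS group of an entry, or None when PFS is not set."""
    for m, s, grp in PFS.findall(config):
        if (m, s) == (cmap, str(seq)):
            return grp or "group2"  # bare 'set pfs' defaults to group2 on ASA 8.x
    return None

def phase2_check(local, l_entry, remote, r_entry):
    """List the reasons the two entries cannot agree on an IPsec SA."""
    problems = []
    lp, rp = proposals(local, *l_entry), proposals(remote, *r_entry)
    if not lp & rp:
        show = lambda ps: sorted("/".join(sorted(p)) for p in ps)
        problems.append(f"no common transform-set: local {show(lp)} remote {show(rp)}")
    if pfs_group(local, *l_entry) != pfs_group(remote, *r_entry):
        problems.append("PFS setting differs")
    return problems
```

The check covers only the transform set and PFS group; the mirrored crypto ACLs the answer mentions still have to be compared separately.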