VPN problem
Hello people!
I have to create a new VPN between a 5506, which is new, and an ASA 5555 that is already in production.
The VPN comes UP, but no traffic passes, and I have no idea why.
Attached are the log bundle, sh crypto ipsec sa and sh isakmp sa.
Thank you
Marcio
Hi Marcio,
Could you please update your ASDM to 7.6(1), which is the recommended ASDM for ASA 9.5.2, and test again?
You should not face any issues with it.
Kind regards
Aditya
Please rate helpful posts and mark the correct answers.
Tags: Cisco Security
Similar Questions
-
VPN problem consumes my life...
At the office I have an SBS 2011 Premium server, a Comcast/SMC 50/10 cable modem in bridge mode, and a NetVanta 3450 router with port 1723 forwarded. I ran the VPN wizard over and over, applied the best-practice recommendations, the server firewall is disabled, but I still cannot log in. I can VPN in from other places in the house. What am I missing? The Dell PE R510 is multi-homed with 3 NICs, but I use only one of them. Would that be a problem? Thanks, Craig
Hi Craig
Your question is beyond the scope of these consumer-level forums. Please ask your question on the following forum.
TechNet: ITPro - Small Business Server Forum: SBS http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads
Regards
-
[FIXED] VPN problems
Hello.
I'm trying to set up a VPN server on my XP machine at home, in order to get around the internet blocks on my school's network. I managed to set up a VPN server on my laptop with Win7, but I don't run it all the time, so I thought it would be more convenient to set up the VPN on my old XP computer.
In any case, I think I did everything I'm supposed to. I have forwarded port 1723 on the router and opened port 1723 and IP protocol 47 (GRE) in the firewall. I also chose, in the incoming connection properties for the VPN, addresses that do not clash with the DHCP server on my router.
Still, when I try to connect from my school's network, I get error 800 or 807. Can someone help me? What am I missing?
OK, so I found what my problem was. The local IP address of my XP computer had been updated to an IP address outside the range of the DHCP server on the router. Once I changed the IP address, forwarded the ports to the new IP address and configured the VPN server again, it worked.
-
Cisco VPN problem with security update KB3057839 for Vista
Has anyone had problems with any Cisco VPN connection working after installing security update KB3057839 for Vista? When this update is installed, the pop-up to enter the user id and password does not come up, and I need to use Task Manager to close the program. The first time, I went back to a restore point to get my VPN working; this time I tried to reinstall the VPN but that doesn't work anymore. I started uninstalling updates (had 7 of them), and when I got to KB3057839, the VPN began working again.
Mike
See this on the real issue:
http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html
It turns out that the logon dialog box is invisible, but it still accepts your password and logs you in!
-
VPN problem with VRF support on the CSR
Hello community,
I am currently evaluating the CSR on AWS (60-day trial) and have already worked around the usual problems and the particularities of the AWS network architecture design.
I can't open a TAC case, because we have not purchased a license yet. We will, once this last problem is solved.
Current configuration:
- Two CSRs in one VPC in two AZs
- GRE tunnel transit between the two CSRs
- BGP running with VRF support
- using a front-door VRF
- the CSR is connected to several AWS VPCs (customers) via the AWS VPN feature - fully meshed route-based VPN - one VRF per customer - all running BGP
- Link to on-prem is done the same way: fully meshed route-based VPN - using the front-door VRF - all running BGP
- VRF import/export rules
It works fine - no problems here. All HA tests work as expected. So far, so good.
Now we had to create a VPN connection to a special on-prem location of our company. We had to create a policy-based VPN to that location (no support for route-based VPN there). It is a two-to-one VPN: both CSRs connect to one on-prem gateway. Both tunnels run the same encryption domain. On-prem routing is based on tunnel state. We put this tunnel in the front-door VRF. Routes are injected into the front-door VRF routing table by the VPN process (reverse-route static in the crypto map). To get these routes exported to the customer VRF, there is a network statement in the front-door VRF BGP process.
Well, this also works fine if we do this only with CSR A. Reachability is there. CSR B delivers via CSR A thanks to the VRF-aware VPN. However, if we establish the second tunnel on CSR B, something strange happens.
The tunnel comes up fine. Traffic through the tunnel at CSR B is accepted and routed to the destination. Traffic generated in the front-door VRF on CSR B is routed into its own VPN fine. However, traffic from a customer VRF that reaches CSR B (traceroute proved that) is not routed through the VPN tunnel, despite what the customer VRF routing table says. On CSR A, running the same configuration, there is no problem. Only on CSR B.
I don't understand this. If we remove the tunnel configuration from CSR A and create the tunnel only on CSR B, it still does not work. I don't understand why, because I did a config comparison and found no difference.
Does anyone have an idea what's going on?
How can I debug this problem?
CSR-A:
B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf default), 3w4d
CSR-B:
with route (does not work for the customer VRF):
B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf default), 00:00:02
without route (works, because traffic is only sent via transit to CSR-A):
B 172.29.13.176/28 [20/0] via 192.168.254.53 (vrf default), 00:38:23
This problem is hard to describe; I would really appreciate discussing it with a TAC engineer in a WebEx. Is this possible?
Thank you.
Hello Tobias,
The problem you describe is going to be outside our CSR platform expertise. It looks like the CSR works well and HA works as well, and now you're trying to find a solution to a network/VPN problem that you are facing.
Our team is trying to find an internal resource to resolve your issue; please allow us a day or two to get back to you with an answer.
Regards
Tony
-
Hello
I have a PIX 501 (6.3(4)) on a local network and try to use the Cisco VPN Client (4.0.2-D) on a remote PC.
I can open a VPN session.
I can't ping from the remote PC to the LAN.
I can ping from any station on the LAN to the remote PC.
After I have pinged from a station on the LAN to the remote PC, I can ping from the remote PC to the local network.
I am such a newb, trying for 2 days changing ACLs, no way.
I must say that I have a dynamic WAN IP on both the local network and the remote PC.
Any idea about this problem?
Any help is welcome.
Here is the configuration of my pix:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup ... /...
fixup protocol tftp 69
names
name 192.168.42.0 Dmi
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit icmp any any
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x.255.255.224
ip address inside 192.168.42.40 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
pdm location 192.168.229.1 255.255.255.255 outside
pdm location 209.165.x.x.x.255.255 inside
pdm location 209.x.x.x.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Dmi 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.42.100 .
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt pass
auth-prompt accept good
auth-prompt reject bad
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dmivpn address-pool dmivpndhcp
vpngroup dmivpn dns-server 192.168.42.20
vpngroup dmivpn wins-server 192.168.42.20
vpngroup dmivpn default-domain defi.local
vpngroup dmivpn idle-time 1800
vpngroup dmivpn password *
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username vpnuser password *
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.42.41-192.168.42.72 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum: *
Noelle,
Add the command (in config mode): isakmp nat-traversal
Let me know if it helps.
Jay
-
Hi, I implemented a project some time back which went something like this: a headquarters site where a PIX 515E is installed with a public static IP on its external interface, and three remote sites, each connecting to the internet through 837 ADSL routers with a dynamic public IP address. I configured the firewall and routers for EzVPN (router configured in client mode) and the VPN tunnel comes up and works fine. Of course, when there is no interesting traffic through the tunnel and the idle timer on the PIX expires, the tunnel goes down. That is also fine. The problem is that once the tunnel goes down, it does not come up again automatically when interesting traffic passes through the router (which it is supposed to). I used the console and ran debugging on one of the routers and noticed that once the tunnel goes down and the router tries to bring it up again, it gives the message:
"Key pair for this 'XXX.XX.XX.XX/XX' mask already exists." Then, when I give the command "clear crypto isakmp sa", the tunnel comes up immediately. I already posted this question before (link: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6e4b2). Maybe it has something to do with Dead Peer Detection on the PIX and the router. In any case, I have configured the following command on the router and PIX:
crypto isakmp keepalive 2 10
but still it does not solve the problem. The router's IOS version is 12.3(2)XC2 and the PIX OS version is 6.3(3). I am also attaching the PIX and router configs to this post. What else can be done to solve the problem?
I replied to your last message.
As I said, you need at least 12.3(7)T so that it works correctly.
"You must have at least 12.3(7)T for Dead Peer Detection to work and to send keepalives at the interval you want.
crypto isakmp keepalive [interval] [retries until counted dead] periodic
for example:
crypto isakmp keepalive 15 5 periodic
The keyword "periodic" is not available until 12.3(7)T or later.
crypto isakmp keepalive 2 10
without periodic does nothing; you need periodic keepalives.
crypto isakmp keepalive 2 10 periodic
will maintain the tunnel and let the head-end device know if/when it drops. It should be applied to the router and the PIX in your situation.
I worked through this issue before with IOS EzVPN (12.3(11)T) to PIX (6.3(3)) and with IOS EzVPN to a VPN3000 (4.1) hub for the basic VPN.
also... http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a00801ee19a.html
-
Hello friends!
I've been trying to configure the AnyConnect VPN, but I cannot generate the CA; probably I'm doing something wrong.
To be honest, I don't know if the problem with this VPN is only what is missing, but it is the only thing I've seen that could be a problem.
Does someone know how to generate the CA on the ASA?
Hi Marcio,
Please follow this link:
https://supportforums.Cisco.com/document/12597006/how-configure-ASA-CA-s...
Do you want certificate-based authentication for AnyConnect users?
I'm not sure we really need a CA in this case.
You can check this third-party link to configure the basic AnyConnect settings on the ASA:
http://www.petenetlive.com/kb/article/0000943
Kind regards
Aditya
Please rate helpful posts.
-
Cisco RV220W IPSec VPN problem: local configuration has no config mode
Dear all,
I need help. I am currently evaluating the RV220W for VPN usage but I'm stuck with the config somehow; it seems there is a problem with Mode-Config?
What needs to be changed, or where is my mistake?
I have set up IPSec according to the RV220W Administrator's Guide. The client is a Mac with the Mac Cisco IPSec VPN client; I also tried the NCP Secure Client.
I have 3 other sites where the config on my Mac works fine, but with the Cisco VPN router it does not.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: CISCO - UNITY
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: DPD
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 3947
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload is x.x.x.x [4500]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: request sending Xauth for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REPLY" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28683
2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: purged-with proto_id = ISAKMP and spi = 1369a43b6dda8a7d:fd874108e09e207e ISAKMP Security Association.
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
Hi Mike, the built-in client for Mac does not work with the RV220W. The reason is that the Mac IPSec client is the same as the Cisco VPN 5.x client.
This is important because the 5.x client only works with certain small business products, including the SRP500 and SA500 series.
I would recommend that you look at using a VPN client such as Greenbow or IPSecuritas.
-Tom
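As an added triage helper, not code from this thread: the Python below splits an RV220W (racoon-style) IKE log into records on the timestamp rather than on newlines, so a record fused onto the previous line, as in the posted log, is still recovered, and condenses one negotiation into the facts that matter here (aggressive mode, NAT detection, Xauth user, ISAKMP SA lifetime and the repeated "has no config mode" rejection of the client's ISAKMP_CFG_REQUEST). The sample log is a constructed excerpt of the posted lines, reusing the posted peer, port and SPI values.

```python
import re
from typing import Any, Dict, List

# Added triage helper for RV220W / racoon-style IKE logs; not from the thread.
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
RECORD = re.compile(
    rf"(?P<ts>{TS}): \[(?P<src>[^\]]+)\] \[(?P<mod>[^\]]+)\] "
    rf"(?P<level>INFO|WARNING|ERROR): (?P<msg>.*?)(?=\s*{TS}: |\s*\Z)",
    re.S,
)
PEER = re.compile(r"(\d+\.\d+\.\d+\.\d+) ?\[(\d+)\]")   # "2.206.0.67 [52149]"


def records(log: str) -> List[Dict[str, str]]:
    """Split on timestamps, not newlines: two records fused onto one line
    (as happened in the posted log) still come out as two records."""
    return [m.groupdict() for m in RECORD.finditer(log)]


def triage(log: str) -> Dict[str, Any]:
    """Condense one negotiation into the facts a responder needs, plus a verdict."""
    s: Dict[str, Any] = {
        "peers": set(), "aggressive_mode": False, "peer_behind_nat": False,
        "xauth_user": None, "sa_established": 0, "sa_deleted": 0,
        "modecfg_requested": False, "no_modecfg_errors": 0, "ignored_attributes": [],
    }
    for r in records(log):
        msg, low = r["msg"], r["msg"].lower()
        s["peers"].update(ip for ip, _port in PEER.findall(msg))
        s["aggressive_mode"] |= "aggressive mode" in low
        s["peer_behind_nat"] |= "peer is behind a nat device" in low
        if m := re.search(r'user "([^"]+)"', msg):
            s["xauth_user"] = m.group(1)
        s["sa_established"] += "isakmp security association established" in low
        s["sa_deleted"] += "isakmp security association deleted" in low
        s["modecfg_requested"] |= "ISAKMP_CFG_REQUEST" in msg
        s["no_modecfg_errors"] += "has no config mode" in low
        if r["level"] == "WARNING" and (m := re.search(r"(\d+)\s*$", msg)):
            s["ignored_attributes"].append(int(m.group(1)))  # mode-config attribute types skipped
    if not s["sa_established"]:
        s["verdict"] = "phase 1 never completed"
    elif s["modecfg_requested"] and s["no_modecfg_errors"]:
        s["verdict"] = ("phase 1 and Xauth completed, but the client's ISAKMP_CFG_REQUEST "
                        "(mode-config) was rejected: local policy has no config mode")
    elif s["sa_deleted"]:
        s["verdict"] = "phase 1 completed; ISAKMP SA later deleted"
    else:
        s["verdict"] = "phase 1 completed"
    return s


# Constructed excerpt of the log posted above (line 5 carries two fused records).
SAMPLE_LOG = """\
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: remote for found identifier "remote.com" configuration
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: application received for the negotiation of the new phase 1: x.x.x.x [500]<=>2.206.0.67 [53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: early aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: for 2.206.0.67 [53056], version selected NAT - T: RFC 39472013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: floating ports NAT - t with peer 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT - D payload does not match for 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association established for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: connection for the user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: type of the attribute "ISAKMP_CFG_REQUEST" from 2.206.0.67 [52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: local configuration for 2.206.0.67 [52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: attribute ignored 28678
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP Security Association deleted for x.x.x.x [4500] - 2.206.0.67 [52149] with spi: 1369a43b6dda8a7d:fd874108e09e207e
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```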
Please mark helpful replies.
-
We have a customer (let's call them the ODC) who has an office. There is a user who likes to work from home. The user does not have a static IP address at home.
In order to comply with the auditors, this particular customer uses an ACL to block everyone (other than known good IPs).
The ODC's router was a WRV4000 with VPN. The user would use the Cisco QuickVPN utility to connect their laptop to the home office LAN to access server resources.
I took screenshots of the configuration before removing it from service. I then entered these settings on the new RV180W. Everything worked perfectly except the VPN.
I tried updating the firmware to the latest version I could find.
After replacing the older WRV4000 with the RV180W, I am unable to get the user logged in. I created the user account in the VPN section of the router.
I uninstalled the old version of Cisco QuickVPN from the user's laptop, restarted the laptop and installed the version of QuickVPN for the RV180W, and made sure I have the latest version of the utility.
I entered the user name and password that were set in the VPN section of the router and am unable to connect. Then I disabled all the ACL rules that block traffic. Then I tried to connect again, no luck. I then looked up the user's dynamic external IP address at home and whitelisted all services from this address. Then I tried to connect again without success. I get a generic error message, which I have attached.
* I checked that the user name and password are correct
* The laptop at the user's home and the server have a valid network connection. Both places are able to browse the internet and perform DNS lookups
* I used both the fully qualified domain name and the external IP address of the office
* Checked the firewall on the laptop (no changes made since before the router was replaced this summer). The firewall IS turned on.
* The office IP scheme is 192.168.10.x with a 255.255.255.0 mask. The user's home is 192.168.1.x with a 255.255.255.0 mask
I am running out of ideas and would like some help.
-Cody
Cody,
Thank you for your response. The QuickVPN web page says that the program only explicitly supports up to Windows 7, so you're probably right in thinking that it is incompatible with Windows 8.
If your problem has been resolved, please be sure to mark your question as answered, as it may help others in the community!
Best,
Taylor
-
Hi, I currently have a site-to-site VPN up and running and it works fine. I am trying to bring the other two online and just cannot make them work. I used the same configuration as the working one but I cannot get the next tunnel up. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you
Main site - has VPN clients connecting to it and point-to-point VPNs to 3 endpoints
Cisco PIX Firewall Version 6.3(3)
* Main Site Config *
access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list client_vpn
sysopt connection permit-ipsec
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address VPN_to_Site2
crypto map outside_map 60 set peer 64.X.X.19
crypto map outside_map 60 set transform-set fws_encry_set
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Site 2 config
* only because the point-to-point does not work, I have it set up to allow VPN clients to connect through to the main site.
Cisco PIX Firewall Version 6.3(5)
access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list VPN_to_Main
sysopt connection permit-ipsec
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address VPN_to_Main
crypto map outside_map 10 set peer 207.X.X.13
crypto map outside_map 10 set transform-set fws_encry_set
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Errors
PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created
authenticator is HMAC-MD5
IPSEC(validate_proposal): invalid local address
I have a link that works very well. I copied the config from there, changed the IP info and it does not work. The only differences in the configs are no sysopt route dnat and it's on version 6.2(2).
IPSEC(sa_initiate): ACL = deny; no sa created
I think that you have configured a VPN tunnel without removing the crypto map from the external interface. The message above is the error we get in such a situation.
I suggest the following solution:
- remove the crypto map from the external interface (on both PIXes)
- issue clear isakmp sa and clear ipsec sa (on both PIXes)
- reapply the crypto map on the external interfaces.
If this doesn't solve the problem, reboot the equipment.
Kind regards
Ajit
-
I can connect, but I don't see all network resources.
The VPN Client, ver. 5.0.01, is running on an XP machine.
It connects to a network behind a PIX 501, ver. 6.3(5).
When the connection is established, the remote client gets an address assigned from the VPN pool 192.168.2.10 - 192.168.2.25:
The vpn client log shows:
Line: 45 18:07:27.898 12/08/09 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.10/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=
It is followed by these lines:
46 18:07:27.968 12/08/09 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.2.1
Interface 192.168.2.10
47 18:07:27.968 12/08/09 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.
48 18:07:28.178 12/08/09 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
49 18:07:28.198 12/08/09 Sev=Info/6 CM/0x63100036
The routing table was updated for the virtual adapter
50 18:07:29.760 12/08/09 Sev=Info/4 CM/0x6310001A
Secure connection established
...
I can ping the remote client from an inside IP behind the same PIX.
I get the 'route add failure' above, and I cannot ping by computer name.
I enabled NAT traversal using the PDM, but when I connect with this option, I get the error that the "remote endpoint is NOT behind a NAT device; this end is behind a NAT device" and ping fails.
Behind the PIX are a few computers with no central server, so I am not providing a WINS server for remote clients.
I created the vpn with the wizard.
The configuration file is attached.
Any suggestion would be appreciated.
Kind regards
Hugh
Hugh, sure, you can rate based on the whole conversation; you don't have to, but please do provide ratings.
To sum up the shrinking list of problems, the main objective was to make sure the RA VPN configuration on the PIX 501 was corrected.
1. We enabled NAT-T on the firewall - even if it wasn't the issue, you need it in case you do RA from other places - NAT traversal makes the firewall aware of NAT devices at the other ends - here is some good information on NAT-T for future reference
http://www.Microsoft.com/technet/community/columns/cableguy/cg0802.mspx
2. We fixed the VPN pool /28 network as well as the nat 0 access list and crypto ACL so that they are consistent.
Here is a link for future reference with many PIX configuration scenarios
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html
Finally, your only remaining question, we can say, is purely isolated to the VPN client software and the Mac machine.
You could maybe try a different version of the client on the Mac, or also look at the release notes for open caveats concerning Cisco client versions and Mac versions, if there are problems.
http://www.Cisco.com/en/us/products/sw/secursw/ps2308/prod_release_notes_list.html
Regards
-
My remote-access VPN client is not able to connect to the internal network.
The concentrator is connected to the main switch and the server 172.28.31.171 is also connected to the main switch.
Inter-VLAN routing works fine. The server and the concentrator are able to reach each other via the main switch.
Concentrator private IP address 172.28.31.92/248
VPN POOL: 172.28.31.128/29
Main switch IP address is 172.28.31.91
The client is able to connect without any problem, but is not able to ping or connect to any device on the client network.
In the VPN session I see bytes sent and received. My LAN-to-LAN tunnels work properly without any problem.
No firewall is involved in the path between the concentrator and the desired server 172.28.31.171.
Both are connected to the same switch but in different VLANs. Inter-VLAN routing works and both are able to ping each other.
Only the remote access client 172.28.31.128/248 is not able to reach anywhere.
Core switch routing table
IP route 172.28.0.0 255.255.0.0 172.28.31.68
IP route 172.28.0.0 255.255.224.0 172.28.31.77
IP route 172.28.31.128 255.255.255.248 172.28.31.92
IP route 172.28.32.50 255.255.255.255 172.28.31.92
IP route 172.29.0.0 255.255.0.0 172.28.31.68
Concentrator routing table
172.28.0.0 255.255.0.0 via 172.28.31.91
172.29.0.0 255.255.0.0 via 172.28.31.91
192.168.0.0 255.255.0.0 via 172.28.31.91
Split tunnel is enabled for
172.28.0.0/0.0.255.255
172.29.0.0/0.0.255.255
172.31.0.0/0.0.255.255
192.168.0.0/0.0.255.255
See the attachment that shows the client connects successfully but is not sending or receiving anything. I checked
with a change of the MTU size and by enabling and disabling NAT-T, but without success.
Did you add a static route for your core IP subnet pointing back to the VPN concentrator unit?
-
Hello world
I have a problem with a site-to-site VPN between two Cisco routers. The configurations are:
Site A
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key secrettestkey address x.x.x.x
!
!
crypto ipsec transform-set S2S esp-3des esp-sha-hmac
!
crypto map S2S 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set S2S
 match address S2S
interface FastEthernet4
 ip address y.y.y.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map S2S
!
!
interface Vlan1
 no ip address
!
!
interface Vlan12
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.x
ip route 192.168.14.0 255.255.255.0 y.y.y.x
!
ip access-list extended S2S
 permit ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
!
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
Site B
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key secrettestkey address x.x.x.x
crypto ipsec transform-set testS2S esp-3des esp-sha-hmac
crypto map DCMAP 20 ipsec-isakmp
 description test tunnel
 set peer x.x.x.x
 set transform-set testS2S
 match address testS2S
interface GigabitEthernet0/0
 description Outside
 ip address y.y.y.y 255.255.255.224
 ip access-group OUTSIDE2INSIDE in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map DCMAP
ip route 192.168.100.0 255.255.255.0 y.y.y.x
ip access-list extended testS2S
 permit ip 192.168.14.0 0.0.0.255 192.168.100.0 0.0.0.255
There is also a NAT-T configuration on this site.
The tunnel is not coming up. The status is MM_NO_STATE.
What are the causes of the problem? Please advise.
Hello
Check out the link. It's for remote access IPSec. Try to remove the config and reapply the crypto map.
Second, in the debug, I see the router goes for x-auth.
Jan 26 04:35:44.707: ISAKMP: Config payload REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083): no provision of demand
Jan 26 04:35:44.707: ISAKMP: Invalid configuration REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083): WSF action returned error: 2
Jan 26 04:35:44.707: ISAKMP:(2083): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
You can disable xauth by using no-xauth at the end of the isakmp key statement.
# crypto isakmp key 0 abc address x.x.x.x no-xauth
HTH
-
Guys,
I'm new to the world of IP VPN. I am setting up a site-to-site VPN between 2 Cisco 1841 routers. I have an SDSL connection on both ends and I am able to ping both outside IPs OK, but I have problems with the VPN configuration. The VPN tunnel is not coming up and show crypto isakmp sa shows me nothing. I enabled debugging on isakmp and ipsec but no trace is displayed. Attached is my router config; I have a similar config on the other end.
Help, please!
Cheers,
K
This ping will never work; right now you are pinging from the dialer interface. Go ahead and do
ping 192.168.0.254 source 192.168.1.1
-
Sir/Madam, I have the following problem:
ASA ClientVPN---Internet--ASA--VLAN1(192.168.1.0/24)
| -VLAN2
| -VLAN3
VPN = 192.168.10.0/24
When I create the VPN connection with the wizard, with the list of networks to tunnel,
it does not connect and displays the following message:
No translation group found for tcp src outside:192.168.10.2/48257 dst 192.168.1.2/80
This message is the same as the one it throws when trying to communicate between VLANs on the ASA,
which is why I created the following rules:
static (outside,VLAN1) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (VLAN1,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
which allows communication between the VPN and VLAN1, but I lose internet
access from VLAN1. Please help.
Julio,
You need to add a NAT exemption from your internal VLAN to your VPN address pool, something like this:
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list sheep
which will allow communication from the inside 192.168.1.0/24 to the VPN clients; you must add the remaining lines for the other VLANs and apply them on the required VLANs if they are on different interfaces, of course.
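As an added check, not code from this thread or from the PIX thread earlier on the page: the Python below parses the pool, nat 0 and crypto-map "match address" statements of a PIX 6.x / ASA config and reports where they disagree, which is the alignment both this reply and Aditya's summary to Hugh describe. Run over the pool and ACL lines of the PIX 501 config posted earlier (Noelle's), it flags that the dynamic crypto ACL there selects only 192.168.229.32/27 while the pool hands out .1 to .254; the Julio samples are constructed from this thread, and the pool name VPNPOOL in them is assumed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added consistency checker, not code from any post on this page.  It reads the
# few PIX 6.x / ASA statements that decide whether remote-access VPN traffic is
# NAT-exempted (nat 0) and selected by the crypto map, and reports the gaps.
Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]      # (protocol, source, destination)
Finding = Tuple[str, str, int]    # (kind, acl name, pool addresses affected)


def _take_net(tokens: List[str], names: Dict[str, str]) -> Net:
    """Pop 'any' or 'ADDR MASK' off the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    return Net(f"{names.get(tok, tok)}/{tokens.pop(0)}", strict=False)


def parse(config: str):
    """Collect name aliases, permit entries per ACL, the address pool, the nat 0
    exemption ACL and every ACL referenced by a crypto-map 'match address'."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[Entry]] = {}
    pool: Optional[Tuple[int, int]] = None
    nat0: Optional[str] = None
    crypto: List[str] = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) == 3 and t[0] == "name":                      # name 192.168.42.0 Dmi
            names[t[2]] = t[1]
        elif len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
            rest = t[4:]
            src, dst = _take_net(rest, names), _take_net(rest, names)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif len(t) == 5 and t[:3] == ["ip", "local", "pool"]:  # ip local pool P lo-hi
            lo, hi = t[4].split("-")
            pool = (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0 = t[4]
        elif len(t) >= 3 and t[0] == "crypto" and t[-3:-1] == ["match", "address"]:
            crypto.append(t[-1])
    return names, acls, pool, nat0, crypto


def _uncovered(pool: Tuple[int, int], entries: List[Entry]) -> int:
    """Count pool addresses that no 'perm ip' destination covers.  An icmp-only
    entry (as in the posted crypto ACL) is ignored on purpose: it makes pings
    interesting traffic but not TCP/UDP sessions."""
    nets = [dst for proto, _src, dst in entries if proto == "ip"]
    return sum(1 for a in range(pool[0], pool[1] + 1)
               if not any(ipaddress.IPv4Address(a) in n for n in nets))


def check(config: str) -> List[Finding]:
    """Return findings; an empty list means pool, nat 0 ACL and crypto ACLs agree."""
    _names, acls, pool, nat0, crypto = parse(config)
    if pool is None:
        return [("no_pool", "", 0)]
    size = pool[1] - pool[0] + 1
    findings: List[Finding] = []
    if nat0 is None:
        # Without nat 0, inside replies to VPN clients hit the interface PAT or
        # fail with "No translation group found", the message posted above.
        findings.append(("nat0_missing", "", size))
    elif gap := _uncovered(pool, acls.get(nat0, [])):
        findings.append(("nat0_gap", nat0, gap))
    for name in crypto:
        if gap := _uncovered(pool, acls.get(name, [])):
            findings.append(("crypto_gap", name, gap))
    return findings


# Pool and ACL lines as posted in the PIX 6.3 config earlier on this page.
NOELLE_PIX = """\
name 192.168.42.0 Dmi
access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit icmp any any
ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
"""

# Constructed from Julio's thread (pool name VPNPOOL is assumed): VLAN1
# 192.168.1.0/24, pool 192.168.10.0/24, first with only his static statements,
# then with the nat 0 exemption suggested in the reply.
JULIO_BEFORE = """\
ip local pool VPNPOOL 192.168.10.1-192.168.10.254
static (outside,VLAN1) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (VLAN1,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""
JULIO_AFTER = JULIO_BEFORE + """\
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list sheep
"""

if __name__ == "__main__":
    for label, cfg in (("Noelle", NOELLE_PIX), ("Julio before", JULIO_BEFORE),
                       ("Julio after", JULIO_AFTER)):
        print(label, check(cfg) or "consistent")
```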