VPN question on encryption

Similar Questions

• Question about encryption for a VPN established between two of our sites

  We have two routers Cisco 2951, one at our main location and one at a branch.  An engineer for a local company came and worked all the parameters, including the VPN between the two men.

  For an upcoming exam, the firm wanted to know what kind of security/encryption has been implemented between the two routers.  The engineer is no longer available, so I've went over our configuration files for each of the routers and will have questions about what to tell them (I'll be the first to admit that some of this stuff is over my head).

  I enclose the portions of the configs with "crypto" information he put in place.  If you see something wrong, or need something extra, let me know.

  Thanks in advance!

  That's what you use:

  Phase 1: 3DES, SHA1, PSK, Group2 DH (1024 bits), life time 86400 s

  Phase2: 3DES, SHA1

  Which is today considered legacy crypto, but probably nothing to worry. The crypto-config has always considered that there is "room for improvement"...

• Cisco AnyConnect VPN question

  I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.

  Following configuration:

  : Saved
  :
  ASA Version 8.2 (5)
  !
  asa5505 hostname
  domain BLA
  activate the password * encrypted
  passwd * encrypted
  no names

  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  switchport access vlan 150
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 10.7.30.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP EXTERNAL IP 255.255.255.128
  !
  interface Vlan150
  nameif WLAN_GUESTS
  security-level 50
  IP 10.7.150.1 255.255.255.0
  !
  boot system Disk0: / asa825 - k8.bin
  config to boot Disk0: / running-config
  passive FTP mode
  clock timezone STD - 7
  DNS server-group DefaultDNS
  domain BLA
  permit same-security-traffic intra-interface
  object-group service tcp Webaccess
  port-object eq www
  EQ object of the https port
  object-group network McAfee
  network-object 208.65.144.0 255.255.248.0
  network-object 208.81.64.0 255.255.248.0
  access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
  outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
  outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
  access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
  outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
  outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
  permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
  outside_access_in list extended access permit ip host 159.87.64.30 all
  standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
  IPS_TRAFFIC of access allowed any ip an extended list
  access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
  inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
  access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  host of logging inside the 10.7.30.37
  Debugging trace record
  Within 1500 MTU
  Outside 1500 MTU
  MTU 1500 WLAN_GUESTS
  local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm-645 - 206.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 0-list of access outside_nat0_outbound
  NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
  public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
  public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
  public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
  public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
  public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
  Access-group inside_access_in in interface inside the control plan
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
  Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server ADWM-FPS-02 nt Protocol
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
  Timeout 5
  auth-domain NT ADWM-FPS-02 controller
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
  auth-DC NT ADWM-DC02
  AAA authentication http LOCAL console
  AAA authentication LOCAL telnet console
  the ssh LOCAL console AAA authentication
  Enable http server
  http 206.169.55.66 255.255.255.255 outside
  http 206.169.50.171 255.255.255.255 outside
  http 10.7.30.0 255.255.255.0 inside
  http 206.169.51.32 255.255.255.240 outside
  http 159.87.35.84 255.255.255.255 outside
  SNMP-server host within the 10.7.30.37 community * version 2 c
  location of the SNMP server *.
  contact SNMP Server
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic outside_dyn_map pfs set 20 Group1
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 206.169.55.66
  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
  card crypto outside_map 2 match address outside_cryptomap
  peer set card crypto outside_map 2 159.87.64.30
  card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  Crypto ca trustpoint *.
  Terminal registration
  full domain name *.
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint A1
  Terminal registration
  fqdn ***************
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint INTERMEDIARY
  Terminal registration
  no client-type
  Configure CRL
  Crypto ca trustpoint _SmartCallHome_ServerCA
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint0
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint1
  Configure CRL
  ca encryption certificate chain *.
  certificate ca 0301
  BUNCH OF STUFF
  quit smoking
  A1 crypto ca certificate chain
  OTHER LOTS of certificate
  quit smoking
  encryption ca INTERMEDIATE certificate chain
  YET ANOTHER certificate
  quit smoking
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca LAST BOUQUET
  quit smoking
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.7.30.0 255.255.255.0 inside
  Telnet timeout 30
  SSH 206.169.55.66 255.255.255.255 outside

  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd 4.2.2.2 dns 8.8.8.8
  !
  dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
  enable WLAN_GUESTS dhcpd
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4 - md5 of sha1
  SSL-trust A1 out point
  WebVPN
  allow outside
  AnyConnect essentials
  SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
  enable SVC
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal VPNUsers group strategy
  Group Policy VPNUsers attributes
  value of server DNS 10.7.30.20
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list vpn_users_splitTunnelAcl
  dwm2000.WM.State.AZ.us value by default-field
  Split-dns value dwm2000.wm.state.az.us
  username HCadmin password * encrypted privilege 15
  attributes global-tunnel-group DefaultWEBVPNGroup
  address VPN_POOL pool
  authentication-server-group ADWM-FPS-02
  strategy - by default-VPNUsers group
  tunnel-group 206.169.55.66 type ipsec-l2l
  IPSec-attributes tunnel-group 206.169.55.66
  pre-shared key *.
  tunnel-group 159.87.64.30 type ipsec-l2l
  IPSec-attributes tunnel-group 159.87.64.30
  pre-shared key *.
  !
  class-map IPS_TRAFFIC
  corresponds to the IPS_TRAFFIC access list
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the icmp
  Review the ip options
  class IPS_TRAFFIC
  IPS inline help
  !
  global service-policy global_policy
  field of context fast hostname
  anonymous reporting remote call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e70de424cf976e0a62b5668dc2284587
  : end
  ASDM image disk0: / asdm-645 - 206.bin
  ASDM location 159.87.70.66 255.255.255.255 inside
  ASDM location 208.65.144.0 255.255.248.0 inside
  ASDM location 208.81.64.0 255.255.248.0 inside
  ASDM location 172.16.10.0 255.255.255.0 inside
  ASDM location 159.87.64.30 255.255.255.255 inside
  don't allow no asdm history

  Anyone have any ideas?

  Hello

  Please, add this line in your configuration and let me know if it works:

  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0

  I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.

  Let me know if it helps.

  Thank you

  Vishnu

• nat VPN question.

  Try to find what happened.  I had the remote end raise the tunnel, as they can ping resources on my side.  I am unable to ping 10.90.238.148 through this tunnel.  I used to be able to until the interface of K_Inc has been added.  The network behind this interface is 10/8.

  I asked a question earlier in another post and advises him to play opposite road of Cryptography.  And who did it.  I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

  I am at a loss to why I can't all of a sudden.  A bit of history, given routes have not changed.  By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route.  The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0.  None of the nats have changed so if adding the reverse route worked for a day, it should still work.  Any thoughts?

  interface GigabitEthernet0/3.10

  VLAN 10

  nameif K_Inc

  security-level 100

  IP address 192.168.10.254 255.255.255.0

  interface GigabitEthernet0/3.141

  VLAN 141

  cold nameif

  security-level 100

  IP 192.168.141.254 255.255.255.0

  (Cold) NAT 0 access-list sheep

  NAT (cold) 1 192.168.141.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

  IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

  static 10.40.27.0 (cold, outside) - CSVPNNAT access list

  card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

  card crypto Outside_map 5 the value reverse-road

  card crypto Outside_map 5 set pfs

  card crypto Outside_map 5 set peer 20.x.x.3

  Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

  card crypto Outside_map 5 defined security-association life seconds 28800

  card crypto Outside_map 5 set security-association kilobytes of life 4608000

  tunnel-group 20.x.x.3 type ipsec-l2l

  20.x.x.3 Group of tunnel ipsec-attributes

  pre-shared-key *.

  Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

  Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

  Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

  Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

  Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

  Tunnel is up:

  14 peer IKE: 20.x.x.243

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  EDIT:

  I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

  Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 10.90.238.0 255.255.255.0 outside

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

  hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 4

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

  hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 5

  Type: FOVER

  Subtype: Eve-updated

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad090180, priority = 20, area = read, deny = false

  hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 6

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

  match ip host 192.168.141.10 ColdSpring outside of any

  static translation at 74.x.x.50

  translate_hits = 610710, untranslate_hits = 188039

  Additional information:

  Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

  Direct flow from returns search rule:

  ID = 0xac541e50, priority = 5, area = nat, deny = false

  hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 7

  Type: NAT

  Subtype: host-limits

  Result: ALLOW

  Config:

  static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

  static translation at 192.168.141.0

  translate_hits = 4194, untranslate_hits = 20032

  Additional information:

  Direct flow from returns search rule:

  ID = 0xace2c1a0, priority = 5, area = host, deny = false

  hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 8

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

  hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 9

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

  hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 10

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 339487904 id, package sent to the next module

  Information module for forward flow...

  snp_fp_inspect_ip_options

  snp_fp_tcp_normalizer

  snp_fp_translate

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Information for reverse flow...

  snp_fp_inspect_ip_options

  snp_fp_translate

  snp_fp_tcp_normalizer

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Phase: 11

  Type:-ROUTE SEARCH

  Subtype: output and contiguity

  Result: ALLOW

  Config:

  Additional information:

  found 7.x.x.1 of next hop using ifc of evacuation outside

  contiguity Active

  0007.B400.1402 address of stretch following mac typo 51982146

  Result:

  input interface: cold

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  What version are you running to ASA?

  My guess is that your two static NAT is configured above policy nat you have configured for the VPN?  If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

  --

  Please note all useful posts

• VPN question

  Hi, I use the windows Server 2003 and. When I access my server at home I connect the VPN but I not have access to the shared private folder when I try to open the system crashes but the other file I can open without blocking. Please help me solve this problem...

  Hi Patchamuthu,

  Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for support on Windows server. Please post your question in the below link:http://social.technet.microsoft.com/Forums/en/itproxpsp/threads

  With regard to:

  Samhrutha G S - Microsoft technical support.

  Visit our Microsoft answers feedback Forum and let us know what you think.

• 3 questions about encryption on the Z5

  Hi, I have three questions to ask other Xperia users.

  If I decide to encrypt my phone (Z5):

  (1) what will be the star of the performance? It will be noticeable?

  (2) I know it is not compatible with the smart lock, but it will make it also impossible to unlock the phone by using the fingerprint reader, knowing that this feature uses a proprietary API in its current form of "Lollipop"? (Good thing Marshmallow natively supports it)

  (3) again, it will be possible to use and update my phone with Flashtool?

  Thank you

  Hey, I have improved my Z5P yesterday to 6.0 using flashtool, so I can help

  (1) not for me / I have no comparison

  (2) totally compatible. Fingerprints don't worked with LL, as well as with mm. Fingerprint req. a code pin or password then, no reason

  (3) totally, Yes. BUT: I have my sdcard BA. Well, and not have suffered in some way the cryptokey erased (something like that), so I had to restore a backup that I did the day before. The files are always there, they just cannot be opened. Memory as before interior work, without loss of data.

  Cheers.

• ACL VPN question

  I have two questions that regarding ACL is used in the instructions on the Card Crypto:

  1. the two devices VPN should have the same ACE in the ACL? I know that without the second ACE site B below will not see as interesting udp traffic, but the will of the vpn tunnel fails because the ACL is not the same ACE?

  That is to say...

  Site has

  Access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

  Access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

  Site B

  Access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

  2. once a tunnel is established it will send ANY/ALL traffic destined to the remote network through this tunnel. If the first ACE in the ACL 110 to Site A list is used to bring up the tunnel, only tcp from to 10.0.2.0/24 10.0.1.0/24 traffic will use the tunnel or all traffic from 10.0.1.0/24 intended for the remote network to cross the tunnel?

  I guess my thought is this. The ACL is only used to determine valuable traffic and once the tunnel is up it is a free for all. Or the ACL only allows traffic that meets the criteria specified in the ACL list to flow once the tunnel is established?

  Thank you

  Brian

  Brian,

  Your statement

  'Or the ACL allows only traffic that meets the criteria specified in the ACL list to flow after the tunnel is established'

  Is correct, only the traffic that meets the ACL crypto will go through the vpn tunnel and all other traffic will be denied. If you need UDP traffic to travel through the tunnel, you need crypto ACL on both sides and not only on one side, that is, SITE A.

  Hope this helps,

  Jay

• L2L IOS VPN question

  Hello

  I created a vpn between two routers in two different sites. The VPN works well, but I noticed something that I can ping from peer1 at peer2 however the tunnel although the ACL of the interesting traffic allows no icmp between two counterparts, it is configured as follows:

  access-list 120 allow ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

  access-list 120 allow ip 1.1.1.1 host 2.2.2.2

  No icmp is allowed, but the icmp traffic is encapsulated, encrypted, and through the tunnel, why?

  Hello moahmed1981,

  When you configure access-list for IPs, so it includes ICMP, TCP, and UDP, therefore, it is expected that you will be able to ping across the tunnel.

  If you want to change this, please configure the VPN filter to prevent the ping to the vpn tunnel.
  Here's a doc for your reference:-
  https://popravak.WordPress.com/2011/11/07/Cisco-IOS-VPN-filter/

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• ASA to AWS VPN question

  I have problems with our VPN to AWS. The configuration of the firewall is below:

  Firewall 1

  !
  hostname FW
  activate the password
  names of

  !
  interface GigabitEthernet0/0
  Description Inside_To_SW-DISTRIBUTION-01_Gi1/0/2
  nameif LAN
  security-level 100
  IP address 172.16.x.1 255.255.252.0
  !
  interface GigabitEthernet0/1
  Description Outside_To_SW-DISTRIBUTION-01_Gi1/0/1
  nameif WAN
  security-level 0
  IP address 212.x.x.201 255.255.255.248 watch 212.x.x.202
  !
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP address 10.x.x.x 255.255.255.0
  !
  boot system Disk0: / asa913-smp - k8.bin
  passive FTP mode
  clock timezone GMT/UTC 0
  summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
  DNS domain-lookup LAN
  DNS server-group DefaultDNS
  Name-Server 8.8.8.8
  4.4.4.4 server name
  permit same-security-traffic intra-interface
  network of the object OBJ-LAN-SUB-NETWORK
  subnet 172.x.128.0 255.255.252.0
  object OBJ-POOL-A network
  range 212.x.x.195 212.x.x.196
  object obj-SrcNet network
  subnet 0.0.0.0 0.0.0.0
  network of object obj-amzn
  10.32.0.0 subnet 255.255.0.0

  gamma of network object
  subnet 88.215.48.0 255.255.240.0
  tinet network object
  subnet 89.149.128.0 255.255.192.0

  object-group service DM_INLINE_SERVICE_1
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_2
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_3
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  object-group service DM_INLINE_SERVICE_4
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  DM_INLINE_TCP_1 tcp service object-group
  port-object eq www
  EQ object of the https port
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  object-group service DM_INLINE_SERVICE_5
  SIP service-purpose tcp - udp destination eq
  the purpose of the service tcp destination eq www
  the purpose of the tcp destination eq https service
  the purpose of the tcp destination eq ldap service
  area of service-object udp destination eq
  the purpose of the udp destination eq ntp service
  object-group service tcp imp
  EQ object Port 5222
  rtp udp service object-group
  60000 10000 port-object range
  object-group service tcp sip1
  port-object eq 8011
  object-group service sip2 tcp
  port-object eq 5080
  DM_INLINE_TCP_2 tcp service object-group
  port-object eq ftp
  port-object eq ftp - data
  EQ port ssh object
  object-group service DHCP udp
  port-object eq bootps
  DHCPrange udp service object-group
  ports of DHCP Description
  Beach of port-object bootps bootpc

  object-group grp-voip network
  gamma of network-object object
  network-object object tinet

  LAN_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 object OBJ-LAN-SUB-NETWORK any4
  LAN_access_in list extended access allowed object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq field
  LAN_access_in list extended access allowed object OBJ-LAN-SUB-NETWORK ip everything
  LAN_access_in list extended access permitted ip 10.x.x.x 255.255.255.0 everything
  LAN_access_in list extended access udp allowed any any DHCP object-group
  list of access TUNNEL of SPLIT standard allowed 172.16.x.0 255.255.252.0

  extended access list acl-amzn allow any4 ip 10.32.0.0 255.255.0.0
  extended access list acl-amzn allow icmp any4 10.32.0.0 255.255.0.0

  global_access deny ip extended access list a whole

  10.32.0.0 IP Access-list extended filter amzn 255.255.0.0 allow 172.16.128.0 255.255.252.0
  refuse the access-list extended ip a whole amzn-filter

  WAN_access_out list extended access allowed object-group DM_INLINE_SERVICE_4 object OBJ-LAN-SUB-NETWORK any4
  WAN_access_out list extended access allowed object-group DM_INLINE_SERVICE_5 object OBJ-SUB-LAN-NETWORK-object-group grp-voip
  WAN_access_out list extended access permitted udp object OBJ-SUB-LAN-NETWORK-object-group grp-voip-group of objects rtp
  permit WAN_access_out to access extensive ip list object OBJ-LAN-SUB-NETWORK object obj-amzn
  WAN_access_out list extended access allowed object-group TCPUDP object OBJ-LAN-SUB-NETWORK any eq field
  WAN_access_out list extended access permitted tcp object OBJ-LAN-SUB-NETWORK any4 object-group DM_INLINE_TCP_1
  WAN_access_out list extended access permit tcp any any DM_INLINE_TCP_2 object-group
  WAN_access_out of access allowed any ip an extended list
  permit access list extended ip host 52.17.201.49 WAN_access_in 212.84.183.201
  permit access list extended ip host 52.18.197.187 WAN_access_in 212.84.183.201

  pager lines 24
  Enable logging
  emergency logging console
  emergency logging monitor
  exploitation forest asdm warnings
  MTU 1500 LAN
  MTU 1500 WAN
  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any WAN

  ARP timeout 14400
  no permit-nonconnected arp
  NAT (LAN, WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
  NAT (LAN, WAN) static source any any destination static OBJ ANYCONNECT-SUB-NETWORK-OBJ-ANYCONNECT-UNDER-NETWORK non-proxy-arp-search directions
  !
  network of the object OBJ-LAN-SUB-NETWORK
  OBJ-POOL-A dynamic pool pat flat interface include the NAT (LAN, WAN) reserves
  !
  OBJ-ANYCONNECT-SUB-NETWORK dynamic interface source NAT (all, WAN) after the automatic termination
  LAN_access_in access to the LAN by-user-override interface group
  WAN_access_in access to the WAN interface group
  Access-group WAN_access_out WAN interface
  Access-Group global global_access
  Route WAN 0.0.0.0 0.0.0.0 212.x.x.x 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
  Sysopt connection tcpmss 1387
  SLA 1 monitor
  type echo protocol ipIcmpEcho 10.x.x.x WAN interface
  frequency 5
  SLA monitor Appendix 1 point of life to always start-time now

  Crypto ipsec transform-set transform-amzn ikev1 aes - esp esp-sha-hmac
  replay window-size 128 ipsec encryption security association
  Crypto ipsec pmtu aging infinite - the security association
  Crypto ipsec WAN clear-df df - bit

  card crypto amzn_vpn_map 1 match address acl-amzn
  card crypto amzn_vpn_map 1 set pfs
  amzn_vpn_map card crypto peer 52.17.201.x 52.18.197.x 1jeu
  amzn_vpn_map 1 set transform-set transform-amzn ikev1 crypto card
  amzn_vpn_map card crypto 1 lifetime of security set association, 3600 seconds
  card crypto amzn_vpn_map WAN interface
  Crypto ca trustpoint ASDM_TrustPoint0
  Terminal registration
  name of the object CN = FW-INTERNET-LON
  Configure CRL
  trustpool crypto ca policy
  crypto isakmp identity address
  Crypto ikev2 enable port 443 of the WAN-customer service
  Crypto ikev1 enable WAN
  IKEv1 crypto policy 201
  preshared authentication
  aes encryption
  sha hash
  Group 2
  lifetime 28800
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 WAN
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  source of x.x.x.x server NTP WAN
  WebVPN
  Select the WAN
  AnyConnect enable
  tunnel-group-list activate
  GroupPolicy_ANYCONNECT-group-policy PROFILE internal
  attributes of Group Policy GroupPolicy_ANYCONNECT-PROFILE
  value of server DNS 8.8.8.8 4.4.4.4
  client ssl-VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  IPv6-split-tunnel-policy excludespecified
  crowdmix.me value by default-field
  activate dns split-tunnel-all
  internal filter group policy
  attributes to filter group policy
  VPN-value amzn-filter

  tunnel-group ANYCONNECT-PROFILE type remote access
  tunnel-group ANYCONNECT-PROFILE general-attributes
  ANYCONNECT-POOL address pool
  GroupPolicy_ANYCONNECT-PROFILE of default-group-strategy
  tunnel-group ANYCONNECT-PROFILE webvpn-attributes
  enable ANYCONNECT-PROFILE Group-alias
  tunnel-group 52.17.201.x type ipsec-l2l
  tunnel-group 52.17.201.x General-attributes
  filter by default-group-policy
  52.17.201.x group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  ISAKMP keepalive retry threshold 10 3
  tunnel-group 52.18.197.x type ipsec-l2l
  tunnel-group 52.18.197.x General-attributes
  filter by default-group-policy
  52.18.197.x group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  ISAKMP keepalive retry threshold 10 3
  tunnel-group 52.30.177.x type ipsec-l2l
  tunnel-group 52.31.131.x type ipsec-l2l
  !
  ICMP-class class-map
  match default-inspection-traffic
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map icmp_policy
  icmp category
  inspect the icmp
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  icmp_policy service-policy interface WAN
  context of prompt hostname
  !
  Booking Jumbo-image
  !
  no remote anonymous reporting call
  Cryptochecksum:ff493f0ff375e83710e6bc9d19476e0e
  : end

  When I add a second VPN connection by using the commands below:

  object obj-amzn2 network

  10.34.0.0 subnet 255.255.0.0

  NAT (LAN, WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn2 obj-amzn2

  I see the tunnels going up, however, we immediately begin to see the Voip system lose the SIP traffic with its servers, and even if you can still use internet if you have an open socket you can not create a new session. It looks like a problem of routing for me, but I can't seem to find the place where

  Any help greatly appreciated

  So, you want to have two virtual private networks from Amazon to blocks of different destinations, 10.32.0.0/16, and 10.34.0.0/16, correct?

• Site to Site VPN question

  Hello world

  The vendor name is implemented server in our environment.

  We implement VPN site-to-site.

  Subnet it is interesting traffic 192.168.50.x

  Server IP 192.168.50.1 - Switch1 - ASA - Site to site VPN - provider ASA.

  Gateway server is on switch1 if this server requires access to the internet I need to know what config I need on ASA on my site?

  I want the server to access the internet through the provider network

  Concerning

  Mahesh

  Hello

  Your crypto ACL would be:

  ip access-list VPN-TO-VENDOR permit ip 192.168.50.0 255.255.255.0 any

  Cryptography providers ACL would be:

  ip acces-list VPN-TO-COMPANY permit ip any 192.168.50.0 255.255.255.0

  All traffic from 192.168.50.0/24 out of the application interface map encryption for any destination would be sent to the seller through the VPN. It will be useful.

• VPN question: ISP assigned a private ip address

  Hi all

  Internet-online-online headquarters VPN 3015 concentrator

  Users remote VPN Client connected to the internet using a private ip address provided by the ISP (cable) is to establish a VPN tunnel, but they can not ping our private network.

  The only way to get the VPN works is when remote users use a public ip.

  It is a question of Cisco VPN Client? Or it has a solution...

  Thanks in advance,

  Kind regards

  Carlos Welhous

  Network engineer

  Hi Carlos,

  If your ISP gave you a private address, they must use NAT - in which case you will have to enable NAT - T on the VPN concentrator.

  To configure the NAT - T in the world, go to Configuration | System | Tunnelling protocols. IPSec | Screen of transparent NAT and check on NAT - T IPSec case.

• VPN - question of General design for a ut of a router tunnel more

  Hello

  We have a router that has VPN connections with different partners of our company. VPN remote access were used on computers that are connecting to the different partners of our company.

  There has been problems of this kind, that is to say put on both a watchdog and a customer vpn cisco router led to blue-screens on the PC.

  The current idea is to put different tunnels from site to site on the router (default gateway of PC clients that connect to the partners). My question is... How our PC to get DHCP addresses on networks of visitors, once the tunnels are up? I guess I'm alittle confused about the address for the PC on our side how will work.

  Thanks for your help.

  Divide the pool of ip from the internal network, you're going to visit. for example the document below will be exaplain the same configuration in user mode.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

• Site to site VPN question: passing a public IP with IPSEC

  Hi all

  I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.

  They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...

  Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.

  Any help is appreciated.

  The access list "natted-traffic" should say:

  extended traffic natted IP access list

  deny ip host 192.168.0.160 BB. ABM ABM BD

  deny ip host 192.168.0.160 BB. ABM BB.BE

  output

  I hope this helps.

  -Kanishka

• SSL VPN recommendation without encryption RC4

  Hello

  Actually I m using Annyconnect in ASA with SSL RC4 Cipher Suites taken care of, vulnerability it is recommended to use without RC4 encryption.

  The question is, there is a document illustrating the best practices or recommendations to do?, I Don t know if it has an impact in this change, or if it is supported in the code.

  Concerning

  Ricardo

  Ricardo,

  Recommendations:

  http://www.Cisco.com/Web/about/security/intelligence/nextgen_crypto.html#15

  The impact is usually double that:

  -All clients/browsers will support new encryption algorithms

  -What level of computational overhead will be presented.

  ASA side it is a cryptographic chip that is quite effective at handling in general crypto.

  If your clients support address allowing DHE based ciphers.

  I don't think there is a big best practices doc avilable, need a little more on the environment.

  M.

• L2l - a non-reachable subnet VPN question

  Hi people,

  I have a strange problem with a new VPN connection and would appreciate any help.

  I have a pair of Cisco asa 5540 s configured as a failover pair (code version 8.2 (5)).

  Recently, I added 2 new VPN L2L - these two VPNS come from the same interface on my ASA (called Internet service provider) and both are to the same customer, but they end the different firewall on the end of cusomter and different client subnets traffic encryption.    There is a basic network diagram attached.

  1 - the VPN is for customer subnet 10.2.1.0/24 traffic.    Devices in this subnet should have access to 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN working properly.

  2 - the VPN is for the subnet 192.168.1.0/24 customer traffic.    Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    What VPN does not work - the client can access 144 DMZ, but not of DMZ 211.

  There is a SAs isakmp and ipsec for two virtual private networks.    I noticed that the program/decaps packages counter does not increment when the client sends the test traffic to 211 of the DMZ.  This counter will increment when they send traffic test to DMZ144.   I also see the traffic sent to 144 DMZ customer subnet 192.168.1.0/24 in packet capture on the interface DMZ 144 of the ASA.   I don't see similar traffic capture on the interface DMZ211 (although I can see the traffic sent to DMZ211, if it is from 10.2.1.0/24 - IE when using VPN1)

  Exemption of NAT is configured for 192.168.1.0/24 and 10.2.1.0/24.

  There is a road to two client subnets via the same next hop.

  There is nothing in the unknown newspapers 192.168.1.0/24 traffic has been ignored

  I suspect that this may be a problem on the client side, but I would like to be able to prove that.   Specifically, I'd like to really be able to capture traffic destined to 211 DMZ on the interface of the firewall after her Internet service provider has been deciphered - I don't know if this can be done however, and I haven'treally has found a good way to prove or disprove that the 192.168.1.0/24 DMZ211 VPN traffic coming to my ASA Internet service provider interface and show what happens to This traffic, after his arrival.

  Here is the relevant vpn configuration:

  MY_CRYPTO_MAP 90 crypto card matches the address VPN_2

  card crypto MY_CRYPTO_MAP 90 set peer 217.154.147.221

  crypto 90 MY_CRYPTO_MAP the transform-set 3dessha value card

  card crypto set MY_CRYPTO_MAP security-association life 90 seconds 86400

  crypto MY_CRYPTO_MAP 100 card matches the address VPN_1

  card crypto MY_CRYPTO_MAP 100 set peer 193.108.169.48

  crypto MY_CRYPTO_MAP 100 the transform-set 3dessha value card

  card crypto MY_CRYPTO_MAP 100 set security-association second life 86400

  crypto MY_CRYPTO_MAP isp interface card

  ASA # sh access-list VPN_2

  VPN_2 list of access; 6 elements; hash name: 0xa902d2f4

  permit for access list 1 VPN_2 line extended ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f

  access-list 1 permit line VPN_2 extended 192.168.144.0 ip 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 45) 0x93b6dc21

  access-list 1 permit line VPN_2 extended ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 6) 0x0abf7bb9

  access-list 1 permit line VPN_2 extended ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt = 8) 0xcc48a56e

  ASA # sh VPN_1 access-list

  VPN_1 access list; 3 elements; hash name: 0x30168cce

  access-list line 1 license VPN_1 extended ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt = 6) 0 x 61759554

  allowed to Access - list line 2 VPN_1 extended ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 3) 0xa602c97c

  allowed to Access - list VPN_1 line 3 extended ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x7b9f32e3

  nonatdmz144 (dmz144) NAT 0 access list

  nonatdmz211 (dmz211) NAT 0 access list

  ASA # sh access-list nonatdmz144

  nonatdmz144 list of access; 5 elements; hash name: 0xbf28538e

  access-list 1 permit line nonatdmz144 extended 192.168.144.0 ip 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt = 0) 0 x 20121683

  allowed to Access-list nonatdmz144 line 2 extended 192.168.144.0 ip 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt = 0) 0xbc8ab4f1

  permit for access list 3 nonatdmz144 line scope ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt = 0) 0xce869e1e

  allowed to Access-list nonatdmz144 line 4 extended 192.168.144.0 ip 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt = 0) 0xd3ec5035

  permit for access list 5 nonatdmz144 line scope ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x4c9cc781

  ASA # sh nonatdmz211 access-list | in 192.168\.1\.

  permit for access list 3 nonatdmz1 line scope ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 0) 0x2bbfcfdd

  ASA # sh nonatdmz211 access-list | in 10.2.1.

  allowed to Access-list nonatdmz1 line 4 extended ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x8a836d91

  Route ISP 192.168.1.0 255.255.255.0 137.191.234.33 1

  Route ISP 10.2.1.0 255.255.255.0 137.191.234.33 1

  Thanks in advance to anyone who's looking good!

  Darragh

  The counters of compensation was a good idea. If the counter is not incremented and ping the remote side is not cause future VPN it certainly confirms that something is not working properly.

  It might be interesting to wait the SAs time out and go idle and test it again with the ping to the remote subnet that does not work. Turn on debugging for ISAKMP and see if there is an attempt of negotiation. Especially if you don't get any attempt to open ISAKMP then so it would be a way of showing that there is a problem on the remote site.

  Certainly, the ASA has the ability to capture packets. I've used this feature and it can be very useful. I have not tried to make a catch on the external interface for incoming VPN traffic and so not sure if you would be available to capture the encrypted packet or the off encrypted packet. You can configure an access list to identify traffic capture and I guess you could write an access list that included the two addresses as source and destination peer to capture encrypted traffic and the Scriptures that were unencrypted source and destination subnets to capture traffic after encryption.

  HTH

  Rick