VPN Remote LAN to LAN VPN issues

The issue I'm having is that I have an ASA that provides LAN-to-LAN VPN and remote access VPN. The LAN-to-LAN VPN connects to another network where a remote server sits, and the remote access VPN connects remote users to the LAN. Both VPNs are currently working; however, users connected via the remote access VPN cannot reach the server across the LAN-to-LAN VPN. Here's our setup:

ASA - LAN to LAN VPN - ASA - Local LAN - Server
|
|
Remote VPN access
|
|
Remote users

In this configuration remote users can access the local network, the server can access the local network, and the local network can access the server and the remote users. However, the server cannot access the remote users and the remote users cannot access the server. Any ideas on how to get this to work would be much appreciated. I created the NAT rules I think were needed and added the necessary addresses so that the remote VPN users' client application lists the network on the other side of the LAN-to-LAN VPN as a routable network. Also, I believe that all the access rules are correct, as packet tracers on both sides are successful. However, when you try to ping from the remote client to the server at the other end of the L2L it fails, as do other attempts to access the server such as RDP. Does anyone have a step-by-step on how to set up this type of configuration, remote access and L2L configured on an ASA, while letting the two VPNs talk to each other? By the way, these are two ASA 5505s with the two VPNs in this configuration, one at each end of the L2L, on 7.2 and 8.2. Any help would be appreciated, especially a tutorial or a list of the commands needed to implement it, because I think I'm probably missing just a little extra configuration that I just can't figure out.

Use your favorite search engine for "same-security-traffic permit intra-interface".

Sent from Cisco Technical Support iPad App
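As an added illustration (this is not code from the thread or from Cisco), the checklist behind that one-line reply as a small Python model: the reply's command lets a decrypted remote-access packet leave the same outside interface it arrived on, and the crypto-ACL and NAT-exemption entries the original poster mentions are the remaining pieces. All networks and rule lists below are constructed, and the four checks are an assumption about what the hub and its peer need, not something the thread spells out beyond the `same-security-traffic` command.

```python
"""Added example, not code from the thread or from Cisco: a model of the four things the
hub ASA and its L2L peer need before remote-access clients can be hairpinned into the
LAN-to-LAN tunnel. Networks and rule lists are constructed for illustration."""
import ipaddress

Net = ipaddress.IPv4Network

RA_POOL = Net("192.168.235.0/26")   # constructed: remote-access client pool on the hub ASA
LOCAL_LAN = Net("10.0.2.0/24")      # constructed: LAN behind the hub ASA
L2L_REMOTE = Net("10.20.0.0/24")    # constructed: network behind the LAN-to-LAN peer


def covered(rules, src, dst):
    """True if some (source, destination) pair in rules contains both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in rules)


def hairpin_gaps(intra_interface, hub_crypto_acl, peer_crypto_acl, hub_nat_exempt, pool, remote):
    """List what still blocks pool -> remote traffic from riding the L2L tunnel.

    A remote-access client's packet is decrypted on the hub's outside interface and
    must leave the same interface inside the L2L tunnel, so all of these must hold:
      1. same-security-traffic permit intra-interface: the ASA drops traffic that
         enters and exits the same interface unless this is set;
      2. the hub's L2L crypto ACL selects pool -> remote as interesting traffic;
      3. the peer's crypto ACL carries the mirror entry remote -> pool, or the
         phase-2 proxy identities never agree;
      4. the hub exempts pool <-> remote from NAT, or the pool source is PATed
         before it is matched against the crypto ACL.
    An empty list means every check passed.
    """
    gaps = []
    if not intra_interface:
        gaps.append("same-security-traffic permit intra-interface")
    if not covered(hub_crypto_acl, pool, remote):
        gaps.append(f"hub crypto ACL lacks {pool} -> {remote}")
    if not covered(peer_crypto_acl, remote, pool):
        gaps.append(f"peer crypto ACL lacks mirror entry {remote} -> {pool}")
    if not covered(hub_nat_exempt, pool, remote):
        gaps.append(f"hub NAT exemption lacks {pool} -> {remote}")
    return gaps


def demo():
    # Starting point of the thread: the L2L tunnel and the NAT exemptions were built
    # for LOCAL_LAN only, so clients reach the LAN but not the network behind the peer.
    hub_crypto = [(LOCAL_LAN, L2L_REMOTE)]
    peer_crypto = [(L2L_REMOTE, LOCAL_LAN)]
    nat_exempt = [(LOCAL_LAN, RA_POOL), (LOCAL_LAN, L2L_REMOTE)]
    before = hairpin_gaps(False, hub_crypto, peer_crypto, nat_exempt, RA_POOL, L2L_REMOTE)
    # After enabling hairpinning and adding the pool to both crypto ACLs and the exemption.
    after = hairpin_gaps(True,
                         hub_crypto + [(RA_POOL, L2L_REMOTE)],
                         peer_crypto + [(L2L_REMOTE, RA_POOL)],
                         nat_exempt + [(RA_POOL, L2L_REMOTE)],
                         RA_POOL, L2L_REMOTE)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing before:", before)
    print("missing after:", after)
```

The `covered` test is subnet containment, so a pool carved out of a wider exempted range still passes; what it cannot tell you is whether the peer side really has the mirror entry, which on a third-party device you have to read off that device.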

Tags: Cisco Security

Similar Questions

  • RVL200 SSL VPN: cannot access a remote LAN with iPad2

    RVL200 firmware 1.1.12.1

    iPad2 cannot access any device on the Remote LAN despite the closed padlock icon.

    Is there another App needed? Or how to debug SSL VPN?

    Emmanuel,

    Were you able to access the LAN devices? Also, have you connected using a Mac or a PC successfully to verify that the devices are available? Sometimes antivirus and firewall software can block access to devices from a remote IP address.

  • ASA 8.4 NAT VPN issue.

    Hello

    I'm working on a customer site and they have a problem with one of their VPNs (we have others that work well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic from inside to outside:

    It works with a specific manual NAT rule with the server object 10.10.10.10 as source

    Inside (SRC -> DST)        SNAT                    VPN        <3rd party FW>
    10.10.10.10 -> 1.1.2.10    1.1.1.10 -> 1.1.2.10    = VPN =    1.1.1.10 -> 1.1.2.10

    It works with a specific rule using object NAT on the 10.10.10.10 server object

    Remote (SRC -> DST)        <3rd party FW>          VPN        DNAT
    1.1.1.10 -> 1.1.2.10       1.1.1.10 -> 1.1.2.10    = VPN =    1.1.1.10 -> 10.10.10.10

    If we have the manual NAT and NAT object it does anyway.

    So the question is (as I am new to ASA 8.3 code): should I not mix the 2 types of NAT and look at configuring it all with manual NAT or object NAT?

    With the object NAT taken out it does not work, as it is caught by the inside-to-outside NAT-all:

    nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1 and then does not match the crypto map for the VPN)

    and I tried a no-NAT above that, but that does not work either.

    Clutching at straws comes to mind, trying to configure a different config. Any pointers in the right direction would be great.

    Kind regards

    Z

    Hello

    I'm not sure I understand the setup even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / Twice NAT.

    You have configured the default PAT rule as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections

    • Section 1: Manual / Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual / Twice NAT (moved to section 3 using the "after-auto" parameter)
    • The Sections are gone through from 1 to 2 to 3, in order, until a match is found.

    You should also notice that the Section 1 and Section 3 NAT rules have a "line number" similar to the ACL parameter type. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule without a line/order number (the VPN NAT), it will just fall under the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. It means that you have to constantly watch and edit its configuration when you try to configure more specific rules.

    As a general rule, the above default PAT configuration in Section 3 would be the following

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. That would naturally mean that the change temporarily tears down all the current connections through "inside"/"outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be in Section 3. Naturally Section 1 will be matched first.

    I'm not quite sure I understood your setup from the above.

    Are you just doing source NAT?

    I guess that the configuration you do is something like this?

    object network LAN-REAL
     subnet 10.10.10.0 255.255.255.0

    object network LAN-MAPPED
     subnet 1.1.1.0 255.255.255.0

    object network REMOTE-LAN
     subnet 1.1.2.0 255.255.255.0

    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the 1.1.1.0/24 network is supposed to be one that is directly connected to your "outside" interface, the format may need to be something else.

    -Jouni

  • Cannot access a remote LAN with Cisco Client

    Hello

    I am using an ASA 5505 and connect with the Cisco VPN Client 5.0.02.0090. The Client connects to the remote LAN and gets an IP from the ASA.

    But I can't access the remote LAN or ping the inside interface of the ASA.

    Can someone help me with this problem?

    If the client computer is in the same subnet as the other PC, then it's not an ASA question.

    Just make sure that the client computer is in the 192.168.20.0/24 subnet, with a default gateway of 192.168.20.100, and connected to a switchport on VLAN 1.

    Finally, check whether the DNS resolution works, or if you can browse the internet with the ip address.

  • Remote LAN Internet access

    I have a PIX 501 connected to an ordinary unmanaged switch. The internal IP address of the PIX is 192.168.0.100. I also have a router connected to a remote site via a dedicated line. The router is also connected to the switch. The IP of the router's E0 is 192.168.0.101. The IP address of the router's S0 interface is, for example, 192.1.1.1. On the remote site, the router's S0 interface is 192.1.1.2, and the E0 interface is 192.168.1.101.

    Users on the LAN using the router as the gateway address. The router forwards all internet traffic to the PIX.

    The problem is that local users can hit the internet and the remote site. Remote users can hit the local site, but they can't hit the internet. They can't even ping the PIX. I assume that there must be an access-list statement in the PIX I'm missing, but I couldn't see what it takes.

    Paul,

    Do you have a route to your remote LAN in your PIX config? i.e.

    inside

    If not, then add it to the PIX config in configuration mode:

    route inside

    Let me know if this can help,

    Jay

  • VPN connects but no remote LAN access

    Hello

    I'm setting up remote access VPN on a PIX 501.

    When I try to connect via the VPN software, I am able to connect but I am unable to access LAN resources.

    I have pasted below the part which seems relevant to my setup. I'm stuck on this issue, could someone help me? Thanks in advance.

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    domain-name test.local
    name 10.0.2.0 inside
    name 10.0.2.13 MSExchange-en
    name 2.2.2.2 MSExchange-out

    access-list outside_access_in permit tcp any gt 1023 host 2.2.2.2 eq smtp
    access-list outside_access_in permit tcp any host 2.2.2.2 eq https
    access-list outside_access_in permit tcp any host 2.2.2.2 eq www
    access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 192.168.235.0 255.255.255.192
    access-list 101 permit icmp any any

    ip address outside 3.3.3.3 255.255.255.0
    ip address inside 10.0.2.254 255.255.255.0
    ip local pool vpn_pool 192.168.235.1-192.168.235.15
    ip local pool vpn_pool_2 192.168.235.16-192.168.235.40

    global (outside) 1 3.3.3.4
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 2.2.2.2 10.0.2.13 netmask 255.255.255.255 1000 1000
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 10.0.2.3 * timeout 10
    aaa-server LOCAL protocol local

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
    crypto map outside_map 90 ipsec-isakmp dynamic dynmap
    crypto map outside_map client authentication RADIUS LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup signal address-pool vpn_pool
    vpngroup signal dns-server 10.0.2.3
    vpngroup signal default-domain test.local
    vpngroup signal idle-time 1800
    vpngroup signal max-time 14400
    vpngroup signal password ********
    vpngroup TF address-pool vpn_pool_2
    vpngroup TF dns-server 10.0.2.3
    vpngroup TF default-domain test.local
    vpngroup TF idle-time 1800
    vpngroup TF max-time 14400
    vpngroup TF password ********

    Kind regards

    Joana

    Very similar to the switch configuration question. You should check that there are no specific routes on the switch other than the default gateway. The switch should route the IP pool subnet to the firewall (10.0.2.254).

  • Duplicate remote LAN VPN subnets

    Hello Experts,

    I have 2 duplicate remote LANs connected via VPN, with the IP addresses 192.168.70.x and 192.168.70.x

    It's already working, but I don't know how to add the second one, which is listed exactly the same. Not clear how to apply the NAT on my local router for the second, duplicate subnet.

    I found this article but it speaks of duplicate LANs on both sides, and it does NOT

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml

    Is there something similar, but with 2 LAN REMOTE subnets?

    Thank you

    Randall

    Hi, Randall

    As far as I know, you will have to do it on the remote end. The problem is that if you have the same address, for example 192.168.1.70, arriving from two sites at the same time, the VPN device on your side will get very confused as to where the return traffic should go.

    You can NAT IP source on your local router to a set of addresses 192.168.70.x addresses, but I still think that the VPN device would not be able to determine what tunnel to send traffic down on the way back.

    I appreciate it is not always easy to get the 3rd party to do something, but I think that that's your only choice.

    HTH

    Jon

  • Remote VPN - no remote LAN connectivity

    Hi all

    I'm having a problem with my remote access VPN to home. I have an 800 series router which serves as the VPN endpoint (this is also my ADSL modem/router), and it isn't quite working as it should...

    I can establish a connection from the outside world, and when I run show crypto isakmp/ipsec sa I see relevant entries. However, my problem is that once connected, I cannot ping anything in my local network. I can't even ping the inside interface of my ADSL router. I have another 800 series which is the next hop serving wireless clients, and it is not reachable by ICMP either when connected through the VPN.

    I won't go through all the troubleshooting steps that I've taken, in case this post becomes a saga. I guess it's a routing or NAT problem? There are no NAT entries for the VPN client when it is connected, so I think I bypassed that correctly.

    I stripped my config back a bit just to try to make it work; I've pasted it below:

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname blah-blah
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5
    !
    aaa new-model
    !
    !
    aaa authentication login AAA_VPN local
    aaa authorization network AAA_VPN local
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    ip cef
    ip domain name blah.com
    ip name-server 208.67.222.222
    ip ssh
    ip ssh
    ip ssh
    no vlan accounting
    !
    !
    !
    username blah secret 5
    username blah password 7
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 3600
    !
    crypto isakmp client configuration group xxxxxx
     key 6
     pool VPN_address_pool
    !
    !
    crypto ipsec transform-set VPN_transformset esp-aes esp-sha-hmac
    !
    crypto dynamic-map dyn1 10
     set transform-set VPN_transformset
     reverse-route remote-peer x.x.x.x (the ISP gateway address)
    !
    !
    crypto map VPN client authentication list AAA_VPN
    crypto map VPN isakmp authorization list AAA_VPN
    crypto map VPN client configuration address initiate
    crypto map VPN client configuration address respond
    crypto map VPN 10 ipsec-isakmp dynamic dyn1
    !
    bridge irb
    !
    !
    interface Loopback0
     no ip address
     shutdown
    !
    interface ATM0
     mac-address xxxx.xxxx.xxxx
     no ip address
     no ip redirects
     no ip unreachables
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.50 point-to-point
     description high-speed link
     ip address dhcp
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly
     no snmp trap link-status
     atm route-bridged ip
     pvc 0/101
      encapsulation aal5snap
     !
     crypto map VPN
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     no ip address
     bridge-group 1
    !
    interface BVI1
     description LAN interface
     ip address x.x.x.x 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool VPN_address_pool x.x.x.x x.x.x.x (does not overlap any of my other private ranges in use)
    ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP gateway)
    ip route x.x.x.x 255.255.255.0 x.x.x.x
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static tcp x.x.x.x x interface ATM0.50 x
    ip nat inside source route-map ROUTE_MAP_VPN interface ATM0.50 overload (the deny line for the VPN pool in ACL_NAT_VPN keeps it from being translated)
    ip nat inside source static tcp x.x.x.x x interface ATM0.50 x
    !
    ip access-list extended ACL_NAT_VPN (basis of the route map)
     deny ip x.x.x.x (VPN pool) 0.0.0.255 x.x.x.x 0.0.0.255
     permit ip x.x.x.x 0.0.0.255 any
     permit ip x.x.x.x 0.0.0.255 any
     permit ip x.x.x.x 0.0.0.255 any
    !
    access-list 1 permit x.x.x.x 0.0.0.255
    access-list 1 permit x.x.x.x 0.0.0.255
    access-list 177 permit icmp any any - ignore, used for troubleshooting
    route-map ROUTE_MAP_VPN permit 10
     match ip address ACL_NAT_VPN
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     transport input x
    !
    scheduler max-task-time 5000
    end

    Well, if you see encrypted/decrypted packets, that rules out a lot of problems.

    Can you ping the inside (LAN) IP of the router from the VPN Client?

    This local network should have a default gateway pointing to the router or a route from the pool of VPN.

    Federico.

  • Urgent! Remote access VPN user connects but cannot access remote LAN (ping, folders, ...)

    Hello

    I am setting up remote access VPN on a Cisco ASA 5510 version 8.4(4)1.

    When I try to connect via the Cisco VPN client software, I am able to connect; however I am unable to access network resources.

    However, I can ping the servers in the other site that is connected through the site-to-site VPN to the main site!

    VPN client --> main site (ping times out) --> site connected to the main site with S2S VPN (ping successful)

    Please help me I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and re-issue the command but with "1", so it will place the NAT as the first line:

    no nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    nat (SERVERS,outside) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    After re-configuring it this way, make sure that this command is also present:

    sysopt connection permit-vpn

    This sysopt will allow the traffic regardless of any ACL, just in case. Please continue to run a packet tracer and post it here:

    packet-tracer input Server icmp XXXXXX 8 0 YYYYY detailed

    XXXX --> server IP

    AAAA --> VPN IP of the user

    Don't forget to do both steps, and a capture just in case. Please rate and mark as correct the useful message!

    Thank you

    David Castro,
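As an added illustration covering both Jouni's explanation of the three NAT sections above and this reply's advice to re-issue the rule with line number 1 (this is not code from either thread or from Cisco), a small Python model of the order in which an ASA 8.3+ consults its NAT table. Rule names, addresses and the `NatRule` structure are constructed; Section 2 (object NAT) is kept in insertion order, which is a simplification of the real ordering.

```python
"""Added example, not code from either thread: a model of the order in which an
ASA 8.3+ consults its NAT table, used to show why a VPN identity rule added after a
default PAT rule in Section 1 is never reached, and the two fixes proposed in the
threads (give the VPN rule line number 1, or move the PAT rule to Section 3 with
after-auto). Addresses and rule names are constructed; Section 2 ordering is simplified."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    src: Net          # real source the rule applies to
    dst: Net          # real destination the rule applies to (ANY for a plain source rule)
    section: int      # 1 = manual/twice NAT, 2 = object NAT, 3 = manual NAT with after-auto
    line: int = 0     # explicit line number (sections 1 and 3); 0 = appended at the end


def lookup_order(rules):
    """Sections are searched 1, then 2, then 3. Inside sections 1 and 3, rules given an
    explicit line number come first in that order; rules added without one keep the
    order in which they were entered, after the numbered ones."""
    return sorted(rules, key=lambda r: (r.section, 0 if r.line else 1, r.line))


def first_match(rules, src_ip, dst_ip):
    """The rule the ASA would apply: the first one in lookup order matching both ends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in lookup_order(rules):
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def demo():
    lan, remote = Net("10.10.10.0/24"), Net("1.1.2.0/24")
    # 'nat (inside,outside) source dynamic any interface' entered with no line number:
    # a catch-all PAT rule living in Section 1
    default_pat = NatRule("default PAT", ANY, ANY, section=1)
    # VPN identity NAT entered afterwards, also without a line number
    vpn_identity = NatRule("VPN identity NAT", lan, remote, section=1)

    # Problem: the catch-all is consulted first, so VPN traffic is PATed and misses the crypto map
    broken = first_match([default_pat, vpn_identity], "10.10.10.10", "1.1.2.10").name

    # Fix 1 (re-issue the VPN rule with line number 1): it is now consulted before the PAT rule
    vpn_line1 = NatRule("VPN identity NAT", lan, remote, section=1, line=1)
    fix_line_number = first_match([default_pat, vpn_line1], "10.10.10.10", "1.1.2.10").name

    # Fix 2 (PAT rule re-entered with 'after-auto'): it drops to Section 3, behind every
    # Section 1 rule, while still catching ordinary internet-bound traffic
    pat_after_auto = NatRule("default PAT", ANY, ANY, section=3)
    fix_after_auto = first_match([pat_after_auto, vpn_identity], "10.10.10.10", "1.1.2.10").name
    internet = first_match([pat_after_auto, vpn_identity], "10.10.10.10", "203.0.113.5").name
    return broken, fix_line_number, fix_after_auto, internet


if __name__ == "__main__":
    print(demo())   # ('default PAT', 'VPN identity NAT', 'VPN identity NAT', 'default PAT')
```

On a real box the same question is answered by `show nat detail`, which prints the rules in the order the ASA actually evaluates them, with per-rule hit counters; a VPN rule whose counter stays at zero while the PAT rule's climbs is the symptom this model reproduces.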

  • ASA 5505 VPN cannot access remote LAN

    I have an ASA 5505 up and running, with all the static NAT statements I need to forward ports to internal services such as SMTP and remote desktop, and it works very well; however I have set up an IPSec VPN connection that authenticates to our DC and partly works. After I connect I cannot ping anything on the local network or access services. I don't know what NAT statement I have wrong. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.

    Tyler

    Just remove the nat (outside) line and the outside_nat0_outbound ACL.

    And check these statements:

    1. sysopt connection permit-ipsec (if it is disabled, you can check with sh run sysopt).

    2. crypto isakmp nat-traversal 10 or 20

    3. no-NAT ACL: mention your local subnets as the source and the VPN clients as the destination.

    4. create another ACL (ST) with a different name and the same source and destination as the no-NAT ACL.

    5. then type nat (inside) 0 access-list sheep

    6. in the dwgavpn group policy, set split-tunnel-policy tunnelspecified and mention the split tunnel ACL (ST).

    Regards

  • RV042 VPN issues

    Hi all

    Well, I haven't done a Linksys VPN configuration in a while and have forgotten most of it, so I was wondering if somebody could please share any knowledge and help with these issues.

    What I want to do is to create VPN tunnels between 2 remote sites for VOIP traffic. At both ends of my tunnel, I have a Linksys router. The main site that the two remote sites are connecting to has an RV-042.

    So here's what I need to know:

    1. If I have an existing VPN that runs through the router (the router is currently not my VPN endpoint, a server is), when I place a VPN endpoint on the RV-042 will my existing VPN still be functional?

    2. Once the branch establishes a tunnel with the RV-042, how will the traffic that is intended for the internet flow? I want only certain traffic to flow through the tunnel, more specifically the VOIP traffic.

    3. Once the branch establishes a tunnel with the RV-042, how will the RV-042 forward it? Also, I want just the VOIP traffic through the tunnel; anything that is intended for the internet should not go to the internet... In other words, split tunneling on both ends of the tunnel.

    The RV-042 router is the VPN head end or head office, if you will...

    RV-042 Firmware: 1.3.12.6-tm

    Ideas or things I should look out for? Is this possible to do?

    Re 1. Perhaps. If you connect to the same endpoint on the router and on a server within the local network, then you will most likely get difficulties.

    Re 2/3. The two parties define the traffic that is tunneled based on IP addresses. You define a local and a remote security group that essentially define the IP addresses in the source and destination part of each IP packet. If these match, the traffic will be tunneled. If they do not match, the traffic is sent outside the tunnel. The tunnel configuration does not specify certain protocols or ports. You can only do this based on IP address. If you use softphones on the computers you will not get it to work as you want, because you can't separate the VoIP traffic from the computer's other traffic. If you use hardphones you could put all the phones in a specific subnet or address range, and then set that only those IP addresses go through the tunnel.

  • VPN issues - 3005 to ASA5510

    We are moving from a concentrator 3005 to an ASA5510 and I have a few questions.

    In the 3005, you can disable and enable VPN tunnels easily. You go into the policy and check or uncheck the enable box. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.

    Also, I want my remote access sessions to time out after 8 hours. It shows in the tunnel policy in the ASDM its value as 8 hours (28800), but I don't see this value in the config at all. I can't quite see a value of 86400 for the isakmp policy. If it is set in the ASDM as 8 hours, why doesn't it appear in the config? Which has priority on the timeout, the tunnel policy or the isakmp policy?

    Thank you!

    Ryan,

    For your remote access VPN session users, the max connection time can be specified in the tunnel group policy attributes. Go to your tunnel group in ASDM > General > expand More Options and uncheck maximum connect time; here you can specify the minutes after which the VPN session will end.

    For example, to specify 90 minutes you can also do this through the CLI; note it's not an idle timeout, this will drop the session at 90 minutes for all members of the tunnel group.

    group-policy attributes

    vpn-session-timeout 90

    You can disable it as:

    group-policy attributes

    no vpn-session-timeout

    As for disabling L2L VPN sessions, I don't know of an option to turn them on/off as in the VPN concentrators; this is a nice feature in the concentrator, but I haven't seen a feature like that on the ASA yet, or I'm not aware of it.

    HTH

    Rgds

    Jorge

  • 851 and 871 router VPN issues, still

    Main site

    1 - all connectivity - all fine - web - database - email - proxy - etc.

    2 - VPN tunnel UP

    Remote sites

    1 - VPN tunnel UP and tests

    1 - cannot ping the main location 192.168.0.x (yes, any IP address)

    2 - could not get out to the internet (goes through the proxy server 192.168.0.3 even though I could ping it)

    3 - could connect to the database but it crashes right after the login screen. Can ping the database address 192.168.0.11 at this location fine but the connection hangs and does not

    * MAIN CONFIG

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp keepalive 5 20
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto map bssn 10 ipsec-isakmp
     description VPN to PARK
     set peer X.X.X.X
     set transform-set RIGHT
     match address 100
    crypto map bssn 20 ipsec-isakmp
     description VPN to Corneilia
     set peer X.X.X.X
     set transform-set RIGHT
     match address 102
    crypto map bssn 30 ipsec-isakmp
     description VPN to OAK
     set peer X.X.X.X
     set transform-set RIGHT
     match address 103
    crypto map bssn 40 ipsec-isakmp
     description VPN to Herbert George Wells
     set peer X.X.X.X
     set transform-set RIGHT
     match address 104
    interface FastEthernet4
     description WAN
     ip address 216.x.x.x 255.255.255.128 secondary
     ip address 216.x.x.x 255.255.255.128
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map bssn
    !
    interface Vlan1
     description Entry door
     ip address 216.X.X.X 255.255.255.248 secondary
     ip address 192.168.0.11 255.255.255.0
     no ip redirects
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    !
    ip nat inside source route-map sheep interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    no cdp run
    route-map sheep permit 10
     match ip address 101

    * REMOTE SITE

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key XXX address X.X.X.X
    crypto isakmp keepalive 5 20
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto map bssn 10 ipsec-isakmp
     description Connect to main BSSN
     set peer X.X.X.X
     set transform-set RIGHT
     match address 100
    interface FastEthernet4
     ip address 216.X.X.X 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map bssn
    !
    interface Vlan1
     description Entry door
     ip address 192.168.1.2 255.255.255.0
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map sheep interface FastEthernet4 overload
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    route-map sheep permit 10
     match ip address 101

    Thank you

    Laughing out loud

    On the remote router access list 100 should look like:

    access-list 100 permit ip 192.168.1.0 0.0.0.255 any

    On the main router, access list 100 should look like:

    access-list 100 permit ip any 192.168.1.0 0.0.0.255

    HTH,

    Kind regards

    Kamal

  • l2l ASA vpn issues

    Hi all

    I have two firewalls between which I'm trying to implement an L2L VPN. One of them is an old SonicWALL and the other a 5505.

    I put it all in, phase 1/2 completes and the tunnel comes up; however no traffic passes through.

    Here is my configuration

    ASA (outside 192.168.30.1), ASA inside 192.168.10.0/25

    SonicWALL (outside 192.168.30.2), SonicWALL inside 192.168.20.0/24

    I have an access-list configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY

    However, when I watch the debugging output on the console it says: "cannot locate the egress interface for UDP from XXXX interface: 192.168.10.10/1 to 192.178.20.1/0".

    Any ideas why this is?

    Do I just need a static route to say all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?

    I guess that's the job of the crypto map

    Am I wrong?

    Hello

    It's beginning to seem to me that you have a VPN filter ACL configured for your L2L VPN, and also that the VPN filter ACL and the crypto ACL are the same thing, which means you use a single ACL for both.

    Why I think it's like this is the fact that you say that your L2L VPN traffic passes the "packet-tracer" VPN phase, meaning the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.

    In view of the above, I also know that the filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.

    If you add an ACL rule with the networks switched around, it seems this fixes the VPN filter ACL problems and finally allows traffic. Naturally I can only guess, as I haven't seen actual configurations at this point (which, usually together with "packet-tracer" output, help to solve a problem faster than just guessing)

    If you indeed have a VPN filter, you may be able to track it down with the following commands

    show run tunnel-group

    Check if a "group-policy" is defined, then the command

    show run group-policy

    This output should list the name of the VPN filter ACL if it's set

    Regarding the automatic route installation: the default setting on the ASA is that it will create NO static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.

    The ASA tracks TCP and UDP connections by default. ICMP is inspected only if its inspection is enabled. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni
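As an added illustration serving both Kamal's mirror-image access lists in the 851/871 thread above and Jouni's note here that a vpn-filter ACL is written with the remote network as source (this is not code from either thread or from Cisco): a Python parser for IOS numbered and ASA extended access-list lines that checks a pair of crypto ACLs for mirror symmetry and checks a vpn-filter ACL for the remote-as-source orientation. The sample ACLs use the networks quoted in those threads; the ACL name `L2L-FILTER` and the port qualifier are constructed.

```python
"""Added example, not code from the threads or from Cisco: parse IOS/ASA access-list
lines and check (1) that two peers' crypto ACLs are mirror images and (2) that a
vpn-filter ACL is written remote-as-source / local-as-destination.
Sample ACLs are constructed from the networks quoted in the threads."""
import ipaddress
from typing import NamedTuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}   # tokens each qualifier occupies


class Ace(NamedTuple):
    action: str
    proto: str
    src: Net
    dst: Net


def _addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A', 'A WILDCARD' (IOS numbered ACL)
    or 'A NETMASK' (ASA extended ACL). Returns (network, index of the next token)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    addr, mask = tok[i], int(ipaddress.IPv4Address(tok[i + 1]))
    if addr == "0.0.0.0" and mask in (0, 0xFFFFFFFF):   # 'any' spelled out in either dialect
        return ANY, i + 2
    if mask & 0x80000000 == 0:                          # top bit clear: an IOS wildcard, invert it
        mask ^= 0xFFFFFFFF
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False), i + 2


def _skip_ports(tok, i):
    """Skip an optional 'eq 80' / 'range 1 1023' style port qualifier after the source."""
    return i + PORT_OPS[tok[i]] if i < len(tok) and tok[i] in PORT_OPS else i


def parse_ace(line):
    """Parse 'access-list 100 permit ip A W B W' or 'access-list NAME extended permit ip A M B M'.
    Anything after the destination (ports, icmp types, log) is ignored."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    i = _skip_ports(tok, i)
    dst, _ = _addr(tok, i)
    return Ace(action, proto, src, dst)


def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def missing_mirror(local_acl, remote_acl):
    """Permit entries of local_acl whose swapped (dst, src) twin is absent from remote_acl.
    Crypto ACLs must mirror exactly, or the peers' phase-2 proxy identities never agree."""
    remote = {(a.proto, a.src, a.dst) for a in remote_acl if a.action == "permit"}
    return [a for a in local_acl if a.action == "permit" and (a.proto, a.dst, a.src) not in remote]


def misoriented_filter(filter_acl, local_nets, remote_nets):
    """vpn-filter ACEs not written with a remote address as source and a local address as
    destination, the orientation in which the ASA applies a vpn-filter to an L2L tunnel."""
    def inside(net, group):
        return any(net.subnet_of(g) for g in group)
    return [a for a in filter_acl
            if not (inside(a.src, remote_nets) and inside(a.dst, local_nets))]


def demo():
    # 851/871 thread: main site ACL 100 versus the remote site's ACL 100
    main = parse_acl("access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255")
    remote_ok = parse_acl("access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255")
    remote_bad = parse_acl("access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255")
    # ASA <-> SonicWALL thread: local 192.168.10.0/25, remote 192.168.20.0/24 (constructed filter)
    wrong = parse_acl("access-list L2L-FILTER extended permit tcp 192.168.10.0 255.255.255.128 "
                      "192.168.20.0 255.255.255.0 eq 3389")
    right = parse_acl("access-list L2L-FILTER extended permit tcp 192.168.20.0 255.255.255.0 "
                      "192.168.10.0 255.255.255.128 eq 3389")
    local, rem = [Net("192.168.10.0/25")], [Net("192.168.20.0/24")]
    return {
        "mirror_ok": missing_mirror(main, remote_ok) == [],
        "mirror_bad": len(missing_mirror(main, remote_bad)),
        "filter_wrong": len(misoriented_filter(wrong, local, rem)),
        "filter_right": len(misoriented_filter(right, local, rem)),
    }


if __name__ == "__main__":
    print(demo())
```

The wildcard-versus-netmask decision rests on the top bit of the mask: a contiguous IOS wildcard (0.0.0.255) always has it clear and a contiguous ASA netmask always has it set, so one parser serves both dialects; a non-contiguous wildcard would need to be handled separately.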

  • Site to Site VPN issues

    Hello

    I have created a new site-to-site VPN connection and can't figure out why it does not work.

    All the other site-to-site VPNs work properly. The new one, the problem is MATCHJLS. Could anyone recommend steps to correct it?

    !
    hostname vpn
    domain-name
    enable password Pp6RUfdBBUU encrypted
    passwd ucU7iJnNlZ encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 87.117.xxx.xx 255.255.255.252
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 78.129.xxx.x 255.255.255.128
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name msiuk.com
    same-security-traffic permit inter-interface
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq 8080
     port-object eq www
     port-object eq https
    object-group service Http81 tcp
     port-object eq 81
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq 81
     port-object eq www
    object-group network DM_INLINE_NETWORK_1
     network-object host 172.19.60.52
     network-object host 172.19.60.53
     network-object host 172.19.60.68
     network-object host 172.19.60.69
     network-object host 172.19.60.84
     network-object host 172.19.60.85
     network-object host 172.19.60.86
    access-list basic extended permit icmp any any echo-reply
    access-list basic extended permit icmp any any time-exceeded
    access-list basic extended permit tcp any host 78.129.xxx.xx eq 8731
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx object-group DM_INLINE_TCP_3
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www inactive
    access-list basic extended permit tcp any host 78.129.xxx.xx eq www
    access-list basic extended permit tcp any host 78.129.xxx.xx eq https
    access-list basic extended permit tcp any host 78.129.xxx.xx eq https
    access-list basic extended permit tcp any host 78.129.xxx.xx
    access-list basic extended permit tcp host 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 object-group DM_INLINE_TCP_1
    access-list SHEEP extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
    access-list SPLITTUN standard permit 78.129.xxx.xx 255.255.255.128
    access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
    access-list allow extended permit ip any any
    access-list MATCHVPN1 extended permit ip host 78.129.xxx.xx host 212.118.157.203
    access-list MATCHVPN2 extended permit ip any 212.118.xxx.xx 255.255.255.0
    access-list SMTP-NAT extended permit tcp host 78.129.xxx.xx any eq smtp
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
    access-list MATCHVPN4 extended permit ip host 78.129.xxx.xx host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
    access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool LOCPOOL 10.255.255.1-10.255.255.254
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 access-list SMTP-NAT
    nat (inside) 1 10.1.1.0 255.255.255.0
    nat (inside) 1 10.2.2.0 255.255.255.0
    access-group basic in interface outside
    access-group allow out interface outside
    access-group allow in interface inside
    access-group allow out interface inside
    route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
    route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
    route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
    route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
    route inside 172.20.xxx.xx 255.255.255.0 78.129.xxx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
    crypto ipsec transform-set kwset esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
    crypto map VPNPEER 1 match address MATCHJLS
    crypto map VPNPEER 1 set peer 94.128.xxx.xx
    crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map VPNPEER 10 match address MATCHVPN3
    crypto map VPNPEER 10 set peer 94.128.xxx.xx
    crypto map VPNPEER 10 set transform-set jlstransformset
    crypto map VPNPEER 10 set nat-t-disable
    crypto map VPNPEER 30 match address MATCHVPN2
    crypto map VPNPEER 30 set peer 212.118.xxx.xx
    crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map VPNPEER 30 set reverse-route
    crypto map VPNPEER 40 match address MATCHVPN4
    crypto map VPNPEER 40 set peer 94.128.xxx.xx
    crypto map VPNPEER 40 set transform-set kwset
    crypto map VPNPEER 50 match address MATCHVPN3
    crypto map VPNPEER 50 set pfs
    crypto map VPNPEER 50 set peer 94.128.xxx.xx
    crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto map VPNPEER 50 set nat-t-disable
    crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
    crypto map VPNPEER interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 3600
    crypto isakmp nat-traversal 3600
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-filter value MATCHKW
     vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy CLIENTGROUP internal
    group-policy CLIENTGROUP attributes
     dns-server value 10.1.1.10 10.1.1.2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITTUN
     default-domain value msiuk.local
    username admin password 9RG9xAvynJRd.Q encrypted privilege 15
    tunnel-group msi type remote-access
    tunnel-group msi general-attributes
     address-pool LOCPOOL
     default-group-policy CLIENTGROUP
    tunnel-group msi ipsec-attributes
     pre-shared-key *
    tunnel-group msi ppp-attributes
     authentication ms-chap-v2
    tunnel-group 212.118.xxx.xx type ipsec-l2l
    tunnel-group 212.118.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 94.128.xxx.xx type ipsec-l2l
    tunnel-group 94.128.xxx.xx ipsec-attributes
     pre-shared-key *
    !
    class-map ftpdefault
     match default-inspection-traffic
    class-map inspection_default
    !
    !
    policy-map global_policy
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b251877ef24a1dc161b594dc052c44
    : end
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable

    Hello

    OK, given the above information, I would say that the L2L VPN on your side should probably be fine for the traffic you are trying with packet-tracer.

    It seems that you get no traffic back from the remote end

    This could mean one of the following things

    • The remote site may not be allowing the traffic, either on their VPN appliance, firewall or the firewall of the actual server (which I doubt since we're talking about a web service)
    • The remote site has not configured routing properly for your source IP address/network. For example, your connection attempt can reach the remote server, but the return traffic could get forwarded to the wrong place on the remote site. This is more likely when the remote end handles Internet traffic and VPN traffic on separate devices
    • The remote site has not enabled the service on the actual server (which is again unlikely unless this is a service served only to you through this L2L VPN)
    • etc.

    As I said, it looks like the L2L VPN is fine. It's up and running, but you can't get traffic back over the L2L VPN, which suggests that the problem is at the remote site.

    If you go and ask the admins of the remote site about this, let us know how it went.

    If you found this information useful, please rate the answer/answers and naturally ask more if necessary

    -Jouni
