VPN site to site ASA and SSL VPN

Hello

Already configured vpn site to site for both sites. Now, I try to configure vpn remote access to one site.

But I'm starting to config some command like below to access remote vpn, the existing site-to-site vpn disconnected auto.

No crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

Please, help me to check.

Thank you

Ko Htwe

Hello

You can have a single card encryption for an interface, you must configure both tunnels (access site to & remote) in a single card with number of different sequesnce encryption. Please make sure that the sequence number for the remote access is higher than for the site to site.

You can also get this back to the config command, why did you remove it.

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

If you still have a problem, please let us know the configuration.

Kind regards

Mohammad

Tags: Cisco Security

Similar Questions

Connectivity problems from site to Site - ASA and PIX

I'm trying to set up a tunnel between the ASA and PIX but I have some difficulty.

On the side of the ASA

June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, error QM WSF (P2 struct & 0xc9309260, mess id 0x7e79b74e).

June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, peer table correlator Removing failed, no match!

June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Session is be demolished. Reason: Phase 2
On the side of PIX

ISAKMP (0): the total payload length: 37
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
Exchange OAK_MM
ISAKMP (0): processing ID payload. Message ID = 0
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): load useful treatment vendor id

ISAKMP (0): Peer Remote supports dead peer detection

ISAKMP (0): SA has been authenticated.

ISAKMP (0): start Quick Mode Exchange, M - ID - 813626169:cf810cc7IPSEC (key_engine): had an event of the queue...
IPSec (spi_response): spi 0xbb1797c2 graduation (3138885570) for SA
from 63.143.77.114 to 190.213.57.203 for prot 3

to return to the State is IKMP_NO_ERROR
ISAKMP (0): send to notify INITIAL_CONTACT
ISAKMP (0): sending message 24578 NOTIFY 1 protocol
Peer VPN: ISAKMP: approved new addition: ip:63.143.77.114/500 Total VPN peers: 2
Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt is incremented to peers: 1 Total VPN peers: 2
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 Protocol 3
SPI 0, message ID = 2038434904
to return to the State is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. Message ID = 1798094647, spi size = 16
ISAKMP (0): delete SA: src 190.213.57.203 dst 63.143.77.114
to return to the State is IKMP_NO_ERR_NO_TRANS
ISADB: Reaper checking HIS 0x11fa6fc, id_conn = 0
ISADB: Reaper checking HIS 0x121ac3c, id_conn = 0 DELETE IT!

Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt decremented to peers: 0 Total of VPN peers: 2
Peer VPN: ISAKMP: deleted peer: ip:63.143.77.114/500 VPN Total peers:1IPSEC (key_engine): had an event of the queue...
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 63.143.77.114

The ASA configuration

ASA Version 8.2 (5)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.102.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 63.143.77.114 255.255.255.252

!

passive FTP mode

clock timezone IS - 5

DNS lookup field inside

DNS domain-lookup outside

DNS server-group DefaultDNS

domain lexlocal

object-group service DM_INLINE_SERVICE_3

the eq https tcp service object

the eq telnet tcp service object

ICMP service object

the purpose of the service tcp - udp eq www

the udp service object

object-group service DM_INLINE_SERVICE_5

the udp service object

the tcp service object

the purpose of the service tcp - udp eq www

the purpose of the service tcp eq www

the purpose of the service udp eq www

ICMP service object

object-group service DM_INLINE_SERVICE_8

the eq https tcp service object

the purpose of the service tcp - udp eq www

object-group Protocol DM_INLINE_PROTOCOL_1

ip protocol object

object-protocol udp

object-tcp protocol

object-group service DM_INLINE_SERVICE_4

the purpose of the service tcp - udp eq www

the eq https tcp service object

EQ-tcp smtp service object

the purpose of the udp eq snmp service

the purpose of the ip service

ICMP service object

object-group Protocol DM_INLINE_PROTOCOL_2

ip protocol object

object-protocol udp

object-tcp protocol

object-group Protocol DM_INLINE_PROTOCOL_3

ip protocol object

object-protocol udp

object-tcp protocol

inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.240

access extensive list ip 192.168.102.0 inside_nat0_outbound allow Barbado-internal 255.255.255.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.192

access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 JA_Office_Internal 255.255.255.0

access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0

outside_authentication list extended access allowed object-group DM_INLINE_PROTOCOL_3 all all idle state

inside_access_in access-list extended ip any any idle state to allow

inside_access_in list extended access allowed object-group host Jeremy DM_INLINE_SERVICE_5 all

inside_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 192.168.102.0 255.255.255.0 any

inside_access_in list extended access allowed object-group DM_INLINE_PROTOCOL_1 192.168.102.0 255.255.255.0 192.168.102.0 255.255.255.0

outside_access_in list extended access allowed object-groups DM_INLINE_PROTOCOL_2 host interface idle outside Jeremy

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_4 any external interface

extended access list ip 255.255.255.0 Barbado-internal outside_access_in allow 192.168.102.0 255.255.255.0

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_8 any inactive external interface

IP JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0 allow Access-list extended outside_access_in

IP P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0 allow Access-list extended outside_access_in

access extensive list ip 192.168.102.0 outside_1_cryptomap allow Barbado-internal 255.255.255.0 255.255.255.0

access extensive list ip 192.168.102.0 outside_2_cryptomap allow 255.255.255.0 JA_Office_Internal 255.255.255.0

access extensive list ip 192.168.102.0 outside_3_cryptomap allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask of local pool remote_users 192.168.200.1 - 192.168.200.10 IP 255.255.255.0

mask of local pool VPN_IPs 192.168.200.25 - 192.168.200.50 IP 255.255.255.248

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 63.143.77.113 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

AAA authentication match outside the LOCAL outside_authentication

Enable http server

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Sysopt connection timewait

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 200.50.87.198

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 2 match address outside_2_cryptomap

card crypto outside_map 2 set pfs

peer set card crypto outside_map 2 66.54.113.191

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

card crypto outside_map 3 match address outside_3_cryptomap

card crypto outside_map 3 set pfs

peer set card crypto outside_map 3 190.213.57.203

card crypto outside_map 3 game of transformation-ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

authentication crack

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 50

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP disconnect - notify

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd address 192.168.102.30 - 192.168.102.50 inside

dhcpd dns 66.54.116.4 66.54.116.5 interface inside

dhcpd allow inside

!

dhcpd dns 66.54.116.4 66.54.116.5 outside interface

!

a basic threat threat detection

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

WebVPN

allow outside

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

VPN-tunnel-Protocol svc

lexlocal value by default-field

WebVPN

SVC keepalive no

internal DefaultRAGroup_1 group strategy

attributes of Group Policy DefaultRAGroup_1

Protocol-tunnel-VPN l2tp ipsec

lexlocal value by default-field

WebVPN

SVC keepalive no

internal VPN_Tunnel_Client group strategy

attributes of Group Policy VPN_Tunnel_Client

value of server DNS 192.168.102.1

Protocol-tunnel-VPN IPSec l2tp ipsec svc

lexlocal value by default-field

username VPN_Connect password 6f7B + J8S2ADfQF4a/CJfvQ is nt encrypted

username VPN_Connect attributes

type of nas-prompt service

xxxxex iFxSRrE9uIWAFjJE encrypted password username

attributes global-tunnel-group DefaultRAGroup

address pool remote_users

address pool VPN_IPs

Group Policy - by default-DefaultRAGroup_1

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

tunnel-group 200.50.87.198 type ipsec-l2l

IPSec-attributes tunnel-group 200.50.87.198

pre-shared key *.

type tunnel-group VPN_Tunnel_Client remote access

attributes global-tunnel-group VPN_Tunnel_Client

address pool remote_users

Group Policy - by default-VPN_Tunnel_Client

IPSec-attributes tunnel-group VPN_Tunnel_Client

pre-shared key *.

tunnel-group 66.54.113.191 type ipsec-l2l

IPSec-attributes tunnel-group 66.54.113.191

pre-shared key *.

tunnel-group 190.213.57.203 type ipsec-l2l

IPSec-attributes tunnel-group 190.213.57.203

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

PIX configuration

lexmailserver name 192.168.1.3

name 192.168.1.120 Lextt-SF

name 192.168.1.6 Lextt-ms

name 192.168.100.0 Barbados

name 192.168.102.0 Data_Center_Internal

outside_access_in tcp allowed access list any interface outside eq smtp

outside_access_in tcp allowed access list any interface outside eq www

outside_access_in tcp allowed access list any interface outside eq https

inside_outbound_nat0_acl ip access list allow any 192.168.2.0 255.255.255.224

permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Barbado

permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Data_Ce

permit 192.168.1.0 ip access list outside_cryptomap_20 255.255.255.0 Barbados 25

permit 192.168.1.0 ip access list outside_cryptomap_40 255.255.255.0 Data_Center

pager lines 24

opening of session

debug logging in buffered memory

logging trap information

logging out of the 190.213.57.203 host

Outside 1500 MTU

Within 1500 MTU

external IP 190.213.57.203 255.255.255.0

IP address inside 192.168.1.1 255.255.255.0

IP verify reverse path to the outside interface

alarm action IP verification of information

alarm action attack IP audit

IP local pool vpn_pool 192.168.2.0 - 192.168.2.20

no failover

failover timeout 0:00:00

failover poll 15

No IP failover outdoors

No IP failover inside

PDM location lexmailserver 255.255.255.255 outside

location of PDM Lextt-ms 255.255.255.255 outside

location of PDM 192.168.2.0 255.255.255.224 outside

location of PDM 200.50.87.198 255.255.255.255 outside

PDM location Barbados 255.255.255.0 inside

location of PDM 255.255.255.255 Lextt-SF on the inside

PDM location 255.255.255.0 outside Barbados

location of PDM 255.255.255.255 Lextt-ms on the inside

location of PDM Data_Center_Internal 255.255.255.0 outside

PDM 100 logging alerts

history of PDM activate

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 10 192.168.1.0 255.255.255.0 0 0

public static tcp (indoor, outdoor) interface smtp smtp Lextt-SF netmask 255.255.255.255

public static tcp (indoor, outdoor) interface www Lextt-ms www netmask 255.255.255.255 0

public static tcp (indoor, outdoor) interface Lextt-ms https netmask 255.255.255.2 https

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 190.213.73.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.1.0 255.255.255.0 inside

Barbados 255.255.255.0 HTTP inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

outside_map 20 ipsec-isakmp crypto map

card crypto outside_map 20 match address outside_cryptomap_20

peer set card crypto outside_map 20 200.50.87.198

outside_map card crypto 20 the transform-set ESP-DES-MD5 value

outside_map 40 ipsec-isakmp crypto map

card crypto outside_map 40 correspondence address outside_cryptomap_40

peer set card crypto outside_map 40 63.143.77.114

outside_map card crypto 40 the transform-set ESP-DES-MD5 value

outside_map interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 200.50.87.198 netmask 255.255.255.255

ISAKMP key * address 63.143.77.114 netmask 255.255.255.255

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

Telnet timeout 5

If you haven't already done so, you must clear the SAs Phase I on both sides after you make a change to the map. Once the Phase I SA has been cleared, he renegotiate and reset Phase II. If you alerady made this, the only other thing I can think is manually re-enter the secrets disclosed in advance on tunnel groups then erase both the Phase I and Phase II SAs.

ASA and SSL compatibility

Hello

We want to buy a SSL certificate to change the real certificate in ASA. Is there a requirement or a specific type of certicate compatible with ASA?

Thank you

See this document

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808a61cd.shtml

Support for 3rd-party CA vendors are Baltimore, Cisco, Entrust, iPlanet/Netscape, Microsoft, RSA and VeriSign. So if you want Cisco support, need a certificate from these suppliers but we also used successfully certificate from other suppliers... Generally, it should be an X.509 certificate

M.

hope that helps rate if it is

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

problem setting up vpn site-to-site between asa and 1811 router

I get the following error.

3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80

6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP

6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024

5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop

4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!

3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).

5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.

3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED

6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address

4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes

I do not think that because of the incompatibility of encryption. Any help is appreciated.

Thank you

Nilesh

You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.

If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.

Kind regards

Arul

Microsoft l2tp IPSec VPN site to site ASA on top

I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

Hello

Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

See you soon,.

Daniel

VPN site to Site - ASA to PIX - same subnet on the inside

Chaps,

I have a unusual scenario, whereby case I need a tunnel vpn site-to-site between a pix of cisco version 7 and version 8 cisco asa, which have the same subnet ip to each endpoint. Is it possible to create such a tunnel from site to site or do I change one of the remote endpoints?

Thank you

Nick

Hi Nicolas,.

To allow the traffic through the tunnel when having the same at both ends addressing scheme, you should NAT VPN traffic.

That is to say.

Site a 10.1.1.0/24 LAN

Site B LAN 10.1.1.0/24

The site config:

NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

(in, out) static 192.168.1.0 access-list NAT

license of crypto list to access ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B config:

NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

(in, out) static 192.168.2.0 access-list NAT

license of crypto list to access ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The idea is that Site A will to 192.168.1.0 translatefd when you go to Site B, and Site B will result to 192.168.2.0 when you go to the Site A.

Hope that makes sense.

Federico.

2 one-Site VPN between HQ, Site A and Site B

Dear brothers,

Really I need your kindly help on Site 2 Site VPN.

We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.

HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21

Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22

Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23

So my questions are:

1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?

2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?

Thank you

Hello

I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

Kind regards

Averroès.

VPN Site to Site ASA (only happens with interesting traffic)

Is anyway to get an ASA to VPN site-to-site ASA addition interesting traffic? I need to keep this tunnel independently of traffic is anyway to do this?

Unfortunately, no such feature has been developed on the SAA. You need to deceive the ASA with a host located in the "interesting" part of the network to constantly generate interesting traffic. Here are a few suggestions:

-Use the IP SLA on a Cisco device

-Perform a host TCP ping

-Setting up a host of the site has press site B as a NTP source ASA

Thank you for evaluating useful messages!

VPN from Site to Site ASA setting not

Hi all...

I have two firewalls ASA 5505, headquarters of one and the other in a warehouse at a distance. I want to create an IPsec tunnel so that our warehouse distance can use some applications that have a component of database hosted at Headquarters.

I think I created links correctly (in reverse the settings on the two ASAs and crippled the IP addresses were required, quadruple checked the IKE keys, etc.) but my tunnel does not put in place.

At this point, I think what Miss me is probably obvious and manifest right at me. Anyone would be able to help? I can provide show run on devices and other log files, as requested.

Concerning

Rob

Hello

Try changing your peer IP card crypto HQ. It's different on what is configured on the ASA remote outside intellectual property.

Site to Site with ASA and FortiGate

I have setup a VPN site-to site between my ASA and FortiGate customers. The tunnel rises with success, but we can not pass traffic. When I do a packet capture on my ASA, I see traffic on the port of entry as usual, but on the output port, the source address gets NAT had I checked all statements of NAT, and there is a statement NAT exempted from the entry port to the port of exit and in the VPN configuration.

Then your oder of NAT statements in probably wrong. The dynamic NAT for outgoing traffic must be at the end (I put them always in article 3), while the Exemption must be at the beginning of Section 1.

Cisco ASA and dynamic VPN L2L Fortigate configuration

I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.

I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.

However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.

6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, drop

Yes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be

then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.

You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.

Assuming that you have configured the dynamic map and assign to the card encryption.

Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Hope that helps.

AnyConnect and SSL - VPN without client

Are there problems in running Cisco AnyConnect and SSL - VPN without client side by side?

I am currently looking into adding features for an ASA AnyConnect who currently set up to operate without SSL - VPN client. The system without client is not removed. I don't know how to set it up, I wonder if someone has already set up this or if there is no problem with this Setup?

Hi Daniel

It's a little complicated if you want a granular authentication and authorization, but it works.

I'm running an ASA with IPSec, SSL Client and clientless SSL.

Each of these virtual private networks with user/one-time-password name and certificate based authentic.

The main challenge is to put in place its own structure of profile cards, connection profiles, group policies and dynamic access policies.

Feel free to ask questions...

Stephan

ASR1K and SSL VPN

I'm having trouble finding information on SSL VPN for ASR1K, when we bought the boxes told us that SSL VPN was on the roadmap of the software, but that was back in 2010 and now I can not find anything nor can I get the right information.

Does anyone have a recommendation on what to do or who to ask?

PLS, contact your Cisco account manager as he or she would be able to provide additional information.

There is normally a long list of features to add to the product, and SSL VPN is one of them who was asked to appear on the ASR. However, depending on the needs, it might be on the top of the list of the road map, or to the bottom of the list. Your Cisco AM should be able to get information from the product team.

Problem with IPsec VPN between ASA and router Cisco - ping is not response

Hello

I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

my network topology data:

LAN 1 connect ASA - 1 (inside the LAN)

PC - 10.0.1.3 255.255.255.0 10.0.1.1

ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

-----------------------------------------------------------------

ASA - 1 Connect (LAN outide) R1

ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

---------------------------------------------------------------------

R1 R2 to connect

R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

R2 for lan connection 2

--------------------------------------------------------------------

R2 to connect LAN2

R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

PC - 10.0.2.3 255.255.255.0 10.0.2.1

ASA configuration:

1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1

------------------------------------------------------------

access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outside

R2 configuration:

interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime

-----------------------------------------------------

router RIP
version 2
Network 10.0.2.0
network 172.30.2.0

------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to

------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300

------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2

-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS

------------------------------------------------------

access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

------------------------------------------------------

R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPN

I don't know what the problem

Thank you

If the RIP is not absolutely necessary for you, try adding the default route to R2:

IP route 0.0.0.0 0.0.0.0 172.16.2.1

If you want to use RIP much, add permissions ACL 102:

access-list 102 permit udp any any eq 520

VPN site to site ASA and SSL VPN

Similar Questions

Maybe you are looking for