VPN site to site ASA and SSL VPN
Hello
Already configured vpn site to site for both sites. Now, I try to configure vpn remote access to one site.
But I'm starting to config some command like below to access remote vpn, the existing site-to-site vpn disconnected auto.
No crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Please, help me to check.
Thank you
Ko Htwe
Hello
You can have a single card encryption for an interface, you must configure both tunnels (access site to & remote) in a single card with number of different sequesnce encryption. Please make sure that the sequence number for the remote access is higher than for the site to site.
You can also get this back to the config command, why did you remove it.
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
If you still have a problem, please let us know the configuration.
Kind regards
Mohammad
Tags: Cisco Security
Similar Questions
-
Connectivity problems from site to Site - ASA and PIX
I'm trying to set up a tunnel between the ASA and PIX but I have some difficulty.
On the side of the ASA
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, error QM WSF (P2 struct & 0xc9309260, mess id 0x7e79b74e).
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, peer table correlator Removing failed, no match!
June 29 at 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Session is be demolished. Reason: Phase 2
On the side of PIX
ISAKMP (0): the total payload length: 37
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
Exchange OAK_MM
ISAKMP (0): processing ID payload. Message ID = 0
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): load useful treatment vendor idISAKMP (0): Peer Remote supports dead peer detection
ISAKMP (0): SA has been authenticated.
ISAKMP (0): start Quick Mode Exchange, M - ID - 813626169:cf810cc7IPSEC (key_engine): had an event of the queue...
IPSec (spi_response): spi 0xbb1797c2 graduation (3138885570) for SA
from 63.143.77.114 to 190.213.57.203 for prot 3to return to the State is IKMP_NO_ERROR
ISAKMP (0): send to notify INITIAL_CONTACT
ISAKMP (0): sending message 24578 NOTIFY 1 protocol
Peer VPN: ISAKMP: approved new addition: ip:63.143.77.114/500 Total VPN peers: 2
Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt is incremented to peers: 1 Total VPN peers: 2
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 Protocol 3
SPI 0, message ID = 2038434904
to return to the State is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. Message ID = 1798094647, spi size = 16
ISAKMP (0): delete SA: src 190.213.57.203 dst 63.143.77.114
to return to the State is IKMP_NO_ERR_NO_TRANS
ISADB: Reaper checking HIS 0x11fa6fc, id_conn = 0
ISADB: Reaper checking HIS 0x121ac3c, id_conn = 0 DELETE IT!Peer VPN: ISAKMP: ip:63.143.77.114/500 Ref cnt decremented to peers: 0 Total of VPN peers: 2
Peer VPN: ISAKMP: deleted peer: ip:63.143.77.114/500 VPN Total peers:1IPSEC (key_engine): had an event of the queue...
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 63.143.77.114The ASA configuration
ASA Version 8.2 (5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 63.143.77.114 255.255.255.252
!
passive FTP mode
clock timezone IS - 5
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
domain lexlocal
object-group service DM_INLINE_SERVICE_3
the eq https tcp service object
the eq telnet tcp service object
ICMP service object
the purpose of the service tcp - udp eq www
the udp service object
object-group service DM_INLINE_SERVICE_5
the udp service object
the tcp service object
the purpose of the service tcp - udp eq www
the purpose of the service tcp eq www
the purpose of the service udp eq www
ICMP service object
object-group service DM_INLINE_SERVICE_8
the eq https tcp service object
the purpose of the service tcp - udp eq www
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_4
the purpose of the service tcp - udp eq www
the eq https tcp service object
EQ-tcp smtp service object
the purpose of the udp eq snmp service
the purpose of the ip service
ICMP service object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
object-protocol udp
object-tcp protocol
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
object-protocol udp
object-tcp protocol
inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.240
access extensive list ip 192.168.102.0 inside_nat0_outbound allow Barbado-internal 255.255.255.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all VPN_Access 255.255.255.192
access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 JA_Office_Internal 255.255.255.0
access extensive list ip 192.168.102.0 inside_nat0_outbound allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0
outside_authentication list extended access allowed object-group DM_INLINE_PROTOCOL_3 all all idle state
inside_access_in access-list extended ip any any idle state to allow
inside_access_in list extended access allowed object-group host Jeremy DM_INLINE_SERVICE_5 all
inside_access_in list extended access allowed object-group DM_INLINE_SERVICE_3 192.168.102.0 255.255.255.0 any
inside_access_in list extended access allowed object-group DM_INLINE_PROTOCOL_1 192.168.102.0 255.255.255.0 192.168.102.0 255.255.255.0
outside_access_in list extended access allowed object-groups DM_INLINE_PROTOCOL_2 host interface idle outside Jeremy
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_4 any external interface
extended access list ip 255.255.255.0 Barbado-internal outside_access_in allow 192.168.102.0 255.255.255.0
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_8 any inactive external interface
IP JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0 allow Access-list extended outside_access_in
IP P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0 allow Access-list extended outside_access_in
access extensive list ip 192.168.102.0 outside_1_cryptomap allow Barbado-internal 255.255.255.0 255.255.255.0
access extensive list ip 192.168.102.0 outside_2_cryptomap allow 255.255.255.0 JA_Office_Internal 255.255.255.0
access extensive list ip 192.168.102.0 outside_3_cryptomap allow 255.255.255.0 P.O.S_Office_internal 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of local pool remote_users 192.168.200.1 - 192.168.200.10 IP 255.255.255.0
mask of local pool VPN_IPs 192.168.200.25 - 192.168.200.50 IP 255.255.255.248
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 63.143.77.113 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication match outside the LOCAL outside_authentication
Enable http server
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt connection timewait
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 200.50.87.198
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 2 match address outside_2_cryptomap
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 66.54.113.191
card crypto outside_map 2 game of transformation-ESP-3DES-SHA
card crypto outside_map 3 match address outside_3_cryptomap
card crypto outside_map 3 set pfs
peer set card crypto outside_map 3 190.213.57.203
card crypto outside_map 3 game of transformation-ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP disconnect - notify
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.102.30 - 192.168.102.50 inside
dhcpd dns 66.54.116.4 66.54.116.5 interface inside
dhcpd allow inside
!
dhcpd dns 66.54.116.4 66.54.116.5 outside interface
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
allow outside
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
VPN-tunnel-Protocol svc
lexlocal value by default-field
WebVPN
SVC keepalive no
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Protocol-tunnel-VPN l2tp ipsec
lexlocal value by default-field
WebVPN
SVC keepalive no
internal VPN_Tunnel_Client group strategy
attributes of Group Policy VPN_Tunnel_Client
value of server DNS 192.168.102.1
Protocol-tunnel-VPN IPSec l2tp ipsec svc
lexlocal value by default-field
username VPN_Connect password 6f7B + J8S2ADfQF4a/CJfvQ is nt encrypted
username VPN_Connect attributes
type of nas-prompt service
xxxxex iFxSRrE9uIWAFjJE encrypted password username
attributes global-tunnel-group DefaultRAGroup
address pool remote_users
address pool VPN_IPs
Group Policy - by default-DefaultRAGroup_1
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group 200.50.87.198 type ipsec-l2l
IPSec-attributes tunnel-group 200.50.87.198
pre-shared key *.
type tunnel-group VPN_Tunnel_Client remote access
attributes global-tunnel-group VPN_Tunnel_Client
address pool remote_users
Group Policy - by default-VPN_Tunnel_Client
IPSec-attributes tunnel-group VPN_Tunnel_Client
pre-shared key *.
tunnel-group 66.54.113.191 type ipsec-l2l
IPSec-attributes tunnel-group 66.54.113.191
pre-shared key *.
tunnel-group 190.213.57.203 type ipsec-l2l
IPSec-attributes tunnel-group 190.213.57.203
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
PIX configuration
lexmailserver name 192.168.1.3
name 192.168.1.120 Lextt-SF
name 192.168.1.6 Lextt-ms
name 192.168.100.0 Barbados
name 192.168.102.0 Data_Center_Internal
outside_access_in tcp allowed access list any interface outside eq smtp
outside_access_in tcp allowed access list any interface outside eq www
outside_access_in tcp allowed access list any interface outside eq https
inside_outbound_nat0_acl ip access list allow any 192.168.2.0 255.255.255.224
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Barbado
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 Data_Ce
permit 192.168.1.0 ip access list outside_cryptomap_20 255.255.255.0 Barbados 25
permit 192.168.1.0 ip access list outside_cryptomap_40 255.255.255.0 Data_Center
pager lines 24
opening of session
debug logging in buffered memory
logging trap information
logging out of the 190.213.57.203 host
Outside 1500 MTU
Within 1500 MTU
external IP 190.213.57.203 255.255.255.0
IP address inside 192.168.1.1 255.255.255.0
IP verify reverse path to the outside interface
alarm action IP verification of information
alarm action attack IP audit
IP local pool vpn_pool 192.168.2.0 - 192.168.2.20
no failover
failover timeout 0:00:00
failover poll 15
No IP failover outdoors
No IP failover inside
PDM location lexmailserver 255.255.255.255 outside
location of PDM Lextt-ms 255.255.255.255 outside
location of PDM 192.168.2.0 255.255.255.224 outside
location of PDM 200.50.87.198 255.255.255.255 outside
PDM location Barbados 255.255.255.0 inside
location of PDM 255.255.255.255 Lextt-SF on the inside
PDM location 255.255.255.0 outside Barbados
location of PDM 255.255.255.255 Lextt-ms on the inside
location of PDM Data_Center_Internal 255.255.255.0 outside
PDM 100 logging alerts
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 10 192.168.1.0 255.255.255.0 0 0
public static tcp (indoor, outdoor) interface smtp smtp Lextt-SF netmask 255.255.255.255
public static tcp (indoor, outdoor) interface www Lextt-ms www netmask 255.255.255.255 0
public static tcp (indoor, outdoor) interface Lextt-ms https netmask 255.255.255.2 https
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 190.213.73.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.1.0 255.255.255.0 inside
Barbados 255.255.255.0 HTTP inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Sysopt connection permit-pptp
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
outside_map 20 ipsec-isakmp crypto map
card crypto outside_map 20 match address outside_cryptomap_20
peer set card crypto outside_map 20 200.50.87.198
outside_map card crypto 20 the transform-set ESP-DES-MD5 value
outside_map 40 ipsec-isakmp crypto map
card crypto outside_map 40 correspondence address outside_cryptomap_40
peer set card crypto outside_map 40 63.143.77.114
outside_map card crypto 40 the transform-set ESP-DES-MD5 value
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 200.50.87.198 netmask 255.255.255.255
ISAKMP key * address 63.143.77.114 netmask 255.255.255.255
part of pre authentication ISAKMP policy 20
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
Telnet timeout 5
If you haven't already done so, you must clear the SAs Phase I on both sides after you make a change to the map. Once the Phase I SA has been cleared, he renegotiate and reset Phase II. If you alerady made this, the only other thing I can think is manually re-enter the secrets disclosed in advance on tunnel groups then erase both the Phase I and Phase II SAs.
-
Hello
We want to buy a SSL certificate to change the real certificate in ASA. Is there a requirement or a specific type of certicate compatible with ASA?
Thank you
See this document
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808a61cd.shtml
Support for 3rd-party CA vendors are Baltimore, Cisco, Entrust, iPlanet/Netscape, Microsoft, RSA and VeriSign. So if you want Cisco support, need a certificate from these suppliers but we also used successfully certificate from other suppliers... Generally, it should be an X.509 certificate
M.
hope that helps rate if it is
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
problem setting up vpn site-to-site between asa and 1811 router
I get the following error.
3. January 8, 2008 | 15: 47:31 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
3. January 8, 2008 | 15:47:28 | 710003 | 192.168.0.45 | 192.168.0.50. TCP access denied by ACL to 192.168.0.45/3698 to LAN:192.168.0.50/80
6. January 8, 2008 | 15:47:28 | 302021 | 192.168.0.45 | 192.168.0.50. Connection of disassembly for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024 ICMP
6. January 8, 2008 | 15:47:28 | 302020 | 192.168.0.45 | 192.168.0.50. Built of ICMP incoming connections for faddr gaddr laddr 192.168.0.50/0 192.168.0.50/0 192.168.0.45/1024
5. January 8, 2008 | 15: 47:03 | 713904 | IP = public IP address, encrypted packet received with any HIS correspondent, drop
4. January 8, 2008 | 15: 47:03 | 113019 | Group = public IP address, Username = public IP address, IP = IP address public, disconnected Session. Session type: IPSecLAN2LAN, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = public IP address, peer table correlator withdrawal failed, no match!
3. January 8, 2008 | 15: 47:03 | 713902 | Group = public IP address, IP = IP address public, error QM WSF (P2 struct & 0x4969c90, mess id 0xf3d044e8).
5. January 8, 2008 | 15: 47:03 | 713904 | Group = public IP address, IP = IP proposals public, IPSec Security Association all found unacceptable.
3. January 8, 2008 | 15: 47:03 | 713119 | Group = public IP address, IP = IP address public, PHASE 1 COMPLETED
6. January 8, 2008 | 15: 47:03 | 113009 | AAA recovered in group policy by default (DfltGrpPolicy) to the user = public IP address
4. January 8, 2008 | 15: 47:03 | 713903 | Group = public IP address, IP = IP address public, previously allocated memory release for authorization-dn-attributes
I do not think that because of the incompatibility of encryption. Any help is appreciated.
Thank you
Nilesh
You have PFS (Perfect Forward Secrecy) configured on the ASA and not the router. This could be one of the reasons why the tunnel fails in Phase 2.
If you do not need a PFS, can you not make a 'no encryption card WAN_map 1 set pfs' the configuration of the ASA and make appear the tunnel.
Kind regards
Arul
-
Microsoft l2tp IPSec VPN site to site ASA on top
I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.
In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero
Hello
Yes, the L2TP can be encapsulated in IPSEC as all other traffic.
However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.
See you soon,.
Daniel
-
VPN site to Site - ASA to PIX - same subnet on the inside
Chaps,
I have a unusual scenario, whereby case I need a tunnel vpn site-to-site between a pix of cisco version 7 and version 8 cisco asa, which have the same subnet ip to each endpoint. Is it possible to create such a tunnel from site to site or do I change one of the remote endpoints?
Thank you
Nick
Hi Nicolas,.
To allow the traffic through the tunnel when having the same at both ends addressing scheme, you should NAT VPN traffic.
That is to say.
Site a 10.1.1.0/24 LAN
Site B LAN 10.1.1.0/24
The site config:
NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
(in, out) static 192.168.1.0 access-list NAT
license of crypto list to access ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Site B config:
NAT permit list to access ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
(in, out) static 192.168.2.0 access-list NAT
license of crypto list to access ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The idea is that Site A will to 192.168.1.0 translatefd when you go to Site B, and Site B will result to 192.168.2.0 when you go to the Site A.
Hope that makes sense.
Federico.
-
2 one-Site VPN between HQ, Site A and Site B
Dear brothers,
Really I need your kindly help on Site 2 Site VPN.
We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.
HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21
Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22
Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23
So my questions are:
1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?
2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?
Thank you
Hello
I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...
Kind regards
Averroès.
-
VPN Site to Site ASA (only happens with interesting traffic)
Is anyway to get an ASA to VPN site-to-site ASA addition interesting traffic? I need to keep this tunnel independently of traffic is anyway to do this?
Unfortunately, no such feature has been developed on the SAA. You need to deceive the ASA with a host located in the "interesting" part of the network to constantly generate interesting traffic. Here are a few suggestions:
-Use the IP SLA on a Cisco device
-Perform a host TCP ping
-Setting up a host of the site has press site B as a NTP source ASA
Thank you for evaluating useful messages!
-
VPN from Site to Site ASA setting not
Hi all...
I have two firewalls ASA 5505, headquarters of one and the other in a warehouse at a distance. I want to create an IPsec tunnel so that our warehouse distance can use some applications that have a component of database hosted at Headquarters.
I think I created links correctly (in reverse the settings on the two ASAs and crippled the IP addresses were required, quadruple checked the IKE keys, etc.) but my tunnel does not put in place.
At this point, I think what Miss me is probably obvious and manifest right at me. Anyone would be able to help? I can provide show run on devices and other log files, as requested.
Concerning
Rob
Hello
Try changing your peer IP card crypto HQ. It's different on what is configured on the ASA remote outside intellectual property.
-
Site to Site with ASA and FortiGate
I have setup a VPN site-to site between my ASA and FortiGate customers. The tunnel rises with success, but we can not pass traffic. When I do a packet capture on my ASA, I see traffic on the port of entry as usual, but on the output port, the source address gets NAT had I checked all statements of NAT, and there is a statement NAT exempted from the entry port to the port of exit and in the VPN configuration.
Then your oder of NAT statements in probably wrong. The dynamic NAT for outgoing traffic must be at the end (I put them always in article 3), while the Exemption must be at the beginning of Section 1.
-
Cisco ASA and dynamic VPN L2L Fortigate configuration
I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.
I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.
However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, dropYes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be
then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.
You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.
Assuming that you have configured the dynamic map and assign to the card encryption.
Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:
Hope that helps.
-
AnyConnect and SSL - VPN without client
Are there problems in running Cisco AnyConnect and SSL - VPN without client side by side?
I am currently looking into adding features for an ASA AnyConnect who currently set up to operate without SSL - VPN client. The system without client is not removed. I don't know how to set it up, I wonder if someone has already set up this or if there is no problem with this Setup?
Hi Daniel
It's a little complicated if you want a granular authentication and authorization, but it works.
I'm running an ASA with IPSec, SSL Client and clientless SSL.
Each of these virtual private networks with user/one-time-password name and certificate based authentic.
The main challenge is to put in place its own structure of profile cards, connection profiles, group policies and dynamic access policies.
Feel free to ask questions...
Stephan
-
I'm having trouble finding information on SSL VPN for ASR1K, when we bought the boxes told us that SSL VPN was on the roadmap of the software, but that was back in 2010 and now I can not find anything nor can I get the right information.
Does anyone have a recommendation on what to do or who to ask?
PLS, contact your Cisco account manager as he or she would be able to provide additional information.
There is normally a long list of features to add to the product, and SSL VPN is one of them who was asked to appear on the ASR. However, depending on the needs, it might be on the top of the list of the road map, or to the bottom of the list. Your Cisco AM should be able to get information from the product team.
-
Problem with IPsec VPN between ASA and router Cisco - ping is not response
Hello
I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
my network topology data:
LAN 1 connect ASA - 1 (inside the LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA - 1 Connect (LAN outide) R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 R2 to connect
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
R2 for lan connection 2
--------------------------------------------------------------------
R2 to connect LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1------------------------------------------------------------
access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outsideR2 configuration:
interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime-----------------------------------------------------
router RIP
version 2
Network 10.0.2.0
network 172.30.2.0------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPNI don't know what the problem
Thank you
If the RIP is not absolutely necessary for you, try adding the default route to R2:
IP route 0.0.0.0 0.0.0.0 172.16.2.1
If you want to use RIP much, add permissions ACL 102:
access-list 102 permit udp any any eq 520
Maybe you are looking for
-
disable the confimation of fax in Officejet Pro 8600 Premiun
Hello I can't find any place to enable printing of the confirmation by fax to the wide page. There was a suggestion to go to Fax reports, but I don't have a Fax reports page. Fax just history, and there is no option for the confirmation of the turn o
-
Can't send or respond to an e-mail using Outlook Express.
I am able to receive emails on my desk but I can't send or answer. I use outlook express. original title: Angela
-
interface web cisco ip phone from the computer LAN
Hello On the uc540 the DATA VLAN is en 192.168.10.0 as the VLAN DATA it is en en 10.1.1.0, I want to access them from the local network the computer the my client who is en 192.168.0.0 to web interfaces of the cisco ip phone so by going to http://10.
-
Hello, now I have an individual membership Adobe Creative Cloud. I would change to a membership of the teams.Now, the products/apps are Danish - I want that all the products/apps to be English versions. If anyone can help. Thank you :-)
-
Is this a bug in XMLTYPE or it's something that I don't understand?
I wanted to extract a subset of a standard XHTML file. I thought that I could just put aXMLTYPE and then extract what I wanted with the appropriate xpath. My test scenariois below. It creates two XMLTYPE objects with the only difference is that on