VPN site to site of simple laboratory works no - pix to pix

Hi all I have a lab at home configuring vpn site to site between 2 cisco pix 501 devices, but it does not work. Can anyone help, I have attached the followign run configs. Thank you

PIX Version 6.2 (1)

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of NuLKvvWGg.x9HEKO

2KFQnbNIdI.2KYOU encrypted passwd

hostname CiscoPix2

domain ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

access-list ping_acl allow icmp a whole

access-list 90 allow ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

Outside 1500 MTU

Within 1500 MTU

IP 10.0.0.2 255.255.255.0 outside

IP address 192.168.1.100 within 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

NAT (inside) - 0-90 access list

Access-group ping_acl in interface outside

ping_acl access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 0.0.0.0 0.0.0.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

No sysopt route dnat

Crypto ipsec transform-set strong esp-3des esp-sha-hmac

20 topix1 of ipsec-isakmp crypto map

correspondence address 20 card crypto topix1 100

crypto topix1 20 card set peer 10.0.0.1

20 strong crypto topix1 transform-set card game

topix1 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 10.0.0.1 netmask 255.255.255.255

part of pre authentication ISAKMP policy 8

encryption of ISAKMP strategy 8

ISAKMP strategy 8 sha hash

8 1 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

Telnet timeout 5

SSH timeout 5

Terminal width 80

Cryptochecksum:81f37c16401555abe7299b5a95e69d3d

: end

//////////////////////////////////////////////////////////////

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of NuLKvvWGg.x9HEKO

NuLKvvWGg.x9HEKO encrypted passwd

pixfirewall hostname

domain ciscopix.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list ping_acl allow icmp a whole

access-list 90 allow ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP 10.0.0.1 255.255.255.0 outside

IP address inside 192.168.0.100 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

history of PDM activate

ARP timeout 14400

NAT (inside) - 0-90 access list

Access-group ping_acl in interface outside

ping_acl access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 0.0.0.0 0.0.0.0 outdoors

http 0.0.0.0 0.0.0.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set strong esp-3des esp-sha-hmac

20 topix2 of ipsec-isakmp crypto map

correspondence address 20 card crypto topix2 100

crypto topix2 20 card set peer 10.0.0.2

20 strong crypto topix2 transform-set card game

topix2 interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 10.0.0.2 netmask 255.255.255.255

part of pre authentication ISAKMP policy 8

encryption of ISAKMP strategy 8

ISAKMP strategy 8 sha hash

8 1 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

Cryptochecksum:4558d14bca52c36021eeab79729ee63b

: end

The first problem I see is that the access list that is used to identify the VPN traffic allows traffic from your home subnet for the external subnet of the peer but not inside the subnet of the peer.

HTH

Rick

Tags: Cisco Security

Similar Questions

VPN site to Site btw Pix535 and 2811 router, can't get to work

Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

#1: config PIX:

: Saved

: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

!

8.0 (4) version PIX

!

hostname pix535

!

interface GigabitEthernet0

Description to cable-modem

nameif outside

security-level 0

address IP X.X.138.132 255.255.255.0

OSPF cost 10

!

interface GigabitEthernet1

Description inside 10/16

nameif inside

security-level 100

IP 10.1.1.254 255.255.0.0

OSPF cost 10

!

outside_access_in of access allowed any ip an extended list

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

pager lines 24

cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

Global interface 10 (external)

15 1.2.4.5 (outside) global

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 15 10.1.0.0 255.255.0.0

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map 1 match address outside_1_cryptomap

outside_map game 1 card crypto peer X.X.21.29

card crypto outside_map 1 set of transformation-ESP-DES-SHA

outside_map map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map 1 set security-association life kilobytes 4608000

outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP crypto identity hostname

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 1

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

internal GroupPolicy1 group strategy

cnf-vpn-cls group policy internal

attributes of cnf-vpn-cls-group policy

value of 10.1.1.7 WINS server

value of 10.1.1.7 DNS server 10.1.1.205

Protocol-tunnel-VPN IPSec l2tp ipsec

field default value x.com

sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key secret1

RADIUS-sdi-xauth

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

tunnel-group cnf-vpn-cls type remote access

tunnel-group global cnf-vpn-cls-attributes

cnf-8-ip address pool

Group Policy - by default-cnf-vpn-cls

tunnel-group cnf-CC-vpn-ipsec-attributes

pre-shared-key secret2

ISAKMP ikev1-user authentication no

tunnel-group cnf-vpn-cls ppp-attributes

ms-chap-v2 authentication

tunnel-group X.X.21.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.21.29

Pre-shared key SECRET

!

class-map inspection_default

match default-inspection-traffic

!

!

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

: end

#2: 2811 router config:

!

! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname THE-2800

!

!

Crypto pki trustpoint TP-self-signed-1411740556

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1411740556

revocation checking no

rsakeypair TP-self-signed-1411740556

!

!

TP-self-signed-1411740556 crypto pki certificate chain

certificate self-signed 01

308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

quit smoking

!

!

!

crypto ISAKMP policy 1

preshared authentication

ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

!

!

Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

!

map 1 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

the transform-set the-2800-trans-set value

match address 101

!

!

!

!

!

!

interface FastEthernet0/0

Description WAN side

address IP X.X.216.29 255.255.255.248

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

No cdp enable

No mop enabled

card crypto 2800-ipsec-policy

!

interface FastEthernet0/1

Description side LAN

IP 10.20.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly

full duplex

automatic speed

No mop enabled

!

IP nat inside source map route sheep interface FastEthernet0/0 overload

access-list 10 permit X.X.138.132

access-list 99 allow 64.236.96.53

access-list 99 allow 98.82.1.202

access list 101 remark vpn tunnerl acl

Note access-list 101 category SDM_ACL = 4

policy of access list 101 remark tunnel

access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 110 permit ip 10.20.0.0 0.0.0.255 any

public RO SNMP-server community

!

!

!

sheep allowed 10 route map

corresponds to the IP 110

!

!

!

!

WebVPN gateway gateway_1

IP address X.X.216.29 port 443

SSL trustpoint TP-self-signed-1411740556

development

!

WebVPN install svc flash:/webvpn/svc.pkg

!

WebVPN gateway-1 context

title 'b '.

secondary-color white

color of the title #CCCC66

text-color black

SSL authentication check all

!

!

policy_1 political group

functions compatible svc

SVC-pool of addresses "WebVPN-Pool."

SVC Dungeon-client-installed

SVC split include 10.20.0.0 255.255.0.0

Group Policy - by default-policy_1

Gateway gateway_1

development

!

!

end

#3: test Pix to the router:

ITS enabled: 1

Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

Total SA IKE: 1

1 peer IKE: X.X.21.29

Type: user role: initiator

Generate a new key: no State: MM_WAIT_MSG2

> DEBUG:

12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
!
22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry

#4: test the router to pix:

LA - 2800 #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association

status of DST CBC State conn-id slot

X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0

> debug

LA - 2800 #ping 10.1.1.7 source 10.20.1.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:

Packet sent with a source address of 10.20.1.1

Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)

22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500

22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013

22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator

22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500

22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE

22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA

22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.

22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t

Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID

Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t

22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange

Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE

22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132

22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found

22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...

22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption

22 Oct 16:24:34.053: ISAKMP: SHA hash

22 Oct 16:24:34.053: ISAKMP: default group 1

22 Oct 16:24:34.053: ISAKMP: pre-shared key auth

22 Oct 16:24:34.053: ISAKMP: type of life in seconds

22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
. Next payload is 0
22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0

22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4

22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400

22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400

22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2

Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment

Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP

22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.

22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132

22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0

Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0

22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55

Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH

Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment

Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
!
Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment

22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: receives the payload type 20

22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4

22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact

22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID

next payload: 8

type: 1

address: X.X.216.29

Protocol: 17

Port: 500

Length: 12

22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12

Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5

...

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740

22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002

22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...

Success rate is 0% (0/5)

# THE-2800

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1

Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.

22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)

22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60

22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1

Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.

Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)

22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132

22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE

....

22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
. (local 1 X. X.216.29, remote X.X.138.132)
22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA

22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1

Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1

Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH

Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH

22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.

Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...

22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.

......

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

All suggestions and tips are greatly appreciated.

Sean

Recommended action:

On the PIX:

no card crypto outside_map 1

!

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

card crypto outside_map 10 correspondence address outside_1_cryptomap

crypto outside_map 10 peer X.X.216.29 card game

outside_map crypto 10 card value transform-set ESP-3DES-SHA

life safety association set card crypto outside_map 10 28800 seconds

card crypto outside_map 10 set security-association life kilobytes 4608000

!

tunnel-group X.X.216.29 type ipsec-l2l

IPSec-attributes tunnel-Group X.X.216.29

Pre-shared key SECRET

!

On the router:

crypto ISAKMP policy 10

preshared authentication

Group 2

3des encryption

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

output

!

card 10 la-2800-ipsec policy ipsec-isakmp crypto

ipsec vpn Description policy

defined by peer X.X.138.132

game of transformation-ESP-3DES-SHA

match address 101

!

No crypto card-2800-ipsec-policy 1

Let me know how it goes.

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

Have a vpn site to site of work, added second who has problems

We've had a success vpn site to site working for several months now. It's a 5510 ASA to Headquarters for an ASA 5505 in a branch in another State. We add a second vpn site to site in another State this time of the AC to a Sonicwall TZ100. After connecting the Sonicwall to the Qwest modem in bridge mode tunnel came right up. I was unable to ping all off the coast of the private IPs to the HQ of the new branch, but was able to use the remote desktop in servers and workstations at Headquarters. Also, all computers appear when you browse the network of the new branch.

The first part, we are able to ping both directions and use remote desktop in both directions.

When using tracers of package in ASDM on the ASA HQ and rattling one of the IPs in HQ protected network to an IP address in the new network of agencies EXEMPT from NAT looks good, but when it hits the first NAT it fits on the "dynamic translation to the pool (10.1.255.254) 10 [Interface PAT]" (which is the default route to all VLAN access to Internet).

Next NAT (subtype - host-limits) is more beautiful and this one goes to the IP address of the external interface of the ASA 5510 HQ, but then the third NAT (subtype - rpf-check) returns to the ' 10 (10.1.255.254) Interface PAT] "and the package is ABANDONED. Also there is no step VPN in Packet Tracer after NAT.

So obviously the HQ ASA 5510 does not consider this to be interesting traffic but I don't know why.

Here is the output of sh crypto ipsec his ffrom HQ ASA:

Interface: outside
Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

access-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr, mask, prot, port): (10.1.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.14.72

#pkts program: 229450, #pkts encrypt: 229450, #pkts digest: 229450
#pkts decaps: 172516, #pkts decrypt: 172516, #pkts check: 172516
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 229450, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 91860025

SAS of the esp on arrival:
SPI: 0x88957B9C (2291497884)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 59068
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0 x 91860025 (2441478181)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 59068
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr, mask, prot, port): (10.1.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.x.x

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: A204BAE2

SAS of the esp on arrival:
SPI: 0xDA8C653A (3666634042)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 84670
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0xA204BAE2 (2718218978)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 84621
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Here is the output of sh crypto isakmp his on HQ ASA:

3 peer IKE: 65.102.x.x

Type: L2L role: answering machine

Generate a new key: no State: MM_ACTIVE

Here is the config:

ASA Version 8.0 (4)
!
hostname COMPASA
domain COMPfirm.com
activate the encrypted password of TMACBloMlcBsq1kp
TMACBloMlcBsq1kp encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP 209.X.X.X 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
10.2.2.1 IP address 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa804 - k8.bin
passive FTP mode
clock timezone MDT - 7
clock to summer time recurring MDT
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 4.2.2.1
domain COMPfirm.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
list of allowed inbound tcp extended access any host 209.X.X.X eq www
list of allowed inbound tcp extended access any host 209.X.X.X eq https
list of allowed inbound tcp extended access any host 209.X.X.X eq ftp
list of allowed inbound tcp extended access any host 209.X.X.X eq ftp - data
list of allowed inbound tcp extended access any host 209.X.X.X eq ssh
list of allowed inbound tcp extended access any host 209.X.X.X eq imap4
list of allowed inbound tcp extended access any host 209.X.X.X eq pop3
list of allowed inbound tcp extended access any host 209.X.X.X eq www
list of allowed inbound tcp extended access any host 209.X.X.X eq https
list of allowed inbound tcp extended access any host 209.X.X.X eq smtp
list of extended inbound icmp permitted access a whole
access list entering note MMS-1755
list incoming extended access permit tcp any eq 1755 host inactive 209.X.X.X
inbound access list notice MMS - UDP
list of inbound udp allowed extended access all eq 1755 host inactive 209.X.X.X
DMZ list extended access permit tcp host 10.2.2.2 10.1.1.11 host eq smtp
DMZ list extended access permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
access-list extended sheep allowed ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.0.0.0 255.255.255.0
access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access extensive list ip 10.1.0.0 vpnsplit allow 255.255.0.0 172.16.22.0 255.255.255.0
access extensive list ip 10.1.10.0 encrypt_acl allow 255.255.255.0 10.0.0.0 255.255.255.0
permit encrypt_acl to access extended list ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
global_mpc list extended access permitted tcp a whole
access-list encrypt_acl-30 scope ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
access-list encrypt_acl-30 permit extended ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
management of MTU 1500
IP local pool vpnpool 172.16.22.1 - 172.16.22.254 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ASDM image disk0: / asdm - 61551.bin
don't allow no asdm history
ARP timeout 14400
Global (outside) 10 209.X.X.X netmask 255.255.255.0
Global interface (10 Interior)
Global interface (dmz) 10
NAT (inside) 0 access-list sheep
NAT (inside) 10 0.0.0.0 0.0.0.0
NAT (dmz) 10 0.0.0.0 0.0.0.0
static (dmz, external) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
static (inside, outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
static (dmz, inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside, dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
Access-group interface incoming outside
Access-group in interface dmz dmz
Route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
Route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Ray of AAA-server vpn Protocol
AAA-server vpn (inside) host 10.1.1.12
key--> ZZZZZZ
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
local AAA authentication attempts 16 max in case of failure
Enable http server
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
No snmp server location
No snmp Server contact
Sysopt noproxyarp inside
Sysopt noproxyarp dmz
Sysopt noproxyarp management
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac HQset
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 10 the transform-set ESP-3DES-MD5 value
life together - the association of security crypto dynamic-map outside_dyn_map 10 28800 seconds
Crypto-map dynamic outside_dyn_map 10 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic outside_dyn_map 10 the value reverse-road
card crypto outside_map 20 match address encrypt_acl
card crypto outside_map 20 game peers 67.42.X.X
outside_map 20 game of transformation-HQset crypto card
life safety association set card crypto outside_map 20 28800 seconds
card crypto outside_map 20 set security-association life kilobytes 4608000
card crypto 30 match address encrypt_acl-30 outside_map
crypto outside_map 30 peer 65.102.X.X card game
crypto outside_map 30 card value transform-set HQset
86400 seconds, duration of life card crypto outside_map 30 set - the security association
card crypto outside_map 30 set security-association life kilobytes 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Crypto isakmp nat-traversal 50
Telnet 10.1.0.0 255.255.0.0 inside
Telnet timeout 15
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 10.1.0.0 255.255.0.0 inside
SSH timeout 30
Console timeout 0
management-access inside
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
threat scan-threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
Server NTP 192.43.244.18
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal Clients_VPN group strategy
Group Policy Clients_VPN attributes
value of server WINS 10.1.1.12
value of server DNS 10.1.1.12
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpnsplit
value by default-field COMPfirm.local
Split-dns value COMPfirm.local
the address value vpnpool pools
internal clientgroup group policy
attributes of the strategy of group clientgroup
value of server WINS 10.1.1.12
value of server DNS 10.1.1.12
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelall
WebVPN
SVC Dungeon-Installer installed
time to generate a new key of SVC 30
SVC generate a new method ssl key
SVC request no svc default
ssluser1 encrypted password username
username bcurtis encrypted password privilege 0 v
username privilege 15 WPDR encrypted password
username admin privilege 15 encrypted password
username privilege password encrypted XXXXXXX 0
tunnel-group M & J type remote access
tunnel-group M & J - global attributes
address vpnpool pool
Vpn server authentication group
strategy - by default-group Clients_VPN
tunnel-group M & J ipsec-attributes
pre-shared-key *.
type tunnel-group sslgroup remote access
tunnel-group sslgroup General-attributes
address vpnpool pool
Vpn server authentication group
Group Policy - by default-clientgroup
tunnel-group sslgroup webvpn-attributes
activation of the Group sslgroup_users alias
tunnel-group 67.42.X.X type ipsec-l2l
IPSec-attributes tunnel-group 67.42.X.X
pre-shared-key *.
tunnel-group 65.102.X.X type ipsec-l2l
IPSec-attributes tunnel-group 65.102.X.X
pre-shared-key *.
!
Global class-card class
corresponds to the global_mpc access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 768
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Global category
IPS inline sensor vs0 relief
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
: end

Is the problem may be due to the fact that my 2 new ACL to fall "encrypt_acl-30" after "access-list extended global_mpc permit tcp any any" in the config and it flows into the implied all refuse?

Thanks for looking at this.

Rather than replace the static route, you can simply add a new static route to 10.1.8.0/24 as follows:

outdoor 10.1.8.0 255.255.255.0 209.X.X.X 1

Because it is more precise it will take precedence over your most generic static route from 10.1.0.0/16 inward.

Good spot btw!

VPN site to Site, as a part of the work of the ACL, why?

I built a VPN site-to site IPsec from A to B, I have about 10 different subnets in the traffice interesting ACL, now, I can get some subnets don't talk to each other, no problem, but some may not. For example, A to site B 10.1.0.1 subnet was not working, but 10.100.0.1 has functioned and 10.1.0.1 and 10.100.0.1 is actually two interfaces VLAN on a same router.

Debugging of the ICMP has shown, when A ping to 10.1 and 10.100, the firewall at site B receives pings of echo from site A and also the echo of ping time reply 10.1 recevived and 10,100, but only the firewall received echo response from the 10,100. looked like Firewall VPN B has no echo response 10.1 the site in some way

Config enabled on both sites several times, is unable to identify the problems and the incompatibility. 10.1.0.0/24 and 10.100.0.0/24 are two network objects in the same ACL.

The Super Cisco can provide some advice, what could go wrong, what I could use to troubleshoot...

Thank you very much.

PS everthing worked perfectly for a few days, then I had the problem of loss of package on the Web link, now the VPN tunnel is up, no config has been changed, but some just subnets not achieved through the VPN.

W.

Hello Yue,

WOW, that's weard.

Good thing is that now everything works now and believe me, it won't happen to you once again, you and I will know what to do next time... lol

If possible please brand of answering the question as to future users with the same problem will know what to do based on your experience.

Kind regards

Julio

Cisco ASA 5505 VPN Site to Site

Hi all

First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

I'd appreciate any help that can be directed to this problem please. Slowly losing my mind

Please see details below:

Two ADMS are 7.1

IOS

ASA 1

Nadia

:

ASA Version 9.0 (1)

!

hostname PAYBACK

activate the encrypted password of HSMurh79NVmatjY0

volatile xlate deny tcp any4 any4

volatile xlate deny tcp any4 any6

volatile xlate deny tcp any6 any4

volatile xlate deny tcp any6 any6

volatile xlate deny udp any4 any4 eq field

volatile xlate deny udp any4 any6 eq field

volatile xlate deny udp any6 any4 eq field

volatile xlate deny udp any6 any6 eq field

2KFQnbNIdI.2KYOU encrypted passwd

names of

local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

link Trunk Description of SW1

switchport trunk allowed vlan 1,10,20,30,40

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan2

nameif outside

security-level 0

IP 92.51.193.158 255.255.255.252

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan20

nameif servers

security-level 100

address 192.168.20.1 255.255.255.0

!

Vlan30 interface

nameif printers

security-level 100

192.168.30.1 IP address 255.255.255.0

!

interface Vlan40

nameif wireless

security-level 100

192.168.40.1 IP address 255.255.255.0

!

connection line banner welcome to the Payback loyalty systems

boot system Disk0: / asa901 - k8.bin

passive FTP mode

summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

domain-lookup DNS servers

DNS lookup domain printers

DNS domain-lookup wireless

DNS server-group DefaultDNS

Server name 83.147.160.2

Server name 83.147.160.130

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

ftp_server network object

network of the Internal_Report_Server object

Home 192.168.20.21

Description address internal automated report server

network of the Report_Server object

Home 89.234.126.9

Description of server automated reports

service object RDP

service destination tcp 3389 eq

Description RDP to the server

network of the Host_QA_Server object

Home 89.234.126.10

Description QA host external address

network of the Internal_Host_QA object

Home 192.168.20.22

host of computer virtual Description for QA

network of the Internal_QA_Web_Server object

Home 192.168.20.23

Description Web Server in the QA environment

network of the Web_Server_QA_VM object

Home 89.234.126.11

Server Web Description in the QA environment

service object SQL_Server

destination eq 1433 tcp service

network of the Demo_Server object

Home 89.234.126.12

Description server set up for the product demo

network of the Internal_Demo_Server object

Home 192.168.20.24

Internal description of the demo server IP address

network of the NETWORK_OBJ_192.168.20.0_24 object

subnet 192.168.20.0 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_26 object

255.255.255.192 subnet 192.168.50.0

network of the NETWORK_OBJ_192.168.0.0_16 object

Subnet 192.168.0.0 255.255.0.0

service object MSSQL

destination eq 1434 tcp service

MSSQL port description

VPN network object

192.168.50.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_24 object

192.168.50.0 subnet 255.255.255.0

service object TS

tcp destination eq 4400 service

service of the TS_Return object

tcp source eq 4400 service

network of the External_QA_3 object

Home 89.234.126.13

network of the Internal_QA_3 object

Home 192.168.20.25

network of the Dev_WebServer object

Home 192.168.20.27

network of the External_Dev_Web object

Home 89.234.126.14

network of the CIX_Subnet object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_84.39.233.50 object

Home 84.39.233.50

network of the NETWORK_OBJ_92.51.193.158 object

Home 92.51.193.158

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

the tcp destination eq ftp service object

the purpose of the tcp destination eq netbios-ssn service

the purpose of the tcp destination eq smtp service

service-object TS

the Payback_Internal object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

object-group service DM_INLINE_SERVICE_3

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

service-object TS

service-object, object TS_Return

object-group service DM_INLINE_SERVICE_4

service-object RDP

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

object-group service DM_INLINE_SERVICE_5

purpose purpose of the MSSQL service

service-object RDP

service-object TS

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service DM_INLINE_SERVICE_6

service-object TS

service-object, object TS_Return

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

Note to outside_access_in to access list that this rule allows Internet the interal server.

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-list of FTP access

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list of SMTP access

Note to outside_access_in to access list Net Bios

Comment from outside_access_in-SQL access list

Comment from outside_access_in-list to access TS - 4400

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

access host access-list outside_access_in note rule internal QA

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

Notice on the outside_access_in of the access-list access to the internal Web server:

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

Note to outside_access_in to access list rule allowing access to the demo server

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list to access MSSQL

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

Note to outside_access_in access to the development Web server access list

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

Enable logging

information recording console

asdm of logging of information

address record

[email protected] / * /.

the journaling recipient

[email protected] / * /.

level alerts

Outside 1500 MTU

Within 1500 MTU

MTU 1500 servers

MTU 1500 printers

MTU 1500 wireless

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-711 - 52.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (wireless, outdoors) source Dynamics one interface

NAT (servers, outside) no matter what source dynamic interface

NAT (servers, external) static source Internal_Report_Server Report_Server

NAT (servers, external) static source Internal_Host_QA Host_QA_Server

NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

NAT (servers, external) static source Internal_Demo_Server Demo_Server

NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

NAT (servers, external) static source Internal_QA_3 External_QA_3

NAT (servers, external) static source Dev_WebServer External_Dev_Web

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0

dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

ASA 2

ASA Version 9.0 (1)

!

Payback-CIX hostname

activate the encrypted password of HSMurh79NVmatjY0

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

Description this port connects to the local network VIRTUAL 100

switchport access vlan 100

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 100

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan2

nameif outside

security-level 0

IP 84.39.233.50 255.255.255.240

!

interface Vlan100

nameif inside

security-level 100

IP 192.168.100.1 address 255.255.255.0

!

banner welcome to Payback loyalty - CIX connection line

passive FTP mode

summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

DNS server-group defaultDNS

Name-Server 8.8.8.8

Server name 8.8.4.4

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the host-CIX-1 object

host 192.168.100.2

Description This is the VM server host machine

network object host-External_CIX-1

Home 84.39.233.51

Description This is the external IP address of the server the server VM host

service object RDP

source between 1-65535 destination eq 3389 tcp service

network of the Payback_Office object

Home 92.51.193.158

service object MSQL

destination eq 1433 tcp service

network of the Development_OLTP object

Home 192.168.100.10

Description for Eiresoft VM

network of the External_Development_OLTP object

Home 84.39.233.52

Description This is the external IP address for the virtual machine for Eiresoft

network of the Eiresoft object

Home 146.66.160.70

Contractor s/n description

network of the External_TMC_Web object

Home 84.39.233.53

Description Public address to the TMC Web server

network of the TMC_Webserver object

Home 192.168.100.19

Internal description address TMC Webserver

network of the External_TMC_OLTP object

Home 84.39.233.54

External targets OLTP IP description

network of the TMC_OLTP object

Home 192.168.100.18

description of the interal target IP address

network of the External_OLTP_Failover object

Home 84.39.233.55

IP failover of the OLTP Public description

network of the OLTP_Failover object

Home 192.168.100.60

Server failover OLTP description

network of the servers object

subnet 192.168.20.0 255.255.255.0

being Wired network

192.168.10.0 subnet 255.255.255.0

the subject wireless network

192.168.40.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the Eiresoft_2nd object

Home 137.117.217.29

Description 2nd Eiresoft IP

network of the Dev_Test_Webserver object

Home 192.168.100.12

Description address internal to the Test Server Web Dev

network of the External_Dev_Test_Webserver object

Home 84.39.233.56

Description This is the PB Dev Test Webserver

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_2

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_3

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_4

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_5

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_6

service-object MSQL

service-object RDP

the Payback_Intrernal object-group network

object-network servers

Wired network-object

wireless network object

object-group service DM_INLINE_SERVICE_7

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_8

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_9

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_10

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_11

service-object RDP

the tcp destination eq ftp service object

outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

Note to access list OLTP Development Office of recovery outside_access_in

outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

Comment from outside_access_in-access Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

Note to outside_access_in access to OLTP for target recovery Office Access list

outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

Note to outside_access_in access from the 2nd IP Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

NAT (inside, outside) static source Development_OLTP External_Development_OLTP

NAT (inside, outside) static source TMC_Webserver External_TMC_Web

NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

Enable http server

http 92.51.193.156 255.255.255.252 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0

dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end

Hello

There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

Here are a few suggestions on what to change

ASA1

Minimal changes

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

being REMOTE-LAN network

255.255.255.0 subnet 192.168.100.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

Other suggestions

These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

PAT-SOURCE network object-group

source networks internal PAT Description

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

no nat (wireless, outdoors) source Dynamics one interface

no nat (servers, outside) no matter what source dynamic interface

The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

network of the SERVERS object

subnet 192.168.20.0 255.255.255.0

network of the VPN-POOL object

192.168.50.0 subnet 255.255.255.0

NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

ASA2

Minimal changes

the object of the LAN network

255.255.255.0 subnet 192.168.100.0

being REMOTE-LAN network

192.168.10.0 subnet 255.255.255.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM.

Other suggestions

PAT-SOURCE network object-group

object-network 192.168.100.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

Hope this makes any sense and has helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Static NAT enable VPN site-to-site.

Hello

We plan to build VPN site to site, but, we have a single public routerable internet IP address to assign VPN on Site A, but Site B is ok.

in this case, I think that we must use static NAT on the router, the simple diagram is as below.

internal a subnet - router VPN - router for Internet of the Site - to - VPN - B B Site internal subnet.

the final goal is to make the communication between internal a subnet and subnet B on IPSEC tunnel.

OK, as I said, Site A having a public IP address, then it must use the static NAT and need to apply on the Site router.

Router

interface x/x

Head of ESCR to the internet

NAT outside IP

!

interface x/x

Head of DESC to internal (VPN)

IP nat inside

!

IP nat inside source static (like IP address x.x.x.x) public (as private VPN interface IP x.x.x.x)

so, wouldn't be work without any problem? I think it will work, but I would find other one just in case.

Hey,.

Is that what you try to achieve:

subnet A - A = vpn router = router B - Sub-B network

and you need communicate between Subnet A and subnet via ipsec vpn b?

Concerning

Make the remote web server accessible via VPN Site to website

We have two test sites that are connected by a tunnel IPSEC VPN site-to-site (hosted on a SAA each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Two web servers are running on the Site of Test 1. We don't have the same public IP available at each site.

To address the public site 1 unique IP address restriction, we try to install ACL and NAT rules to have 2 Site accept traffic from the internet and send it on the site to the other tunnel. So 1 Web server would accept the ASA 1 internet traffic and Web Server 2 accept traffic from ASA 2 to the other site. Here's a network diagram:

We have difficulties to get this configuration works correctly. Please note that the network 192.168.3.0/24 clients are able to access the servers Web1 and Web2. This question seems to be due to our NAT configuration. This is the type of error, we see on the two firewalls:

Asymmetrical NAT rules matched for flows forward and backward; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 refused due to path failure reverse that of NAT

Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230

Any help would be appreciated.

Hello

What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have done no such features in a real-life network environment and have always used additional public IP addresses on the local site when a server is hosted.

If you want to continue to move forward with this so here's a few points to consider and the configurations that you need.

First off it seems to me that the other server will be organized by the local Site 1 so a simple static PAT (Port Forward) must manage the Site 1.

network of the WEB-HTTP object

host 192.168.1.10

NAT (inside, outside) interface static tcp 443 443 service

And if you need TCP/80 also then you will need

network of the HTTPS WEB object

host 192.168.1.10

NAT (inside, outside) interface static service tcp 80 80

Now, 2 Site will naturally a little different that the server is hosted on the Site 1 and Site 2 is the public IP address used to publish the server on the external network.

Essentially, you will need to configure NAT that both makes dynamic PAT for the addresses of the source of the connection to your server Web 2, but also makes the static PAT (Port Forward) for the IP address of the Web Server 2. Additionally, you have to set the area of encryption on the Site 1 and Site 2 to match this new addition to the L2L VPN connection.

Unless of course you use an existing IP address on the field of encryption in the dynamic translation of PAT for the source address. In this case, it would take no change VPN L2L. I'll use that in the example below.

The NAT configuration might look like this

service object WWW

destination eq 80 tcp service

service object HTTPS

destination eq 443 tcp service

the object SOURCE-PAT-IP network

host 192.168.3.254

network of the WEB-SERVER-2-SITE1 object

host 192.168.1.11

NAT (outside, outside) 1 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service WWW WWW

NAT (outdoors, outdoor), 2 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service HTTPS HTTPS

So, essentially, NAT configurations above should ake 'all' traffic coming from behind 'outside' interface intended to "outside" "interface" IP address and translate the source to ' SOURCE-PAT-IP ' address and untranslate destination to "WEB-SERVER-2-SITE1".

Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If she is then replace it with something that is not currently used in the network. Otherwise, configure an IP address of some other subnet and include in the L2L VPN configurations on both sites.

Unless you already have it, you also have this configuration command to activate the traffic to make a U-turn/pin on the ' outside ' of the Site 2 ASA interface

permit same-security-traffic intra-interface

Hope this helps

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary.

-Jouni

Breeze remote VPN VPN site-to-site

Excuse me, but I am a novice with this and in over my head.

I'm trying to add features to remote VPN to a small office ASA5505 that works well for external access to the ' net and has a tunnel from site to site in an office in another city.

After the various guides, I have added (or tried to add) the necessary configuration, but when I try to add cryptographic declarations for the remote vpn, VPN site-to-site goes down. The internal network is on 10.1.10.0/24 and remote users must be on the 192.168.30.0/24 subnet

I would appreciate anyone pointing out some stupid mistake that I made. Here is the configuration of private information and outside addresses "cleaned."

Thanks in advance for your suggestions!

======================================================

ASA Version 8.2 (5)

!

asa-hhh hostname

xyz.com domain name

activate 1ltRLCMh8jwpmLdb encrypted password

1ltRLCMh8jwpmLdb encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 10.1.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address xxx.xxx.xxx.241 255.255.255.248

!

passive FTP mode

clock timezone CST - 6

clock to summer time recurring CDT

DNS server-group DefaultDNS

domain peissel.com

outside_in list extended access permit icmp any any echo response

outside_in list extended access deny ip any any newspaper

list of access VPN AUS ip 10.1.10.0 scopes allow 255.255.255.0 192.168.1.0 255.255.255.0

access-list SHEEP extended ip 10.1.10.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

access extensive list ip 10.1.10.0 splittunnel allow 255.255.255.0 192.168.30.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool vpnpool 192.168.30.1 - 192.168.30.254

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 643.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0 access-list SHEEP

NAT (inside) 1 10.1.10.0 255.255.255.0

NAT (inside) 1 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.246 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 10.1.10.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-3des esp-sha-hmac espSHA3DESproto

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

crypto IPSEC 10 card matches the address VPN-AUS

card crypto IPSEC 10 set peer yy.yy.yy.33

card crypto IPSEC transform-set espSHA3DESproto value 10

card crypto IPSEC outside interface

Crypto ca trustpoint localtrust

registration auto

domain name full abc.xyz.com

sslvpnkey key pair

Configure CRL

Crypto ca certificate chain localtrust

certificate 68b4ea4e

b4fe602b 58b8deaf df648bf3 512a5be1 3fd1e2df 3ae2dc41 2602cd 67 0500bb88 e1

quit smoking

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 20

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet timeout 5

SSH 10.1.10.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 5

Console timeout 0

dhcpd address 10.1.10.10 - 10.1.10.40 inside

interface dns 8.8.8.8 dhcpd inside

rental contract interface 86400 dhcpd inside

dhcpd peissel.com area inside interface

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 192.5.41.41 source outdoors

NTP server 192.5.41.40 source outdoors

localtrust point of trust SSL outdoors

WebVPN

allow outside

enable SVC

internal remotevpn group policy

attributes of the strategy of group remotevpn

VPN-idle-timeout 30

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list splittunnel

myname 8NYVxDRPHUNYpspD encrypted privilege 15 password username

user myname attributes name

type of service admin

username the user password encrypted remote /yoq2HhsDPlgKIdN

tunnel-group yy.yy.yy.33 type ipsec-l2l

yy.yy.yy.33 group of tunnel ipsec-attributes

pre-shared key *.

ISAKMP retry threshold 30 keepalive 5

type tunnel-group remotevpn remote access

tunnel-group remotevpn General-attributes

address vpnpool pool

Group Policy - by default-remotevpn

remotevpn group of tunnel ipsec-attributes

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:465a4a58a8ad00e66259d93e645b3ed1

: end

Hello

Try these configuration changes

Create an ACL from Tunnel simpler Split (standard type that indicates which networks of tunnel)

standard access list permits 10.1.10.0 SPLIT-TUNNEL 255.255.255.0

Modify the ACL of Split Tunnel in use

attributes of the strategy of group remotevpn

No split-tunnel-network-list splittunnel value

Split-tunnel-network-list value of SPLIT TUNNEL

Remove the old ACL of the ASA

No splittunnel Access 10.1.10.0 ip range list allow 255.255.255.0 192.168.30.0 255.255.255.0

Add NAT0 rule for the VPN Client to the LAN traffic that you were missing (only had one for VPN L2L)

access-list SHEEP extended ip 10.1.10.0 allow 255.255.255.0 192.168.30.0 255.255.255.0

May also add the following

fixup protocol icmp

It will add ICMP Inspection to the ASA. Accelerations passing messages ICMP Echo Reply through the ASA.

Hope this helps

Don't forget to check the answer as the answer if it answered your question. And/or useful response rates

-Jouni

VPN site to Site one-way traffic

Hi all

I set up a Vpn site-to site and everything works well in the remote site to the corporate site, but since the site of the company asa 5510, I can't access to the remote site asa 5505. I checked the logging on the SAA and I can see the packets being fallen but I can't find what I need to do to allow this traffic through. Here are most of my 5510 config, I'm sure it's something simple I'm missing, but I can't run it please help.

REMOTE network is 192.168.72.0

: Saved

: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

!

ASA Version 8.0 (5)

!

host name Casa

uk domain name

activate the encrypted password of VgZT0UwPdkSV9l7N

zlo5ImUVRkHl4lcl encrypted passwd

names of

name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance

name 192.168.3.12 description villages villages

DNS-guard

!

interface Ethernet0/0

nameif outside

security-level 0

IP address x.x.x.123 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

192.168.3.254 IP address 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

IP 192.168.103.254 255.255.255.0

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

boot system Disk0: / asa805 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone GMT/UTC 0

summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS server-group DefaultDNS

uk domain name

object-group network ExternalAccess

Description hosts allowed direct web access

network object-SVR-01 255.255.255.255

SVR GIS 255.255.255.255 network-object

host of network-object cient

host villages network-object

the ExternalAccessFromDMZ object-group network

Description hosts allowed direct web access to DMZ

CITRIX-device 255.255.255.255 network-object

network-object IRONPORT1 255.255.255.255

worker of the object-network 255.255.255.255

MitelUDPinternet udp service object-group

Description Mitel UDP services on the internet

20000-27000 object-port Beach

port-object eq sip

port-object eq 5064

MitelTCPinternet tcp service object-group

Description Mitel TCP services on the internet

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 3998

6801-6802 object-port Beach

port-object eq 6880

port-object eq www

EQ object of the https port

port-object eq 6800

EQ object Port 3478

port-object eq sip

EQ port ssh object

MitelTCPinternetOpt tcp service object-group

Description Mitel TCP optional services on the internet

port-object eq 3300

6806-6807 object-port Beach

36005 36005 object-port Beach

36005 36006 object-port Beach

EQ object Port 3478

port-object eq sip

MitelUDP2LAN udp service object-group

Description Mitel UDP for the local network of services

object-port range 1024-65535

port-object eq sip

MitelTCP2LAN tcp service object-group

Description Mitel TCP for the local network of services

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 1606

object-port 4443 eq

port-object eq 3998

port-object eq 3999

6801-6802 object-port Beach

port-object eq 6880

port-object eq www

EQ object of the https port

EQ object Port 3478

port-object eq sip

acl_outside list extended access permit icmp any any echo response

acl_outside list extended access allow all unreachable icmp

acl_outside list extended access permit icmp any any source-quench

acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp

acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https

acl_outside list extended access permit tcp any host x.x.x.123 eq ssh

acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088

acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https

acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081

acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp

acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https

acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group

acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group

acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group

acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp

acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp

acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp

inside_outbound_nat0_acl to access ip 192.168.1.0 scope list allow 255.255.255.0 172.30.100.0 inactive 255.255.255.224

inside_outbound_nat0_acl list of allowed ip extended access all 172.31.1.0 255.255.255.0

inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.103.0 255.255.255.0

inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything

acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH

acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host

acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268

acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field

acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field

acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH

access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any

acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive

acl_dmz list extended access permit ip any host CITRIXCSG-lan idle

acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp

acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN

acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN

dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all

access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0

dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access

access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything

access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all

access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

allow any scope to an entire ip access list

inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all

dmz_pnat1_outbound list of ip telecommuter host allowed extended access any

outside_1_cryptomap to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

logging e-mail notifications

uk address record

exploitation forest-address recipient [email protected] / * / critical level

Outside 1500 MTU

Within 1500 MTU

MTU 1500 dmz

management of MTU 1500

IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow no dmz echo

ICMP allow all dmz

ASDM image disk0: / asdm-625 - 53.bin

ASDM location SVR-01 255.255.255.255 inside

ASDM location svr-02 255.255.255.255 inside

ASDM location IRONPORT1 255.255.255.255 dmz

ASDM location 194.81.55.226 255.255.255.255 dmz

ASDM 255.255.255.255 inside server location

ASDM location CITRIX-device 255.255.255.255 dmz

ASDM group ExternalAccess inside

ASDM group dmz ExternalAccessFromDMZ

don't allow no asdm history

ARP timeout 14400

Global x.x.x.121 2 (outdoor)

Global 1 x.x.x.125 (outside)

Global Mail_Outside_AVON 3 (outside)

Global Mail_Outside_AGH 4 (outside)

Global teleworker_outside 5 (outside)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 2-list of access inside_pnat_outbound_AVON

NAT (inside) 3 access-list inside_nat_AVON_Marshall

NAT (inside) 1 access-list inside_pnat_outbound

NAT (dmz) 0-list of access dmz_nat0_inbound outside

NAT (dmz) 4 access-list dmz_pnat_outbound

NAT (dmz) 5 access-list dmz_pnat1_outbound

static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside

static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255

static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH

static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255

static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON

static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside

static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255

static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker

Access-group acl_outside in interface outside

Access-group acl_dmz in dmz interface

Route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

oner http 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

card crypto outside_map 1 set r.r.r.244 counterpart

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

No encryption isakmp nat-traversal

Telnet timeout 5

SSH x.x.x.x 255.255.255.255 outside

SSH Mail_Inside_AGH 255.255.255.255 inside

SSH timeout 5

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

prefer NTP server SVR - DC1 source inside

internal VPN group policy

attributes of VPN group policy

value 192.168.x.x 192.168.x.x WINS server

Server DNS value 192.168.x.x 192.168.x.x

enable IPSec-udp

value by default domain-ACE

username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0

attributes of VPN username

Strategy-Group-VPN VPN

VPN Tunnel-group type remote access

General-attributes of VPN Tunnel-group

address vpnpool pool

Group Policy - by default-VPN

Group-tunnel VPN ipsec-attributes

pre-shared key *.

tunnel-group r.r.r.244 type ipsec-l2l

r.r.r.244 tunnel ipsec-attributes group

pre-shared key *.

by default-group r.r.r.244 tunnel-Group-map

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the netbios

inspect the tftp

inspect the sip

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:8360816431357f109b3c4b950d545c86

: end

This route is duplicated with the remote network

Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

I suggest to make this more specific subnet or add something like

Route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

Internal, if above not in fact help, put a trace packet to simulate traffic even that fails on the 5510.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

Kind regards

ASA5505 VPN Site to site and limiting access - URGENT

I'll admit knowledge limited to the front, so forgive me if I look like a fool. The company that I work began recently to hosting our application for some of our customers. to do this, we are renting rack space, connections and equipment in a data center. We must send data to our request for an application in the center of data of our customers. They have an ASA 5505.

Our data center will support VPN site-to-site and nothing else. Our client find it unacceptable, citing security and the inability to restrict access to only the small number of servers, our application needs to access. I have to be able to talk intelligently and with the facts (and, preferably, examples of configuration on hand) with their staff of the IOC and network in the next day or so.

The ASA 5505 can be configured for a VPM from site to site with our data center which limits our application server to access a limited set of IP addresses within their network? If so, this is quite easily possible? Anyone done this?

Thank you

Leighton Wingerd

Leighton,

Sounds complicated problem - but are simple actuall. Remember that a VPN ensures the transmission from site A to site B on a precarious environment - internet. For example, you can DEFINE the traffic that goes through the VPN, you also DEFINE the traffic that will launch the VPN tunnel in the first place. With these statements said - using your supposed information you would create valuable traffic as the exact traffic you want to allow through the vpn;

access-list permits datacentre_2_client tcp host 1.2.3.4 host 192.168.1.2 eq 1521

And you will use the same ACL to set which can cross traffic. However, I know for a fact that an ODBC Oracle connection uses more than one TCP port!

The confidentiality of data is something else - that your customer needs to define requirements. An SSL connection is fine and dandy - you will just be to encrypt the traffic twice!

VPN site to Site from one-way data (need help)

Hello

Scenario:

VPN site to Site with Cisco 837 routers:

Place: Clients and printers

Site B: server queues and Print

Site A can communicate via VPN using RDP to site B, very well.

Question:

Site B cannot send print jobs to printers on the Site A. also unable to telnet and other access devices on the Site A of the Site (B) Pings work correctly but to all devices.

Debugging on site an access-list 110 showed no response traffic to the Site B via the VPN?

I tried change ip tcp adjust 1452 but not good...

Attached configs.

An IOS - c837-k9o3y6 - mz.123 - 4.T3.bin site

SITE B IOS - c837-k9o3sy6 - mz.123 - 2.XC2.bin

Any help would be appreciated.

Thank you very much...

Thank you for including the configs and IOS versions. Looks like you hit a bug known to FW IOS (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), you can perform debugging as described in details to see for sure. It is difficult to understand what router would be the culprit in a scenario when both run on a tunnel L2L CBAC, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections are not.

I would upgrade TWO routers to be the same version anyway, you encounter far fewer problems in this way, but make sure that you upgrade to one fixed-In version (or later version), has to work around the problem.

VPN site to Site with restrictions (vpn-filter)

VPN site to site, I installed and it works fine and two site can meet but I question after the vpn enforcement - run under Group Policy

restrict users in the local site for dial-up networking with specific tcp ports, the vpn does not not like after order question «sh l2l vpn-sessiondb»

This works but users can't access something in the remote site

Note > after rising online in ACL at the end with this

US_SITE ip access list allow a whole

new to works well again

example of a line of Access-List

US_SITE list extended access permit tcp host 10.68.22.50 host 192.168.10.23 HTTP_HTTPS object-group
US_SITE list extended access permit tcp host 10.68.22.50 host 192.168.10.24 HTTP_HTTPS object-group

local network: 10.68.22.50

remote network: 192.168.10.24

is that correct or not?

attributes of the strategy group x.x.x.x
value of VPN-filer US_SITE

tunnel-group General y.y.y.y
x.x.x.x by default-group-policy

Note: allowed sysopt active vpn connection

The syntax on ACL that is used as a vpn-filter is different from what is normally expected. These VPN filters is not a direction, it should be noted the traffic we want to allow incoming and outgoing of the VPN in an ACL. The syntax for this is:

access-list X permit/deny REMOTE-DEFINITION LOCAL-DEFINITION

Example: You want to allow local users to access the RDP on the remote site:
```
access-list VPN-ACL permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0
```
Disadvantage: This is all really confusing, and you can't afford things like Ping in one direction.

Issue of ASA vpn site to site isakmp

Hello

He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

crypto isakmp identity address
crypto ISAKMP allow outside

.. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

Thank you

Hi, Giuseppe.

The crypto isakmp command activate outside changed ikev1 crypto Enable outside in the new ASA versions you need not enable this.

There is also no need configure isakmp crypto identity address such that it is set to auto.

This command indicates that the tunnel would be negotiated on the basis of the IP address but since it is set to auto it on it own will therefore not need to specify this command.

Yes, you can create a new group policy group for this new tunnel and tunnel and there should be no impact on other tunnels of work.

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

Problem with VPN Site-to-Site between RV215W and ASA5510

The RV215W is intended to connect a new branch via 3G, but fail.

But when connected to the internet via a cable modem VPN works.

I have set up with the FULL domain name and remote ip address.

Please help me soon as soon as you can.

Thaks a lot.

Henriux2412.

Dear Henry;

Thank you to the small community of Support Business.

I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.

Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support

https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport

https://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html

Do not hesitate to contact me if there is anything I can help you with in the meantime.

Kind regards

Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client

* Please rate the Post so other will know when an answer has been found.

How to turn the notifications by e-mail to connect VPN Site to Site on ASA?

How to activate the VPN Site to Site connection e-mail notifications?

Maybe it's possible with the event Manager?

Hi Mario

I think this could work depending on your intent:
```
logging list email level notifications class vpnlogging list email level notifications class vpnc!logging mail emaillogging from-address logging recipient-address  level notifications
```
Cordially Véronique

VPN site to site of simple laboratory works no - pix to pix

Similar Questions

How to activate the VPN Site to Site connection e-mail notifications?

Maybe you are looking for