VPN site-to-site one-way traffic

Hi all

I set up a site-to-site VPN and everything works well from the remote site to the corporate site, but from the corporate site (ASA 5510) I can't access the remote site (ASA 5505). I checked the logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Here is most of my 5510 config. I'm sure it's something simple I'm missing, but I can't work it out, please help.

Remote network is 192.168.72.0

: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0(5)
!
hostname Casa
domain-name uk
enable password VgZT0UwPdkSV9l7N encrypted
passwd zlo5ImUVRkHl4lcl encrypted
names
name 192.168.103.14 CITRIX-Appliance description CITRIX Appliance
name 192.168.3.12 villages description villages
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone GMT/UTC 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name uk
object-group network ExternalAccess
 description hosts allowed direct web access
 network-object SVR-01 255.255.255.255
 network-object SVR-GIS 255.255.255.255
 network-object host cient
 network-object host villages
object-group network ExternalAccessFromDMZ
 description hosts allowed direct web access from DMZ
 network-object CITRIX-Appliance 255.255.255.255
 network-object IRONPORT1 255.255.255.255
 network-object teleworker 255.255.255.255
object-group service MitelUDPinternet udp
 description Mitel UDP services on the internet
 port-object range 20000 27000
 port-object eq sip
 port-object eq 5064
object-group service MitelTCPinternet tcp
 description Mitel TCP services on the internet
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object eq 3998
 port-object range 6801 6802
 port-object eq 6880
 port-object eq www
 port-object eq https
 port-object eq 6800
 port-object eq 3478
 port-object eq sip
 port-object eq ssh
object-group service MitelTCPinternetOpt tcp
 description Mitel TCP optional services on the internet
 port-object eq 3300
 port-object range 6806 6807
 port-object range 36005 36005
 port-object range 36005 36006
 port-object eq 3478
 port-object eq sip
object-group service MitelUDP2LAN udp
 description Mitel UDP services to the LAN
 port-object range 1024 65535
 port-object eq sip
object-group service MitelTCP2LAN tcp
 description Mitel TCP services to the LAN
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object eq 1606
 port-object eq 4443
 port-object eq 3998
 port-object eq 3999
 port-object range 6801 6802
 port-object eq 6880
 port-object eq www
 port-object eq https
 port-object eq 3478
 port-object eq sip
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit udp any host ESX-PAL-01 eq ntp
access-list acl_outside extended permit udp any host ESX-PAL-02 eq ntp
access-list acl_outside extended permit udp any host ESX-PAL-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive
access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
access-list acl_dmz extended permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN
access-list acl_dmz extended permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN
access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip host teleworker host 192.168.20.1
access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
access-list <name garbled> extended permit ip any any
access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
access-list dmz_pnat1_outbound extended permit ip host teleworker any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging from-address uk
logging recipient-address [email protected] level critical
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any echo dmz
icmp permit any dmz
asdm image disk0:/asdm-625-53.bin
asdm location SVR-01 255.255.255.255 inside
asdm location svr-02 255.255.255.255 inside
asdm location IRONPORT1 255.255.255.255 dmz
asdm location 194.81.55.226 255.255.255.255 dmz
asdm location server 255.255.255.255 inside
asdm location CITRIX-Appliance 255.255.255.255 dmz
asdm group ExternalAccess inside
asdm group ExternalAccessFromDMZ dmz
no asdm history enable
arp timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255
static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz,outside) teleworker_outside teleworker netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http oner 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh Mail_Inside_AGH 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server SVR-DC1 source inside prefer
group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.168.x.x 192.168.x.x
 dns-server value 192.168.x.x 192.168.x.x
 ipsec-udp enable
 default-domain value ACE
username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
username VPN attributes
 vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpnpool
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group r.r.r.244 type ipsec-l2l
tunnel-group r.r.r.244 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group r.r.r.244
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end

This route overlaps the remote network:

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

I suggest making this subnet more specific, or adding something like

route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

Also, if the above does not in fact help, run packet-tracer to simulate the traffic that fails on the 5510.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

Kind regards
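To see why the reply above points at the /16 inside route, here is an added example (not from the original post and not Cisco code) that reproduces the ASA's longest-prefix route lookup over the routes in the posted config and checks every crypto-ACL destination against the interface the crypto map is bound to. A packet is only handed to a crypto map on the interface it egresses, so a remote prefix that the routing table sends out a different interface is never encrypted; here it is sent back to inside, the interface it arrived on, which the ASA drops unless same-security-traffic permit intra-interface is set. The routes, crypto ACL and interface names are taken from the config above; x.x.x.254 is the poster's redacted default gateway and is used only as an opaque label.

```python
import ipaddress

# Routing table as it appears in the posted 5510 config, plus the connected
# routes the ASA derives from the inside and dmz interface addresses.
# x.x.x.254 is the poster's redacted default gateway (kept as an opaque label).
POSTED_ROUTES = [
    ("outside", "0.0.0.0/0", "x.x.x.254"),
    ("inside", "192.168.0.0/16", "192.168.3.3"),
    ("inside", "192.168.3.0/24", "connected"),
    ("dmz", "192.168.103.0/24", "connected"),
]

# The same table with the route the reply suggests adding.
FIXED_ROUTES = POSTED_ROUTES + [("outside", "192.168.72.0/24", "x.x.x.254")]

# crypto map outside_map is bound to "outside"; its match ACL is
# outside_1_cryptomap: 192.168.3.0/24 <-> 192.168.72.0/24.
CRYPTO_MAP_INTERFACE = "outside"
CRYPTO_ACL = [("192.168.3.0/24", "192.168.72.0/24")]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, gateway) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def crypto_acl_egress_problems(routes, acl, crypto_iface):
    """Return sorted (remote_prefix, interface, gateway) tuples for every
    crypto-ACL destination that the routing table does not send out of the
    interface the crypto map is bound to. Such traffic is never encrypted."""
    problems = set()
    for _local, remote in acl:
        net = ipaddress.ip_network(remote)
        # Probe every host of the remote prefix so that a more specific route
        # covering only part of it is caught as well.
        for host in net.hosts():
            hit = lookup(routes, str(host))
            iface, gw = hit if hit else ("(no route)", None)
            if iface != crypto_iface:
                problems.add((remote, iface, gw))
    return sorted(problems)


if __name__ == "__main__":
    print("corporate -> remote egress:", lookup(POSTED_ROUTES, "192.168.72.10"))
    print("remote -> corporate egress:", lookup(POSTED_ROUTES, "192.168.3.10"))
    print("posted routes:", crypto_acl_egress_problems(POSTED_ROUTES, CRYPTO_ACL, CRYPTO_MAP_INTERFACE))
    print("fixed routes: ", crypto_acl_egress_problems(FIXED_ROUTES, CRYPTO_ACL, CRYPTO_MAP_INTERFACE))
```

The reply direction already works because 192.168.3.0/24 is a connected route on inside, so decrypted packets from the remote site are delivered normally; only the corporate-to-remote direction is routed to the wrong interface, which matches the one-way symptom. Either replacing the /16 with the specific inside subnets or adding the /24 toward the outside gateway makes the /24 win the longest-prefix match and the check comes back empty.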

Tags: Cisco Security

Similar Questions

  • LAN-to-LAN 837 to 3000 series one-way traffic

    Hello

    Not even sure that there is one-way traffic. The 837 is encrypting and the 3000 series is incrementing Rx, but nowhere does it decrypt or Tx respectively.

    Following the Cisco IOS and concentrator configuration guides religiously.

    The 837 IPsec crypto debugs seem to show that SAs are created - when they actually decide to show themselves on the console.

    Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic for the remote LAN (837) out the public interface? Or is a route not necessary, as the SA definition will determine the tunnel to go down?

    Unfortunately there are no other LAN-to-LAN tunnels on the 3000 to compare against, and I have no lab.

    Any help would be welcome. Of course I can provide more information, whatever is necessary. Am at my wits' end with this one. So simple and yet not working - must be doing something stupid.

    Thank you

    If the tunnel is up and you're getting traffic in one direction and not the other, it is usually routing.

    The 831 sends traffic to the 3000 and the 3000 receives it, going by your counters. The problem is probably that the hosts behind the 3000 do not know how to get back to the LAN behind the 831. Your internal network behind the 3000 will need a route to the 831 LAN that points to the 3000's interface. The 3000 itself just needs a default gateway pointing out the public interface.

    On the 3000's LAN, if you have no internal router at all and your internal hosts are directly connected to the same hub/switch as the 3000's private interface, then each host will need a static route to the 831 LAN that points to the 3000's private interface (this is assuming, of course, that the 3000 is not the default gateway for the hosts, which it usually is not).

    Keep in mind that if you do not see any Tx packets on the 3000, then the 3000 is not even seeing packets from its inside hosts destined for the 831 LAN; check the local routing behind the 3000 to see what is happening.

  • VPN Cisco ASA 5540 L2L - one-way traffic only for one network to the peer

    Hello

    I'm a little confused as to what the problem is. This is the premise of the problem I'm facing.

    One of our big clients has a Cisco ASA 5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Check Point device on their end). It worked until early this week, when suddenly there were connection problems.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The other 2 have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their configurations are correct (and the information they sent me seems to be correct).

    So essentially the encryption domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption is configured as follows (interface names changed):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only the 10.207.0.0/16 network's connections to the remote site 10.82.0.200/30 worked. All other connections do not work.

    There have been no changes made on our side and the remote side also insists there have been no changes. I also checked how long the ASAs have been up and how long the same device has been active in the failover. Both have been about the same time (about a year).

    The main problem is that users on the 10.231.191.0/24 network can't access the remote network. However, the remote user can initiate and bring up the VPN from their side but doesn't get any return traffic. I've also checked that the routes are configured correctly on the core routers so that the return traffic for their connections goes back to the firewall.

    Also used "packet-tracer" to bring up the VPN tunnel (and it does pass the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no traffic through the actual tunnel).

    This is the printout of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
        NAT exempt
        translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT for the problem network to another interface. Don't know why it shows in the printout.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
      match ip inside 10.231.0.0 255.255.0.0 interface3 any
        static translation to 10.231.0.0
        translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT for the LAN when traffic is going to the Internet

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside any
        dynamic translation to pool 5 (y.y.y.y)
        translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So, basically, the connection should properly go into the L2L VPN, but yet it is not. I tried to generate basic client traffic (with a source IP address from the client network) and I see the connection on the firewall, but yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the external interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks fine, but just won't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see the connections (I have confirmed it on the core router and on the firewall), but they just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Could this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices.)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin

  • One-way traffic DMVPN

    Setting up the first spoke in a mesh network. The VPN connects fine and there is some traffic going over it, however it looks like nothing is getting encapsulated. I see EIGRP and NHRP trying to go back and forth, but neither with much success. Any ideas where to look?

    E-townInternet#show cry ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 67.235.62.74

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
       current_peer xx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 1646, #pkts decrypt: 1646, #pkts verify: 1646
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: xx, remote crypto endpt.: xx
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x1DAF1EB4(498015924)

         inbound esp sas:
          spi: 0x3E489DA4(1044946340)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4585669/53)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x1DAF1EB4(498015924)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4585672/53)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    E-townInternet#

    Neil,

    The EIGRP retry limit is hit when NHRP has not been fully built.

    Do you mean the tunnel interface itself is flapping (going up/down)?

    Marcin

  • Debugging/troubleshooting an IPsec tunnel with one-way traffic

    I'm setting up a corporate IPsec network consisting of a UC520 at the head end (headquarters) and several Linksys WRV routers as remote nodes/networks.  I see the ISAKMP and IPsec SAs on both ends and I can ping the UC520's internal IP from the remote networks.  However, I cannot ping any other IP on the corporate network.

    I see from "show cry ipsec sa" that packets are decapsulated (remote to corporate) but none are encapsulated (corporate to remote).  I can also see (from a traceroute) that corporate-to-remote packets are sent to the UC520's default gateway on the Internet instead of being placed in the tunnel.  This jives with what I see with "show cry ipsec sa".

    I made sure to create an ACL for the NAT so that corporate-to-remote subnets are not translated, but I don't know what else to check.  I tried to do a "debug ip packet detail xxx" with an ACL matching corporate-to-remote traffic, but the debug and the ACL get no hits.

    Any other ideas?

    Thank you
    Diego

    Well, looks like your NAT exemption does not work. Check "show ip nat trans" to confirm this while sending traffic.

    Can you maybe post your NAT config (all of it)?
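The three threads above (Jouni's ASA, Neil's DMVPN spoke and Diego's UC520) all diagnose the same thing from the same counters: "show crypto ipsec sa" shows #pkts decaps climbing while #pkts encaps stays at 0, which means this device is receiving and decrypting but never encrypting anything of its own, so the fault (routing, NAT exemption, crypto ACL) is on this side. Here is an added example, not from any of the posts, that parses that output and names the pattern per SA. The sample text is constructed to mirror the two output formats quoted above (ASA-style with colons after the error counters, IOS-style without); the addresses are documentation ranges and the regexes are this example's own.

```python
import re

# Constructed sample modelled on the outputs quoted in the threads above:
# one ASA-style SA (receiving only) and one IOS-style SA (healthy).
SAMPLE_OUTPUT = """\
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: 203.0.113.7

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #send errors: 0, #recv errors: 0

   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
   current_peer 203.0.113.9 port 500
    #pkts encaps: 1646, #pkts encrypt: 1646, #pkts digest: 1646
    #pkts decaps: 1646, #pkts decrypt: 1646, #pkts verify: 1646
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*\(([^)]*)\)")
COUNTER_RE = re.compile(r"#pkts\s+(encaps|decaps):\s*(\d+)")
ERROR_RE = re.compile(r"#(send|recv)\s+errors:?\s*(\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per SA. Each SA
    starts at its 'local ident' line; counters that follow belong to it."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, selector = m.groups()
            if side == "local":
                cur = {"local": selector, "remote": None, "encaps": 0,
                       "decaps": 0, "send_errors": 0, "recv_errors": 0}
                entries.append(cur)
            elif cur is not None:
                cur["remote"] = selector
            continue
        if cur is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            cur[name] = int(value)
        for name, value in ERROR_RE.findall(line):
            cur[name + "_errors"] = int(value)
    return entries


def classify(entry):
    """Name the traffic pattern the counters show, from this device's view."""
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        return "idle: no traffic in either direction"
    if enc == 0:
        return ("one-way: receiving only; this side never encrypts, "
                "check routing, NAT exemption and crypto ACL here")
    if dec == 0:
        return "one-way: sending only; nothing comes back, check the peer or the path"
    return "two-way"


def one_way_sas(text):
    """Return (local, remote, diagnosis) for every SA that is not two-way."""
    return [(e["local"], e["remote"], classify(e))
            for e in parse_ipsec_sa(text) if classify(e) != "two-way"]


if __name__ == "__main__":
    for local, remote, diagnosis in one_way_sas(SAMPLE_OUTPUT):
        print(f"{local} <-> {remote}: {diagnosis}")
```

Run it against the real output of the device that owns the counters; the diagnosis is always from that device's point of view, so "receiving only" on one end and "sending only" on the other describe the same broken direction.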

  • VPN site-to-site one-way data (need help)

    Hello

    Scenario:

    Site-to-site VPN with Cisco 837 routers:

    Site A: clients and printers

    Site B: print queues and server

    Site A can communicate via VPN using RDP to Site B, fine.

    Issue:

    Site B cannot send print jobs to printers on Site A. Also unable to telnet to and otherwise access devices on Site A from Site B. Pings work correctly to all devices though.

    Debugging on Site A with access-list 110 showed no response traffic to Site B via the VPN?

    I tried changing ip tcp adjust-mss 1452 but no good...

    Attached configs.

    Site A IOS - c837-k9o3y6-mz.123-4.T3.bin

    Site B IOS - c837-k9o3sy6-mz.123-2.XC2.bin

    Any help would be appreciated.

    Thank you very much...

    Thank you for including the configs and IOS versions. Looks like you hit a known IOS FW bug (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search); you can run the debugs described in the details to see for sure. It is difficult to tell which router would be the culprit in a scenario where both run CBAC over an L2L tunnel, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections do not.

    I would upgrade BOTH routers to the same version anyway, you encounter far fewer problems that way, but make sure that you upgrade to a fixed-in version (or later) to work around the problem.

  • VPN site-to-site UP, but no traffic

    Dear friends,

    I set up a site-to-site VPN using two ASA 5555s, one in each site, running software version 9.2(4).

    The VPN is UP, as shown below:

    ASA-SSP-Pri(config)# sh isak sa

    There are no IKEv1 SAs

    IKEv2 SAs:

    Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id                 Local                Remote     Status         Role
    268373031   201.23.100.130/500   200.174.36.19/500      READY    RESPONDER
          Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/272 sec
    Child sa: local selector  10.69.0.0/0 - 10.69.0.255/65535
              remote selector 10.12.20.0/0 - 10.12.20.255/65535
              ESP spi in/out: 0xf89430e6/0x86a5cd8f

    But when I try to ping from one site to the other, it is not possible; the result of the ping command is '?'.

    I did some research on this problem and a lot of people say the "crypto isakmp nat-traversal 20" command is missing, but this command is already enabled.

    NAT exemption is enabled and I did tests with it disabled as well.

    Hello

    The last thing I think is that there is a duplicate SPI in the ASP table and that is why the traffic is not encrypted even though everything seems correct. Run the following command on the ASA:

    clear crypto ipsec sa inactive

    test again

  • the traffic in a vpn site-to-site tunnel restrictions

    Hello

    I have installed a site-to-site VPN between an ASA 5550 running 7.2(3) and a contractor's external network. I set up the VPN using the wizard and it worked fine. The wizard created the crypto map ACL below:

    access-list outside_2_cryptomap extended permit ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0

    where LOCAL_IPS is an object group containing our local subnets to be tunnelled and 10.0.0.0/24 is the network at the remote end.

    I'm trying to restrict the tunnel traffic to about 6 TCP ports, so I changed the ACL (using the GUI as well as from the CLI) to the following:

    access-list outside_2_cryptomap extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC

    where PERMITTED_TRAFFIC is a TCP service object group containing the ports we'd like to tunnel.

    As soon as I apply this ACL (applied at the other end as well) the tunnel goes down and neither end can re-open it.

    My question is: how do you restrict what traffic (TCP ports) you want to send through the tunnel on the ASA?

    Thank you

    Andy

    You have 2 options.

    VPN filter:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

    Or something like this:

    no sysopt connection permit-vpn
    access-list vpn extended permit tcp object-group LOCAL_IPS 10.0.0.0 255.255.255.0 object-group PERMITTED_TRAFFIC
    access-list vpn extended deny ip object-group LOCAL_IPS 10.0.0.0 255.255.255.0
    access-list vpn extended permit ip any any
    access-group vpn in interface inside

  • How to restrict the traffic through a site-to-site VPN tunnel

    Hello

    I have a site-to-site tunnel, where site 1 is the local and main site and site 2 is the remote site.

    How can I limit the traffic from site 2 so that it can only reach a few IPs on the local site?

    But from the local site, all IP addresses must be able to reach all IP addresses at site 2 (the remote site).

    An access list on the 'inside' interface does not work, since the interface ACLs are bypassed for IPsec traffic.

    Then I tried to make a group policy where I only allow traffic to specific servers, but site 2 can still reach everything on the local site.

    What am I missing here?

    Best regards

    Erik

    Hi Erik,

    Unfortunately, the only options we have are VPN filters, which are two-way, and disabling the sysopt feature.

    If you have a core switch/router, we can block the traffic on that device using an access list or null routes.

    See you soon,

    Nash.

  • Routing traffic between two site-to-site VPN tunnels

    Hi people,

    I am trying to set up routing between two site-to-site VPN tunnels which terminate on the same outside interface of my Cisco ASA.

    Please find the flowchart attached. All firewalls used are Cisco ASA 5520.

    Both VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-traffic permit intra-interface command.

    How can I allow traffic from the LAN subnets behind Point A to reach the LAN subnets behind Point C without creating a separate tunnel between Point A and Point C?

    Thank you very much.

    Hello

    Basically, you will need NAT0 and VPN rules at each site to allow this traffic.

    I think the configurations should look something like the below. Naturally you will probably already have a NAT0 configuration and certainly the L2L VPN configuration.

    Site A

    access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic
    access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC
    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteA LAN to SiteC LAN traffic must use the existing L2L VPN to SiteB

    Site B

    access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic
    access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    nat (outside) 0 access-list OUTSIDE-NAT0

    access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through the A - B tunnel
    access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through the B - C tunnel
    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT. This time it is tied to the 'outside' interface, as the traffic will be coming in and going out through this interface at SiteB
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEA (and SITEC) = the ACLs in the L2L VPN configurations that define that SiteA LAN to SiteC LAN traffic should use the existing L2L VPN connections.

    Site C

    access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic
    access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA
    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rule that exempts SiteC to SiteA traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteC LAN to SiteA LAN traffic must use the existing L2L VPN to SiteB

    To my knowledge, the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally, the interface/ACL names may differ depending on your current configuration.

    Hope this helps

    -Jouni

  • Site-to-site VPN only initiates in one direction

    Hello. We are trying to establish a site-to-site VPN between two ASA firewalls, let's call them ASA1 and ASA2. The problem is that ASA1 cannot initiate the connection. ISAKMP packets from ASA1 reach ASA2, but are dropped by an implicit rule.

    When ASA2 initiates, everything is OK. And while the flow exists on ASA2, ASA1 uses that flow, so it can start the VPN as well.

    Here is the packet-tracer output on ASA2:

    ASA2# packet-tracer input outside udp ASA1_IP isakmp ASA2_IP isakmp detailed

    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xaffd1bc8, priority=13, domain=capture, deny=false
            hits=14830976, user_data=0xaee75a18, cs_id=0x0, l3_type=0x0
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=outside, output_ifc=any

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xae06b0c0, priority=1, domain=permit, deny=false
            hits=16921285389, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=outside, output_ifc=any

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   ASA2_IP         255.255.255.255 identity

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xad731f30, priority=0, domain=permit, deny=true
            hits=60834932, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=any

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    Adding ASA1 to the inbound ACL on the outside interface of ASA2 did not help. Using packet tracer in ASDM did not point to any specific rule; it just showed the entire list of ACL rules. A capture of type asp-drop shows the same drop reason as packet-tracer, without more details. Setting ASA2 to answer-only did not help either.

    How do I interpret the values in phase 4, i.e. find the rule that causes the drop, based on the id and the other data? There is no such id in show access-list.

    Any other ideas? Thank you very much.
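    One way to read phase 4 mechanically, as an added example that is not part of the thread: the Python below splits packet-tracer output into phases, returns the first one whose Result is DROP together with its rule id and domain, and builds the show asp table classify command whose listing carries those same id=0x... values (the id is an ASP classify rule id, not an access-list line id, which is why show access-list does not contain it). The sample output is constructed from the output posted above.

```python
"""Locate the dropping phase in Cisco ASA `packet-tracer ... detailed` output.
Added example, not code from the thread; the id it extracts is an ASP classify rule id."""
import re

# Constructed sample: phase 4 and the Result block as posted in the thread.
SAMPLE = """\
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad731f30, priority=0, domain=permit, deny=true
        hits=60834932, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

KV_RE = re.compile(r"([A-Za-z_/]+)=([^,\s]+)")  # key=value pairs on rule lines


def parse_phases(text):
    """Split on blank lines; each "Phase: N" block becomes a dict of its header fields."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if not lines[0].startswith("Phase:"):
            continue                                  # the final "Result:" block
        ph = {"Phase": lines[0].split(":", 1)[1].strip(),
              "implicit": "Implicit Rule" in lines}   # "Config: Implicit Rule"
        for ln in lines[1:]:
            if "=" in ln:                             # rule line: first value wins per key
                for k, v in KV_RE.findall(ln):
                    ph.setdefault(k, v)
            elif ":" in ln:                           # "Type: ...", "Result: ..." etc.
                k, v = ln.split(":", 1)
                ph.setdefault(k.strip(), v.strip())
        phases.append(ph)
    return phases


def find_drop(text):
    """First phase whose Result is DROP, with the Drop-reason from the Result block."""
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    for ph in parse_phases(text):
        if ph.get("Result", "").upper() == "DROP":
            ph["reason"] = reason.group(1).strip() if reason else ""
            return ph
    return None


def lookup_command(drop):
    """show asp table classify narrowed to the drop's interface and domain."""
    cmd = "show asp table classify"
    if drop.get("input_ifc") not in (None, "any"):
        cmd += f" interface {drop['input_ifc']}"
    if drop.get("domain"):
        cmd += f" domain {drop['domain']}"
    return cmd
```

    In the listing that command prints, the entry whose id matches the phase's id=0x... value is the rule that dropped the packet.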

    And one more idea :)

    Maybe you have something like this on ASA2:

    access-group outside_access_in in interface outside control-plane

    ?

    The control-plane keyword on access-group means that traffic aimed at the ASA's own interface can be filtered. Please see the following discussion:

    https://supportforums.Cisco.com/discussion/11130691/access-group-control-plane-Cisco-pixasa

  • ASA site-to-site VPN (only comes up with interesting traffic)

    Is there any way to get an ASA site-to-site VPN to come up without interesting traffic? I need to keep this tunnel up independently of traffic; is there any way to do this?

    Unfortunately, no such feature has been developed on the ASA. You need to trick the ASA with a host located in the "interesting" part of the network that constantly generates interesting traffic. Here are a few suggestions:

    - Use IP SLA on a Cisco device

    - Run a TCP ping from a host

    - Set up a host at site A to use the site B ASA as its NTP source

    Thank you for rating helpful posts!

  • Route a site-to-site VPN over a path other than the default gateway

    I want to route a site-to-site VPN over a path other than the default gateway.

    ASA 5510

    OS 8.0, 8.3 soon

    1 ADSL line interface (surfing), default gateway

    1 SDSL line interface (10 site-to-site VPNs)

    1 LAN interface

    What is possible?

    Thank you

    Sorry for my English

    Here are the assumptions I will make:

    - Your SHDL IP is 200.1.1.1 and the next hop is 200.1.1.2

    - Your LAN-to-LAN tunnels terminate on this interface (crypto map on the SHDL interface)

    - VPN peer 1 is 150.1.1.1 and its LAN is 192.168.1.0/24

    - VPN peer 2 is 175.1.1.1 and its LAN is 192.168.5.0/24

    This is the routing based on the assumptions above:

    route SHDL 150.1.1.1 255.255.255.255 200.1.1.2
    route SHDL 175.1.1.1 255.255.255.255 200.1.1.2
    route SHDL 192.168.1.0 255.255.255.0 200.1.1.2
    route SHDL 192.168.5.0 255.255.255.0 200.1.1.2

    Hope that helps.

  • Traffic permitted only one-way for VPN-connected computers

    Hello

    I currently have an ASA 5505.  I set it up for SSL VPN remote access. My computers can connect to the VPN just fine.  They just cannot access the internal network (192.168.250.0).  They cannot ping the inside interface of the ASA, nor any of the machines.  It seems that all traffic is blocked for them.  The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN.  It seems that the traffic is allowed only one way.  I messed around with ACLs but nothing works.  Any suggestions please?

    DHCP pool: 192.168.250.20 - 50 --> for LAN

    VPN pool: 192.168.250.100 and 192.168.250.101

    Outside interface gets DHCP from the modem

    Inside interface: 192.168.1.1

    Current running config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname HardmanASA
    enable password # encrypted
    passwd # encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 20
    !
    interface Ethernet0/1
     switchport access vlan 10
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.250.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.250.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.250.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.250.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.250.20-192.168.250.50 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_Pool
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:30fadff4b400e42e73e17167828e046f
    : end

    Hello

    No worries

    Since we are changing the config, I would do it as well as possible.

    First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:

    no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
    access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
    nat (inside) 0 access-list NAT_0

    Then give it a try, and if it works, rate this post hehe

  • Two links, one for a site-to-site VPN and another for internet, on the same router

    Hi all

    I have 2 internet links, an ADSL and a leased line, terminated on the same router. I need to configure the ADSL for the site-to-site VPN to HO and the dedicated leased line for internet for all users.

    My site IP subnet is 10.10.100.0/24 and the HO subnet is 10.1.0.0/24.   Please find the config attached and advise whether it is OK and will work fine.

    Thanks in advance...

    Mikael

    Hello

    To me, it looks like you have configured the routes correctly:

    ip route 0.0.0.0 0.0.0.0 FastEthernet4 -> for all traffic to the internet.

    ip route 10.1.0.0 255.255.255.0 Dialer1 -> for VPN traffic to HO.

    The public_IP_HO must be defined in the crypto map using the set peer command.

    One thing I want to add concerns the hash attribute of the isakmp policy: you can choose between sha/md5 or whatever is available on your device. Make sure the isakmp policy matches the isakmp policy of your HO.

    The other thing is the ACL for the internet. You may want to consider replacing the deny statement if you want to deny traffic only to your HO; currently it denies all traffic from 10.10.100.0 to the 10.0.0.0 network, not only to the 10.1.0.0 (HO) network.

    HTH,
