VPN site to site PAT

Hello

I am creating a site to site vpn

A a B Site

100.100.100.100/24 192.168.1.0/24

Site A                                                    Site B

192.168.1.0/24-> 10.1.0.1 (PAT)-> 100.100.100.100/24

How to establish the above lan lan tunnel with interesting traffic 2

Thank you

Hello, code not tested, but I hope this would work:

SITE A:

object network LOCAL-NET-192.168.1.0_24 subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET-100.100.100.0_24 subnet 100.100.100.0 255.255.255.0
object network VPN-PAT-IP-10.1.0.1 host 10.1.0.1
nat (INSIDE,OUTSIDE) source dynamic LOCAL-NET-192.168.1.0_24 VPN-PAT-IP-10.1.0.1 destination static REMOTE-NET-100.100.100.0_24 REMOTE-NET-100.100.100.0_24
access-list CRYPTO-ACL extended permit ip object VPN-PAT-IP-10.1.0.1 object REMOTE-NET-100.100.100.0_24
SITE B:
object network LOCAL-NET-100.100.100.0_24 subnet 100.100.100.0 255.255.255.0
object network REMOTE-NET-10.1.0.1_32 host 10.1.0.1
object network REMOTE-NET-192.168.1.0_24 subnet 192.168.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LOCAL-NET-100.100.100.0_24 LOCAL-NET-100.100.100.0_24 destination static REMOTE-NET-192.168.1.0_24 REMOTE-NET-10.1.0.1_32
access-list CRYPTO-ACL extended permit ip object LOCAL-NET-100.100.100.0_24 object REMOTE-NET-10.1.0.1_32
Cristian

Tags: Cisco Security

Similar Questions

  • VPN site to Site with a side PAT

    Hi all

    I created a VPN site-to site between two ASA 5505 s, with one side having a static public IP address and one side behind a device with PAT. UDP 500 is sent to the ASA.

    The tunnel works very well if the launched of the side behind the PAT, but may not be brought after on the other side.

    Here's what I see in the system log during initialization of the 'wrong' side:

    Is it still a problem with PAT?

    Best regards

    Tobias

    Hello

    To be honest, these are sometimes a little hard the problems especially when you do not have access to actual devices.

    For me the newspapers you shared seem to indicate a problem with the negotiation of Phase 1 where this local line sends proposals of Phase 1 to the remote device until he returned their enough responsible for negotiating to complete.

    So, I would try to confirm the device to remote site that this traffic is indeed allowed. For example, you can check the remote via a management connection VPN device when the VPN is NOT upward and see if there is no sign of VPN negotiating taking place when you start the other site traffic. That said if he still sees the initial messages in the direction that has problems with the opening of the tunnel.

    When you launch the negotiation this site VPN, what you see with the release of

    ISAKMP crypto to show his

    or with the latest software

    See ikev1 crypto his

    Try to take out several times while you generate the traffic to the VPN

    If the remote device does not respond at all you would see probably something like MM_WAIT_MSG2, which means that the local VPN device awaits the first response (second message to trading) of the remote VPN device.

    Maybe this will help you narrow down the problem a bit.

    -Jouni

  • Cisco ASA 5505 VPN Site to Site

    Hi all

    First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

    I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

    Please see details below:

    Two ADMS are 7.1

    IOS

    ASA 1

    Nadia

    :

    ASA Version 9.0 (1)

    !

    hostname PAYBACK

    activate the encrypted password of HSMurh79NVmatjY0

    volatile xlate deny tcp any4 any4

    volatile xlate deny tcp any4 any6

    volatile xlate deny tcp any6 any4

    volatile xlate deny tcp any6 any6

    volatile xlate deny udp any4 any4 eq field

    volatile xlate deny udp any4 any6 eq field

    volatile xlate deny udp any6 any4 eq field

    volatile xlate deny udp any6 any6 eq field

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    link Trunk Description of SW1

    switchport trunk allowed vlan 1,10,20,30,40

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    No nameif

    no level of security

    no ip address

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 92.51.193.158 255.255.255.252

    !

    interface Vlan10

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan20

    nameif servers

    security-level 100

    address 192.168.20.1 255.255.255.0

    !

    Vlan30 interface

    nameif printers

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan40

    nameif wireless

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    !

    connection line banner welcome to the Payback loyalty systems

    boot system Disk0: / asa901 - k8.bin

    passive FTP mode

    summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    domain-lookup DNS servers

    DNS lookup domain printers

    DNS domain-lookup wireless

    DNS server-group DefaultDNS

    Server name 83.147.160.2

    Server name 83.147.160.130

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    ftp_server network object

    network of the Internal_Report_Server object

    Home 192.168.20.21

    Description address internal automated report server

    network of the Report_Server object

    Home 89.234.126.9

    Description of server automated reports

    service object RDP

    service destination tcp 3389 eq

    Description RDP to the server

    network of the Host_QA_Server object

    Home 89.234.126.10

    Description QA host external address

    network of the Internal_Host_QA object

    Home 192.168.20.22

    host of computer virtual Description for QA

    network of the Internal_QA_Web_Server object

    Home 192.168.20.23

    Description Web Server in the QA environment

    network of the Web_Server_QA_VM object

    Home 89.234.126.11

    Server Web Description in the QA environment

    service object SQL_Server

    destination eq 1433 tcp service

    network of the Demo_Server object

    Home 89.234.126.12

    Description server set up for the product demo

    network of the Internal_Demo_Server object

    Home 192.168.20.24

    Internal description of the demo server IP address

    network of the NETWORK_OBJ_192.168.20.0_24 object

    subnet 192.168.20.0 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_26 object

    255.255.255.192 subnet 192.168.50.0

    network of the NETWORK_OBJ_192.168.0.0_16 object

    Subnet 192.168.0.0 255.255.0.0

    service object MSSQL

    destination eq 1434 tcp service

    MSSQL port description

    VPN network object

    192.168.50.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_24 object

    192.168.50.0 subnet 255.255.255.0

    service object TS

    tcp destination eq 4400 service

    service of the TS_Return object

    tcp source eq 4400 service

    network of the External_QA_3 object

    Home 89.234.126.13

    network of the Internal_QA_3 object

    Home 192.168.20.25

    network of the Dev_WebServer object

    Home 192.168.20.27

    network of the External_Dev_Web object

    Home 89.234.126.14

    network of the CIX_Subnet object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_84.39.233.50 object

    Home 84.39.233.50

    network of the NETWORK_OBJ_92.51.193.158 object

    Home 92.51.193.158

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    the tcp destination eq ftp service object

    the purpose of the tcp destination eq netbios-ssn service

    the purpose of the tcp destination eq smtp service

    service-object TS

    the Payback_Internal object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    service-object TS

    service-object, object TS_Return

    object-group service DM_INLINE_SERVICE_4

    service-object RDP

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    object-group service DM_INLINE_SERVICE_5

    purpose purpose of the MSSQL service

    service-object RDP

    service-object TS

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service DM_INLINE_SERVICE_6

    service-object TS

    service-object, object TS_Return

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    Note to outside_access_in to access list that this rule allows Internet the interal server.

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-list of FTP access

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list of SMTP access

    Note to outside_access_in to access list Net Bios

    Comment from outside_access_in-SQL access list

    Comment from outside_access_in-list to access TS - 4400

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

    access host access-list outside_access_in note rule internal QA

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

    Notice on the outside_access_in of the access-list access to the internal Web server:

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

    Note to outside_access_in to access list rule allowing access to the demo server

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list to access MSSQL

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

    Note to outside_access_in access to the development Web server access list

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

    AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

    AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

    Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

    permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

    pager lines 24

    Enable logging

    information recording console

    asdm of logging of information

    address record

    [email protected] / * /.

    the journaling recipient

    [email protected] / * /.

    level alerts

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 servers

    MTU 1500 printers

    MTU 1500 wireless

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-711 - 52.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (wireless, outdoors) source Dynamics one interface

    NAT (servers, outside) no matter what source dynamic interface

    NAT (servers, external) static source Internal_Report_Server Report_Server

    NAT (servers, external) static source Internal_Host_QA Host_QA_Server

    NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

    NAT (servers, external) static source Internal_Demo_Server Demo_Server

    NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    NAT (servers, external) static source Internal_QA_3 External_QA_3

    NAT (servers, external) static source Dev_WebServer External_Dev_Web

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 84.39.233.50
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 192.168.10.0 255.255.255.0 inside
    SSH 192.168.40.0 255.255.255.0 wireless
    SSH timeout 5
    Console timeout 0

    dhcpd 192.168.0.1 dns
    dhcpd outside auto_config
    !
    dhcpd address 192.168.10.21 - 192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    paybackloyalty.com dhcpd option 15 inside ascii interface
    dhcpd allow inside
    !
    dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
    dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
    dhcpd update dns of the wireless interface
    dhcpd option 15 ascii paybackloyalty.com wireless interface
    dhcpd activate wireless
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal Payback_VPN group strategy
    attributes of Group Policy Payback_VPN
    VPN - 10 concurrent connections
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
    attributes of Group Policy DfltGrpPolicy
    value of 83.147.160.2 DNS server 83.147.160.130
    VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
    internal GroupPolicy_84.39.233.50 group strategy
    attributes of Group Policy GroupPolicy_84.39.233.50
    VPN-tunnel-Protocol ikev1, ikev2
    Noelle XB/IpvYaATP.2QYm username encrypted password
    Noelle username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
    Éanna attributes username
    VPN-group-policy Payback_VPN
    type of remote access service
    Michael qpbleUqUEchRrgQX of encrypted password username
    user name Michael attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
    user name Danny attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
    user name Aileen attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
    Aidan username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    shane.c iqGMoWOnfO6YKXbw encrypted password username
    username shane.c attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Shane uYePLcrFadO9pBZx of encrypted password username
    user name Shane attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, encrypted James TdYPv1pvld/hPM0d password
    user name James attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Mark yruxpddqfyNb.qFn of encrypted password username
    user name brand attributes
    type of service admin
    username password of Mary XND5FTEiyu1L1zFD encrypted
    user name Mary attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
    Massimo username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    type tunnel-group Payback_VPN remote access
    attributes global-tunnel-group Payback_VPN
    VPN1 address pool
    Group Policy - by default-Payback_VPN
    IPSec-attributes tunnel-group Payback_VPN
    IKEv1 pre-shared-key *.
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 General-attributes
    Group - default policy - GroupPolicy_84.39.233.50
    IPSec-attributes tunnel-group 84.39.233.50
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the pptp
    inspect the rsh
    inspect the rtsp
    inspect the sip
    inspect the snmp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect xdmcp
    inspect the icmp error
    inspect the icmp
    !
    service-policy-international policy global
    192.168.20.21 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0 (1)

    !

    Payback-CIX hostname

    activate the encrypted password of HSMurh79NVmatjY0

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    Description this port connects to the local network VIRTUAL 100

    switchport access vlan 100

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    switchport access vlan 100

    !

    interface Ethernet0/4

    switchport access vlan 100

    !

    interface Ethernet0/5

    switchport access vlan 100

    !

    interface Ethernet0/6

    switchport access vlan 100

    !

    interface Ethernet0/7

    switchport access vlan 100

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 84.39.233.50 255.255.255.240

    !

    interface Vlan100

    nameif inside

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    banner welcome to Payback loyalty - CIX connection line

    passive FTP mode

    summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    DNS server-group defaultDNS

    Name-Server 8.8.8.8

    Server name 8.8.4.4

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the host-CIX-1 object

    host 192.168.100.2

    Description This is the VM server host machine

    network object host-External_CIX-1

    Home 84.39.233.51

    Description This is the external IP address of the server the server VM host

    service object RDP

    source between 1-65535 destination eq 3389 tcp service

    network of the Payback_Office object

    Home 92.51.193.158

    service object MSQL

    destination eq 1433 tcp service

    network of the Development_OLTP object

    Home 192.168.100.10

    Description for Eiresoft VM

    network of the External_Development_OLTP object

    Home 84.39.233.52

    Description This is the external IP address for the virtual machine for Eiresoft

    network of the Eiresoft object

    Home 146.66.160.70

    Contractor s/n description

    network of the External_TMC_Web object

    Home 84.39.233.53

    Description Public address to the TMC Web server

    network of the TMC_Webserver object

    Home 192.168.100.19

    Internal description address TMC Webserver

    network of the External_TMC_OLTP object

    Home 84.39.233.54

    External targets OLTP IP description

    network of the TMC_OLTP object

    Home 192.168.100.18

    description of the interal target IP address

    network of the External_OLTP_Failover object

    Home 84.39.233.55

    IP failover of the OLTP Public description

    network of the OLTP_Failover object

    Home 192.168.100.60

    Server failover OLTP description

    network of the servers object

    subnet 192.168.20.0 255.255.255.0

    being Wired network

    192.168.10.0 subnet 255.255.255.0

    the subject wireless network

    192.168.40.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the Eiresoft_2nd object

    Home 137.117.217.29

    Description 2nd Eiresoft IP

    network of the Dev_Test_Webserver object

    Home 192.168.100.12

    Description address internal to the Test Server Web Dev

    network of the External_Dev_Test_Webserver object

    Home 84.39.233.56

    Description This is the PB Dev Test Webserver

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_2

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_3

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_4

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_5

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_6

    service-object MSQL

    service-object RDP

    the Payback_Intrernal object-group network

    object-network servers

    Wired network-object

    wireless network object

    object-group service DM_INLINE_SERVICE_7

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_8

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_9

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_10

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_11

    service-object RDP

    the tcp destination eq ftp service object

    outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

    Note to access list OLTP Development Office of recovery outside_access_in

    outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

    Comment from outside_access_in-access Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

    Note to outside_access_in access to OLTP for target recovery Office Access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

    Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

    outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

    Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

    outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

    Note to outside_access_in access from the 2nd IP Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

    outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

    NAT (inside, outside) static source Development_OLTP External_Development_OLTP

    NAT (inside, outside) static source TMC_Webserver External_TMC_Web

    NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

    NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

    NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 92.51.193.156 255.255.255.252 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

    All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    being REMOTE-LAN network

    255.255.255.0 subnet 192.168.100.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

    Other suggestions

    These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

    PAT-SOURCE network object-group

    source networks internal PAT Description

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    no nat (wireless, outdoors) source Dynamics one interface

    no nat (servers, outside) no matter what source dynamic interface

    The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

    Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

    network of the SERVERS object

    subnet 192.168.20.0 255.255.255.0

    network of the VPN-POOL object

    192.168.50.0 subnet 255.255.255.0

    NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

    no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    ASA2

    Minimal changes

    the object of the LAN network

    255.255.255.0 subnet 192.168.100.0

    being REMOTE-LAN network

    192.168.10.0 subnet 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM.

    Other suggestions

    PAT-SOURCE network object-group

    object-network 192.168.100.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

    Hope this makes any sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • Problem with the VPN site to site for the two cisco asa 5505

    Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

    Cisco Config asa1

    interface Ethernet0/0
    switchport access vlan 1
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Vlan1
    nameif outside
    security-level 0
    IP address 172.xxx.xx.4 255.255.240.0
    !
    interface Vlan2
    nameif inside
    security-level 100
    IP 192.168.60.2 255.255.255.0
    !
    passive FTP mode
    network of the Lan_Outside object
    192.168.60.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    network of the NETWORK_OBJ_192.168.60.0_24 object
    192.168.60.0 subnet 255.255.255.0
    object-group Protocol DM_INLINE_PROTOCOL_1
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_2
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_3
    ip protocol object
    icmp protocol object
    Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
    Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
    Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
    network of the Lan_Outside object
    NAT (inside, outside) interface dynamic dns
    Access-group Outside_access_in in interface outside
    Inside_access_in access to the interface inside group
    Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    Enable http server
    http 192.168.60.0 255.255.255.0 inside
    http 96.xx.xx.222 255.255.255.255 outside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap
    card crypto Outside_map 1 set peer 96.88.75.222
    card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    inside access management

    dhcpd address 192.168.60.50 - 192.168.60.100 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    AnyConnect essentials
    internal GroupPolicy_96.xx.xx.222 group strategy
    attributes of Group Policy GroupPolicy_96.xx.xx.222
    VPN-tunnel-Protocol ikev1, ikev2
    username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
    tunnel-group 96.xx.xx.222 type ipsec-l2l
    tunnel-group 96.xx.xx.222 General-attributes
    Group - default policy - GroupPolicy_96.xx.xx.222
    96.XX.XX.222 group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco ASA 2 config

    interface Ethernet0/0
    switchport access vlan 1
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Vlan1
    nameif outside
    security-level 0
    IP address 96.xx.xx.222 255.255.255.248
    !
    interface Vlan2
    nameif inside
    security-level 100
    IP 192.168.1.254 255.255.255.0
    !
    passive FTP mode
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    network of the Lan_Outside object
    subnet 192.168.1.0 255.255.255.0
    network of the NETWORK_OBJ_192.168.60.0_24 object
    192.168.60.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    object-group Protocol DM_INLINE_PROTOCOL_1
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_2
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_3
    ip protocol object
    icmp protocol object
    object-group Protocol DM_INLINE_PROTOCOL_4
    ip protocol object
    icmp protocol object
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
    Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
    Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
    !
    network of the Lan_Outside object
    dynamic NAT (all, outside) interface
    Access-group Outside_access_in in interface outside
    Inside_access_in access to the interface inside group
    Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    http 172.xxx.xx.4 255.255.255.255 outside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto Outside_map 1 corresponds to the address Outside_cryptomap
    card crypto Outside_map 1 set peer 172.110.74.4
    card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0

    dhcpd address 192.168.1.50 - 192.168.1.100 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    AnyConnect essentials
    internal GroupPolicy_172.xxx.xx.4 group strategy
    attributes of Group Policy GroupPolicy_172.xxx.xx.4
    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
    username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
    tunnel-group 172.xxx.xx.4 type ipsec-l2l
    tunnel-group 172.xxx.xx.4 General-attributes
    Group - default policy - GroupPolicy_172.xxx.xx.4
    172.xxx.XX.4 group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    inspect the http

    For IKEv2 configuration: (example config, you can change to encryption, group,...)

    -You must add the declaration of exemption nat (see previous answer).

    -set your encryption domain ACLs:

    access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

    -Set the Phase 1:

    Crypto ikev2 allow outside
    IKEv2 crypto policy 10
    3des encryption
    the sha md5 integrity
    Group 5
    FRP sha
    second life 86400

    -Set the Phase 2:

    Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
    Esp aes encryption protocol
    Esp integrity sha-1 protocol

    -set the Group of tunnel

    tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
    REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
    IKEv2 authentication remote pre-shared-key cisco123


    IKEv2 authentication local pre-shared-key cisco123

    -Define the encryption card

    address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
    card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
    card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
    CRYPTOMAP interface card crypto outside
    crypto isakmp identity address

    On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

    Thank you

  • VPN site to Site with NAT (PIX 7.2)

    Hi all

    I hope for more help with config PIX.  TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...

    I have to configure a VPN site-to site between our UK and US Office, to replace our frame relay link.  I have configured multiple VPN site to site on the before PIX, so am reasonably okay with the appearance of the config of who.  What is a new concept for me is the needs of NAT'ing between the IPSEC tunnel.

    The U.S. Agency requires us to NAT source addresses (i.e. 192.168.1.0) usable on their side address (i.e. 143.102.89.0).  The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.

    I added the following config and hoping to test it at the U.S. office happens online today.

    If I Ping from 192.168.1.0 to 172.24.x.x source and run a SH NAT inside, the NAT translation seems good.

    is the intellectual property inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
    static translation at 143.102.89.0
    translate_hits = 4, untranslate_hits = 0

    Could someone please go through the following lines of config and comment if there is no error?

    Thank you very much

    Kevin

    / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

    IP 143.102.89.0 allow Access-list ipsec - dallas extended 255.255.255.0 172.24.0.0 255.252.0.0

    policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0

    public static 143.102.89.0 (inside, outside) - list of access policy-nat-dallas

    Crypto ipsec transform-set esp-3des esp-md5-hmac 3desmd5set

    card crypto map dyn 40 correspondence address ipsec - dallas

    set dyn-map 40 crypto map peer 143.101.6.141

    card crypto dyn-map 40 transform-set 3desmd5set

    dyn-map interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    tunnel-group 143.101.6.141 type ipsec-l2l

    IPSec-attributes tunnel-group 143.101.6.141

    pre-shared-key *.

    You can configure NAT/Global pair for the rest of the users.

    For example:

    You can use the initially configured ACL:

    policy-nat-dallas-list of allowed extensive access ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
    NAT (inside) 1 access list policy-nat-dallas

    Global 1 143.102.89.x (outside)

    The static statement that you configured previously will take precedence over the above. So the printer gets statically using a NAT to 143.102.89.10, and the rest can do another ip address 143.102.89.x PATed.

    Please note that for PAT, traffic can only be initiated from 192.168.1.0/24 LAN to 172.24.0.0/14, not the other way around.

    Hope that helps.

  • remote VPN and vpn site to site vpn remote users unable to access the local network

    As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

    The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

    ASA Version 8.2 (2)
    !
    host name
    domain kunchevrolet
    activate r8xwsBuKsSP7kABz encrypted password
    r8xwsBuKsSP7kABz encrypted passwd
    names of
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    PPPoE client vpdn group dataone
    IP address pppoe
    !
    interface Ethernet0/1
    nameif inside
    security-level 50
    IP 192.168.215.2 255.255.255.0
    !
    interface Ethernet0/2
    nameif Internet
    security-level 0
    IP address dhcp setroute
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    Shutdown
    No nameif
    no level of security
    no ip address
    management only
    !
    passive FTP mode
    clock timezone IST 5 30
    DNS server-group DefaultDNS
    domain kunchevrolet
    permit same-security-traffic intra-interface
    object-group network GM-DC-VPN-Gateway
    object-group, net-LAN
    access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
    192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
    tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 Internet
    IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
    ICMP unreachable rate-limit 1 burst-size 1
    enable ASDM history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    AAA authentication http LOCAL console
    AAA authentication enable LOCAL console
    LOCAL AAA authentication serial console
    Enable http server
    x.x.x.x 255.255.255.252 out http
    http 192.168.215.0 255.255.255.252 inside
    http 192.168.215.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto-map dynamic dynmap 65500 transform-set RIGHT
    card crypto 10 VPN ipsec-isakmp dynamic dynmap
    card crypto VPN outside interface
    card crypto 10 ASA-01 set peer 221.135.138.130
    card crypto 10 ASA - 01 the transform-set RIGHT value
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 65535
    preshared authentication
    the Encryption
    sha hash
    Group 2
    lifetime 28800
    Telnet 192.168.215.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    management-access inside
    VPDN group dataone request dialout pppoe
    VPDN group dataone localname bb4027654187_scdrid
    VPDN group dataone ppp authentication chap
    VPDN username bb4027654187_scdrid password * local store
    interface for identifying DHCP-client Internet customer
    dhcpd dns 218.248.255.141 218.248.245.1
    !
    dhcpd address 192.168.215.11 - 192.168.215.254 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    Des-sha1 encryption SSL
    WebVPN
    allow outside
    tunnel-group-list activate
    internal kun group policy
    kun group policy attributes
    VPN - connections 8
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value split tunnel
    kunchevrolet value by default-field
    test P4ttSyrm33SV8TYp encrypted password username
    username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
    username kunauto attributes
    Strategy Group-VPN-kun
    Protocol-tunnel-VPN IPSec
    tunnel-group vpngroup type remote access
    tunnel-group vpngroup General attributes
    address pool VPN_Users
    Group Policy - by default-kun
    tunnel-group vpngroup webvpn-attributes
    the vpngroup group alias activation
    vpngroup group tunnel ipsec-attributes
    pre-shared key *.
    type tunnel-group test remote access
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group ipsec-attributes x.x.x.x
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
    : end
    kunauto #.

    Hello

    Looking at the configuration, there is an access list this nat exemption: -.

    192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

    But it is not applied in the States of nat.

    Send the following command to the nat exemption to apply: -.

    NAT (inside) 0 access-list sheep

    Kind regards

    Dinesh Moudgil

    P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

  • Make the remote web server accessible via VPN Site to website

    We have two test sites that are connected by a tunnel IPSEC VPN site-to-site (hosted on a SAA each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Two web servers are running on the Site of Test 1. We don't have the same public IP available at each site.

    To address the public site 1 unique IP address restriction, we try to install ACL and NAT rules to have 2 Site accept traffic from the internet and send it on the site to the other tunnel. So 1 Web server would accept the ASA 1 internet traffic and Web Server 2 accept traffic from ASA 2 to the other site. Here's a network diagram:

    We have difficulties to get this configuration works correctly. Please note that the network 192.168.3.0/24 clients are able to access the servers Web1 and Web2. This question seems to be due to our NAT configuration. This is the type of error, we see on the two firewalls:

    Asymmetrical NAT rules matched for flows forward and backward; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 refused due to path failure reverse that of NAT

    Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230

    Any help would be appreciated.

    Hello

    What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have done no such features in a real-life network environment and have always used additional public IP addresses on the local site when a server is hosted.

    If you want to continue to move forward with this so here's a few points to consider and the configurations that you need.

    First off it seems to me that the other server will be organized by the local Site 1 so a simple static PAT (Port Forward) must manage the Site 1.

    network of the WEB-HTTP object

    host 192.168.1.10

    NAT (inside, outside) interface static tcp 443 443 service

    And if you need TCP/80 also then you will need

    network of the HTTPS WEB object

    host 192.168.1.10

    NAT (inside, outside) interface static service tcp 80 80

    Now, 2 Site will naturally a little different that the server is hosted on the Site 1 and Site 2 is the public IP address used to publish the server on the external network.

    Essentially, you will need to configure NAT that both makes dynamic PAT for the addresses of the source of the connection to your server Web 2, but also makes the static PAT (Port Forward) for the IP address of the Web Server 2. Additionally, you have to set the area of encryption on the Site 1 and Site 2 to match this new addition to the L2L VPN connection.

    Unless of course you use an existing IP address on the field of encryption in the dynamic translation of PAT for the source address. In this case, it would take no change VPN L2L. I'll use that in the example below.

    The NAT configuration might look like this

    service object WWW

    destination eq 80 tcp service

    service object HTTPS

    destination eq 443 tcp service

    the object SOURCE-PAT-IP network

    host 192.168.3.254

    network of the WEB-SERVER-2-SITE1 object

    host 192.168.1.11

    NAT (outside, outside) 1 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service WWW WWW

    NAT (outdoors, outdoor), 2 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service HTTPS HTTPS

    So, essentially, NAT configurations above should ake 'all' traffic coming from behind 'outside' interface intended to "outside" "interface" IP address and translate the source to ' SOURCE-PAT-IP ' address and untranslate destination to "WEB-SERVER-2-SITE1".

    Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If she is then replace it with something that is not currently used in the network. Otherwise, configure an IP address of some other subnet and include in the L2L VPN configurations on both sites.

    Unless you already have it, you also have this configuration command to activate the traffic to make a U-turn/pin on the ' outside ' of the Site 2 ASA interface

    permit same-security-traffic intra-interface

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • VPN site to Site on Cisco ASA

    Hello

    I'm trying to implement a VPN site-to site. I've never done this before and can't make it work. I looked online training videos and thought it looked fairly straightforward. My problem seems to be that th ASA does not try to create a tunnel. He doesn't seem to know that this traffic should be sent over the tunnel. Both external interfaces can ping each other and are on the same subnet.

    I glued the two configs below. They have just basic configs with all VPN orders, having been created by the wizard. I did put the routes that both devices are on the same subnet. If you can see my error, I would be very grateful if you could point out or even point me in the right direction.

    See you soon,.

    Tormod

    ciscoasa1

    : Saved

    : Written by enable_15 at 05:11:30.489 UTC Wednesday, June 19, 2013

    !

    ASA 5,0000 Version 13

    !

    hostname ciscoasa1

    activate 8Ry2YjIyt7RRXU24 encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    IP 1.1.1.1 255.255.255.0

    !

    interface GigabitEthernet0/1

    nameif inside

    security-level 100

    10.1.1.1 IP address 255.255.255.0

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    passive FTP mode

    permit outside_1_cryptomap to access extended list ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

    permit inside_nat0_outbound to access extended list ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside) 0-list of access inside_nat0_outbound

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 0.0.0.0 0.0.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    card crypto outside_map 1 set peer 1.1.1.2

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 5

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    username cisco password encrypted privilege 15 3USUcOPFUiMCO4Jk

    tunnel-group 1.1.1.2 type ipsec-l2l

    1.1.1.2 tunnel-group ipsec-attributes

    pre-shared-key ciscocisco

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    Review the ip options

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65

    : end

    ciscoasa2

    : Saved

    : Written by enable_15 at 15:40:31.509 UTC Wednesday, June 19, 2013

    !

    ASA 5,0000 Version 13

    !

    hostname ciscoasa2

    activate 8Ry2YjIyt7RRXU24 encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    1.1.1.2 IP 255.255.255.0

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    10.1.2.1 IP address 255.255.255.0

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    passive FTP mode

    outside_1_cryptomap to access extended list ip 10.1.2.0 allow 255.255.255.0 10.1.1.0 255.255.255.0

    inside_nat0_outbound to access extended list ip 10.1.2.0 allow 255.255.255.0 10.1.1.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside) 0-list of access inside_nat0_outbound

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 0.0.0.0 0.0.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    card crypto outside_map 1 set peer 1.1.1.1

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 5

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    username cisco password encrypted privilege 15 3USUcOPFUiMCO4Jk

    tunnel-group 1.1.1.1 type ipsec-l2l

    tunnel-group 1.1.1.1 ipsec-attributes

    pre-shared-key ciscocisco

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    Review the ip options

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1

    : end

    Hello

    Then your ASAs directly connected by the same network do not need a route to connect with eachother that VPN traffic still has a route to the remote network so that the traffic will be forwarded to the VPN L2L connection.

    To my knowledge that the SAA should do a route search before everything about the VPN is made. In this spirit the cant of the SAA is really decide where to forward traffic that it doesn't even have a default route for traffic that he does not know the specific road.

    So I guess you have to be to add this on the two ASAs

    card crypto outside_map 1 the value reverse-road

    and/or

    Configure a default route on each SAA pointing the other ASA, so they can choose the interface appropriate for traffic to destination across the VPN L2L.

    Try these and let me know if it works for you.

    Hope this helps

    Think about scoring the answer as the answer if it answered your question.

    Ask more if necessary

    -Jouni

  • Breeze remote VPN VPN site-to-site

    Excuse me, but I am a novice with this and in over my head.

    I'm trying to add features to remote VPN to a small office ASA5505 that works well for external access to the ' net and has a tunnel from site to site in an office in another city.

    After the various guides, I have added (or tried to add) the necessary configuration, but when I try to add cryptographic declarations for the remote vpn, VPN site-to-site goes down.  The internal network is on 10.1.10.0/24 and remote users must be on the 192.168.30.0/24 subnet

    I would appreciate anyone pointing out some stupid mistake that I made.  Here is the configuration of private information and outside addresses "cleaned."

    Thanks in advance for your suggestions!

    ======================================================

    ASA Version 8.2 (5)

    !

    asa-hhh hostname

    xyz.com domain name

    activate 1ltRLCMh8jwpmLdb encrypted password

    1ltRLCMh8jwpmLdb encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.1.10.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address xxx.xxx.xxx.241 255.255.255.248

    !

    passive FTP mode

    clock timezone CST - 6

    clock to summer time recurring CDT

    DNS server-group DefaultDNS

    domain peissel.com

    outside_in list extended access permit icmp any any echo response

    outside_in list extended access deny ip any any newspaper

    list of access VPN AUS ip 10.1.10.0 scopes allow 255.255.255.0 192.168.1.0 255.255.255.0

    access-list SHEEP extended ip 10.1.10.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    access extensive list ip 10.1.10.0 splittunnel allow 255.255.255.0 192.168.30.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool vpnpool 192.168.30.1 - 192.168.30.254

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 643.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0 access-list SHEEP

    NAT (inside) 1 10.1.10.0 255.255.255.0

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.246 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    the ssh LOCAL console AAA authentication

    Enable http server

    http 10.1.10.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-3des esp-sha-hmac espSHA3DESproto

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

    crypto IPSEC 10 card matches the address VPN-AUS

    card crypto IPSEC 10 set peer yy.yy.yy.33

    card crypto IPSEC transform-set espSHA3DESproto value 10

    card crypto IPSEC outside interface

    Crypto ca trustpoint localtrust

    registration auto

    domain name full abc.xyz.com

    sslvpnkey key pair

    Configure CRL

    Crypto ca certificate chain localtrust

    certificate 68b4ea4e

    b4fe602b 58b8deaf df648bf3 512a5be1 3fd1e2df 3ae2dc41 2602cd 67 0500bb88 e1

    quit smoking

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 20

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 10.1.10.0 255.255.255.0 inside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH timeout 5

    Console timeout 0

    dhcpd address 10.1.10.10 - 10.1.10.40 inside

    interface dns 8.8.8.8 dhcpd inside

    rental contract interface 86400 dhcpd inside

    dhcpd peissel.com area inside interface

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    NTP server 192.5.41.41 source outdoors

    NTP server 192.5.41.40 source outdoors

    localtrust point of trust SSL outdoors

    WebVPN

    allow outside

    enable SVC

    internal remotevpn group policy

    attributes of the strategy of group remotevpn

    VPN-idle-timeout 30

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list splittunnel

    myname 8NYVxDRPHUNYpspD encrypted privilege 15 password username

    user myname attributes name

    type of service admin

    username the user password encrypted remote /yoq2HhsDPlgKIdN

    tunnel-group yy.yy.yy.33 type ipsec-l2l

    yy.yy.yy.33 group of tunnel ipsec-attributes

    pre-shared key *.

    ISAKMP retry threshold 30 keepalive 5

    type tunnel-group remotevpn remote access

    tunnel-group remotevpn General-attributes

    address vpnpool pool

    Group Policy - by default-remotevpn

    remotevpn group of tunnel ipsec-attributes

    pre-shared key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:465a4a58a8ad00e66259d93e645b3ed1

    : end

    Hello

    Try these configuration changes

    Create an ACL from Tunnel simpler Split (standard type that indicates which networks of tunnel)

    standard access list permits 10.1.10.0 SPLIT-TUNNEL 255.255.255.0

    Modify the ACL of Split Tunnel in use

    attributes of the strategy of group remotevpn

    No split-tunnel-network-list splittunnel value

    Split-tunnel-network-list value of SPLIT TUNNEL

    Remove the old ACL of the ASA

    No splittunnel Access 10.1.10.0 ip range list allow 255.255.255.0 192.168.30.0 255.255.255.0

    Add NAT0 rule for the VPN Client to the LAN traffic that you were missing (only had one for VPN L2L)

    access-list SHEEP extended ip 10.1.10.0 allow 255.255.255.0 192.168.30.0 255.255.255.0

    May also add the following

    fixup protocol icmp

    It will add ICMP Inspection to the ASA. Accelerations passing messages ICMP Echo Reply through the ASA.

    Hope this helps

    Don't forget to check the answer as the answer if it answered your question. And/or useful response rates

    -Jouni

  • VPN site to Site one-way traffic

    Hi all

    I set up a Vpn site-to site and everything works well in the remote site to the corporate site, but since the site of the company asa 5510, I can't access to the remote site asa 5505.  I checked the logging on the SAA and I can see the packets being fallen but I can't find what I need to do to allow this traffic through.  Here are most of my 5510 config, I'm sure it's something simple I'm missing, but I can't run it please help.

    REMOTE network is 192.168.72.0

    : Saved

    : Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

    !

    ASA Version 8.0 (5)

    !

    host name Casa

    uk domain name

    activate the encrypted password of VgZT0UwPdkSV9l7N

    zlo5ImUVRkHl4lcl encrypted passwd

    names of

    name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance

    name 192.168.3.12 description villages villages

    DNS-guard

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP address x.x.x.123 255.255.255.224

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    192.168.3.254 IP address 255.255.255.0

    !

    interface Ethernet0/2

    nameif dmz

    security-level 50

    IP 192.168.103.254 255.255.255.0

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    management only

    !

    boot system Disk0: / asa805 - k8.bin

    boot system Disk0: / asa707 - k8.bin

    passive FTP mode

    clock timezone GMT/UTC 0

    summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS server-group DefaultDNS

    uk domain name

    object-group network ExternalAccess

    Description hosts allowed direct web access

    network object-SVR-01 255.255.255.255

    SVR GIS 255.255.255.255 network-object

    host of network-object cient

    host villages network-object

    the ExternalAccessFromDMZ object-group network

    Description hosts allowed direct web access to DMZ

    CITRIX-device 255.255.255.255 network-object

    network-object IRONPORT1 255.255.255.255

    worker of the object-network 255.255.255.255

    MitelUDPinternet udp service object-group

    Description Mitel UDP services on the internet

    20000-27000 object-port Beach

    port-object eq sip

    port-object eq 5064

    MitelTCPinternet tcp service object-group

    Description Mitel TCP services on the internet

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 3998

    6801-6802 object-port Beach

    port-object eq 6880

    port-object eq www

    EQ object of the https port

    port-object eq 6800

    EQ object Port 3478

    port-object eq sip

    EQ port ssh object

    MitelTCPinternetOpt tcp service object-group

    Description Mitel TCP optional services on the internet

    port-object eq 3300

    6806-6807 object-port Beach

    36005 36005 object-port Beach

    36005 36006 object-port Beach

    EQ object Port 3478

    port-object eq sip

    MitelUDP2LAN udp service object-group

    Description Mitel UDP for the local network of services

    object-port range 1024-65535

    port-object eq sip

    MitelTCP2LAN tcp service object-group

    Description Mitel TCP for the local network of services

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 1606

    object-port 4443 eq

    port-object eq 3998

    port-object eq 3999

    6801-6802 object-port Beach

    port-object eq 6880

    port-object eq www

    EQ object of the https port

    EQ object Port 3478

    port-object eq sip

    acl_outside list extended access permit icmp any any echo response

    acl_outside list extended access allow all unreachable icmp

    acl_outside list extended access permit icmp any any source-quench

    acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp

    acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https

    acl_outside list extended access permit tcp any host x.x.x.123 eq ssh

    acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081

    acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp

    acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https

    acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

    acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

    acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group

    acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group

    acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group

    acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

    acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp

    acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp

    acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp

    inside_outbound_nat0_acl to access ip 192.168.1.0 scope list allow 255.255.255.0 172.30.100.0 inactive 255.255.255.224

    inside_outbound_nat0_acl list of allowed ip extended access all 172.31.1.0 255.255.255.0

    inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.103.0 255.255.255.0

    inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

    inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything

    acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH

    acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host

    acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268

    acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field

    acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

    acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field

    acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH

    access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any

    acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive

    acl_dmz list extended access permit ip any host CITRIXCSG-lan idle

    acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp

    acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN

    acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN

    dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all

    access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0

    dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access

    access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

    inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything

    access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

    access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all

    access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    allow any scope to an entire ip access list

    inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all

    dmz_pnat1_outbound list of ip telecommuter host allowed extended access any

    outside_1_cryptomap to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    logging e-mail notifications

    uk address record

    exploitation forest-address recipient [email protected] / * / critical level

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 dmz

    management of MTU 1500

    IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any inside

    ICMP allow no dmz echo

    ICMP allow all dmz

    ASDM image disk0: / asdm-625 - 53.bin

    ASDM location SVR-01 255.255.255.255 inside

    ASDM location svr-02 255.255.255.255 inside

    ASDM location IRONPORT1 255.255.255.255 dmz

    ASDM location 194.81.55.226 255.255.255.255 dmz

    ASDM 255.255.255.255 inside server location

    ASDM location CITRIX-device 255.255.255.255 dmz

    ASDM group ExternalAccess inside

    ASDM group dmz ExternalAccessFromDMZ

    don't allow no asdm history

    ARP timeout 14400

    Global x.x.x.121 2 (outdoor)

    Global 1 x.x.x.125 (outside)

    Global Mail_Outside_AVON 3 (outside)

    Global Mail_Outside_AGH 4 (outside)

    Global teleworker_outside 5 (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 2-list of access inside_pnat_outbound_AVON

    NAT (inside) 3 access-list inside_nat_AVON_Marshall

    NAT (inside) 1 access-list inside_pnat_outbound

    NAT (dmz) 0-list of access dmz_nat0_inbound outside

    NAT (dmz) 4 access-list dmz_pnat_outbound

    NAT (dmz) 5 access-list dmz_pnat1_outbound

    static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside

    static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255

    static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH

    static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255

    static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON

    static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside

    static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255

    static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

    static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker

    Access-group acl_outside in interface outside

    Access-group acl_dmz in dmz interface

    Route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

    Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    oner http 255.255.255.255 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    card crypto outside_map 1 set r.r.r.244 counterpart

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    Telnet timeout 5

    SSH x.x.x.x 255.255.255.255 outside

    SSH Mail_Inside_AGH 255.255.255.255 inside

    SSH timeout 5

    Console timeout 0

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    a basic threat threat detection

    statistical threat detection port

    Statistical threat detection Protocol

    Statistics-list of access threat detection

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    prefer NTP server SVR - DC1 source inside

    internal VPN group policy

    attributes of VPN group policy

    value 192.168.x.x 192.168.x.x WINS server

    Server DNS value 192.168.x.x 192.168.x.x

    enable IPSec-udp

    value by default domain-ACE

    username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0

    attributes of VPN username

    Strategy-Group-VPN VPN

    VPN Tunnel-group type remote access

    General-attributes of VPN Tunnel-group

    address vpnpool pool

    Group Policy - by default-VPN

    Group-tunnel VPN ipsec-attributes

    pre-shared key *.

    tunnel-group r.r.r.244 type ipsec-l2l

    r.r.r.244 tunnel ipsec-attributes group

    pre-shared key *.

    by default-group r.r.r.244 tunnel-Group-map

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns migrated_dns_map_1

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the migrated_dns_map_1 dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the netbios

    inspect the tftp

    inspect the sip

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:8360816431357f109b3c4b950d545c86

    : end

    This route is duplicated with the remote network

    Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    I suggest to make this more specific subnet or add something like

    Route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

    Internal, if above not in fact help, put a trace packet to simulate traffic even that fails on the 5510.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

    Kind regards

  • problem with users to access remote vpn site to site vpn network

    I did the Setup: asa 5510 configured remote access vpn. My vpn users receive asa 5510 range 192.168.50.0/24 addresses and users access my local lan 192.168.0.0/24. the second side of the local lan 192.168.0.0/24 on asa 5505, I did a vpn site-to-site with network 192.168.5.0/24.on that both sides of a site are asa 5505. inside the interface asa 5510 Elise 192.168.0.10 and inside the interface asa 5505 have address 192.168.0.17.third asa 5505 networked 192.168.5.0/24 address 192.168.5.1. I want my remote access vpn users can access resources on network 192.168.5.0/24. I create the static route on inside the asa 5510 static route 192.168.5.0 interface 255.255.255.0 192.168.0.17 and a static route on inside the asa 5505 static route 192.168.50.0 interface 255.255.255.0 192.168.0.10, but it's not working. What do I do?

    execution of the configuration of my asa 5510 is

    Result of the command: "show run"

    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    description Mreza za virtualne masine- mail server, wsus....
    nameif DMZ
    security-level 50
    ip address 172.16.20.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    object network NETWORK_OBJ_192.168.0.0_24
    subnet 192.168.0.0 255.255.255.0
    object network 192.168.0.10
    host 192.168.0.10
    object service ssl
    service tcp destination eq 465
    object service tls
    service tcp destination eq 995
    object network mail_server
    host 172.16.20.201
    object service StartTLS
    service tcp destination eq 587
    object service admin_port
    service tcp destination eq 444
    object service ODMR
    service tcp destination eq 366
    object service SSL-IMAP
    service tcp destination eq 993
    object network remote
    host 172.16.20.200
    object network test
    host 192.168.0.22
    object network mail
    host 172.16.20.200
    object network DMZ
    host 172.16.20.200
    object network Inside_DMZ
    host 192.168.0.20
    object service rdp
    service tcp destination eq 3389
    object network DRI_PS99
    host 192.168.0.54
    object service microsoft_dc
    service tcp destination eq 445
    object service https448
    service tcp destination eq 448
    object network mail_server_internal
    host 172.16.20.201
    object service Acronis_remote
    service tcp destination eq 9876
    object service Acronis_25001
    service tcp destination eq 25001
    object service HTTP3000
    service tcp destination eq 3000
    object network VPNPOOL
    subnet 192.168.50.0 255.255.255.0
    object-group network PAT-SOURCE-NETWORKS
    description Source networks for PAT
    network-object 192.168.0.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object admin_port
    service-object object ssl
    service-object object tls
    service-object object https448
    object-group service DM_INLINE_SERVICE_2
    service-object object admin_port
    service-object object https448
    service-object object ssl
    service-object object tls
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_3
    service-object object admin_port
    service-object object https448
    service-object object ssl
    service-object tcp destination eq smtp
    service-object object tls
    service-object object Acronis_remote
    service-object tcp destination eq www
    service-object object Acronis_25001
    service-object object microsoft_dc
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_4
    service-object object Acronis_25001
    service-object object Acronis_remote
    service-object object microsoft_dc
    service-object tcp destination eq www
    service-object tcp
    service-object ip
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
    access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
    access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
    access-list DMZ extended deny tcp any any eq smtp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    !
    object network mail_server
    nat (DMZ,outside) static x.x.x.179
    object network mail
    nat (DMZ,outside) static x.x.x.180
    access-group outside_access_in in interface outside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record dripolisa
    aaa-server DRI protocol ldap
    aaa-server DRI (inside) host 192.168.0.20
    ldap-base-dn DC=dri,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    virtual telnet 192.168.1.12
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 195.222.96.223
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.14-192.168.0.45 inside
    !
    dhcpd address 172.16.20.2-172.16.20.150 DMZ
    dhcpd dns x.x.x.177 interface DMZ
    dhcpd auto_config outside interface DMZ
    dhcpd option 6 ip x.x.x.177 interface DMZ
    dhcpd enable DMZ
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.223 internal
    group-policy GroupPolicy_x.x.x.223 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group DRI
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.223 type ipsec-l2l
    tunnel-group x.x.x.223 general-attributes
    default-group-policy GroupPolicy_x.x.x.223
    tunnel-group x.x.x.223 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect tftp
      inspect ip-options
      inspect netbios
      inspect icmp
      inspect http
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
    : end

    running config asa 5505

    Result of the command: "show run"

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    enable password csq7sfr0bQJqMGET encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.5.0 PALATA
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.17 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.13.74.33 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp
    service-object icmp echo
    service-object icmp echo-reply
    service-object tcp eq domain
    service-object tcp eq ldap
    service-object tcp eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object ip
    service-object tcp eq domain
    service-object tcp eq www
    service-object tcp eq https
    service-object tcp eq smtp
    object-group service Sharepoint8080 tcp
    port-object eq 8080
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    logging mail errors
    logging from-address
    logging recipient-address  level debugging
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 192.168.0.0 255.255.255.0
    static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
    static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
    route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication telnet console LOCAL
    http server enable
    http 10.13.74.0 255.255.255.0 outside
    http 192.168.0.0 255.255.255.0 inside
    http 10.15.100.0 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    virtual telnet 192.168.0.53
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_2_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 10.15.100.15
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group 10.15.100.15 type ipsec-l2l
    tunnel-group 10.15.100.15 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    smtp-server 173.194.79.109
    prompt hostname context
    Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
    : end

    Thank you

    Hello

    I have previously edited the my initial response was in fact not necessary since you were actually using full Tunnel

    EDIT: Actually just noticed the the VPN client isnt using Split Tunnel. Its Full Tunnel at the moment since it doesnt have the "split-tunnel-policy tunnelspecified"

    So you don't really have any of those.

    Please mark the question answers and/or assess response

    Ask more if necessary

    -Jouni

  • Default route inside the tunnel VPN Site to site

    We want to carry the default traffic within the site to site VPN tunnel, our goal is to route all traffic including default branch road and HO HO help branch for surfing the internet.

    I have due to difficulties

    1. cannot configure dynamic NAT for the router in the branch on the ASA HO, I know configuration for 8.2, but know not about 8.4

    This is the configuration for the 8.2, if someone can translate to 8.4, which would be a great help

    NAT (outside) 1 192.168.230.0

    2. I do not know how to write the default route on the branch office router to send all traffic within the VPN tunnel

    Hello

    As I understand it then you want to route ALL traffic from the Remote Site to the Central Site and manage Internet traffic there.

    I suppose you could define "interesting traffic" in configuring VPN L2L ACL / access-list in the following way

    Branch router

    extended IP access list

    allow an ip

    ASA central

    ip access list allow one

    The idea behind the type of ACL for the VPN L2L above configurations is that, for example, the branch office router has a rule that sets connection coming from the local LAN for 'any' destination address must be sent to the VPN L2L connection. So, it would be in such a way that all the traffic will be sent to the Central Site via VPN L2L.

    I must say however, that the VPN router configurations side are not more familiar to me because I manage especially with ASA Firewall (and to some extent still PIX and FWSMs)

    I guess that on the ASA Central you will PAT translation to "outside" so that the host can access the Internet?

    You would probably do something like this

    object-group network to REMOTE-SITE-PAT-SOURCE

    network-object

    interface of REMOTE-SITE-PAT-SOURCE dynamic NAT (outside, outside) after auto source

    If you don't want to use the 'outside' IP address, then you will have to create a 'network of object' for address IP of PAT and use it in the line of NAT configuration above instead of "interface".

    Alternate configuration might be

    network of the REMOTE-SITE-PAT object

    subnet

    dynamic NAT interface (outdoors, outdoor)

    You also need to enable

    permit same-security-traffic intra-interface

    To allow traffic to enter and exit the same interface on the ASA

    All these answers are naturally suggestion on what you have to do. I don't know what kind of configurations you have right now.

    Hope this helps in some way

    -Jouni

    Post edited by: Jouni Forss

  • VPN site to Site-> DMZ

    Good evening

    First time poster, long drive when these forums. I should probably stop to say thanks for all the advice that I managed to stick like a leech from various comments that have been posted - thank you!

    My problem is to get to the step to be a bit boring.

    I have a Cisco 5520, which is a Cisco 5505 is connected via a tunnel from Site to Site.

    The tunnel runs just dandy, with traffic fortunately passed to and from the interface of my Interior.

    An issue with users connected to access 5505 our DMZ, he simply refuses to work. I read a lot of posts about the changes to subsection 8.3 (which I'm running on the 5520) when it comes to exemptions of NAT which according to me is the issue I'm having, but I am not able to apply any configuration to allow my site to site VPN to connect to hosts in the DMZ.

    An old copy of the configuration below (I tried a lot of things after this point, but it is one of the cleanest copies!), any help would be much appreciated.

    Rob

    Output of the command: "sh runn.

    : Saved

    :

    ASA 8.3 Version (2)

    !

    ciscoasa hostname

    activate the password * encrypted

    passwd * encrypted

    names of

    !

    interface GigabitEthernet0/0

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/0.1

    Description connection Internet GCI VLAN 99

    VLAN 99

    nameif outside GCI

    security-level 0

    IP 213.218.219.65 255.255.255.192

    !

    interface GigabitEthernet0/1

    Inside the 254 unreferenced Network Interface Description

    nameif Inisde

    security-level 100

    IP 192.168.254.240 255.255.255.0

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/3

    Description placeholder for the secondary Interfaces Interface

    No nameif

    security-level 50

    no ip address

    !

    interface GigabitEthernet0/3.1

    Tagged VLAN253 traffic within the DMZ description

    VLAN 253

    nameif DMZ-253

    security-level 50

    IP 192.168.253.240 255.255.255.0

    !

    interface GigabitEthernet0/3.2

    Description the tag VLAN traffic 252

    VLAN 252

    nameif Edge

    security-level 49

    IP 192.168.252.240 255.255.255.0

    !

    interface Management0/0

    nameif management

    security-level 0

    IP 192.168.1.1 255.255.255.0

    management only

    !

    boot system Disk0: / asa832 - k8.bin

    passive FTP mode

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network 192.168.197.0 - Wibble object

    192.168.197.0 subnet 255.255.255.0

    STS Wibble remote network description

    network 192.168.196.0 - Wibble2 object

    192.168.196.0 subnet 255.255.255.0

    STS Wibble2 remote network description

    network of the 213.218.219.67 object

    Home 213.218.219.67

    Address translation NAT static description

    Network 10.128.117.0 - Wibble3 object

    10.128.117.0 subnet 255.255.255.0

    Description 12345

    network 192.168.253.15 - CorporateProxy object

    Home 192.168.253.15

    Description Corporate Proxy

    network 192.168.253.22 - NonCorporateProxy object

    Home 192.168.253.22

    Stores Proxy description

    network 192.168.253.46 - DMZWeb object

    Home 192.168.253.46

    Description 1

    purpose of the 10.150.100.0 - DTC network

    10.150.100.0 subnet 255.255.255.0

    DTC remote network description

    network of the NETWORK_OBJ_10.150.100.0_24 object

    10.150.100.0 subnet 255.255.255.0

    10.150.101.0 - Europa network object

    10.150.101.0 subnet 255.255.255.0

    123 description

    Network 10.110.170.0 - Wibble4 object

    10.110.170.0 subnet 255.255.255.0

    123 description

    network of the NETWORK_OBJ_10.110.170.0_24 object

    10.110.170.0 subnet 255.255.255.0

    network 192.168.198.0 - Wibble4 object

    255.255.255.0 subnet 192.168.198.0

    123 description

    Network 10.128.116.0 - Wibble6 object

    10.128.116.0 subnet 255.255.255.0

    123 description

    network of the NETWORK_OBJ_10.128.116.0_24 object

    10.128.116.0 subnet 255.255.255.0

    network 192.168.192.0 - Wibble4_Office object

    192.168.192.0 subnet 255.255.255.0

    Description F1234

    network of the NETWORK_OBJ_192.168.192.0_24 object

    192.168.192.0 subnet 255.255.255.0

    network of the 192.168.200.10 object

    Home 192.168.200.10

    network 192.168.191.0 - Darlington_Test object

    192.168.191.0 subnet 255.255.255.0

    the SiteToSiteVPNs object-group network

    Description contains VPN Site to Site groups

    network-object 192.168.197.0 - Wibble

    network-object 192.168.196.0 - Wibble2

    network-object 10.128.117.0 - Wibble3

    network-object object 10.150.100.0 - DTC

    network-object 10.150.101.0 - Europa

    network-object 10.110.170.0 - Wibble4

    network-object object 192.168.198.0 - Wibble4

    network-object 10.128.116.0 - Wibble6

    network-object 192.168.192.0 - Wibble4_Office

    network-object 192.168.191.0 - Darlington_Test

    the ExternalIPs object-group network

    network-object, object 213.218.219.67

    DM_INLINE_TCP_1 tcp service object-group

    EQ object of port 8080

    EQ object of the https port

    the DM_INLINE_NETWORK_1 object-group network

    network-object 192.168.253.15 - CorporateProxy

    network-object 192.168.253.22 - NonCorporateProxy

    the DM_INLINE_NETWORK_2 object-group network

    network-object 192.168.253.15 - CorporateProxy

    network-object 192.168.253.22 - NonCorporateProxy

    DM_INLINE_TCP_2 tcp service object-group

    port-object eq ftp

    port-object eq ftp - data

    port-object eq www

    EQ object of the https port

    DM_INLINE_TCP_3 tcp service object-group

    EQ port 3306 object

    port-object eq ftp

    port-object eq ftp - data

    port-object eq www

    EQ smtp port object

    EQ port ssh object

    DM_INLINE_TCP_4 tcp service object-group

    port-object eq 1280

    port-object eq 29002

    port-object eq 29005

    port-object eq 29006

    port-object eq 61023

    GCI-Outside_cryptomap access-list extended permits all ip 192.168.197.0 255.255.255.0

    Inisde_access_in list extended access permit ip host 192.168.191.50 all

    access-list Inisde_access_in note allow inside devices to access the web proxy

    Inisde_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_2-group of objects DM_INLINE_TCP_1

    access-list Inisde_access_in note allow internal users to access Web / FTP

    Inisde_access_in list extended access permit tcp any object 192.168.253.46 - DMZWeb object-group DM_INLINE_TCP_3

    Inisde_access_in of access note list Chp & Pin authorization/downloads

    Inisde_access_in list extended access permit tcp any any DM_INLINE_TCP_4 object-group

    Comment by Inisde_access_in-RDP/VNC access to VPN site-to-site list

    Inisde_access_in list of allowed ip extended access any object-group SiteToSiteVPNs

    Inisde_access_in deny ip extended access list a whole

    GCI-Outside_access_in extended permitted any one ip access-list

    GCI-Outside_1_cryptomap access-list extended permits all ip 192.168.196.0 255.255.255.0

    GCI-Outside_cryptomap_1 access-list extended permits all ip 10.128.117.0 255.255.255.0

    access-list DMZ - 253_access_in note Proxy to access the Internet

    DMZ-253_access_in allowed extended object-group DM_INLINE_NETWORK_1 ip access-list all

    access-list DMZ-253_access_in note enable DMZ Web Server you connect to the Internet

    access-list DMZ-253_access_in extended permitted tcp object 192.168.253.46 - DMZWeb any object-group DM_INLINE_TCP_2

    refuse the DMZ-253_access_in access-list extended ip a

    GCI-Outside_3_cryptomap access-list extended 192.168.198.0 allowed any ip 255.255.255.0

    GCI-Outside_4_cryptomap access-list extended permits all ip 10.150.100.0 255.255.255.0

    GCI-Outside_5_cryptomap access-list extended permits all ip 10.150.101.0 255.255.255.0

    GCI-Outside_7_cryptomap access-list extended permits all ip 10.110.170.0 255.255.255.0

    GCI-Outside_8_cryptomap access-list extended permits all ip 10.128.116.0 255.255.255.0

    GCI-Outside_9_cryptomap access-list extended permits all ip 192.168.192.0 255.255.255.0

    GCI-Outside_10_cryptomap access-list extended permits all ip 192.168.191.0 255.255.255.0

    pager lines 24

    Enable logging

    recording of debug trap

    logging of debug asdm

    host Inisde 192.168.154.60 record

    MTU 1500 GCI-outside

    MTU 1500 Inisde

    MTU 1500 DMZ-253

    MTU 1500 m

    MTU 1500 management

    IP check path reverse interface GCI-outside

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 634.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (outside GCI, GCI-outside) SiteToSiteVPNs SiteToSiteVPNs SiteToSiteVPNs SiteToSiteVPNs description static destination static source allows cross-site routing

    NAT (GCI-outside, Inisde) static source everything any static destination SiteToSiteVPNs SiteToSiteVPNs description Allow sites to talk inside.

    NAT (Inisde, GCI-outside) static source just any static destination SiteToSiteVPNs SiteToSiteVPNs description Site-to-Site exempt inside VPN NAT

    NAT (DMZ-253, GCI-outside) static source all electricity static destination SiteToSiteVPNs SiteToSiteVPNs

    !

    network 192.168.197.0 - Wibble object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    network 192.168.196.0 - Wibble2 object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    Network 10.128.117.0 - Wibble3 object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    network 192.168.253.15 - CorporateProxy object

    NAT (DMZ-253, GCI-outside) static 213.218.219.69

    network 192.168.253.22 - NonCorporateProxy object

    NAT (DMZ-253, GCI-outside) static 213.218.219.88

    network 192.168.253.46 - DMZWeb object

    NAT (DMZ-253, GCI-outside) static 213.218.219.82

    purpose of the 10.150.100.0 - DTC network

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    10.150.101.0 - Europa network object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    Network 10.110.170.0 - Wibble4 object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    network 192.168.198.0 - Wibble4 object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    Network 10.128.116.0 - Wibble6 object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    network 192.168.192.0 - Wibble4_Office object

    NAT (outside GCI, GCI-outside) dynamic 213.218.219.67

    !

    NAT (Inisde, GCI-outdoor) automatic static source after-service all 213.218.219.67

    Access-group interface GCI-outside GCI-Outside_access_in

    Access-group Inisde_access_in in the Inisde interface

    Access-group DMZ-253_access_in in interface DMZ-253

    Route from GCI-outside 0.0.0.0 0.0.0.0 213.218.219.126 1

    Route Inisde 10.0.0.0 255.0.0.0 192.168.254.1 1

    Route from GCI-outside 10.110.170.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 10.128.116.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 10.128.117.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 10.150.100.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 10.150.101.0 255.255.255.0 213.218.219.126 1

    Route Inisde 172.16.0.0 255.255.0.0 192.168.254.1 1

    Route Inisde 192.168.0.0 255.255.0.0 192.168.254.1 1

    Route from GCI-outside 192.168.191.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 192.168.192.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 192.168.196.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 192.168.197.0 255.255.255.0 213.218.219.126 1

    Route from GCI-outside 192.168.198.0 255.255.255.0 213.218.219.126 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication http LOCAL console

    Enable http server

    http 192.168.1.0 255.255.255.0 management

    http 192.168.0.0 255.255.0.0 Inisde

    http 172.16.0.0 255.255.0.0 Inisde

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Service resetoutside

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    GCI-Outside_map1 1 crypto card is the GCI-Outside_1_cryptomap address

    card crypto GCI-Outside_map1 1 set pfs Group1

    card crypto GCI-Outside_map1 1 set peer 92.27.104.41

    card crypto GCI-Outside_map1 1 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 2 corresponds to the GCI-Outside_cryptomap_1 address

    card crypto GCI-Outside_map1 2 set pfs Group1

    card crypto GCI-Outside_map1 2 set peer 63.130.248.189

    card crypto GCI-Outside_map1 2 the transform-set ESP-3DES-MD5 value

    card encryption GCI-Outside_map1 3 is the GCI-Outside_3_cryptomap address

    card encryption GCI-Outside_map1 3 set pfs Group1

    GCI-Outside_map1 3 set peer 154.32.92.204 encryption card

    card encryption GCI-Outside_map1 3 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 4 is the GCI-Outside_4_cryptomap address

    card crypto GCI-Outside_map1 4 set pfs Group1

    card crypto GCI-Outside_map1 4 set peer 195.244.209.169

    card crypto GCI-Outside_map1 4 the transform-set ESP-3DES-MD5 value

    GCI-Outside_map1 5 crypto card is the GCI-Outside_5_cryptomap address

    card crypto GCI-Outside_map1 5 set pfs Group1

    card crypto GCI-Outside_map1 5 set peer 195.244.209.168

    card crypto GCI-Outside_map1 5 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 6 corresponds to the GCI-Outside_cryptomap address

    card crypto GCI-Outside_map1 6 set pfs Group1

    card crypto GCI-Outside_map1 6 set peer 95.177.124.233

    card crypto GCI-Outside_map1 6 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 7 is the GCI-Outside_7_cryptomap address

    card crypto GCI-Outside_map1 7 set pfs Group1

    card crypto GCI-Outside_map1 7 set peer 63.130.248.186

    card crypto GCI-Outside_map1 7 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 8 is the GCI-Outside_8_cryptomap address

    card crypto GCI-Outside_map1 8 set pfs Group1

    card crypto GCI-Outside_map1 8 set peer 63.130.248.187

    card crypto GCI-Outside_map1 8 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 9 corresponds to the GCI-Outside_9_cryptomap address

    card crypto GCI-Outside_map1 9 set pfs Group1

    card crypto GCI-Outside_map1 9 set peer 63.130.248.188

    card crypto GCI-Outside_map1 9 the transform-set ESP-3DES-MD5 value

    card crypto GCI-Outside_map1 10 is the GCI-Outside_10_cryptomap address

    card crypto GCI-Outside_map1 10 set pfs Group1

    card crypto GCI-Outside_map1 10 set peer 92.27.143.0

    card crypto GCI-Outside_map1 10 the transform-set ESP-3DES-MD5 value

    interface card crypto GCI-Outside_map1 GCI-outside

    ISAKMP crypto enable GCI-outside

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 1

    life 86400

    Crypto isakmp nat-traversal 300

    Telnet timeout 5

    SSH 192.168.0.0 255.255.0.0 Inisde

    SSH timeout 5

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    SSL encryption rc4-aes128-sha1 aes256-sha1 sha1, 3des-sha1

    WebVPN

    attributes of Group Policy DfltGrpPolicy

    VPN-idle-timeout no

    Protocol-tunnel-VPN IPSec l2tp ipsec

    asdm mEI9mGOFgPDwvzKv encrypted password username

    username robsmith nopassword

    tunnel-group 95.177.124.233 type ipsec-l2l

    IPSec-attributes tunnel-group 95.177.124.233

    pre-shared key *.

    tunnel-group 92.27.104.41 type ipsec-l2l

    IPSec-attributes tunnel-group 92.27.104.41

    pre-shared key *.

    tunnel-group 63.130.248.189 type ipsec-l2l

    IPSec-attributes tunnel-group 63.130.248.189

    pre-shared key *.

    tunnel-group 154.32.92.204 type ipsec-l2l

    IPSec-attributes tunnel-group 154.32.92.204

    pre-shared key *.

    tunnel-group 195.244.209.169 type ipsec-l2l

    IPSec-attributes tunnel-group 195.244.209.169

    pre-shared key *.

    tunnel-group 195.244.209.168 type ipsec-l2l

    IPSec-attributes tunnel-group 195.244.209.168

    pre-shared key *.

    tunnel-group 63.130.248.186 type ipsec-l2l

    IPSec-attributes tunnel-group 63.130.248.186

    pre-shared key *.

    tunnel-group 63.130.248.187 type ipsec-l2l

    IPSec-attributes tunnel-group 63.130.248.187

    pre-shared key *.

    tunnel-group 63.130.248.188 type ipsec-l2l

    IPSec-attributes tunnel-group 63.130.248.188

    pre-shared key *.

    tunnel-group 92.27.143.0 type ipsec-l2l

    IPSec-attributes tunnel-group 92.27.143.0

    pre-shared key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:6c9f7a5f275020c5b6c5a71e9c45e6b6

    : end

    Hello Rob,

    Can we do the following for this network (192.168.191.0/24) and the test

    network testnw object

    192.168.191.0 subnet 255.255.255.0

    network testdmz object

    192.168.253.0 subnet 255.255.255.0

    NAT (DMZ - 253, GCI-outside) 1 source testdmz destination testdmz static static testdmz testdmz

    Harish.

  • Have a vpn site to site of work, added second who has problems

    We've had a success vpn site to site working for several months now. It's a 5510 ASA to Headquarters for an ASA 5505 in a branch in another State. We add a second vpn site to site in another State this time of the AC to a Sonicwall TZ100. After connecting the Sonicwall to the Qwest modem in bridge mode tunnel came right up. I was unable to ping all off the coast of the private IPs to the HQ of the new branch, but was able to use the remote desktop in servers and workstations at Headquarters. Also, all computers appear when you browse the network of the new branch.

    The first part, we are able to ping both directions and use remote desktop in both directions.

    When using tracers of package in ASDM on the ASA HQ and rattling one of the IPs in HQ protected network to an IP address in the new network of agencies EXEMPT from NAT looks good, but when it hits the first NAT it fits on the "dynamic translation to the pool (10.1.255.254) 10 [Interface PAT]" (which is the default route to all VLAN access to Internet).

    Next NAT (subtype - host-limits) is more beautiful and this one goes to the IP address of the external interface of the ASA 5510 HQ, but then the third NAT (subtype - rpf-check) returns to the ' 10 (10.1.255.254) Interface PAT] "and the package is ABANDONED. Also there is no step VPN in Packet Tracer after NAT.

    So obviously the HQ ASA 5510 does not consider this to be interesting traffic but I don't know why.

    Here is the output of sh crypto ipsec his ffrom HQ ASA:

    Interface: outside
    Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

    access-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    local ident (addr, mask, prot, port): (10.1.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
    current_peer: 65.102.14.72

    #pkts program: 229450, #pkts encrypt: 229450, #pkts digest: 229450
    #pkts decaps: 172516, #pkts decrypt: 172516, #pkts check: 172516
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 229450, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 91860025

    SAS of the esp on arrival:
    SPI: 0x88957B9C (2291497884)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 59068
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0xFFFFFFFF to 0xFFFFFFFF
    outgoing esp sas:
    SPI: 0 x 91860025 (2441478181)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 59068
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

    access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
    local ident (addr, mask, prot, port): (10.1.10.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
    current_peer: 65.102.x.x

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: A204BAE2

    SAS of the esp on arrival:
    SPI: 0xDA8C653A (3666634042)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 84670
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0xA204BAE2 (2718218978)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 84621
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Here is the output of sh crypto isakmp his on HQ ASA:

    3 peer IKE: 65.102.x.x

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    Here is the config:

    ASA Version 8.0 (4)
    !
    hostname COMPASA
    domain COMPfirm.com
    activate the encrypted password of TMACBloMlcBsq1kp
    TMACBloMlcBsq1kp encrypted passwd
    names of
    DNS-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 209.X.X.X 255.255.255.224
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    IP 10.1.255.254 255.255.255.248
    !
    interface Ethernet0/2
    nameif dmz
    security-level 50
    10.2.2.1 IP address 255.255.255.0
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa804 - k8.bin
    passive FTP mode
    clock timezone MDT - 7
    clock to summer time recurring MDT
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    Name-Server 4.2.2.1
    domain COMPfirm.com
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    list of allowed inbound tcp extended access any host 209.X.X.X eq www
    list of allowed inbound tcp extended access any host 209.X.X.X eq https
    list of allowed inbound tcp extended access any host 209.X.X.X eq ftp
    list of allowed inbound tcp extended access any host 209.X.X.X eq ftp - data
    list of allowed inbound tcp extended access any host 209.X.X.X eq ssh
    list of allowed inbound tcp extended access any host 209.X.X.X eq imap4
    list of allowed inbound tcp extended access any host 209.X.X.X eq pop3
    list of allowed inbound tcp extended access any host 209.X.X.X eq www
    list of allowed inbound tcp extended access any host 209.X.X.X eq https
    list of allowed inbound tcp extended access any host 209.X.X.X eq smtp
    list of extended inbound icmp permitted access a whole
    access list entering note MMS-1755
    list incoming extended access permit tcp any eq 1755 host inactive 209.X.X.X
    inbound access list notice MMS - UDP
    list of inbound udp allowed extended access all eq 1755 host inactive 209.X.X.X
    DMZ list extended access permit tcp host 10.2.2.2 10.1.1.11 host eq smtp
    DMZ list extended access permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
    access-list extended sheep allowed ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
    access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.0.0.0 255.255.255.0
    access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
    access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    access extensive list ip 10.1.0.0 vpnsplit allow 255.255.0.0 172.16.22.0 255.255.255.0
    access extensive list ip 10.1.10.0 encrypt_acl allow 255.255.255.0 10.0.0.0 255.255.255.0
    permit encrypt_acl to access extended list ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    global_mpc list extended access permitted tcp a whole
    access-list encrypt_acl-30 scope ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
    access-list encrypt_acl-30 permit extended ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 dmz
    management of MTU 1500
    IP local pool vpnpool 172.16.22.1 - 172.16.22.254 mask 255.255.255.0
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ASDM image disk0: / asdm - 61551.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (outside) 10 209.X.X.X netmask 255.255.255.0
    Global interface (10 Interior)
    Global interface (dmz) 10
    NAT (inside) 0 access-list sheep
    NAT (inside) 10 0.0.0.0 0.0.0.0
    NAT (dmz) 10 0.0.0.0 0.0.0.0
    static (dmz, external) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
    static (inside, outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
    static (dmz, inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
    static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
    static (inside, dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
    Access-group interface incoming outside
    Access-group in interface dmz dmz
    Route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
    Route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    Ray of AAA-server vpn Protocol
    AAA-server vpn (inside) host 10.1.1.12
    key--> ZZZZZZ
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    local AAA authentication attempts 16 max in case of failure
    Enable http server
    http 172.16.22.0 255.255.255.0 inside
    http 10.1.0.0 255.255.0.0 inside
    No snmp server location
    No snmp Server contact
    Sysopt noproxyarp inside
    Sysopt noproxyarp dmz
    Sysopt noproxyarp management
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set esp-3des esp-md5-hmac HQset
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto-map dynamic outside_dyn_map 10 the transform-set ESP-3DES-MD5 value
    life together - the association of security crypto dynamic-map outside_dyn_map 10 28800 seconds
    Crypto-map dynamic outside_dyn_map 10 kilobytes of life together - the association of safety 4608000
    Crypto-map dynamic outside_dyn_map 10 the value reverse-road
    card crypto outside_map 20 match address encrypt_acl
    card crypto outside_map 20 game peers 67.42.X.X
    outside_map 20 game of transformation-HQset crypto card
    life safety association set card crypto outside_map 20 28800 seconds
    card crypto outside_map 20 set security-association life kilobytes 4608000
    card crypto 30 match address encrypt_acl-30 outside_map
    crypto outside_map 30 peer 65.102.X.X card game
    crypto outside_map 30 card value transform-set HQset
    86400 seconds, duration of life card crypto outside_map 30 set - the security association
    card crypto outside_map 30 set security-association life kilobytes 4608000
    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 50
    Telnet 10.1.0.0 255.255.0.0 inside
    Telnet timeout 15
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH 10.1.0.0 255.255.0.0 inside
    SSH timeout 30
    Console timeout 0
    management-access inside
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    threat scan-threat detection
    threat detection statistics
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    Server NTP 192.43.244.18
    WebVPN
    allow outside
    SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image
    enable SVC
    tunnel-group-list activate
    internal Clients_VPN group strategy
    Group Policy Clients_VPN attributes
    value of server WINS 10.1.1.12
    value of server DNS 10.1.1.12
    Protocol-tunnel-VPN IPSec
    enable IPSec-udp
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list vpnsplit
    value by default-field COMPfirm.local
    Split-dns value COMPfirm.local
    the address value vpnpool pools
    internal clientgroup group policy
    attributes of the strategy of group clientgroup
    value of server WINS 10.1.1.12
    value of server DNS 10.1.1.12
    VPN-tunnel-Protocol svc webvpn
    Split-tunnel-policy tunnelall
    WebVPN
    SVC Dungeon-Installer installed
    time to generate a new key of SVC 30
    SVC generate a new method ssl key
    SVC request no svc default
    ssluser1 encrypted password username
    username bcurtis encrypted password privilege 0 v
    username privilege 15 WPDR encrypted password
    username admin privilege 15 encrypted password
    username privilege password encrypted XXXXXXX 0
    tunnel-group M & J type remote access
    tunnel-group M & J - global attributes
    address vpnpool pool
    Vpn server authentication group
    strategy - by default-group Clients_VPN
    tunnel-group M & J ipsec-attributes
    pre-shared-key *.
    type tunnel-group sslgroup remote access
    tunnel-group sslgroup General-attributes
    address vpnpool pool
    Vpn server authentication group
    Group Policy - by default-clientgroup
    tunnel-group sslgroup webvpn-attributes
    activation of the Group sslgroup_users alias
    tunnel-group 67.42.X.X type ipsec-l2l
    IPSec-attributes tunnel-group 67.42.X.X
    pre-shared-key *.
    tunnel-group 65.102.X.X type ipsec-l2l
    IPSec-attributes tunnel-group 65.102.X.X
    pre-shared-key *.
    !
    Global class-card class
    corresponds to the global_mpc access list
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 768
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Global category
    IPS inline sensor vs0 relief
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
    : end

    Is the problem may be due to the fact that my 2 new ACL to fall "encrypt_acl-30" after "access-list extended global_mpc permit tcp any any" in the config and it flows into the implied all refuse?

    Thanks for looking at this.

    Rather than replace the static route, you can simply add a new static route to 10.1.8.0/24 as follows:

    outdoor 10.1.8.0 255.255.255.0 209.X.X.X 1

    Because it is more precise it will take precedence over your most generic static route from 10.1.0.0/16 inward.

    Good spot btw!

  • Cannot access remote network by VPN Site to Site ASA

    Hello everyone

    First of all I must say that I have configured the VPN site-to site a million times before.  Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

    ASA local:
    hostname gyd - asa
    domain bct.az
    activate the encrypted password of XeY1QWHKPK75Y48j
    XeY1QWHKPK75Y48j encrypted passwd
    names of
    DNS-guard
    !
    interface GigabitEthernet0/0
    Shutdown
    nameif vpnswc
    security-level 0
    IP 10.254.17.41 255.255.255.248
    !
    interface GigabitEthernet0/1
    Vpn-turan-Baku description
    nameif outside Baku
    security-level 0
    IP 10.254.17.9 255.255.255.248

    !
    interface GigabitEthernet0/2
    Vpn-ganja description
    nameif outside-Ganja
    security-level 0
    IP 10.254.17.17 255.255.255.248
    !
    interface GigabitEthernet0/2.30
    Description remote access
    VLAN 30
    nameif remote access
    security-level 0
    IP 85.*. *. * 255.255.255.0
    !
    interface GigabitEthernet0/3
    Description BCT_Inside
    nameif inside-Bct
    security-level 100
    IP 10.40.50.65 255.255.255.252
    !
    interface Management0/0
    nameif management
    security-level 100
    IP 192.168.251.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa823 - k8.bin
    passive FTP mode
    DNS server-group DefaultDNS
    name-server 192.168.1.3
    domain bct.az
    permit same-security-traffic intra-interface
    object-group network obj - 192.168.121.0
    object-group network obj - 10.40.60.0
    object-group network obj - 10.40.50.0
    object-group network obj - 192.168.0.0
    object-group network obj - 172.26.0.0
    object-group network obj - 10.254.17.0
    object-group network obj - 192.168.122.0
    object-group service obj-tcp-eq-22
    object-group network obj - 10.254.17.18
    object-group network obj - 10.254.17.10
    object-group network obj - 10.254.17.26
    access-list 110 scope ip allow a whole
    NAT list extended access permit tcp any host 10.254.17.10 eq ssh
    NAT list extended access permit tcp any host 10.254.17.26 eq ssh
    access-list extended ip allowed any one sheep
    icmp_inside list extended access permit icmp any one
    icmp_inside of access allowed any ip an extended list
    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
    RDP list extended access permit tcp any host 192.168.45.3 eq 3389
    rdp extended permitted any one ip access list
    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
    NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
    NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
    NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
    access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
    GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
    Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
    azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
    permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
    permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
    pager lines 24
    Enable logging
    emblem of logging
    recording of debug console
    recording of debug trap
    asdm of logging of information
    Interior-Bct 192.168.1.27 host connection
    flow-export destination inside-Bct 192.168.1.27 9996
    vpnswc MTU 1500
    outside Baku MTU 1500
    outside-Ganja MTU 1500
    MTU 1500 remote access
    Interior-Bct MTU 1500
    management of MTU 1500
    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
    IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any outside Baku
    ICMP allow access remotely
    ICMP allow any interior-Bct
    ASDM image disk0: / asdm - 621.bin
    don't allow no asdm history
    ARP timeout 14400
    global (outside-Baku) 1 interface
    global (outside-Ganja) interface 2
    3 overall (RAS) interface
    azans access-list NAT 3 (outside-Ganja)
    NAT (remote access) 0 access-list sheep-vpn-city
    NAT 3 list nat-vpn-internet access (remote access)
    NAT (inside-Bct) 0-list of access inside_nat0_outbound
    NAT (inside-Bct) 2-nat-ganja access list
    NAT (inside-Bct) 1 access list nat
    Access-group rdp on interface outside-Ganja
    !
    Router eigrp 2008
    No Auto-resume
    neighbor 10.254.17.10 interface outside Baku
    neighbor 10.40.50.66 Interior-Bct interface
    Network 10.40.50.64 255.255.255.252
    Network 10.250.25.0 255.255.255.0
    Network 10.254.17.8 255.255.255.248
    Network 10.254.17.16 255.255.255.248
    redistribute static
    !
    Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
    Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
    Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
    Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
    Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
    Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
    Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA-server protocol Ganymede GANYMEDE +.
    AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
    key *.
    AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
    key *.
    RADIUS protocol AAA-server TACACS1
    AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
    key *.
    AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
    key *.
    authentication AAA ssh console LOCAL GANYMEDE
    Console to enable AAA authentication RADIUS LOCAL
    Console Telnet AAA authentication RADIUS LOCAL
    AAA accounting ssh console GANYMEDE
    Console Telnet accounting AAA GANYMEDE
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 Interior-Bct
    http 192.168.139.0 255.255.255.0 Interior-Bct
    http 192.168.0.0 255.255.255.0 Interior-Bct
    Survey community SNMP-server host inside-Bct 192.168.1.27
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
    Crypto ipsec transform-set newset aes - esp esp-md5-hmac
    Crypto ipsec transform-set esp-3des esp-sha-hmac myset2

    Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
    Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
    Crypto ipsec transform-set vpnclienttrans transport mode
    life crypto ipsec security association seconds 2147483646
    Crypto ipsec kilobytes of life security-association 2147483646
    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
    correspondence address card crypto mymap 10 110
    card crypto mymap 10 peers set 10.254.17.10

    card crypto mymap 10 transform-set RIGHT
    correspondence address card crypto mymap 20 110
    card crypto mymap 20 peers set 10.254.17.11
    mymap 20 transform-set myset2 crypto card
    card crypto mymap interface outside Baku
    correspondence address card crypto ganja 10 110
    10 ganja crypto map peer set 10.254.17.18
    card crypto ganja 10 transform-set RIGHT
    card crypto interface outside-Ganja ganja
    correspondence address card crypto vpntest 20 110
    peer set card crypto vpntest 20 10.250.25.1
    newset vpntest 20 transform-set card crypto
    card crypto vpntest interface vpnswc
    vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
    card crypto interface for remote access vpnclientmap
    Crypto ca trustpoint ASDM_TrustPoint0
    registration auto
    name of the object CN = gyd - asa .az .bct
    sslvpnkeypair key pair
    Configure CRL
    map of crypto DefaultCertificateMap 10 ca certificate

    crypto isakmp identity address
    ISAKMP crypto enable vpnswc
    ISAKMP crypto enable outside-Baku
    ISAKMP crypto enable outside-Ganja
    crypto ISAKMP enable remote access
    ISAKMP crypto enable Interior-Bct
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 20
    preshared authentication
    aes encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 40
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 30
    No vpn-addr-assign aaa
    Telnet timeout 5
    SSH 192.168.0.0 255.255.255.0 Interior-Bct
    SSH timeout 35
    Console timeout 0
    priority queue outside Baku
    queue-limit 2046
    TX-ring-limit 254
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    Server NTP 192.168.1.3
    SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
    SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
    SSL-trust ASDM_TrustPoint0 remote access point
    WebVPN
    turn on remote access
    SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
    enable SVC
    tunnel-group-list activate
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    internal group ssl policy
    attributes of group ssl policy
    banner welcome to SW value
    value of DNS-server 192.168.1.3
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    group-lock value SSL
    WebVPN
    value of the SPS URL-list
    internal vpn group policy
    attributes of vpn group policy
    value of DNS-server 192.168.1.3
    Protocol-tunnel-VPN IPSec l2tp ipsec
    disable the PFS
    BCT.AZ value by default-field
    ssl VPN-group-strategy
    WebVPN
    value of the SPS URL-list
    IPSec-attributes tunnel-group DefaultL2LGroup
    ISAKMP retry threshold 20 keepalive 5
    attributes global-tunnel-group DefaultRAGroup
    raccess address pool
    Group-RADIUS authentication server
    Group Policy - by default-vpn
    IPSec-attributes tunnel-group DefaultRAGroup
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    IPSec-attributes tunnel-group DefaultWEBVPNGroup
    ISAKMP retry threshold 20 keepalive 5
    tunnel-group 10.254.17.10 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.10
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    type SSL tunnel-group remote access
    attributes global-group-tunnel SSL
    ssl address pool
    Authentication (remote access) LOCAL servers group
    Group Policy - by default-ssl
    certificate-use-set-name username
    Group-tunnel SSL webvpn-attributes
    enable SSL group-alias
    Group-url https://85. *. *. * / activate
    tunnel-group 10.254.17.18 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.18
    pre-shared key *.
    ISAKMP retry threshold 20 keepalive 5
    tunnel-group 10.254.17.11 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.11
    pre-shared key *.

    ISAKMP retry threshold 20 keepalive 5
    type tunnel-group DefaultSWITGroup remote access
    attributes global-tunnel-group DefaultSWITGroup
    raccess address pool
    Group-RADIUS authentication server
    Group Policy - by default-vpn
    IPSec-attributes tunnel-group DefaultSWITGroup
    pre-shared key *.
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the rsh
    inspect the rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect the netbios
    Review the ip options
    class flow_export_cl
    flow-export-type of event all the destination 192.168.1.27
    class class by default
    flow-export-type of event all the destination 192.168.1.27
    Policy-map Voicepolicy
    class voice
    priority
    The class data
    police release 80000000
    !
    global service-policy global_policy
    service-policy interface outside Baku Voicepolicy
    context of prompt hostname

    Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
    : end
    GYD - asa #.

    ASA remote:
    ASA Version 8.2 (3)
    !
    ciscoasa hostname
    activate the encrypted password of XeY1QWHKPK75Y48j
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    DNS-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    IP 192.168.80.14 255.255.255.0

    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    IP 10.254.17.11 255.255.255.248

    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    Shutdown
    nameif management
    security-level 100
    no ip address
    management only
    !
    boot system Disk0: / asa823 - k8.bin
    passive FTP mode
    access-list 110 scope ip allow a whole
    192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0

    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    management of MTU 1500
    Within 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow all outside
    ICMP allow any inside
    ASDM image disk0: / asdm - 621.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT (inside) 0 access-list sheep
    Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 192.168.80.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
    Crypto ipsec transform-set newset aes - esp esp-md5-hmac
    Crypto ipsec transform-set esp-3des esp-sha-hmac myset2

    life crypto ipsec security association seconds 2147483646
    Crypto ipsec kilobytes of life security-association 2147483646
    correspondence address card crypto mymap 10 110
    card crypto mymap 10 peers set 10.254.17.9
    mymap 10 transform-set myset2 crypto card
    mymap outside crypto map interface
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10

    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 20
    preshared authentication
    aes encryption
    md5 hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 40
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN

    tunnel-group 10.254.17.9 type ipsec-l2l
    IPSec-attributes tunnel-group 10.254.17.9
    pre-shared key *.

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname

    Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
    : end
    ciscoasa # $

    Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

    Would appreciate any help. Thank you in advance...

    If the tunnel is up (phase 1), but no traffic passing the best test is the following:

    Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

    inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

    The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

    Test on both directions.

    Please post the results.

    Federico.

  • Disable the NAT for VPN site-to-site

    Hello world

    I work in a company, and we had to make a VPN site-to site.

    Everything works fine, except that the packages sent to my site are translated, in other words: the firewall on the other site (site_B) see only the IP address of my firewall (Site_A).

    I tried to solve the problem, but without success, I think that natives of VPN packets is the problem.

    Here is my current config running:

    ASA Version 8.3(2)

    !

    hostname ciscoasa

    enable password 9U./y4ITpJEJ8f.V encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    names

    !

    interface Vlan1

    nameif inside

    security-level 100

    ip address 192.168.67.254 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    ip address 41.220.X.Y 255.255.255.252 (External WAN public IP Address)

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    ftp mode passive

    clock timezone CET 1

    object network obj_any

    subnet 0.0.0.0 0.0.0.0

    object network 41.220.X1.Y1

    host 41.220.X1.Y1

    object network NETWORK_OBJ_192.168.67.0_24

    subnet 192.168.67.0 255.255.255.0

    object network NETWORK_OBJ_172.19.32.0_19

    subnet 172.19.32.0 255.255.224.0

    object network 194.2.176.18

    host 194.2.XX.YY (External IP address public of the other site (Site_B))

    description 194.2.XX.YY

    access-list inside_access_in extended permit ip any any log warnings

    access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging

    access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging

    access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

    access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

    access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

    access-list 1111 standard permit 172.19.32.0 255.255.224.0

    access-list 1111 standard permit 192.168.67.0 255.255.255.0

    access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging

    access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

    access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

    access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

    access-list outside_access_in extended permit ip any any log warnings

    access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging

    access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

    access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0

    access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0

    pager lines 24

    logging enable

    logging monitor informational

    logging asdm warnings

    mtu inside 1500

    mtu outside 1500

    icmp unreachable rate-limit 1 burst-size 1

    icmp permit any inside

    icmp permit any outside

    no asdm history enable

    arp timeout 14400

    nat (inside,outside) source dynamic any interface

    nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

    access-group inside_access_in in interface inside

    access-group outside_access_in in interface outside

    route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-record DfltAccessPolicy

    aaa authentication ssh console LOCAL

    aaa authentication telnet console LOCAL

    http server enable

    http 192.168.67.0 255.255.255.0 inside

    http 0.0.0.0 0.0.0.0 outside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5

    crypto map outside_map 1 match address outside_1_cryptomap_2

    crypto map outside_map 1 set peer 194.2.XX.YY

    crypto map outside_map 1 set transform-set ESP-DES-MD5

    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map outside_map interface outside

    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map inside_map interface inside

    crypto isakmp enable inside

    crypto isakmp enable outside

    crypto isakmp policy 10

    authentication pre-share

    encryption des

    hash md5

    group 2

    lifetime 86400

    telnet 192.168.67.200 255.255.255.255 inside

    telnet timeout 5

    ssh 0.0.0.0 0.0.0.0 outside

    ssh timeout 30

    console timeout 0

    dhcpd auto_config outside

    !

    threat-detection basic-threat

    threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    webvpn

    username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15

    username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15

    tunnel-group 194.2.XX.YY type ipsec-l2l

    tunnel-group 194.2.XX.YY ipsec-attributes

    pre-shared-key *****

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum client auto

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    inspect ip-options

    inspect icmp

    inspect ipsec-pass-thru

    !

    service-policy global_policy global

    prompt hostname context

    Cryptochecksum:0398876429c949a766f7de4fb3e2037e

    : end

    If you need any other information or explanation, just ask me.

    My firewall model: ASA 5505

    Thank you for the help.

    Hey Houari,.

    I suspect something with the order of your NATing statement which is:

    NAT (inside, outside) static static source NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

    Can you please have this change applied to the ASA:

    No source (indoor, outdoor) nat static static NETWORK_OBJ_172.19.32.0_19 destination NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_172.19.32.0_19

    NAT (inside, outside) 1 static source NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 static destination NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

    Try and let me know how it goes.

    If she did not help, please put the output form a package tracer will shape your internal network to the remote VPN subnet with the release of «see the nat detail»

    HTH,

    Mo.

Maybe you are looking for

  • Satellite L550 - 19U PSLW8E - extremly slow start-up sequence

    When I start my laptop, it freezes on the bios boot sequence.I see the lines:'System BIOS with a shadow '."Video BIOS with a shadow.and you have to wait about 3 minutes before she continues start.Then I see the following lines:"Fixed disk 0: FUJITSU

  • How to make a value decrease of time, at intervals of one second

    Hello, I am working with an Agilent N5181A to send a command from my code. I've set up the frequency, and now I want to be able to change the value of the amplitude. Right now I have a constant set to-30 and I want to replace it so that it passes fro

  • Touch pad

    Hi I have locked the touchpad on Pavilion mt on my computer laptop g6 please help

  • Utility Windows do not work

    Hello My Dell Precision M4400 gave me a blue screen and showed the message to the virus. I was unable to boot into SafeMode either. I ran AVG boot disk to analyze, but it did not find any virus. I changed my operation type SATA from AHCI to ATA and I

  • Can't get usb wireless adapter to work

    I have a desktop dell Vista I'm tryin to get a belkin surf and usb wireless adapter goes to work the map shows the acount wirless is there with full force, but after I typed my password it trying to connect then don't I'm not sure that is a router bi