Site-to-site VPN: Phase 2 does not match correctly and there is no connectivity
Hi all,
I am facing a problem configuring a site-to-site VPN between my HO and one of the remote sites.
The remote site has the LAN subnet 192.168.10.0/24, which we also use at HO. The remote site wishes to access certain servers in HO on 192.168.200.0/24 and 192.168.80.0/24. So we configured a policy NAT on the remote-site ASA that translates the remote site's 192.168.10.0/24 subnet to 192.168.175.0/24 when reaching the HO end.
Both VPN phases come up, but I am not able to get connectivity. I can see packets being encapsulated at the remote site and decapsulated at HO, but not in the opposite direction (i.e. no encapsulation at the HO end and no decapsulation at the remote-site end).
One question: at the HO end, "sh crypto ipsec sa" shows a different crypto map attached to this SA. The crypto map shown in the ipsec sa output is the one we have for our remote-access VPN. Please see the configuration and the output below...
    Crypto map tag: non-retail-VPN, seq num: 3, local addr: x.x.x.x
      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x
I can see hits on my crypto access list, and both phases come up. Kindly help me solve the problem...
Thanks in advance...
MIKAEL
Config of HO ASA
------------------------------
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set httsa-Morocco-set esp-3des esp-sha-hmac
crypto map ENOCMAP 23 match address acl-httsamorocco
crypto map ENOCMAP 23 set peer x.x.x.x
crypto map ENOCMAP 23 set transform-set httsa-Morocco-set
crypto map ENOCMAP 23 set security-association lifetime seconds 28800
crypto map ENOCMAP 23 set reverse-route
crypto map ENOCMAP interface outside
crypto isakmp enable outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
access-list acl-sheep line 127 extended permit ip 192.168.80.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list acl-sheep line 128 extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list acl-httsamorocco line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0 (hitcnt=23)
access-list acl-httsamorocco line 2 extended permit ip 192.168.80.0 255.255.255.0 192.168.175.0 255.255.255.0 (hitcnt=5279)
sh crypto isakmp sa on HO
------------------------
12  IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
sh crypto ipsec sa on HO
------------------------------
ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: non-retail-VPN, seq num: 3, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2839, #pkts decrypt: 2839, #pkts verify: 2839
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 5E757945
      current inbound spi : 5EF13ACE

    inbound esp sas:
      spi: 0x5EF13ACE (1592867534)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: non-retail-VPN
         sa timing: remaining key lifetime (kB/sec): (4373785/26747)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5E757945 (1584757061)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: non-retail-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/26745)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: non-retail-VPN, seq num: 3, local addr: x.x.x.x   // this crypto map is the one for our remote-access VPN

      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 41, #pkts decrypt: 41, #pkts verify: 41
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 35F7B790
      current inbound spi : EE63084D

    inbound esp sas:
      spi: 0xEE63084D (3999467597)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: non-retail-VPN
         sa timing: remaining key lifetime (kB/sec): (4373997/26924)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x35F7B790 (905426832)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: non-retail-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/26924)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
The remote-site ASA configuration
---------------------------------------------
static (inside,outside) 192.168.175.0 access-list policy-nat
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
crypto ipsec transform-set enoc-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ENOCMAP 23 match address acl-enoc
crypto map ENOCMAP 23 set peer x.x.x.x
crypto map ENOCMAP 23 set transform-set enoc-set
crypto map ENOCMAP 23 set security-association lifetime seconds 28800
crypto map ENOCMAP 23 set reverse-route
crypto map ENOCMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0
ciscoasa# sh crypto isakmp sa
-----------------------------------------------
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ciscoasa# sh crypto ipsec sa
----------------------------------------------
interface: outside
    Crypto map tag: ENOCMAP, seq num: 23, local addr: 192.168.20.2

      access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.20.2/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: EE63084D
      current inbound spi : 35F7B790

    inbound esp sas:
      spi: 0x35F7B790 (905426832)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/26325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEE63084D (3999467597)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3914996/26325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: ENOCMAP, seq num: 23, local addr: 192.168.20.2

      access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.80.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 3567, #pkts encrypt: 3569, #pkts digest: 3569
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3569, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 1, #recv errors: 0

      local crypto endpt.: 192.168.20.2/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 5EF13ACE
      current inbound spi : 5E757945

    inbound esp sas:
      spi: 0x5E757945 (1584757061)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/26143)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5EF13ACE (1592867534)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3914728/26142)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
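The symptom in the output above (decaps climbing while encaps stays at 0, and the SA tagged with a crypto map other than ENOCMAP) is easy to miss in a long show output. The script below is an added example, not code from the poster or from Cisco: it parses show crypto ipsec sa into one record per SA and flags one-way tunnels and SAs built under an unexpected crypto map. The sample output is constructed from the counters and map tag shown for the HO ASA, with documentation addresses assumed in place of x.x.x.x.

```python
"""Triage helper for Cisco ASA 'show crypto ipsec sa' output.

Added example, not code from the original post. It parses each SA block and
flags (a) one-way tunnels, where packets are decapsulated but none are
encapsulated, and (b) SAs that came up under a crypto map other than the
one expected for this L2L peer. The sample output is constructed from the
counters and crypto map tag the poster showed for the HO ASA; the peer and
local addresses are assumed documentation addresses.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_HO_OUTPUT = """\
interface: outside
    Crypto map tag: non-retail-VPN, seq num: 3, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2839, #pkts decrypt: 2839, #pkts verify: 2839
      #send errors: 0, #recv errors: 0

    Crypto map tag: non-retail-VPN, seq num: 3, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 41, #pkts decrypt: 41, #pkts verify: 41
      #send errors: 0, #recv errors: 0
"""

TAG_RE = re.compile(r"Crypto map tag:\s*([^,\s]+),\s*seq num:\s*(\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident.*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SEND_ERR_RE = re.compile(r"#send errors:\s*(\d+)")


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split the output into one record per 'Crypto map tag:' block."""
    sas: list[IpsecSa] = []
    cur = None
    for line in text.splitlines():
        if m := TAG_RE.search(line):
            cur = IpsecSa(crypto_map=m.group(1), seq=int(m.group(2)))
            sas.append(cur)
        elif cur is None:
            continue
        elif m := IDENT_RE.search(line):
            # addr/mask -> CIDR, so the proxy IDs read like the crypto ACL lines
            net = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
            if m.group(1) == "local":
                cur.local_ident = net
            else:
                cur.remote_ident = net
        elif m := PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := SEND_ERR_RE.search(line):
            cur.send_errors = int(m.group(1))
    return sas


def triage(sas: list[IpsecSa], expected_map: str) -> list[str]:
    """Return one finding per symptom worth chasing."""
    findings = []
    for sa in sas:
        label = f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer} ({sa.crypto_map} seq {sa.seq})"
        if sa.crypto_map != expected_map:
            findings.append(f"UNEXPECTED-MAP {label}: SA was built under {sa.crypto_map!r}, "
                            f"expected {expected_map!r}; check routing and which map is bound to the egress interface")
        if sa.decaps > 0 and sa.encaps == 0:
            findings.append(f"ONE-WAY {label}: {sa.decaps} pkts decapsulated but 0 encapsulated; "
                            f"return traffic is not being selected for this SA")
        if sa.send_errors:
            findings.append(f"SEND-ERRORS {label}: {sa.send_errors} send errors")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_ipsec_sa(SAMPLE_HO_OUTPUT), expected_map="ENOCMAP"):
        print(finding)
```

Run it against the real output of sh crypto ipsec sa on both peers with the map name you expect for that peer; a one-way finding on one side paired with send errors or zero decaps on the other narrows the fault to the side that is not encapsulating.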
Hello,
Clearly the connection is being handled by another crypto map.
Check these:
- Where is your ASA routing the destination network (192.168.175.0)?
- Does the outgoing interface used by that route have a crypto map? That is, "NON-RETAIL-VPN".
- If it is routing to the wrong interface, try reconfiguring the route to this destination.
This is most likely your problem, or at least one of them.
Rate if this helps.
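The three checks in this reply can be run against a copy of the routing table and the crypto map bindings before touching the box. The following is an added example, not the replier's code: the subnets and map names (ENOCMAP, non-retail-VPN) come from the thread, while the routing table, the second interface named dmz and its next hops are assumed to model the misroute the reply suspects.

```python
"""Route-vs-crypto-map check for an ASA L2L tunnel.

Added example, not from the original thread. Given a routing table, the
'crypto map <name> interface <if>' bindings and the L2L entry expected to
carry the traffic, it resolves the destination the way the ASA does (longest
prefix, then lowest administrative distance) and reports whether the egress
interface actually carries that crypto map. All tables are constructed: the
subnets and map names come from the thread, the next hops and the dmz
interface are assumptions.
"""
import ipaddress

# Constructed routing table: (prefix, next hop, egress interface, admin distance).
# The 192.168.175.0/24 entry pointing at 'dmz' stands in for the misroute the reply suspects.
SUSPECT_ROUTES = [
    ("0.0.0.0/0", "203.0.113.254", "outside", 1),
    ("192.168.175.0/24", "10.9.9.1", "dmz", 1),
    ("192.168.80.0/24", "10.0.0.1", "inside", 1),
    ("192.168.200.0/24", "10.0.0.1", "inside", 1),
]
# Same table after the stale 192.168.175.0/24 route is removed: the default route wins.
CORRECTED_ROUTES = [r for r in SUSPECT_ROUTES if r[0] != "192.168.175.0/24"]

# 'crypto map <name> interface <if>': at most one map per interface (dmz binding assumed).
CRYPTO_MAP_BINDINGS = {"outside": "ENOCMAP", "dmz": "non-retail-VPN"}

# Crypto map entry -> destinations its match-address ACL covers (acl-httsamorocco in the thread).
CRYPTO_MAP_ENTRIES = {("ENOCMAP", 23): ["192.168.175.0/24"]}


def lookup_route(dest, routes):
    """Longest-prefix match; ties broken by lower administrative distance."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop, iface, ad in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            rank = (net.prefixlen, -ad)
            if best is None or rank > best[0]:
                best = (rank, {"prefix": prefix, "next_hop": next_hop, "interface": iface})
    return None if best is None else best[1]


def check_crypto_path(dest, expected_map, expected_seq, routes,
                      bindings=CRYPTO_MAP_BINDINGS, entries=CRYPTO_MAP_ENTRIES):
    """Walk the reply's three checks: route, crypto map on the egress interface, entry coverage."""
    route = lookup_route(dest, routes)
    if route is None:
        return {"ok": False, "interface": None, "reason": f"no route to {dest}"}
    iface = route["interface"]
    bound = bindings.get(iface)
    if bound is None:
        return {"ok": False, "interface": iface,
                "reason": f"route via {iface} ({route['prefix']}) but no crypto map is bound there; "
                          f"traffic would leave in the clear"}
    if bound != expected_map:
        return {"ok": False, "interface": iface,
                "reason": f"route via {iface} ({route['prefix']}) where crypto map {bound!r} is bound, "
                          f"not {expected_map!r}; fix the route to this destination"}
    covered = any(ipaddress.ip_address(dest) in ipaddress.ip_network(n)
                  for n in entries.get((expected_map, expected_seq), []))
    if not covered:
        return {"ok": False, "interface": iface,
                "reason": f"{expected_map} seq {expected_seq} match-address ACL does not cover {dest}"}
    return {"ok": True, "interface": iface,
            "reason": f"{dest} leaves via {iface} under {expected_map} seq {expected_seq}"}


if __name__ == "__main__":
    for name, table in (("suspect", SUSPECT_ROUTES), ("corrected", CORRECTED_ROUTES)):
        print(name, check_crypto_path("192.168.175.10", "ENOCMAP", 23, table))
```

With the suspect table the destination resolves to dmz, where the other map is bound, which is exactly the state the SA output in the question shows; with the stale route removed it falls through to the default route on outside and ENOCMAP 23 takes the traffic.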
Tags: Cisco Security
Similar Questions
-
Site-to-site VPN stuck in IKE Phase 1 - MM_WAIT_MSG2
We have a site-to-site VPN. The tunnel worked before, but after some discussion about the location of ASA_Receiving (no config change was made on the ASA; this ASA is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.
It is an L2L VPN; I wonder if the Type showing "user" is related to the issue?
ASA_Initiator
    IKE Peer: 71.13.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
ASA_Receiving
# show crypto isakmp sa
There are no isakmp sas
Hey,
is the remote end an ASA as well?
If so, run the capture below on the ASA:
capture capout interface <outside> match udp host <local-peer> host <remote-peer>
The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:
1. either a problem with the phase 1 policies at the remote end, or
2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it can't reach the local ASA.
Regards
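Reason 1, a phase 1 policy mismatch, can be checked offline by replaying the IKEv1 policy selection against both configs. The following is an added example, not the replier's code: the responder side reuses the 3des/sha/pre-share/group 2 policy shown in the first thread on this page, and the initiator policies are constructed so that the first set does not match and the second does.

```python
"""IKEv1 phase 1 policy matching between two ASAs.

Added example, not from the original thread. The initiator offers its
'crypto isakmp policy' entries in priority order; the responder walks its
own entries in priority order and accepts the first proposal that matches
on authentication, encryption, hash and Diffie-Hellman group. Lifetime does
not have to match: the shorter of the two is used. If nothing matches, main
mode never gets past MM_WAIT_MSG2 (reason 1 in the reply). The policies
below are constructed: the HO side mirrors the policy from the first thread,
the remote-site policies are made up for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int = 86400

    def proposal(self):
        """The four attributes that must match exactly."""
        return (self.authentication, self.encryption, self.hash, self.group)


# Responder (HO): crypto isakmp policy 1 as shown in the first thread.
HO_POLICIES = [IsakmpPolicy(1, "pre-share", "3des", "sha", 2, 86400)]

# Initiator (remote site): constructed so that nothing matches.
REMOTE_POLICIES = [
    IsakmpPolicy(10, "pre-share", "aes-256", "sha", 2, 86400),
    IsakmpPolicy(20, "pre-share", "3des", "sha", 5, 86400),
]

# Same remote site after adding a policy that mirrors HO, with a shorter lifetime.
REMOTE_POLICIES_FIXED = REMOTE_POLICIES + [IsakmpPolicy(30, "pre-share", "3des", "sha", 2, 28800)]


def negotiate(initiator, responder):
    """Return (initiator_policy, responder_policy, agreed_lifetime), or None when phase 1 cannot complete."""
    for ip in sorted(initiator, key=lambda p: p.priority):
        for rp in sorted(responder, key=lambda p: p.priority):
            if ip.proposal() == rp.proposal():
                return ip, rp, min(ip.lifetime, rp.lifetime)
    return None


def explain_mismatch(initiator, responder):
    """For each candidate pair, name the attributes that differ: the quickest
    way to compare the two configs side by side."""
    attrs = ("authentication", "encryption", "hash", "group")
    report = []
    for ip in initiator:
        for rp in responder:
            diffs = tuple(a for a in attrs if getattr(ip, a) != getattr(rp, a))
            report.append((ip.priority, rp.priority, diffs))
    return report


if __name__ == "__main__":
    print("before:", negotiate(REMOTE_POLICIES, HO_POLICIES))
    for init_prio, resp_prio, diffs in explain_mismatch(REMOTE_POLICIES, HO_POLICIES):
        print(f"  initiator policy {init_prio} vs responder policy {resp_prio}: differs on {diffs}")
    print("after: ", negotiate(REMOTE_POLICIES_FIXED, HO_POLICIES))
```

If negotiate returns a match but the real tunnel still sits in MM_WAIT_MSG2, that leaves reason 2 (UDP 500 not arriving or not returning), which is what the capture in the reply is for.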
-
Phase 2 error on a site-to-site VPN
Dear all,
We have a site-to-site VPN with a partner, and we need to access three different hosts on the partner's network. Phase 1 comes up, but there is a problem with phase 2 for the three hosts: we can only connect to one host, the others are not connected, and they all share the same settings.
Below, show access-list shows matching packets, but the connection to the host fails.
With show crypto ipsec sa I saw send errors and I don't know what could be responsible.
Anybody who could help, please do; I am exhausted.
access-list
10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)
show crypto ipsec sa
   local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 198, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Edit: can you post the configuration of both sides of the tunnel? Otherwise, re-check the configs on both sides once more.
-
Problem with a site-to-site VPN between two Cisco ASA 5505
I am starting out with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help: I can't ping from site A to site B or vice versa.
Cisco ASA1 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.60.2 255.255.255.0
!
ftp mode passive
object network Lan_Outside
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object network Lan_Outside
 nat (inside,outside) dynamic interface dns
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 96.88.75.222
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.60.50-192.168.60.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_96.xx.xx.222 internal
group-policy GroupPolicy_96.xx.xx.222 attributes
 vpn-tunnel-protocol ikev1 ikev2
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 general-attributes
 default-group-policy GroupPolicy_96.xx.xx.222
tunnel-group 96.xx.xx.222 ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 ikev2 local-authentication pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Lan_Outside
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
!
object network Lan_Outside
 nat (any,outside) dynamic interface
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 172.110.74.4
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
  inspect http
For the IKEv2 configuration (example config; you can change the encryption, group, ...):
- You must add the NAT exemption statement (see the previous answer).
- Set your encryption domain ACL:
access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN
- Set Phase 1:
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
- Set Phase 2:
crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
- Set the tunnel group:
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
- Define the crypto map:
crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
In your config you have all these commands, but in your VPN config you mix ikev1 and ikev2. You have also defined several different ikev2 policies. Just do a bit of cleaning and agree on one policy for the two sites (encryption, hash, ...).
Thank you
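The "agree on one policy for the two sites" step can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses the crypto ikev1/ikev2 policy blocks out of two ASA configs and lists the policy pairs whose encryption, integrity, group and prf could actually be negotiated. Both config excerpts are constructed samples (the remote side's config is not on the page).

```python
import re
from itertools import product

# Constructed excerpts modelled on the thread: the HO keeps several IKEv2 policies,
# the remote side (whose config is not on the page) has a single one.
HO_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
"""
REMOTE_CONFIG = """\
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
"""
POLICY_RE = re.compile(r"^crypto (ikev1|ikev2) policy (\d+)$")


def parse_policies(config):
    """{(version, priority): {attribute: set(values)}} per policy block. One line may
    carry several values ("group 2 5"); lifetime is skipped, peers negotiate it down."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        block = POLICY_RE.match(line)
        if block:
            current = policies.setdefault((block.group(1), int(block.group(2))), {})
        elif not raw.startswith((" ", "\t")) or current is None:
            current = None  # any other top-level command ends the policy block
        else:
            tokens = line.split()
            if tokens and tokens[0] != "lifetime":
                current.setdefault(tokens[0], set()).update(tokens[1:])
    return policies


def compatible_pairs(local, remote):
    """Policy pairs of the same IKE version that share a value for every attribute;
    an attribute configured on only one side counts as a mismatch."""
    pairs = []
    for (lkey, lattrs), (rkey, rattrs) in product(local.items(), remote.items()):
        if lkey[0] != rkey[0]:
            continue
        agreed = {}
        for attr in sorted(set(lattrs) | set(rattrs)):
            common = lattrs.get(attr, set()) & rattrs.get(attr, set())
            if not common:
                break
            agreed[attr] = sorted(common)
        else:  # no break: every attribute has at least one common value
            pairs.append((lkey, rkey, agreed))
    return pairs
```

With the samples above only HO policy 30 can pair with the remote policy 10 (3des, sha, group 5, prf sha); an empty result is the "no proposal chosen" case from the thread.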
-
IPSec VPN Site-to-Site Cisco 837 router to FortiGate 200A firewall
I have a challenge for a site-to-site VPN scenario that may need some brainstorming from you guys.
So far, I have a configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I have not tested it before in this scenario. I'll go on site next week for this project and hopefully get a solution from brainstorming with you guys. Thanks in advance!
Network diagram:
http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3
Challenge:
(1) Configure Cisco R3 IPSec site-to-site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps
(2) IKE Phase I: Main Mode, lifetime 28000, md5, DH Group 1
IKE Phase II: esp-des, esp-md5-hmac, tunnel mode
PSK: sitetositevpn
Here is my setup for review:
crypto isakmp policy 10
 encr des
 authentication pre-share
 group 1
 hash md5
crypto isakmp key sitetositevpn address 210.x.x.66
!
crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
!
crypto map infotelmap 10 ipsec-isakmp
 set peer 210.x.x.66
 set transform-set ciscoset
 match address 111
!
!
interface Ethernet0
 description LAN 3
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
 service-policy output policy-servers
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 210.x.20.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
!
!
ip nat inside source list 102 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 0.0.0.0 0.0.0.0 x.190.60.66
no ip http secure-server
!
access-list 102 remark NAT traffic
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
!
access-list 111 remark VPN Site-to-Site LAN 3 to LAN 2 network
access-list 111 permit ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
Kind regards
Junhan
Hello
Three changes are required in this configuration.
(1) Change the NAT access-list 102 as below:
access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
(2) Place the crypto map on the point-to-point ATM interface.
(3) Remove one of the default routes.
Thank you
Mustafa
-
Hello
I built a site-to-site VPN with an external company. I use a Cisco ASA 5500. We have set up the encryption phase 1 and phase 2 settings on both sides, but what I see in the monitoring is that it connects for 1 second and then disappears again
Tx0
Rx0
Any ideas why this is?
All my other site-to-site VPN work very well.
Kind regards
Kevin
Hey Kevin,
If you are familiar with the console of the ASA, you can run the debugs below for more information on this issue.
debug crypto condition peer x.x.x.x
debug crypto ikev1 127 (isakmp on older versions)
debug crypto ipsec 127
It may be useful
-Randy-
-
Hi all, I have two sites. At the central site I have a C2801 as the hub, and at the remote site I have a C1861 which gets its IP through ADSL. After I configured the two routers, all stages of phase 1 complete, but at the next step I get the IKMP_ERR_NO_RETRANS error. I read a lot of entries here, but none are like the one I have.
Please check if I missed something in the configuration. Another thing is that on the same C2801 I have a VPN Client and another site-to-site VPN, with a fixed IP address, and they work perfectly.
Remote side networks: 192.168.225.0/24 and 192.168.226.0/24
HQ networks: 192.168.0.0
I have attached the configs and debugs.
Attached: the working (for me) configuration + debugs.
Both routers are on 12.4(22)T1
-
VPN site-to-site initiated in one direction
Hello. We are trying to establish a site-to-site VPN between two ASA firewalls, let's call them ASA1 and ASA2. The problem is that ASA1 cannot start the connection. ISAKMP packets from ASA1 reach ASA2, but are dropped by an unwritten rule.
When ASA2 initiates, everything is OK. And while the flow exists on ASA2, ASA1 uses that flow, so it can start the VPN also.
Here is the output of packet-tracer on ASA2:
ASA2# packet-tracer input outside udp ASA1_IP isakmp ASA2_IP isakmp detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xaffd1bc8, priority=13, domain=capture, deny=false
        hits=14830976, user_data=0xaee75a18, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xae06b0c0, priority=1, domain=permit, deny=false
        hits=16921285389, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
 in   ASA2_IP   255.255.255.255   identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xad731f30, priority=0, domain=permit, deny=true
        hits=60834932, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Adding ASA1 to the inbound ACL on the outside interface of ASA2 did not help. Using packet tracer in ASDM did not point to any specific rule, it just showed the entire list of ACL rules. Using an asp-drop type capture displays the same drop reason as packet-tracer, without more details. Setting ASA2 to answer-only did not help.
How do I interpret the values of phase 4, i.e. find the rule that causes the drops, based on the id and other data? There is no such id in "show access-list".
Any other ideas? Thank you very much.
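Picking the dropping phase and its rule fields out of a long packet-tracer transcript is easier with a small parser. The one below is an added example (not from this thread, not a Cisco tool) that splits the output into phases, collects the id/priority/domain/deny/src/dst fields of the matched rule, and returns the phase whose Result is DROP together with the Drop-reason; the transcript it runs on is a constructed, abbreviated copy of the output above (phases 2 and 3 left out, ASA1_IP/ASA2_IP as placeholders).

```python
import re

# Constructed transcript abbreviated from the four phases quoted above (phases 2 and 3
# omitted); ASA1_IP / ASA2_IP stand in for the real addresses.
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xaffd1bc8, priority=13, domain=capture, deny=false
        hits=14830976, user_data=0xaee75a18, cs_id=0x0, l3_type=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xad731f30, priority=0, domain=permit, deny=true
        hits=60834932, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_RE = re.compile(r"^Phase: (\d+)$", re.MULTILINE)
KV_RE = re.compile(r"([\w/]+)=([^,\s]+)")


def parse_phases(trace):
    """One dict per phase (number, type, result, fields) where fields holds the key=value
    pairs of the matched rule; keys on 'src'/'dst' lines are prefixed to tell them apart."""
    phases = []
    chunks = PHASE_RE.split(trace)  # ['', '1', body1, '4', body4]
    for number, body in zip(chunks[1::2], chunks[2::2]):
        body = re.split(r"^Result:\s*$", body, flags=re.MULTILINE)[0]  # cut final summary
        fields = {}
        for line in body.splitlines():
            text = line.strip()
            prefix = text[:3] + "_" if text.startswith(("src ", "dst ")) else ""
            for key, value in KV_RE.findall(text):
                fields[prefix + key] = value
            if "use_real_addr" in text:  # bare flag with no '=' after it
                fields["use_real_addr"] = True
        kind = re.search(r"^Type: (.+)$", body, re.MULTILINE)
        result = re.search(r"^Result: (\S+)$", body, re.MULTILINE)
        phases.append({"number": int(number), "type": kind.group(1).strip(),
                       "result": result.group(1), "fields": fields})
    return phases


def find_drop(trace):
    """(phase that dropped the packet or None, Drop-reason text or None)."""
    reason = re.search(r"^Drop-reason: (.+)$", trace, re.MULTILINE)
    dropped = next((p for p in parse_phases(trace) if p["result"] == "DROP"), None)
    return dropped, (reason.group(1).strip() if reason else None)
```

On the sample it returns phase 4 with id 0xad731f30, domain permit, deny true and the use_real_addr flag, i.e. exactly the values the question asks how to interpret, in one place.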
And one more idea :)
Maybe you have something like this on ASA2:
access-group outside_access_in in interface outside control-plane
?
With the control-plane keyword on access-group, traffic that is destined to the ASA's own interface can be filtered. Please see the following discussion:
https://supportforums.cisco.com/discussion/11130691/access-group-control-plane-cisco-pixasa
-
Site-to-site VPN in Packet Tracer
Hello
I configured both local networks with NAT. There is an ISP router in between these routers to emulate the internet.
I would like to set up a site-to-site VPN between these two routers.
Here is the configuration of R1 and R3:
R1:
hostname R1
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 209.123.123.33
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
 set peer 209.123.123.33
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set yasser
 match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.1.21 255.255.248.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.8.99 255.255.248.0
 ip nat inside
!
interface Serial0/3/0
 ip address 209.123.123.1 255.255.255.240
 ip nat outside
 clock rate 128000
 crypto map auda
!
router ospf 1
 router-id 15.15.15.15
 log-adjacency-changes
 network 172.16.8.0 0.0.7.255 area 1
 network 209.123.123.0 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
 permit 172.16.8.0 0.0.7.255
ip access-list extended ramzy
 permit ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
R3:
hostname R3
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key 0 address 209.123.123.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
 set peer 209.123.123.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set yasser
 match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.1.22 255.255.248.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 172.16.40.99 255.255.248.0
 ip nat inside
!
interface Serial0/3/1
 ip address 209.123.123.33 255.255.255.240
 ip nat outside
 crypto map auda
!
router ospf 1
 router-id 25.25.25.25
 log-adjacency-changes
 network 172.16.40.0 0.0.7.255 area 2
 network 209.123.123.32 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/1 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
 permit 172.16.40.0 0.0.7.255
ip access-list extended ramzy
 permit ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Trying to ping from PC-A (172.16.8.1) to PC-C (172.16.40.1) does not work.
I tried several times to get the traffic through the tunnel with no success. Can someone tell me where I'm going wrong?
Thank you
Josh
Hi Josh,
With this deployment you will not be able to ping or reach the other side because of the NAT; NAT is translating the IP addresses dynamically. You must do the following:
R1:
no ip nat inside source list ADDRESSES interface Serial0/3/0 overload
no ip access-list standard ADDRESSES
ip access-list extended ADDRESSES_NAT
 deny ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
 permit ip 172.16.8.0 0.0.7.255 any
ip nat inside source list ADDRESSES_NAT interface Serial0/3/0 overload
R3:
no ip nat inside source list ADDRESSES interface Serial0/3/1 overload
no ip access-list standard ADDRESSES
ip access-list extended ADDRESSES_NAT
 deny ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
 permit ip 172.16.40.0 0.0.7.255 any
ip nat inside source list ADDRESSES_NAT interface Serial0/3/1 overload
With these show commands you can verify that phase 1 and phase 2 are up and working:
- show crypto isakmp sa
- show crypto ipsec sa
I hope this helps!
Please rate and mark the helpful post as correct!
David Castro,
Regards
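The NAT exemption above (and the same fix in the Cisco 837 thread earlier on this page) is easy to get wrong by ordering the deny after the permit, or by not mirroring the crypto ACLs. The script below is an added example, not code from this thread or from Cisco IOS: it parses IOS extended ACL entries (wildcard masks, host, any), applies first-match semantics to tell whether traffic a crypto ACL permits would still be translated by the NAT ACL, and checks that the two sides' crypto ACLs mirror each other. The ACL samples are constructed from the addresses in this thread.

```python
import ipaddress
import re

ENTRY_RE = re.compile(r"\b(permit|deny)\s+ip\s+(\S.*)$")

# Constructed ACLs modelled on the thread: both crypto ACLs, the extended equivalent
# of R1's original NAT list, and the NAT list the reply proposes for R1.
CRYPTO_R1 = " permit ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255\n"
CRYPTO_R3 = " permit ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255\n"
NAT_ORIGINAL = " permit ip 172.16.8.0 0.0.7.255 any\n"
NAT_FIXED = (" deny ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255\n"
             " permit ip 172.16.8.0 0.0.7.255 any\n")


def _operand(tokens):
    """Consume one address operand (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # an IOS wildcard is a host mask, which ipaddress accepts after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """[(action, src_net, dst_net)] for every 'permit|deny ip ...' entry, numbered or named."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            src, rest = _operand(m.group(2).split())
            dst, _ = _operand(rest)
            entries.append((m.group(1), src, dst))
    return entries


def first_match(acl, src_ip, dst_ip):
    """IOS semantics: the first matching entry wins and an unmatched packet is denied."""
    for action, src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def natted_vpn_flows(crypto_acl, nat_acl):
    """Crypto-ACL permits the NAT ACL would still translate: on IOS, inside-to-outside
    NAT runs before the crypto map, so such traffic is rewritten and never enters the tunnel."""
    leaks = []
    for action, src_net, dst_net in crypto_acl:
        src_ip = src_net[1] if src_net.num_addresses > 2 else src_net[0]  # a sample host
        dst_ip = dst_net[1] if dst_net.num_addresses > 2 else dst_net[0]
        if action == "permit" and first_match(nat_acl, src_ip, dst_ip) == "permit":
            leaks.append((src_net, dst_net))
    return leaks


def mirrored(local_acl, remote_acl):
    """True when each side's permits are the exact reverse of the other's, which the
    phase 2 proxy identities must be for the IPsec SA to come up."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local == remote
```

Run against the samples, the original NAT list flags the 172.16.8.0/21 to 172.16.40.0/21 flow as translated, the fixed list does not, and swapping the two lines of the fixed list brings the leak back, which is the ordering mistake the check is there to catch.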
-
Static to DMVPN Site-to-Site VPN Tunnel
Hello
I have two sites: Site-A with a Cisco ASA 5505 and a static IP configuration, and Site-B with a Cisco 1841 ISR and a dynamic IP configuration.
See the attached diagram for an overview.
The goal is to have a site-to-site VPN tunnel between the two sites so that the desktops sitting in Site-B can access the application servers residing in Site-A.
Please suggest
Regards
@Mohammed
Hello
For a site-to-site IPsec, the ASA is the static side and it should have the 'dynamic' configuration, and the dynamic-side ISR 1841 should have the static configuration:
I'll give an example configuration to achieve this, but you can use different encryption algorithms:
ASA 5505:
Phase 1:
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123