VPN site to Site with dynamic routing on ASAs
I'm planning a backup connection to a primary site if our link main broken through two ASAs using site to site vpn.
This is what I have resulted to date and just need to work through some issues and best practices.
##Regular connectivity and Internet traffic flow "> Primary_Internet".
Backup_Internet - ASA - CoreA - router-->> Private_Wan<>
?? If Private_Wan a link down, use via ASA l2l Internet VPN to connect sites
x - router - CoreA - ASA-->> VPN l2l<>
?? Once the link is available, preferred over the private Wan path must be used.
A few questions,
1. can I use a routing via the l2l VPN Protocol? VTI, GRE?
2. If I enter OSPF or EIGRP, will be the last static use of each work in the ASA redistibuting?
3. in execution of VPN l2l, using 'show the way' does not show available via the vpn routes, only "crypto ipsec to show his" watch info. Is this correct? If yes how metric would work for routes registered if all the links are up and there are many paths to the same subnet?
Welllll,
(2) I would keep as simple as possible, you can put all one VPN perhaps NSSA, if your ASA touch BB.
(3) IPP on ASA is always the insertion of static routes, it is not the best way to generate the backup.
Marcin
Tags: Cisco Security
Similar Questions
-
VPN site to Site using the router and ASA
Hello
I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client), my question is if I can configure a Cisco ASA 5505 to connect to the router as a VPN from site to site.
Thank you
Karl
Dear Karl,
Yor are right, in this case you can create a tunnel vpn site-to-site between devices or you can configure your ASA as hardware VPN client. That is to say; Easy VPN.
For the same thing, you can consult the document below.
Kind regards
Shijo.
-
IPSEC with the router and asa 5510
Hi all
I have problems connecting ipsec l2l. I have set up a router and asa 5510 make ipsec between them, but it seems to fail on the phase 1. I already check and I am 100% sure that is the key. You can a few shed light on the issue, I have. Here's the output debug I get the two system.
Thank you
Hello
Isakmp policy match on both devices? What version of ios is running on the router and the asa5510
Thank you
-
Cisco 877 + VPN Site to Site
Hello
I'm new im this forum.
I've set up a Site VPN site with 2 Cisco 877.SITE A:
Address IP Adreess public: static
Internal IP Adrees: 192.168.0.XXX
Mask: 255.255.255.0SITE B:
IP address public Adreess: Dynamics
Internal IP address: 192.168.2.XXX
Mask: 255.255.255.0I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.
Fix, is the SITES A and B SITE startup configs.
Could you please someone help me?
Hi Marcos,
Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.
Rregards,
Assia
-
IPSEC VPN between Pix 515E and 1841 router
Hi all
BACKGROUND
We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.
PROBLEM
The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.
Any help much appreciated.
You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.
As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.
For a feature, it would be preferable to static IP addresses on both sides.
-
OSB 11 g dynamic routing number
Hello
I'm going crazy for not being able to get DynamicRouting to work. I use the DynamicRouting option in RouteNode and in the * variable Panel service of this action, I have the following:
< ctx:route >
< ctx:service proxy = "false" > /MyProject/Services/BusinessServices/MyBizService.biz < / ctx:service >
{$operation} < ctx:operation > < / ctx:operation >
< / ctx:route >
The Sales Department is here and the path is correct. $Operation is checked to ensure that the correct value.
The installation is I have a proxy service based on a WSDL and in the node of the road I am trying to dynamically deliver to a business service.
I get the following error:
The invocation was an error:
.
< soapenv:Envelope = "http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenv >
< soapenv:Body >
< soapenv:Fault >
soapenv:Server < faultcode > < / faultcode >
< faultstring > BEA-382612: error prepare the message for shipping < / faultstring >
< detail >
< con xmlns:con: fault = "http://www.bea.com/wli/sb/context" >
< con: errorCode > BEA-382612 < / con: errorCode >
message preparation < con: reason > error for shipping < / con: reason >
< con: location >
< con: node > RoutingToDataServices < / con: node >
request pipeline - < con: path > < / con: path >
< / con: location >
< / con: fault >
< / details >
< / soapenv:Fault >
< / soapenv:Body >
< / soapenv:Envelope >
If just use the Table routing or action of the road, there is no error and flow works very well.
Everyone encountered problems with dynamic routing in this nature?
Thanks in advance,
ManiI use the web console for my development OSB and when I click on the business service the path appears as "Back/BusinessService/CreditRatingTemplate" (based on the example downloaded from the link given by me)
I guess you are using the Eclipse/workshop for development and therefore find the below:
* / * NGWS/Services/BusinessServices/NGWS_http.*biz*
Can you replace it without the front / at the beginning of the URL and see if it works.
Thank you
Patrick -
Cisco VPN Site to Site with a static and dynamic does not
Hello
I have ASA 5510 in Headquarters with static, IP and ASA 5505 in the remote site behind ADSL router trying to establish VPN, but its failure in phase 1
Config of the headquarters
interface Ethernet0/0
Description link to router LeaseLine
nameif outside
security-level 0
IP x.x.x.x 255.255.255.248
!
interface Ethernet0/1
Description link to LAN internal
nameif inside
security-level 100
IP 172.17.1.15 255.255.255.0
access extensive list ip 172.17.1.0 inside_nat0_outbound_1 allow 255.255.255.0 172.20.1.0 255.255.255.0
access extensive list ip 172.17.1.0 inside_nat0_outbound_1 allow 255.255.255.0 172.19.1.0 255.255.255.0
access extensive list ip 172.17.1.0 vpn_to_remote allow 255.255.255.0 172.19.1.0 255.255.255.0
extended VPN ip 172.17.1.0 access list allow 255.255.255.0 172.20.1.0 255.255.255.0
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
Crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
correspondence address 1 crypto dynamic-map cisco VPN
Crypto dynamic-map cisco 1 set of transformation-ESP-AES-256-SHA
card crypto outside_map 10 correspondence address vpn_to_remote
card crypto outside_map 10 set pfs
card crypto outside_map 10 peers set y.y.y.y
card crypto outside_map 10 transform-set esp-aes-256-md5
outside_map crypto 10 card value reverse-road
dynamic outside_map 30-isakmp ipsec crypto map Cisco
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
md5 hash
Group 5
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group ipsec-attributes y.y.y.y
pre-shared-key *.
tunnel-group parkplace type ipsec-l2l
tunnel-group ipsec-attributes parkplace
pre-shared-key *.
The Remote Site configuration
interface Vlan1
nameif inside
security-level 100
address 172.20.1.1 IP 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
ICMP list extended access permit icmp any one
access-list SHEEP extended ip 172.20.1.0 allow 255.255.255.0 172.17.1.0 255.255.255.0
extended VPN 172.20.1.0 ip access list allow 255.255.255.0 172.17.1.0 255.255.255.0
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0 outdoors
Access-group ICMP in interface outside
Route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
crypto map outside_map 1 is the VPN address
peer set card crypto outside_map 1 83.111.252.242
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *.
Best regards / Asfar
Hello
Have you tried to replace the names of 'tunnel-group' entry with Ip address on both ends... ?
Thank you
MS
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
Problem on site to site and between router vpn client series 2,800
Hello
I need a little help.
I have 2 office of connection with a site to site vpn
Each site has a dry - k9 router 800 series.
Each router has actually client ipsec vpn active and all users can connect by using the client vpn with no problems.
I added the lines for the vpn site to another, but the tunnel is still down.
Here the sh run and sh encryption session 2 routers:
OFFICE A
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
OFFICE-A-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 220561722
revocation checking no
rsakeypair TP-self-signed-220561722
!
!
TP-self-signed-220561722 crypto pki certificate chain
certificate self-signed 01
quit smoking
!
!
!
!!
!
dhcp WIRED IP pool
Network 10.0.0.0 255.255.255.0
router by default - 10.0.0.254
Server DNS 10.0.0.100
!
!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!!
!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa ssh key pair name
property intellectual ssh version 2
property intellectual ssh pubkey-string
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
OFFICE-B-IP address ISAKMP crypto key XXXXX
!
ISAKMP crypto client configuration group remoteusers
key XXXX
DNS 10.0.0.100
WINS 10.0.0.100
domain.ofc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
defined OFFICE-B-IP peer
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
INTERNAL description
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
Shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan10
IP 10.0.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name of user password xxx xxx 0
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.1 10.16.20.200
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
Note access-list 101 * ACL SHEEP *.
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
endOFFICE B
OFFICE-B-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1514396900
revocation checking no
rsakeypair TP-self-signed-1514396900
!
!
TP-self-signed-1514396900 crypto pki certificate chain
certificate self-signed 01
quit smoking!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa SSH key pair name
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
encryption XXXX isakmp key address IP-OFFICE-A!
ISAKMP crypto client configuration group remoteusers
key xxxx
DNS 192.168.1.10
WINS 192.168.1.10
rete.loc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac rtpset
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
peer IP-OFFICE-A value
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
Vlan30 interface
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name to user
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.201 10.16.20.250
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static tcp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static udp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
IP nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
sheep allowed 10 route map
corresponds to the IP 150 101
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
ACCESS-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
password Password02
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
endThanks in advance for any help :)
the site at the other tunnel is mounted, but it does not pass traffic; What is the source and destination ip on the router that you are trying to ping the address
whenever you try to open the traffic from router A to router B, you must to the source of the traffic.
for ex,.
Router A-->10.1.1.1--fa0/0
Router B - 172.168.1.100
source of ping 172.168.1.100 router # 10.1.1.1
After doing the pings, send the output of the show counterpart of its crypto ipsec
at both ends -
VPN site to Site with the possibility to dial Back-Up
Hello
Our network currently uses a lot of Frame-Relay links, for these connections, we use the Cisco 1720 with dial back-up on analog line in case the fials Frame-Relay.
I am looking for a way to site to site VPN connection and have always the possibility to dial emergency failure of the ISP. We currently have a Cisco Pix 515E who would host connections, what would be my best option on the side of Management Office? Firewalls PIX or Cisco 1720 with modules of VPN, perhaps a combination of the two? Which would be safer?
Thank you in advance for any help you provide.
Mauro
Mauro,
Do you want to replace EN with VPN links and then save the VPN with ISDN, or keep the FR, retreating to VPN, then falling back to ISDN?
Whatever it is, the way to go is to use a dynamic routing on the EN and the VPN Protocol, so when a link fails the IP routing protocol address reconverges. This way you can always trigger the ISDN with a static route floating.
EIGRP (or any other dynamic routing protocol) to via the VPN to allow multicasting neighbourgh through a GRE tunnel.
-
problem with users to access remote vpn site to site vpn network
I did the Setup: asa 5510 configured remote access vpn. My vpn users receive asa 5510 range 192.168.50.0/24 addresses and users access my local lan 192.168.0.0/24. the second side of the local lan 192.168.0.0/24 on asa 5505, I did a vpn site-to-site with network 192.168.5.0/24.on that both sides of a site are asa 5505. inside the interface asa 5510 Elise 192.168.0.10 and inside the interface asa 5505 have address 192.168.0.17.third asa 5505 networked 192.168.5.0/24 address 192.168.5.1. I want my remote access vpn users can access resources on network 192.168.5.0/24. I create the static route on inside the asa 5510 static route 192.168.5.0 interface 255.255.255.0 192.168.0.17 and a static route on inside the asa 5505 static route 192.168.50.0 interface 255.255.255.0 192.168.0.10, but it's not working. What do I do?
execution of the configuration of my asa 5510 is
Result of the command: "show run"
: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.201
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 444
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object network DMZ
host 172.16.20.200
object network Inside_DMZ
host 192.168.0.20
object service rdp
service tcp destination eq 3389
object network DRI_PS99
host 192.168.0.54
object service microsoft_dc
service tcp destination eq 445
object service https448
service tcp destination eq 448
object network mail_server_internal
host 172.16.20.201
object service Acronis_remote
service tcp destination eq 9876
object service Acronis_25001
service tcp destination eq 25001
object service HTTP3000
service tcp destination eq 3000
object network VPNPOOL
subnet 192.168.50.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object admin_port
service-object object ssl
service-object object tls
service-object object https448
object-group service DM_INLINE_SERVICE_2
service-object object admin_port
service-object object https448
service-object object ssl
service-object object tls
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_3
service-object object admin_port
service-object object https448
service-object object ssl
service-object tcp destination eq smtp
service-object object tls
service-object object Acronis_remote
service-object tcp destination eq www
service-object object Acronis_25001
service-object object microsoft_dc
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object object Acronis_25001
service-object object Acronis_remote
service-object object microsoft_dc
service-object tcp destination eq www
service-object tcp
service-object ip
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
access-list DMZ extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
object network mail
nat (DMZ,outside) static x.x.x.180
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record dripolisa
aaa-server DRI protocol ldap
aaa-server DRI (inside) host 192.168.0.20
ldap-base-dn DC=dri,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet 192.168.1.12
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 195.222.96.223
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.14-192.168.0.45 inside
!
dhcpd address 172.16.20.2-172.16.20.150 DMZ
dhcpd dns x.x.x.177 interface DMZ
dhcpd auto_config outside interface DMZ
dhcpd option 6 ip x.x.x.177 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_x.x.x.223 internal
group-policy GroupPolicy_x.x.x.223 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 192.168.0.20 192.168.0.254
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-network-list value Split_Tunnel_List
default-domain value dri.local
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnadrese
authentication-server-group DRI
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 general-attributes
default-group-policy GroupPolicy_x.x.x.223
tunnel-group x.x.x.223 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect ip-options
inspect netbios
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
: endrunning config asa 5505
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address
logging recipient-address level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.13.74.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
: endThank you
Hello
I have previously edited the my initial response was in fact not necessary since you were actually using full Tunnel
EDIT: Actually just noticed the the VPN client isnt using Split Tunnel. Its Full Tunnel at the moment since it doesnt have the "split-tunnel-policy tunnelspecified"
So you don't really have any of those.
Please mark the question answers and/or assess response
Ask more if necessary
-Jouni
-
Default route inside the tunnel VPN Site to site
We want to carry the default traffic within the site to site VPN tunnel, our goal is to route all traffic including default branch road and HO HO help branch for surfing the internet.
I have due to difficulties
1. cannot configure dynamic NAT for the router in the branch on the ASA HO, I know configuration for 8.2, but know not about 8.4
This is the configuration for the 8.2, if someone can translate to 8.4, which would be a great help
NAT (outside) 1 192.168.230.0
2. I do not know how to write the default route on the branch office router to send all traffic within the VPN tunnel
Hello
As I understand it then you want to route ALL traffic from the Remote Site to the Central Site and manage Internet traffic there.
I suppose you could define "interesting traffic" in configuring VPN L2L ACL / access-list in the following way
Branch router
extended IP access list
allow an ip
ASA central
ip access list allow one
The idea behind the type of ACL for the VPN L2L above configurations is that, for example, the branch office router has a rule that sets connection coming from the local LAN for 'any' destination address must be sent to the VPN L2L connection. So, it would be in such a way that all the traffic will be sent to the Central Site via VPN L2L.
I must say however, that the VPN router configurations side are not more familiar to me because I manage especially with ASA Firewall (and to some extent still PIX and FWSMs)
I guess that on the ASA Central you will PAT translation to "outside" so that the host can access the Internet?
You would probably do something like this
object-group network to REMOTE-SITE-PAT-SOURCE
network-object
interface of REMOTE-SITE-PAT-SOURCE dynamic NAT (outside, outside) after auto source
If you don't want to use the 'outside' IP address, then you will have to create a 'network of object' for address IP of PAT and use it in the line of NAT configuration above instead of "interface".
Alternate configuration might be
network of the REMOTE-SITE-PAT object
subnet
dynamic NAT interface (outdoors, outdoor)
You also need to enable
permit same-security-traffic intra-interface
To allow traffic to enter and exit the same interface on the ASA
All these answers are naturally suggestion on what you have to do. I don't know what kind of configurations you have right now.
Hope this helps in some way
-Jouni
Post edited by: Jouni Forss
-
Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).
Here is the presentation:
There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.
I was able to configure the Client VPN IPSec Site
(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa
(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.
But I was not able to make the tradiotional model Hairpinng to work in this scenario.
I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?
Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:
LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)
race-conf - Site VPN Customer normal work without internet access/split tunnel
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain cisco.campus.com
enable the encrypted password xxxxxxxxxxxxxx
XXXXXXXXXXXXXX encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside internet1
security-level 0
IP 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif outside internet2
security-level 0
IP address 2.2.2.2 255.255.255.224
!
interface GigabitEthernet0/2
nameif dmz interface
security-level 0
IP 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
IP 172.16.0.1 255.255.0.0
!
interface Management0/0
nameif CSC-MGMT
security-level 100
the IP 10.0.0.4 address 255.255.255.0
!
boot system Disk0: / asa821 - k8.bin
boot system Disk0: / asa843 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain cisco.campus.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group network cmps-lan
the object-group CSC - ip network
object-group network www-Interior
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
port udp-object-group service
object-group service ftp
object-group service ftp - data
object-group network csc1-ip
object-group service all-tcp-udp
access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3
access-list extended SCC-OUT permit ip host 10.0.0.5 everything
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp
list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp
list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3
access CAMPUS-wide LAN ip allowed list a whole
access-list CSC - acl note scan web and mail traffic
access-list CSC - acl extended permit tcp any any eq smtp
access-list CSC - acl extended permit tcp any any eq pop3
access-list CSC - acl note scan web and mail traffic
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp
access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3
access-list extended INTERNET2-IN permit ip any host 1.1.1.2
access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0
access list DNS-inspect extended permit tcp any any eq field
access list DNS-inspect extended permit udp any any eq field
access-list extended capin permit ip host 172.16.1.234 all
access-list extended capin permit ip host 172.16.1.52 all
access-list extended capin permit ip any host 172.16.1.52
Capin list extended access permit ip host 172.16.0.82 172.16.0.61
Capin list extended access permit ip host 172.16.0.61 172.16.0.82
access-list extended capout permit ip host 2.2.2.2 everything
access-list extended capout permit ip any host 2.2.2.2
Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
Enable logging
debug logging in buffered memory
asdm of logging of information
Internet1-outside of MTU 1500
Internet2-outside of MTU 1500
interface-dmz MTU 1500
Campus-lan of MTU 1500
MTU 1500 CSC-MGMT
IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1
IP check path reverse interface internet2-outside
IP check path reverse interface interface-dmz
IP check path opposite campus-lan interface
IP check path reverse interface CSC-MGMT
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
interface of global (internet1-outside) 1
interface of global (internet2-outside) 1
NAT (campus-lan) 0-campus-lan_nat0_outbound access list
NAT (campus-lan) 1 0.0.0.0 0.0.0.0
NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
Access-group INTERNET2-IN interface internet1-outside
group-access INTERNET1-IN interface internet2-outside
group-access CAMPUS-LAN in campus-lan interface
CSC-OUT access-group in SCC-MGMT interface
Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1
Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
HTTP 1.2.2.2 255.255.255.255 internet2-outside
HTTP 1.2.2.2 255.255.255.255 internet1-outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
crypto internet2-outside_map outside internet2 network interface card
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit smoking
ISAKMP crypto enable internet2-outside
crypto ISAKMP policy 10
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
Telnet 10.0.0.2 255.255.255.255 CSC-MGMT
Telnet 10.0.0.8 255.255.255.255 CSC-MGMT
Telnet timeout 5
SSH 1.2.3.3 255.255.255.240 internet1-outside
SSH 1.2.2.2 255.255.255.255 internet1-outside
SSH 1.2.2.2 255.255.255.255 internet2-outside
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal VPN_TG_1 group policy
VPN_TG_1 group policy attributes
Protocol-tunnel-VPN IPSec
username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx
privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx
username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx
username vpnuser1 attributes
VPN-group-policy VPN_TG_1
type tunnel-group VPN_TG_1 remote access
attributes global-tunnel-group VPN_TG_1
address vpnpool1 pool
Group Policy - by default-VPN_TG_1
IPSec-attributes tunnel-group VPN_TG_1
pre-shared-key *.
!
class-map cmap-DNS
matches the access list DNS-inspect
CCS-class class-map
corresponds to the CSC - acl access list
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
CCS category
CSC help
cmap-DNS class
inspect the preset_dns_map dns
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN
Please tell what to do here, to pin all of the traffic Internet from VPN Clients.
That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)
I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.
Thank you & best regards
MAXS
Hello
If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.
I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.
The command format is
packet-tracer intput tcp
That should tell what the SAA for this kind of package entering its "input" interface
Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)
-Jouni
-
VPN site to Site btw Pix535 and 2811 router, can't get to work
Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: config PIX:
: Saved
: Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012
!
8.0 (4) version PIX
!
hostname pix535
!
interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
address IP X.X.138.132 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
outside_access_in of access allowed any ip an extended list
access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0
inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248
outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248
access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0
Global interface 10 (external)
15 1.2.4.5 (outside) global
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 15 10.1.0.0 255.255.0.0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds
Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000
Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60
Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds
Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map 1 match address outside_1_cryptomap
outside_map game 1 card crypto peer X.X.21.29
card crypto outside_map 1 set of transformation-ESP-DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 1
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
internal GroupPolicy1 group strategy
cnf-vpn-cls group policy internal
attributes of cnf-vpn-cls-group policy
value of 10.1.1.7 WINS server
value of 10.1.1.7 DNS server 10.1.1.205
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value x.com
sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key secret1
RADIUS-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group cnf-vpn-cls type remote access
tunnel-group global cnf-vpn-cls-attributes
cnf-8-ip address pool
Group Policy - by default-cnf-vpn-cls
tunnel-group cnf-CC-vpn-ipsec-attributes
pre-shared-key secret2
ISAKMP ikev1-user authentication no
tunnel-group cnf-vpn-cls ppp-attributes
ms-chap-v2 authentication
tunnel-group X.X.21.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.21.29
Pre-shared key SECRET
!
class-map inspection_default
match default-inspection-traffic
!
!
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: 2811 router config:
!
! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla
! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname THE-2800
!
!
Crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1411740556
revocation checking no
rsakeypair TP-self-signed-1411740556
!
!
TP-self-signed-1411740556 crypto pki certificate chain
certificate self-signed 01
308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435
30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D
34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203
1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003
81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452
E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C
quit smoking
!
!
!
crypto ISAKMP policy 1
preshared authentication
ISAKMP crypto key address SECRET X.X.138.132 No.-xauth
!
!
Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac
!
map 1 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
the transform-set the-2800-trans-set value
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
Description WAN side
address IP X.X.216.29 255.255.255.248
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
No cdp enable
No mop enabled
card crypto 2800-ipsec-policy
!
interface FastEthernet0/1
Description side LAN
IP 10.20.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
full duplex
automatic speed
No mop enabled
!
IP nat inside source map route sheep interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 allow 64.236.96.53
access-list 99 allow 98.82.1.202
access list 101 remark vpn tunnerl acl
Note access-list 101 category SDM_ACL = 4
policy of access list 101 remark tunnel
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
public RO SNMP-server community
!
!
!
sheep allowed 10 route map
corresponds to the IP 110
!
!
!
!
WebVPN gateway gateway_1
IP address X.X.216.29 port 443
SSL trustpoint TP-self-signed-1411740556
development
!
WebVPN install svc flash:/webvpn/svc.pkg
!
WebVPN gateway-1 context
title 'b '.
secondary-color white
color of the title #CCCC66
text-color black
SSL authentication check all
!
!
policy_1 political group
functions compatible svc
SVC-pool of addresses "WebVPN-Pool."
SVC Dungeon-client-installed
SVC split include 10.20.0.0 255.255.0.0
Group Policy - by default-policy_1
Gateway gateway_1
development
!
!
end
#3: test Pix to the router:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: X.X.21.29
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2
> DEBUG:
12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry#4: test the router to pix:LA - 2800 #sh crypto isakmp hisIPv4 Crypto ISAKMP Security Associationstatus of DST CBC State conn-id slotX.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0> debugLA - 2800 #ping 10.1.1.7 source 10.20.1.1Type to abort escape sequence.Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:Packet sent with a source address of 10.20.1.1Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 50022 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 8000001322 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 50022 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - tOct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 IDOct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode ExchangeOct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.13222 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 122 Oct 16:24:34.053: ISAKMP: DES-CBC encryption22 Oct 16:24:34.053: ISAKMP: SHA hash22 Oct 16:24:34.053: ISAKMP: default group 122 Oct 16:24:34.053: ISAKMP: pre-shared key auth22 Oct 16:24:34.053: ISAKMP: type of life in seconds22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x8022 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 022 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 022 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:422 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:8640022 Oct 16:24:34.053: ISAKMP: (0): return real life: 8640022 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatmentOct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 19422 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM322 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.13222 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 022 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unitOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTHOct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatmentOct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS!Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch22 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: receives the payload type 2022 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM422 Oct 16:24:34.221: ISAKMP: (1018): send initial contact22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication22 Oct 16:24:34.221: ISAKMP (0:1018): payload IDnext payload: 8type: 1address: X.X.216.29Protocol: 17Port: 500Length: 1222 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5...22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 19855474022 Oct 16:24:38.849: ISAKMP: (1017): purge the node 81238000222 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...Success rate is 0% (0/5)# THE-2800Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD6022 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmissionOct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.13222 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE....22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCHOct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.......22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)
22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.
22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177
22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615
22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0
The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work
I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.
All suggestions and tips are greatly appreciated.
Sean
Recommended action:
On the PIX:
no card crypto outside_map 1
!
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
card crypto outside_map 10 correspondence address outside_1_cryptomap
crypto outside_map 10 peer X.X.216.29 card game
outside_map crypto 10 card value transform-set ESP-3DES-SHA
life safety association set card crypto outside_map 10 28800 seconds
card crypto outside_map 10 set security-association life kilobytes 4608000
!
tunnel-group X.X.216.29 type ipsec-l2l
IPSec-attributes tunnel-Group X.X.216.29
Pre-shared key SECRET
!
On the router:
crypto ISAKMP policy 10
preshared authentication
Group 2
3des encryption
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
output
!
card 10 la-2800-ipsec policy ipsec-isakmp crypto
ipsec vpn Description policy
defined by peer X.X.138.132
game of transformation-ESP-3DES-SHA
match address 101
!
No crypto card-2800-ipsec-policy 1
Let me know how it goes.
Portu.
Please note all useful posts
Post edited by: Javier Portuguez
-
Hi all
I threw myself little in this project without a lot of lead in. Basically, we have 5 sites
Site A: HQ with ASA 5520
Site B: Remote with 5505 with L2L at Site A
Site C: Remote with 5505 with L2L at Site A
Square D: distance with 5505 with L2L at the Site
Site E: Remote with 5505 with L2L at Site A
In an emergency, I had to get phone running systems when a T1 PTP line was cut at the beginning by the customer! I created a VLAN on each phone named 5505 and created the Tunnels of VPN L2L all return to the HQs 5520. Everything was good in the neighborhood, phones were talking about main PBX server to HQ, we could compose and in no problem. The problem is now the phone Vender tells us that we need routing between each site. We cannot compose between each remote site without using external number (whereas before you dial internal extensions in order to reach all other sites)
Site B needs to talk to the PBX to C, D and E (A, obviously as well but that is already at work) and so on.
I found topics dealing with 2 remote sites requiring a routing, however, with 4 that all need to routing to the other configs will very quickly very vast and complicated. There is already extra virtual private networks to of the HQ 5520 who go elsewhere and a good amount of security configurations, so the config is already pretty decently sized.
Is there a better way to do this, or should I start to write my setups now?
If I understand your question, you need to configure a list of VPN networks on each VPN Ray and the hub.
For example on the RADIUS B a crypto access list that is similar to:
ip-> A B permit
ip-> C B permit
ip-> D B permit
ip-E > B permit
corresponding Cryptography ACL on the hub for talks would be like:
IP-> B to allow
IP C-> B permit
allow the ip D-> B
E-> B ip license
Repeat for each Department accordingly.
So basically your configuration crypto would ' t grow, only the ACL crypto.
You can work with groups of objects to simplify the ACL crypt, in this case:
Crypto ACL on Hub B:
object-group VoIP-dst
object A
object C
object D
object E
object-group VoIP-src
object B
permit ip src VoIP VoIP-dst
And so on...
Just make sure your config allows same-security-traffic intra-interface
Maybe you are looking for
-
What model of 7 Iphone at the apple store online? locked or unlocked?
I plan to buy an iphone 7 on the apple store online to Singapore. I want the unlocked model. I want to know what model apple will deliver to my home? According to the website A1778 is the unlocked that works with my carrier. shows the GSM model. can
-
It becomes painful. I just received this: [quote]Het STAT-commando had geen success. Doing verkrijgen van berichtnummers en bij - formats. Mail server pop - mail.outlook.com antwoordde: exceeded the limit of connection for a period of 15 minutes. Red
-
Windows xp. Windows Live. Hotmail Sign In.
When signing with my ID in hotmail, after typing the first letters of the ID, the memory shows examples of previous connections with the same or simular letters. Question - how do I delete or remove these examples previous simular sign in ID. I use s
-
Windows Media Player 11 Date added function - please stop repeating the date for EACH file.
I have been using Media Player 9, decided to upgrade to Windows Media Player 11, and the only thing I can not stand on Player 11 is how it sorts Date added media files. In Player 9 when I chose the column Date added, the program would list all the f
-
HelloI tried to download the trial yet on the web, but it prevents download of first CC,I found a version of cs6 (I have seen that it is not longer available on cc) but I can't install it on "El Capitan," BONESCould you give me a good link?I guess th