VPN traffic via a secondary access provider
Hello world
I have been asked by a client to implement this topology:
where:
ISP 1 is used as primary internet connection.
2 ISP will be used to connect remote users by IPsec VPN.
Currently, I'm not looking for the Active/Backup feature, I need to know if I can use both ISP connections (as I've written before) an ISP for the Internet company and the other for the user remote access VPN.
I read some post where, said, it's possible, but I want to be sure.
Kind regards
Jose
ASA must add the static route in the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if not, you can just manually configure who will forward a VPN client IP packet to ISP2.
With respect to NAT, in general, VPN traffic must ignore the NAT. You can use "nat (inside_interface_name) 0-list of access ' with an ACL that define the vpn traffic to do so.
Tags: Cisco Security
Similar Questions
-
VPN needs access to all external internal vpn traffic traffic all in tunnel
Hello
Could someone help me find the problem?
I am ASA configuration as firewall + vpn server, essentially outside of the device's access T1 (there are two VLANS in inside via an iptables, outside of iptables is on the same vlan as insdie of ASA (192.168.5.1 and 192.168.5.2).) VPN users are authenticated via authentication 2 factors (SDI, ip is 192.168.5.5) and get the ACL by local database. pool of VPN is 192.168.6.1 - 192.168.6.15. pool of VPN is coordinated to the external IP address
trying to access a remote host A from the host a is open for the IP and one specific Protocol. all vpn traffic are in the tunnel. the VPN user can connected and ACL vpnuser1_ONLY not working does not as expected.
Here is the part of configuration:
ASA Version 8.2 (2)
...........Route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1
Route inside companynet1 255.255.255.0 192.168.5.2 1
Route inside companynet2 255.255.255.0 192.168.5.2 1
Route inside companynet3 255.255.255.0 192.168.5.2 1
Route inside companynet4 255.255.255.0 192.168.5.2 1
...............
Route inside companynetn 255.255.255.0 192.168.5.2 1
NAT (inside) 4 vpnpool 255.255.255.0 outside <--------- is="" this="">--------->
Global (outside) 4 xx.10.194.238 netmask 255.255.255.255
Split-tunnel-policy tunnelall
.....................
vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 192.168.1.28 host 255.255.255.255 eq ssh connect
vpnuser1_ONLY list extended access permitted tcp vpnpool 255.255.255.0 74.2.23.195 host 255.255.255.255 eq ssh connect
............
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 8
VPN-idle-timeout 10
VPN-session-timeout 60
Protocol-tunnel-VPN l2tp ipsec
WebVPN
SVC Dungeon - install any
time to generate a new key of SVC 8
SVC generate a new method ssl key
SVC request no svc default
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
VPN - connections 1
VPN-idle-timeout 9
VPN-session-timeout 45
VPN-tunnel-Protocol svc
Split-tunnel-policy tunnelall
WebVPN
SVC Dungeon - install any
time to generate a new key of SVC 15
SVC generate a new method ssl key
client of dpd-interval SVC 30
dpd-interval SVC 30 bridge
value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. For more information, contact your COMPUTER administrator.
disable the SVC routing-filtering-ignore
username vpnuser1 encrypted password xxxxxxx
username vpnuser1 attributes
VPN-group-policy GroupPolicy1
VPN-idle-timeout 6
VPN-session-timeout 20
VPN-filter value vpnuser1_ONLY
VPN-tunnel-Protocol svc
value of group-lock COMAVPN
type of remote access service
tunnel-group DefaultRAGroup webvpn-attributes
Disable group companyvpn aliases
type tunnel-group COMAVPN remote access
attributes global-tunnel-group COMAVPN
address (inside) vpnpool pool
address vpnpool pool
SDI Group-authentication server
authentication-server-group (inside) SDI
LOCAL authority-server-group
Group Policy - by default-GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
activation of the Group companyremote alias
I did anything wrong / missing?
Thank you
Yijun
First of all, you can set "no nat-control" because once you have relieved of NAT, 'no nat-control' becomes disable anyway. 'No nat-control' is useful if you have no statement of NAT at all on the interface.
Second, if you can't access the outside inside which is because you must configure the NAT exemption. Not sure if you have configured it.
Here's the command:
access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
NAT (inside) 0 access-list sheep
You can then add all other subnets that are internal to the ACL sheep if you need VPN access.
Finally, for the error message deny on access-group "OUTSIDE", you would need check if you have configured "sysopt connection VPN-enabled'. If it is disabled, it will also check the "OUTSIDE" interface for VPN traffic.
-
Separate the internet access and VPN traffic
Hello everyone!
I have a VPN Client that connect with the office, the vpn works great. Now all traffic, including internet´s access goes through the tunnel. I would separate it, I know I can use a split tunnel, but does not work for me.
Here is the config:
internal remote group strategy
Group remote attributes policy
value of 192.168.0.11 WINS server
Server DNS 192.168.0.13 value
Protocol-tunnel-VPN IPSec
Split-tunnel-policy excludespecified
value of Split-tunnel-network-list Accesso_Restringido
XXXX.xxx value by default-fieldAccesso_Restringido list extended access denied object-group ip VPN remote everything
Any idea?
Concerning
KC
You should ignore the NAT for traffic between the vpn to the DMZ network client
1 remove the following text
No inside_nat0_outbound access ip 192.168.0.0 scope list allow 255.255.0.0 10.10.1.0 255.255.255.0
2. Add the following
permit dmz_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0
NAT (DMZ) 0-list of access dmz_nat0_outbound
-
Configuration of the router to allow VPN traffic through
I would like to ask for assistance with a specific configuration to allow VPN traffic through a router from 1721.
The network configuration is the following:
Internet - Cisco 1721 - Cisco PIX 506th - LAN
Remote clients connect from the internet by using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. Inside of the interface of the router is 192.168.0.1.
The pix was originally configured with a public ip address and has been tested to work well to authenticate VPN connections and passing traffic in the local network. Then, the external ip address was changed to 192.168.0.2 and the router behind.
The 1721 is configured with an ADSL connection, with fall-over automatic for an asynchronous connection. This configuration does not work well, and in the local network, users have normal internet access. I added lists of access for udp, esp and the traffic of the ahp.
Cisco VPN clients receive an error indicating that the remote control is not responding.
I have attached the router for reference, and any help would be greatly apreciated.
Manual.
Brian
For VPN clients reach the PIX to complete their VPN the PIX needs to an address that is accessible from the outside where the customers are. When the PIX was a public address was obviously easy for guests to reach the PIX. When you give the PIX one address private, then he must make a translation. And this becomes a problem if the translation is dynamic.
You have provided a static translation that is what is needed. But you have restricted the TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP and ESP, AHP traffic? How is it to be translated?
If there is not a static translation for ISAKMP traffic, ESP and AHP so clients don't know how to reach the server. Which brings me to the question of what the address is configured in the client to the server?
HTH
Rick
-
7.2 ASA5520 - filters VPN traffic
Hi all,
I would like to know how can I filter out VPN traffic with a list of access, by using the source address and port of destination as filters.
I tried with "no sysopt permit vpn connection" but it is to filter the traffic through the VPN tunnel and I want to filter the host which can establish the VPN tunnel.
I did it in a router with this access list:
Note access-list 101 VPN
access-list 101 permit ahp host x.x.x.x everything
access-list 101 permit esp host x.x.x.x any newspaper
access-list 101 permit host x.x.x.x esp all
access-list 101 permit udp host x.x.x.x any eq isakmp
access-list 101 permit udp host x.x.x.x any eq non500-isakmp
But I tried the same thing in the ASA and does not work, I think it's because the ASA does not apply the access list for VPN traffic.
Sincerely, Fernando.
Fernando
You can disable it with "no crypto isakmp are outside", but then even if you apply an acl to the outside which allows all IP, ESP, AH it still does not allow an IPSEC connection.
So for the moment I see no way to do this without using an acl on your router upstream.
I'll do a reading just in case I missed something.
Jon
-
If a user connects using the AnyConnect client, and then connects via RDP to an internal Windows machine, I'd be able to see all traffic via syslog from the RDP session? I can see the client login, auth, DHCP, then the port 3389 in order to connect to the internal area of Windows, but only once the connection on port 3389 traffic (and subsequent termination of the VPN session at the request of the user). It seems that there is a kind of traffic through the ASA to the VPN client, at least at the level of the presentation layer. Asked me to look at this to determine if a person was actually connected and work or if they have just connected to make it look like they were doing their job.
Also, in the same sense - is there a difference shown when a session ends for max of the session and a user actually disconnection? The reason why I ask this question is the above user has been connected for exactly 12 hours, which is the Max connection time (720 minutes), but the newspaper it says was by the request of the user. My guess is that it was a max session timeout but I have to be positive about that.
Thanks in advance...
If the RDP user in a device, the activity that takes place during the RDP session would be from this device to other applications. When you're talking about syslog, I guess you see syslog messages when the RDP box creates an outgoing link or other subnet that goes through the ASA and ASA sends syslog messages?
If you want to see activity in the RDP session, you need check the outbound RDP host connection, and for the SAA trigger and send syslog, traffic from the host RDP must pass through the ASA.
Example:
Connect to it via RDP 192.168.1.5 and AnyConnect.
If you want to check the activities, you will need to check if 192.168.1.5 launches all connections.
In regards to the max session disconnects, can you please share the syslog message which specifies that.
Hope that helps.
-
Capture packets for VPN traffic
Hi team,
Please help me to set the ACL and capture for remote access VPN traffic.
To see the amount of traffic flows from this IP Source address.
Source: Remote VPN IP (syringe) 10.10.10.10 access
Destination: any
That's what I've done does not
extended VPN permit tcp host 10.10.10.10 access list all
interface captures CAP_VPN VPN access to OUTSIDE gross-list data type
Hello
If you have configured capture with this access list, you filter all TCP traffic, so you will not be able to see the UDP or ICMP traffic too, I would recommend using the ACL, although only with intellectual property:
list of allowed extended VPN ip host 10.10.10.10 access everything
Capture interface outside access, VPN CAP_VPN-list
Then with:
See the capture of CAP_VPN
You will be able to see the packet capture on the SAA, you can export the capture of a sniffer of packages as follows:
-
RA VPN VPN L2L via NAT strategy
Scenario: we have remote access VPN users who need to access a VPN L2L by ASA even outside the interface. This particular VPN L2L is a partner that requires us to NAT (192.168.x.x) addresses to another private address (172.20.x.x). We also access VPN L2L to internal hosts. NATing to the partner is accomplished through a NAT policy.
Our remote VPN users cannot access the L2L VPN. It seems that the host address VPN (assigned through RADIUS) is not in THAT NAT would not, even if it is in the range object.
"Group" is configured and works for the other VPN.
NO - NAT ACL does not seem to be involved (which it shouldn't), as the address of the internal host (192.168.60.x) is not NAT to be the public address.
Internal hosts that can access the VPN tunnel very well.
Here are the relevant config:
permit same-security-traffic intra-interface
the OURHosts object-group network
host 192.168.1.x network-object
host 192.168.2.x network-object
object-network 192.168.60.0 255.255.255.0
the PartnerHosts object-group network
network-host 10.2.32.a object
network-host 10.2.32.b object
network-host 10.2.32.c object
access-list extended NAT2 allowed ip object-group OURHosts-group of objects PartnerHosts
Global (OUTSIDE) 2 172.20.x.x
NAT (INSIDE) 2-list of access NAT2
The syslog error we receive:
% ASA-4-402117: IPSEC: received a package not IPSec (Protocol = ICMP) 10.2.32.a to 192.168.60.x
Yes. According to the config that you posted, there is no command currently in no place in vpn nat clients the RA to the hairpin above the tunnel.
The inside of our customers work due to "nat (INSIDE) 2 NAT2 access-list. But because your VPN RA customers coming from "OUTSIDE", this statement by nat would have no effect on them.
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config
The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.Hello
Looking at the configuration, there is an access list this nat exemption: -.
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
But it is not applied in the States of nat.
Send the following command to the nat exemption to apply: -.
NAT (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
AnyConnect VPN full tunnel could not access the site to site VPN
I have a set of AnyConnect VPN upward with no split tunneling (U-turning/crossed traffic), running 8.2.5 code.
It works fine, but I want to allow customers to AnyConnect VPN site to site, which I was unable to access.
I checked the IP addresses of network anyconnect are part of the tunnel on both sides.
My logic tells me that I must not turn back traffic from the network anyconnect for the site to site VPN, but I don't know how to do this.
Any help would be appreciated.
Here are the relevant parts of my config:
(Domestic network is 192.168.0.0/24,
the AnyConnect network is 192.168.10.0/24,
site to site VPN network is 192.168.2.0/24)
--------------------------------------------------------------------------------------
permit same-security-traffic inter-interface
permit same-security-traffic intra-interfacethe DM_INLINE_NETWORK_1 object-group network
object-network 192.168.0.0 255.255.255.0
object-network 192.168.10.0 255.255.255.0
inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.10.0 255.255.255.0outside_1_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
mask 192.168.10.2 - 192.168.10.254 255.255.255.0 IP local pool AnyConnectPool
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 1 192.168.10.0 255.255.255.0
access-outside group access component software snap-in interface outside
Route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-win-3.1.05152-k9.pkg 1 image
SVC profiles AnyConnectProfile disk0: / anyconnect_client.xml
enable SVC
tunnel-group-list activate
internal AnyConnectGrpPolicy group strategy
attributes of Group Policy AnyConnectGrpPolicy
WINS server no
value of 192.168.0.33 DNS server 192.168.2.33
VPN-session-timeout no
Protocol-tunnel-VPN l2tp ipsec svc
Split-tunnel-policy tunnelall
the address value AnyConnectPool pools
type tunnel-group AnyConnectGroup remote access
attributes global-tunnel-group AnyConnectGroup
address pool AnyConnectPool
authentication-server-group SERVER1_AD
Group Policy - by default-AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
the aaa authentication certificate
activation of the Group _AnyConnect aliasYour dial-up VPN traffic as originating apears on the external interface, so I think you need to exonerate NAT pool PN traffic directed to the site to site VPN. Something like this:
global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 nat (outside) 0 access-list outside_nat0 nat (outside) 1 192.168.10.0 255.255.255.0 access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
-
ASA encrypt interesting VPN traffic
Hello everybody out there using ASA.
I had a few IPSEC VPN tunnels between the company's central site and remote sites.
Two dsl lines were connected to the ASA, one for VPN traffic and the other for the internet.
The default gateway has been configured online internet, some static while insured roads as traffic to the sites of the company was sent through the other line.
A few days ago we changed the configuration of ASA to use only a single dsl connection, then the line serving the internet has been cut, while the other will become the gateway default and static routes have been removed.
The VPN connections instant stopped working and trying to send packets to the remote lan, it seems that ASA will not recognize that the traffic is encrypted. Obviousely we checked cryptomap, acl, ecc, but we find no problem... do you have any suggestions?
Thanks in advance,
Matt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
XNetwork object network
10.10.0.0 subnet 255.255.255.0network of the YNetwork object
172.0.1.0 subnet 255.255.255.0card crypto RB1ITSHDSL001_map2 1 corresponds to the address RB1ITSHDSL001_1_cryptomap
card crypto RB1ITSHDSL001_map2 1 set peer a.b.c.186
RB1ITSHDSL001_map2 1 transform-set ESP-3DES-SHA crypto card gameRB1ITSHDSL001_1_cryptomap list extended access permitted ip XNetwork object YNetwork
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hello
Your exit the ASA must be encrypting the traffic between XNetwork and YNetwork.
If the ASA does not encrypt this traffic, it could be because there is a problem with the NAT configuration.
When the ASA receives a packet, it must first check if there are ACLs that allows traffic, passes through the inspection engine and check that the associated NAT. For example, if the package is coordinated, then the private IP encryption will never take place.
Could ensure you that packets from the XNetwork are really reach the ASA, the NAT rule is correct and you may be looking for "debugging cry isa 127" and "scream ips 127" debug to check for errors of incompatibility.
In addition, what is the condition of the tunnel trying to communicate: "sh cry isa his"
Federico.
-
Does site to Site VPN traffic.
Hello
I had a problem with my connection to my supplier, and we can't figure it out for the life of us. We have the tunnel upward, we simply cannot ping either side of it. (as you can tell from the moment where the position, I am at a loss).
The goal is for our site to pass all traffic via the seller, so they can go out route to the internet for the rest of their network.
As I said, the tunnel is just, does not seem to be passsing no matter what traffic, or at least real traffic, I think the keep alives pass.
Hello
Some comments on configurations
Your configurations of sites on a quick glance seems fine. You have configured NAT0 for all traffic and you have set up all the traffic on the local network to connect VPN L2L.
The seller site configurations seems a little weird. Lets start with the routing. It has a route for network 10.0.0.0/8 and 10.4.0.0/16 pointing to the IP address 10.4.250.49 behind the interface 'inner' that CANNOT be the right gateway IP address as the IP 'internal' interfaces is 10.4.253.66/30, so the roads to my knowledge are useless. (IP address of the next hop must be from a directly connected network)
These are the roads
Route inside 10.0.0.0 255.0.0.0 10.4.250.49 1
Route inside 10.4.0.0 255.255.0.0 10.4.250.49 1
It's the 'inside' interface
interface GigabitEthernet0/1
No tap
Speed 1000
full duplex
nameif inside
security-level 100
IP 10.4.253.66 255.255.255.252
So with the configuration above it needs impossible even for traffic to the front between the local networks of the two sites.
If your goal is also to have passed your site outside of the site and outside traffic to the Internet through the ASA of the seller then its lack of certain configurations.
You should be at least
Global 1 interface (outside)
Since there are only "nat" statement currently sets the addresses of source for translations, but there is no "global" setting the actual address of the NAT/PAT.
The ASA of the Site of the seller is also the command lack
permit same-security-traffic intra-interface
That would allow the traffic coming through the "outside" interface (from your site through the VPN) and go through the 'outside' (your topic traffic to Internet)
-Jouni
-
VPN clients are unable to access internal resources
Hello
I have problems with internal resources from access to the content of VPN Clients. They connect using Cisco VPN Client, they connect correctly, an IP address from the correct range is given and I ping to the internal server, but any other type of access as Server terminal server. Ping to server ip from the inside is answered by interface router public ip instead of the internal server and I don't know if it's this way. There isn't any ACL applied.
Crypto ipsec debugging I see this error when I do the server terminal server:
% CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet. (ip) vrf/adr_dest = / public-ip, src_addr = 172.16.73.4, prot = 6
Here is the configuration associated with vpn:
crypto ISAKMP policy 10
BA aes 256
preshared authentication
Group 2
!
Configuration group customer isakmp crypto VPN_Clients
Cisco key
DNS 4.2.2.2
pool - vpn clients
ACL 101
netmask 255.255.255.0
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-sha-hmac
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
card crypto mymap client authentication list userlist
Group card crypto mymap isakmp authorization list
client configuration address map mymap crypto initiate
client configuration address map mymap crypto answer
map mymap 10-isakmp ipsec crypto dynamic dynmap
!
!
! Gateway for the default internal resources
interface Vlan72
IP 172.16.72.1 255.255.255.0
no ip proxy-arp
IP nat inside
IP virtual-reassembly
!
Kind regards.
VPN client IP local pool 172.16.73.2 172.16.73.10
!
!
interface Dialer1
the negotiated IP address
IP mtu 1492
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname XXXXX
PPP chap password 7 XXXXXXXX
accept dns ipcp PPP
PPP ipcp address accept
No cdp enable
crypto mymap map
access-list 101 permit ip 172.16.72.0 0.0.0.255 any
!
Hi Anotino,
Problem seems to be with the NAT configuration on the router. The NAT config is now below:
access-list 1 permit 172.16.72.0 0.0.0.255
NAT_WAN1 allowed 10 route map
corresponds to the ip address 1
match interface Dialer1
IP nat inside source overload map route NAT_WAN1 interface Dialer1
We need to change it to look like this:
access-list 100 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
access-list 100 permit ip 172.16.72.0 0.0.0.255 any
NAT_WAN1 allowed 10 route map
corresponds to the IP 100
IP nat inside source overload map route NAT_WAN1 interface Dialer1
This should make sure to go to the pool of clients VPN traffic United Nations concerns and therefore, you should be able to access the network using the private IP (172.16.72.2 for example).
Try this and tell me if this solves your problem.
Kind regards
Assia
Post edited by: Assia Ramamoorthy small correction in the post!
-
I have a new access provider. They have changed the look of my research.
I have a new access provider, and although I was NOT choosing their site as my home page, my research results now include their Web site page. I don't see where they are listed as my search engine. Google is always displayed as my search engine, but my research certainly are using their search engine. How can I get back the Google search engine and remove the search engine of century Link? Please help me? RRR
You are using Safari, Firefox, or Chrome?
Did you call Qwest support?
Tell them that you do not have a positive experience with their search engine, support of your searches on google.I know that the search in the address bar of firefox would be redirected to the ISP search engine.
I personally experienced this problem with all the cables from the ISP (Comcast, Cox, Charter, Frontier, Bright House, is not just of CL)You put your DNS servers 8.8.8.8 and 8.8.4.4 Google?
This will alleviate the problem you see with search for CL.
https://developers.Google.com/speed/public-DNS/docs/using#change_your_dns_server s_settings -
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK
I tried to set up a simple customer vpn using this document
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...
6.3 (5) PIX version
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password of VmHKIhnF4Gs5AWk3
VmHKIhnF4Gs5AWk3 encrypted passwd
hostname VOIPLABPIX
domain voicelab.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP address outside 208.x.x.11 255.255.255.0
IP address inside 172.10.2.2 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool voicelabpool 172.10.3.100 - 172.10.3.254
history of PDM activate
ARP timeout 14400
NAT (inside) - 0 102 access list
Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1
Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 172.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac
Crypto-map dynamic map2 10 set transform-set trmset1
map map1 10 ipsec-isakmp crypto dynamic map2
client authentication card crypto LOCAL map1
map1 outside crypto map interface
ISAKMP allows outside
ISAKMP identity address
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 encryption aes-256
ISAKMP policy 10 sha hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup address voicelabpool pool cuclab
vpngroup dns 204.x.x.10 Server cuclab
vpngroup cuclab by default-field voicelab.com
vpngroup split tunnel 101 cuclab
vpngroup idle 1800 cuclab-time
vpngroup password cuclab *.
Telnet timeout 5
SSH 208.x.x.11 255.255.255.255 outside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 172.10.1.2 255.255.255.255 inside
SSH timeout 60
Console timeout 0
username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2
Terminal width 80
Cryptochecksum:b03a349e1ac9e6022432523bbb54504b
: end
Try to turn on NAT - T
PIX (config) #isakmp nat-traversal 20
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
HTH
Maybe you are looking for
-
Rendered figures x 2, in some areas, quotes from finance.yahoo
GoogleChrome has had the problem for a while. In the page fields such as the 'Value of the Index', 'Edit', "Days Range", floating-point numbers are displayed 2 x, adjacent. Eg "Days Range". instead of 14, 469.73 - 14, 528.89 GC and FF display 14,469.
-
iPhone 6s doesn't sound. Ringing only
I've looked EVERYWHERE in the settings, and yes I checked the DND. phone is brand new. Just received today
-
Satellite Pro 4600: sometimes applications stop running with the new RAM
Hi all I was wondering if anyone out there can shed some light on my problem. I've recently upgraded for an extra 256 MB on my Satellite Pro 4600. The laptop showed the increase in RAM. Since the installation, for some reason any after running for aw
-
Hi guys, I have attached a 30 "HP monitor (lp3065) using HP displayport-> dvi adapter supplied with the monitor from the cradle of my x 220 (model 4290-lt8). Unfortunately, the resulting maximum resolution is 1280 x 800 I tried to connect the monitor
-
INCREASE the SCREEN RESOLUTION OF 1280 * 1024 to 1920 * 1080
The office is a Dell Optiplex GX260 with Windows XP Professional Version 2002 Service Pack 3. I recently bought a new monitor flat screen to replace the old monitor original fashion. The flat screen monitor is designed to provide the best images to