VPN tunnel up, but no traffic?

I decided to take a Cisco 1800 series router and try to put it in place. So far I can get out to the Internet, and everything seems fine. I then tried to configure a VPN tunnel between this router and a SonicWall secure router.

Now the problem is that both the SonicWall GUI and the Cisco say the tunnel is up, but I can't access the internal networks...

So my Cisco LAN is 192.168.11.0 255.255.255.0

and the SonicWall LAN is 192.168.1.0 255.255.255.0

They can't talk to each other even though the tunnel is up. I've been banging my head against it, running through the tutorials, and just cannot understand.

Here's proof that we've at least got the first phase up:

inbound esp sas:
      spi: 0xD1BC1B8E(3518765966)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4541007/2298)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

outbound esp sas:
      spi: 0xAE589C1E(2925042718)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: FPGA:4, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4541027/2297)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE



So here's my config (what am I missing?):

Current configuration : 3972 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompsysRouter
!
boot-start-marker
boot-end-marker
!
enable secret *****************
enable password ***********
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
!
!
!
no ip domain lookup
ip domain name ********.local
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw dns timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-1821875492
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1821875492
 revocation-check none
 rsakeypair TP-self-signed-1821875492
!
!
crypto pki certificate chain TP-self-signed-1821875492
 certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
  37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
  0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
  F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
  91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
  5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
  168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
  0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
  01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
  93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
  5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
  7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
  14F3C7C5 60E08BE3 88
  quit
username jdixon secret 5 $*****************
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key address
!
!
crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer
 set transform-set compsys
 match address 101
!
!
!
interface FastEthernet0/0
 ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248
 ip access-group Inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 crypto map vpn
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999
!
ip access-list extended Inbound
 permit icmp any any
 permit gre host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit esp host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
 permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
 permit ip host "REMOTE ROUTER" any
 permit tcp any host "LOCAL ROUTER" eq 22
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

NAT exemption is where it's failing.

Please change it as follows:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.11.0 0.0.0.255 any
ip nat inside source list 150 interface FastEthernet0/0 overload
no ip nat inside source list 1 interface FastEthernet0/0 overload

Hope that helps.
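To see why the NAT exemption above is the fix, here is an added example (not code from the thread or from Cisco) that replays the IOS egress order of operations on FastEthernet0/0: inside-to-outside NAT is applied before the crypto map is consulted, so a packet that the NAT ACL permits is PATed to the outside address first and then no longer matches crypto ACL 101. The ACLs are the ones quoted in the thread (1, 150 and 101); the outside address and the test packet are constructed sample values.

```python
"""Why NAT exemption matters: replay IOS's egress order on FastEthernet0/0.

Added example, not code from the original thread. On IOS, inside-to-outside
NAT is applied before the crypto map is consulted, so a packet that the NAT
ACL permits is PATed to the outside address first and then no longer matches
the crypto ACL. The ACLs below are the ones quoted in the thread (1, 150, 101);
the outside address and the test packet are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.2"  # constructed stand-in for "LOCAL ROUTER OUTSIDE"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks (CIDR)."""
    action: str
    src: str
    dst: str = "0.0.0.0/0"  # a standard ACL only looks at the source


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Turn an IOS 'address wildcard' pair (192.168.11.0 0.0.0.255) into CIDR."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()
    if w != (1 << (32 - prefix)) - 1:          # wildcard bits must be contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
            return ace.action
    return "deny"


LAN = wildcard_to_cidr("192.168.11.0", "0.0.0.255")    # Cisco side
REMOTE = wildcard_to_cidr("192.168.1.0", "0.0.0.255")  # SonicWall side

ACL_1 = [Ace("permit", LAN)]                            # original NAT ACL: PAT everything
ACL_150 = [Ace("deny", LAN, REMOTE),                    # NAT exemption for VPN traffic
           Ace("permit", LAN)]                          # PAT the rest (Internet-bound)
ACL_101 = [Ace("permit", LAN, REMOTE)]                  # crypto ACL (match address 101)


def egress(nat_acl, src: str, dst: str):
    """Return (source address on the wire, disposition) for a packet leaving Fa0/0."""
    # Step 1: 'ip nat inside source list <acl> interface Fa0/0 overload'
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP
    # Step 2: the crypto map on Fa0/0 compares the (possibly translated) packet with ACL 101
    if acl_lookup(ACL_101, src, dst) == "permit":
        return src, "encrypted into the tunnel"
    return src, "sent in the clear, never enters the tunnel"


if __name__ == "__main__":
    pkt = ("192.168.11.10", "192.168.1.20")  # constructed: Cisco LAN host -> SonicWall LAN host
    print("with access-list 1:  ", egress(ACL_1, *pkt))
    print("with access-list 150:", egress(ACL_150, *pkt))
    print("Internet-bound:      ", egress(ACL_150, "192.168.11.10", "198.51.100.7"))
```

With access-list 1 the LAN-to-LAN packet leaves as the outside address and is sent unencrypted; with access-list 150 it keeps its private source, matches 101 and is encrypted, while Internet-bound traffic is still PATed as before.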

Tags: Cisco Security

Similar Questions

  • Tunnel established but no traffic passing on the site-to-site VPN

    I have a Cisco 2900 series router building a site-to-site VPN tunnel to an ASA 5510. The tunnel comes up fine, but I can't get traffic through it. I have read several other posts and tried a lot of suggestions (probably breaking things in the process). I don't know if my NAT is all messed up or if my access lists on the router are goofy. Any help is greatly appreciated.

    The ASA config:

    ASA Version 8.4(4)1
    !
    hostname test-fw
    domain-name ficticious.local
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address *.*.*.* 255.255.255.*
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.3.2 255.255.255.0
    !
    interface Ethernet0/2
     nameif DMZ-TNS
     security-level 10
     ip address 192.168.31.1 255.255.255.0
    interface Ethernet0/3
     nameif DMZ-SMTP
     security-level 9
     ip address 192.168.32.1 255.255.255.0
    !
    interface Management0/0
     nameif cradelpoint
     security-level 1
     ip address 192.168.254.1 255.255.255.0
    !
    boot system disk0:/asa844-1-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name ficticious.local
    object network obj-172.16.3.2
     host 172.16.3.2
    object network obj-172.16.7.2
     host 172.16.7.2
    object network obj-172.16.10.2
     host 172.16.10.2
    object network obj-172.16.13.2
     host 172.16.13.2
    object network obj-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.4.0
     subnet 192.168.4.0 255.255.255.0
    object network obj-192.168.5.0
     subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.6.0
     subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.7.0
     subnet 192.168.7.0 255.255.255.0
    object network obj-192.168.8.0
     subnet 192.168.8.0 255.255.255.0
    object network obj-192.168.9.0
     subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.12.0
     subnet 192.168.12.0 255.255.255.0
    object network obj-192.168.13.0
     subnet 192.168.13.0 255.255.255.0
    object network obj-192.168.15.0
     subnet 192.168.15.0 255.255.255.0
    object network obj-192.168.16.0
     subnet 192.168.16.0 255.255.255.0
    object network obj-10.1.0.0
     subnet 10.1.0.0 255.255.0.0
    object network obj-192.168.32.10
     host 192.168.32.10
    object network NETWORK_OBJ_192.168.20.0
     host 192.168.20.0
    object network NETWORK_OBJ_192.168.20.0_24
     subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.3.0_24
     subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.0.0_16
     subnet 192.168.0.0 255.255.0.0
    object network NETWORK_OBJ_192.168.0.0_24
     subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.3.0
     host 192.168.3.0
    object network NETWORK_OBJ_192.168.3.144_28
     subnet 192.168.3.144 255.255.255.240
    object network obj-192.168.50.11
    object network obj-192.168.30.10
     host 192.168.30.10
    object network obj-192.168.40.10
     host 192.168.40.10
    object network obj-192.168.70.10
     host 192.168.70.10
    object network obj-192.168.150.10
     host 192.168.150.10
    object network obj-192.168.160.10
     host 192.168.160.10
    object network obj-10.10.10.10
     host 10.10.10.10
    object network obj-192.168.120.10
     host 192.168.120.10
    access-list Out-In extended deny ip any any
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging console informational
    logging monitor informational
    logging buffered debugging
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ-TNS 1500
    mtu DMZ-SMTP 1500
    mtu cradelpoint 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    icmp deny any inside
    icmp deny any DMZ-TNS
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.144_28 NETWORK_OBJ_192.168.3.144_28 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
    !
    object network obj-172.16.3.2
     nat (inside,outside) dynamic interface
    object network obj-172.16.7.2
     nat (inside,outside) dynamic interface
    object network obj-172.16.10.2
     nat (inside,outside) dynamic interface
    object network obj-172.16.13.2
     nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.4.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.5.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.7.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.9.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.10.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.12.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.13.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.15.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.16.0
     nat (inside,outside) dynamic interface
    object network obj-10.1.0.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.32.10
     nat (DMZ-SMTP,outside) static 12.200.89.172
    object network obj-192.168.50.11
    route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
    route inside 10.1.0.0 255.255.0.0 192.168.3.1 1
    route inside 10.10.0.0 255.255.0.0 192.168.3.1 1
    route inside 10.200.0.0 255.255.0.0 192.168.3.1 1
    route inside 172.16.3.2 255.255.255.255 192.168.3.1 1
    route inside 172.16.7.2 255.255.255.255 192.168.3.1 1
    route inside 172.16.10.2 255.255.255.255 192.168.3.1 1
    route inside 172.16.13.2 255.255.255.255 192.168.3.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.5.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.6.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.7.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.8.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.9.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.10.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.12.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.13.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.15.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.16.0 255.255.255.0 192.168.3.1 1
    route outside 192.168.20.0 255.255.255.0 *.*.*.* 1
    route inside 192.168.30.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.40.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.50.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.70.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.120.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.150.0 255.255.255.0 192.168.3.1 1
    route inside 192.168.160.0 255.255.255.0 192.168.3.1 1
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 1.1.1.1
    crypto map outside_map 1 set ikev1 transform-set cradelpoint_vpn
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.1.2.13 prefer
    ssl trust-point ASDM_TrustPoint0 outside
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map IPSclass
     match any
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map IPSpolicy
     class IPSclass
      ips inline fail-open
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
     class class-default
      user-statistics accounting
    !

    Router config:

    Current configuration : 2605 bytes
    !
    ! Last configuration change at 18:39:30 UTC Tue Aug 7 2012
    ! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
    ! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable password bonnefin
    !
    no aaa new-model
    !
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    !
    !
    ip name-server 192.168.100.1
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    !
    !
    !
    redundancy
    !
    crypto isakmp policy 2
     authentication pre-share
    crypto isakmp key 6 IBETYOUCANTGUESS address *.*.*.*
    !
    !
    crypto ipsec transform-set cradelpoint_vpn esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to *.*.*.*
     set peer *.*.*.*
     set transform-set cradelpoint_vpn
     match address 100
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     no ip address
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     no cdp enable
    !
    interface GigabitEthernet0/0.2
     encapsulation dot1Q 2
     no cdp enable
    !
    interface GigabitEthernet0/0.3
     encapsulation dot1Q 3
     no cdp enable
    !
    interface GigabitEthernet0/1
     ip address dhcp
     duplex auto
     speed auto
     no cdp enable
     crypto map SDM_CMAP_1
    !
    interface Serial0/0/0
     no ip address
     shutdown
     no fair-queue
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 110 interface GigabitEthernet0/1 overload
    ip nat inside source route-map sheep interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
    ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
    ip route 192.168.3.0 255.255.255.0 192.168.3.1
    !
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    !
    !
    !
    !
    route-map sheep permit 10
     match ip address 110
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     login
     transport input all
    !
    scheduler allocate 20000 1000
    end

    Ahh, looks like the CradlePoint router could be dropping the ESP packets: we can see the router is encrypting the packets, but the ASA receives/decrypts nothing, which means they don't even reach the ASA.

    Enable NAT-T, so ESP is encapsulated in UDP/4500.

    On the ASA:

    crypto isakmp nat-traversal 30
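What NAT-T changes on the wire, as an added example (not code from the thread or from Cisco): with NAT traversal both IKE and ESP move to UDP/4500 (RFC 3948), which a PAT device can translate because, unlike raw ESP (IP protocol 50), the datagram has ports. The classifier below tells apart the three things that share that port, the way a capture tool or NAT-T peer does: a lone 0xFF byte is a NAT keepalive, four zero bytes (the non-ESP marker) precede an IKE header, and anything else is an ESP header whose SPI is never zero. Every sample datagram is constructed; the one SPI value reused is the inbound SPI printed in the question's `show crypto ipsec sa` output.

```python
"""Tell apart what a UDP/4500 datagram carries once NAT-T is enabled.

Added example, not from the thread. With NAT traversal both IKE and ESP move
to UDP/4500 (RFC 3948), which a PAT device can translate because, unlike raw
ESP (IP protocol 50), the packet has ports. On that port the first bytes
disambiguate: 0xFF alone is a NAT keepalive, four zero bytes (the non-ESP
marker) precede an IKE header, and anything else is an ESP header whose SPI is
never zero. All sample datagrams below are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISPI, RSPI, next payload, version, exchange type, flags, message id, length
IKE_HEADER = struct.Struct("!QQBBBBII")


def classify_udp4500_payload(payload: bytes) -> dict:
    """Return a dict describing the payload kind and its header fields."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER and len(payload) >= 4 + IKE_HEADER.size:
        ispi, _rspi, _np, version, exch, _flags, _mid, length = IKE_HEADER.unpack_from(payload, 4)
        return {"kind": "ike", "version": f"{version >> 4}.{version & 0xF}",
                "exchange_type": exch, "initiator_spi": f"{ispi:016x}", "length": length}
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload, 0)
        if spi != 0:  # SPI 0 is reserved, so ESP can never be confused with the marker
            return {"kind": "esp", "spi": f"0x{spi:08X}", "seq": seq,
                    "ciphertext_len": len(payload) - 8}
    return {"kind": "malformed"}


def build_ike_sample(ispi: int, exchange_type: int, version: int = 0x10) -> bytes:
    """Constructed UDP/4500 IKE datagram: non-ESP marker + a header-only IKE message."""
    return NON_ESP_MARKER + IKE_HEADER.pack(ispi, 0, 0, version, exchange_type, 0, 0, IKE_HEADER.size)


def build_esp_sample(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP datagram: SPI + sequence number + opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


if __name__ == "__main__":
    samples = {
        "keepalive": b"\xff",
        "ikev1 main mode (exchange type 2)": build_ike_sample(0x1122334455667788, 2),
        "esp, SPI from the question's show output": build_esp_sample(0xD1BC1B8E, 7, b"\x00" * 32),
        "junk": b"\x00\x00\x00\x00\x01",
    }
    for name, datagram in samples.items():
        print(f"{name:42} -> {classify_udp4500_payload(datagram)}")
```

The `ciphertext_len` of an ESP datagram is opaque here on purpose: after the 8-byte SPI/sequence header everything up to the ICV is encrypted, so a classifier on the path can count packets per SPI (the same numbers `show crypto ipsec sa` reports as encaps/decaps) but cannot see inside them.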

  • VPN client and Cisco ASA 5505: tunnel works but no traffic

    Hi all

    I am new to this forum and don't have a lot of experience with Cisco, so I hope I can get help from the specialists.

    I have the following problem:

    I installed and configured an ASA 5505 for use with the VPN client. I would like to access the local network from outside through the VPN.

    To test, I set up the ASA 5505 with ADSL (PPPoE) and tried to give access to the internal network.

    Of course I receive a different IP address from the provider every time, but that isn't a problem to reconfigure in the VPN client.

    After the connection is established (the VPN tunnel works) I can see my packets on the external network. But I don't have any connection to the internal network.

    I erased my setup yesterday and tried to reconfigure the ASA again. I didn't test it yesterday, because it was too late. And I know that I don't have the permit rule in the ACL at present. But I think I'm having the same problem again (tunnel but no traffic).

    What did I do wrong? Could someone let me know what I have to do?

    Hoping for your help, Dimitri.

    ASA configuration after the reset and basic configuration (Internet access from inside works, of course):

    : Saved
    : Written by enable_15 at 20:29:18.909 CEDT Sun Aug 29 2010
    !
    ASA Version 8.2(2)
    !
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group home
     ip address pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 194.25.0.60
     name-server 194.25.0.68
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain log debugging
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log debugging
    access-list inside_access_in extended deny ip any any log debugging
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
    access-list homegroup_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool homepool 192.168.10.1-192.168.10.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    asdm location 192.168.0.0 255.255.0.0 inside
    asdm location 192.168.10.0 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group home request dialout pppoe
    vpdn group home localname 04152886790
    vpdn group home ppp authentication pap
    vpdn username 04152886790 password 1
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tftp-server inside 192.168.1.5 c:/tftp-root
    webvpn
    group-policy homegroup internal
    group-policy homegroup attributes
     dns-server value 192.168.1.1
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value homegroup_splitTunnelAcl
    username user01 password v5P40l1UGvtJa7Nn encrypted privilege 0
    username user01 attributes
     vpn-group-policy homegroup
    tunnel-group homegroup type remote-access
    tunnel-group homegroup general-attributes
     address-pool homepool
     default-group-policy homegroup
    tunnel-group homegroup ipsec-attributes
     pre-shared-key ciscotest
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
    : end

    Hello

    Normally you want a static public IP address on the ASA so that it can receive connections from VPN clients (to avoid changing the IP address all the time).

    When you connect via VPN, check the following:

    1. The tunnel is established:

    sh cry isa sa

    It must say QM_IDLE or MM_ACTIVE.

    2. Traffic is flowing (encrypted/decrypted):

    sh cry ips sa

    3. Enter the command:

    management-access inside

    and check whether you can ping the ASA's inside interface from the VPN client.

    4. Check that the default gateway of the internal LAN is the ASA's inside IP (or that there is a route to the ASA, so that traffic to the VPN clients is sent to it).

    Federico.
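Step 2 of the checklist above reads the encrypt/decrypt counters of `sh cry ips sa`, and the earlier thread's diagnosis ("the router encrypts, but the ASA decrypts nothing") is exactly that reading. Here is an added example, not code from either thread or from Cisco, that parses the `#pkts encaps` / `#pkts decaps` counters out of saved `show crypto ipsec sa` output and turns each SA's counter pattern into the usual verdict. The two output captures are constructed in the IOS output format (the addresses are documentation ranges), not taken from real devices.

```python
"""Read '#pkts encaps/decaps' from 'show crypto ipsec sa' and call the direction.

Added example, not from the thread. Parses the per-SA counters of IOS
'show crypto ipsec sa' output and classifies the result: both zero means the
crypto map never saw interesting traffic, encaps without decaps means we send
but nothing comes back (the ESP-dropped-in-path case), and so on. The captures
below are constructed in the IOS output format, not taken from real devices.
"""
import re

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(show_output: str) -> list:
    """Return one dict per SA: {'local': ..., 'remote': ..., 'encaps': n, 'decaps': n}."""
    sas = []
    # each SA section starts at its 'local ident' line; the interface header has none
    for block in re.split(r"(?=\n\s*local\s+ident)", show_output):
        idents = {m.group(1): m.group(2) for m in IDENT_RE.finditer(block)}
        if "local" not in idents:
            continue
        counters = {"encaps": 0, "decaps": 0}
        for m in COUNTER_RE.finditer(block):
            counters[m.group(1)] = int(m.group(2))
        sas.append({"local": idents["local"], "remote": idents.get("remote", "?"), **counters})
    return sas


def diagnose(sa: dict) -> str:
    """Map the counter pattern of one SA to the usual cause (short code first)."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-traffic: nothing matched the crypto ACL (check NAT exemption and the interesting-traffic ACL)"
    if sa["decaps"] == 0:
        return "one-way-out: we encrypt but receive nothing (ESP dropped in the path, or the peer's ACL/NAT/route)"
    if sa["encaps"] == 0:
        return "one-way-in: we decrypt but never send (return traffic NATed or missing the crypto ACL)"
    return "bidirectional"


# Constructed capture: two SAs on one interface, the first one sending only.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 203.0.113.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
"""


def report(show_output: str) -> list:
    """Return (remote, verdict) per SA; the list is what an operator would act on."""
    return [(sa["remote"], diagnose(sa)) for sa in parse_sa_counters(show_output)]


if __name__ == "__main__":
    for remote, verdict in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{remote:32} {verdict}")
```

Run the same parse on both peers: an SA that is "one-way-out" on one side and "no-traffic" on the other means the encrypted packets never arrive (the NAT-T case), while "one-way-out" on one side and "one-way-in" on the other means they arrive and are decrypted but the reply never makes it back into the tunnel (the NAT exemption or crypto ACL case).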

  • Remote VPN on 2801 up but no traffic

    I decided to set up a remote VPN on a 2801 router. After some time I got my VPN tunnel up with state QM_IDLE, but all traffic from the VPN client goes around it or is ignored, so I can't access my internal network via the VPN tunnel.
    Can you please help?

    Ahhhhhhh, now I know. First of all, if it's the mobile broadband card, it isn't supported by the VPN client.

    Now we have a workaround: set up your 3G as a modem connection and boom, it should start working.

    Kind regards

    Rebecca

  • RA tunnel up, but cannot access remote resources

    The VPN client connects successfully to the PIX, but it doesn't appear that any traffic goes through the tunnel. There is a site-to-site tunnel which works very well; it's just the RA stuff that doesn't. It had worked at some point and then stopped. This is a sanitized config:

    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *****
    passwd *****
    hostname depot-pix
    domain-name domain.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 2.2.2.2 cottage-pix
    name 192.168.0.3 server1
    name 192.168.0.4 server2
    access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list vpn permit icmp any any
    access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
    access-list splittunnel permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
    access-list acl_out permit icmp any any
    access-list acl_out permit tcp any interface outside eq https
    access-list acl_out permit tcp any interface outside eq 9333
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    icmp permit any unreachable outside
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.2.3.4 255.255.255.248
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnPool 192.168.30.10-192.168.30.20
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside)‌ 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp server1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5989 192.168.0.2 5989 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https server1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 9333 server2 9333 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server raAuth protocol radius
    aaa-server raAuth (inside) host server1 secretkey timeout 5
    aaa-server local protocol radius
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto dynamic-map dynMap 20 set transform-set strong
    crypto map OutsideMap 10 ipsec-isakmp
    crypto map OutsideMap 10 match address vpn
    crypto map OutsideMap 10 set peer cottage-pix
    crypto map OutsideMap 10 set transform-set strong
    crypto map OutsideMap 20 ipsec-isakmp dynamic dynMap
    crypto map OutsideMap client authentication raAuth
    crypto map OutsideMap interface outside
    isakmp enable outside
    isakmp key ***** address cottage-pix netmask 255.255.255.255
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup remoteAccess address-pool vpnPool
    vpngroup remoteAccess dns-server server1
    vpngroup remoteAccess wins-server server1
    vpngroup remoteAccess default-domain domain.local
    vpngroup remoteAccess split-tunnel splittunnel
    vpngroup remoteAccess idle-time 1800
    vpngroup remoteAccess password *****
    management-access inside
    console timeout 0
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:9f8a7e0796962279858931db84e4e14a
    : end

    Hello,

    You want to send traffic destined to the remote clients through the site-to-site tunnel.

    The recommendation is to use a different ACL for nat0 and for the crypto ACL.

    Federico.

  • L2L VPN is up but no traffic flows

    Hi people,

    I'm trying to set up an L2L VPN between an 1841 and an NSA 2400 via the SDM. The tunnel comes up, and when I test connectivity it shows as successful, but I get an error stating:

    "A ping with the data size of this VPN interface's MTU and the "do not fragment" bit set, sent to the VPN device at the other end, is failing. This can happen if there is a lower-MTU network in between that drops "do not fragment" packets."

    From my reading, this should not cause any traffic to drop, right?

    Currently, I can't ping or telnet to services from one end of the tunnel to the other. I was able to ping the SonicWall end momentarily at one point, but this disappeared shortly after (without my changing the config).

    All the ACLs created have been populated by the SDM.

    What troubleshooting steps should I take?

    Reduce the MTU size on the interface of your router:

    router(config)# interface type [slot_#/]port_#
    router(config-if)# ip mtu MTU_size_in_bytes
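As an added illustration of the MTU answer above (this is editor-supplied example code, not part of the thread), here is the arithmetic behind the failed DF ping. In tunnel mode ESP wraps the whole inner packet in a new IP header, an ESP header, the cipher IV, block padding, a 2-byte trailer and the ICV, so an inner packet as large as the link MTU can never fit once encapsulated, and a router that honours DF has to drop it. The sizes used are the standard ones (IPv4 header 20, ESP SPI+sequence 8, AES-CBC IV 16 / 3DES IV 8, HMAC-SHA1-96 or HMAC-MD5-96 ICV 12, UDP 8 when NAT-T is in use); the function names are mine.

```python
"""ESP tunnel-mode overhead: why a DF ping of the full interface MTU fails
through an IPsec tunnel, and what 'ip mtu' value actually fits."""

OUTER_IP = 20          # new IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
NAT_T_UDP = 8          # UDP/4500 header when NAT traversal is active
ESP_TRAILER = 2        # pad length (1) + next header (1)
IV_LEN = {"aes": 16, "3des": 8, "des": 8}
BLOCK = {"aes": 16, "3des": 8, "des": 8}
ICV_LEN = {"sha": 12, "md5": 12}   # HMAC-SHA1-96 / HMAC-MD5-96 (truncated)


def esp_tunnel_size(inner_len, cipher="aes", auth="sha", nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    bs = BLOCK[cipher]
    # The plaintext (inner packet + trailer) is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // bs) * bs
    return (OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR
            + IV_LEN[cipher] + padded + ICV_LEN[auth])


def max_inner_mtu(link_mtu=1500, cipher="aes", auth="sha", nat_t=False):
    """Largest inner packet whose encapsulation still fits the link MTU,
    i.e. the tightest safe value for 'ip mtu' on the tunnel-facing interface."""
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner, cipher, auth, nat_t) > link_mtu:
        inner -= 1
    return inner


def df_ping_fits(payload_len, link_mtu=1500, cipher="aes", auth="sha", nat_t=False):
    """Does an ICMP echo with payload_len data bytes (20 IP + 8 ICMP headers)
    survive the tunnel with DF set?"""
    return esp_tunnel_size(20 + 8 + payload_len, cipher, auth, nat_t) <= link_mtu


def recommended_settings(link_mtu=1500, cipher="aes", auth="sha", nat_t=False):
    """'ip mtu' that fits, plus the matching TCP MSS clamp (MTU minus 40 bytes
    of IP and TCP headers), as you would type them on the IOS interface."""
    mtu = max_inner_mtu(link_mtu, cipher, auth, nat_t)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - 40}


if __name__ == "__main__":
    # A 1500-byte ping (ping -l 1472) becomes 1560 bytes of ESP: dropped when DF is set.
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))
    print("AES/SHA, no NAT-T:", recommended_settings())
    print("AES/SHA behind NAT (NAT-T):", recommended_settings(nat_t=True))
```

The SDM test's failure therefore reports exactly what the numbers predict; what it does not tell you is whether your ordinary traffic sets DF. Windows and most modern TCP stacks do (path MTU discovery), so clamping `ip mtu` to the value above, and `ip tcp adjust-mss` 40 bytes lower, is the usual fix; many Cisco examples simply use 1400 and 1360 as a conservative pair.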

  • Tunnel up but cannot ping the ASA inside interface

    Dear all,

    I am establishing a VPN tunnel between a Cisco ASA 5510 and a Cisco router. The tunnel is up, and I can ping both crypto interfaces. Also, from the ASA console I can ping the router's LAN interface, but from the router I cannot ping the LAN interface of the ASA, and this message appears in the log:

    %ASA-3-713042: IKE Initiator unable to find policy: Intf liaison_BLR, Src: 128.223.125.232, Dst: 129.223.123.234

    Here is the config of the equipment.

    I was able to successfully establish an IPsec tunnel with another 1841 router. I have 1 hub site and 3 remote sites, with the ASA as the hub.

    Help, please.

    Your crypto ACLs are not matching. They must be exact mirrors of each other.

    In addition, you could consider setting the security levels of the interfaces. They are all at 0. Give the internal/private ones a higher value.

    Let me know how it goes.

    PS. If you find this post useful, please rate it.

  • SSL VPN on IOS but no traffic

    Dear all,

    I configured SSL VPN on a c3845. WebVPN works via the browser, but through the WebVPN client I am able to connect yet cannot reach any internal IP address on the network. Please find the show output for your reference.

    Check your 'ip nat inside' list 1 and make sure that your VPN traffic is not being NATted.

    -heather

  • PIX-to-Concentrator VPN tunnel: can I NAT traffic before the tunnel?

    I have a PIX-to-VPN Concentrator IPsec tunnel.

    I have a local host on my PIX inside interface with the IP 192.168.5.5, but the site at the VPN Concentrator end of the tunnel wants to see the IP 192.168.77.9 (because they use the 192.168.5.x network at their end for something else).

    I know how to NAT things from inside to outside, but I have never NATed traffic before the tunnel.

    Can I NAT a local inside IP address BEFORE traffic hits the tunnel?

    Yes, it is possible. Please see the below URL for the configuration details:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

    Kind regards

    Arul

  • VPN Tunnel established but no LAN access

    I have an embarrassing problem where several remote-site PCs are accessing HQ LAN resources very well using the VPN Client (v4.6) connecting to a Cisco PIX 515E. All the PCs run Windows XP SP2 with the O/S firewall off. One site PC, however, establishes the IPsec tunnel but cannot communicate with network resources (Intranet, Email, etc.), and it also times out pinging machines it should reach. I noticed when running VPN stats on the client that, even though packets are being encrypted, they are not being decrypted and there are many packets discarded. I'm quite a beginner when it comes to Cisco VPN; if someone has clues as to why one machine will not work when it has exactly the same configuration as the others, what should I do?

    No problem.

    If possible, mark this issue as resolved on this forum - it's useful when you search for old messages.

    M.

  • IPsec tunnel up, but local networks not reachable

    Hello,

    I have an ASA 5520 and a SnapGear. The IPsec tunnel is up and works very well, but I am not able to access the local LAN on either side. Here are a few parts of the setup:

    sh crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE

    crypto/isakmp:

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
    crypto map IPSECTEST_map0 1 set peer 10.10.10.2
    crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
    crypto map IPSECTEST_map0 1 set nat-t-disable
    crypto map IPSECTEST_map0 1 set phase1-mode aggressive
    crypto map IPSECTEST_map0 interface IPSECTEST
    crypto isakmp enable outside
    crypto isakmp enable IPSECTEST
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 3600

    sh route:

    C    172.16.3.0 255.255.255.0 is directly connected, VLAN10
    C    10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
    C    192.168.112.0 255.255.254.0 is directly connected, inside

    access-list:

    access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0

    and here's the scenario:

    If I ping the remote LAN from the ASA, I get this:

    ciscoasa(config)# ping 172.20.20.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.20.20.1, timeout is 2 seconds:
    No route to host 172.20.20.1

    Success rate is 0 percent (0/1)

    Any idea what I am missing?

    Here's how to set up NAT exemption on ASA 8.3:

    object network obj-172.16.3.0
     subnet 172.16.3.0 255.255.255.0

    object network obj-172.20.20.0
     subnet 172.20.20.0 255.255.255.0

    nat (inside,outside) source static obj-172.16.3.0 obj-172.16.3.0 destination static obj-172.20.20.0 obj-172.20.20.0

    Here's how it looks on ASA 8.2 and below:

    access-list inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.20.20.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
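Two pieces of advice recur in these threads: the crypto ACLs on the two peers must be exact mirrors of each other (the ASA 5510 answer above), and the NAT-exemption (nat0) rule must cover everything the crypto ACL selects, or the packet is translated before the crypto map ever sees it (Federico's nat0 remark and the 8.2/8.3 exemption answer just above). The checker below, added here by the editor and not part of any post, parses `permit ip` entries in both IOS (wildcard) and ASA (`extended`, netmask) syntax, normalises them to source/destination networks, and tests both properties. The sample ACLs are constructed, reusing the 192.168.11.0/24 and 192.168.1.0/24 networks from the first thread plus a hypothetical host 10.0.0.5; lines that refer to `object` or `object-group` names are skipped because resolving them needs the object table.

```python
"""Verify that two IPsec peers' crypto ACLs mirror each other and that the
nat0 (NAT exemption) ACL covers every flow the crypto ACL selects."""
import ipaddress

# Constructed sample ACLs: one IOS side, one ASA side (hypothetical addresses).
IOS_CRYPTO_ACL = """
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 10.0.0.5 192.168.1.0 0.0.0.255
"""
ASA_CRYPTO_ACL = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 10.0.0.5
"""
# A remote side that is NOT a mirror: a /23 is wider than the peer's /24.
ASA_CRYPTO_ACL_WRONG = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.254.0
"""
ASA_NAT0_ACL = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 10.0.0.5
"""


def _wildcard_to_netmask(wildcard):
    """IOS wildcard mask (0.0.0.255) -> netmask (255.255.255.0)."""
    bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def _parse_addr(tokens, i, asa):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1] if asa else _wildcard_to_netmask(tokens[i + 1])
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Return [(src_net, dst_net)] for every 'permit ip' entry of an IOS or ASA ACL.
    Entries naming objects/object-groups raise ValueError internally and are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or "permit" not in tokens:
            continue
        p = tokens.index("permit")
        if tokens[p + 1] != "ip":
            continue
        asa = "extended" in tokens
        try:
            src, nxt = _parse_addr(tokens, p + 2, asa)
            dst, _ = _parse_addr(tokens, nxt, asa)
        except (ValueError, IndexError):
            continue
        entries.append((src, dst))
    return entries


def mirror(entries):
    """Swap source and destination of every entry (what the peer should have)."""
    return {(dst, src) for src, dst in entries}


def is_mirror(local, remote):
    """Exact mirror: each local (src, dst) is a remote (dst, src) and vice versa."""
    return set(local) == mirror(remote)


def unmirrored(local, remote):
    """Entries on either side that have no counterpart on the other (what to fix)."""
    return sorted(set(local) ^ mirror(remote), key=str)


def nat_exempt_covers(nat0, crypto):
    """Every crypto pair must sit inside some nat0 pair; otherwise the packet is
    NATed first and no longer matches the crypto ACL (0 encaps on the tunnel)."""
    return all(any(cs.subnet_of(ns) and cd.subnet_of(nd) for ns, nd in nat0)
               for cs, cd in crypto)


if __name__ == "__main__":
    local, remote = parse_acl(IOS_CRYPTO_ACL), parse_acl(ASA_CRYPTO_ACL)
    print("mirror ok:", is_mirror(local, remote))
    print("mismatch vs wrong peer:", unmirrored(local, parse_acl(ASA_CRYPTO_ACL_WRONG)))
    print("nat0 covers crypto:", nat_exempt_covers(parse_acl(ASA_NAT0_ACL), remote))
```

On ASA 8.3 and later the same coverage test applies to the object pair in the `nat ... source static ... destination static ...` statement rather than to an ACL: if that rule's objects are narrower than the crypto ACL, the uncovered hosts are PATed to the outside interface address and never enter the tunnel.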

  • Tunnel up, but cannot ping

    I've set up a tunnel from an ASA called SALMONARM to a Cisco 1921 called PG-1921.

    I bring the tunnel up by sending some 'interesting' traffic.

    On PG-1921, I run show crypto isakmp sa, and an entry for the tunnel is present, with status ACTIVE.

    I do the same on SALMONARM, and once again the tunnel is present, with state MM_ACTIVE.

    So far so good.

    I try to send pings from inside the SALMONARM network to inside the PG-1921 network.

    The pings fail (time out).

    I run show crypto ipsec sa peer on SALMONARM, and I see 0 encaps and 0 decaps.

    This seems to suggest that the pings never leave the SALMONARM ASA.

    I believe I have a NAT exemption and an ACL to allow traffic from internal to the remote network.

    Here are the configs...
    SALMONARM (ASA): http://pastebin.com/raw.php?i=vYDhfe3r
    PG-1921 (Cisco 1921): http://pastebin.com/raw.php?i=L6aYhmc9

    The tunnel is crypto map PG_TUNNEL_MAP 11 in the SALMONARM config and crypto map SDM_CMAP_1 5 in the PG-1921 config.

    What might be missing?

    Do you have a router behind the ASA that could have bad routes? Are you pinging from the ASA itself or from a device behind it? Can you add the command 'management-access inside' and try to ping from the ASA with the command "ping inside x.x.x.x" and see if you get encaps then?

    Thank you,

    Mike

  • Cannot pass traffic through the VPN tunnel

    I have an ASA 5505 running 9.1. I have the VPN tunnel connected, but I am not able to pass traffic through the tunnel. Ping across the Internet works fine.

    Here is my config:

    LN-BLF-ASA5505> en
    Password: ********
    LN-BLF-ASA5505# sho run
    : Saved
    :
    : Serial Number: JMX1216Z0SM
    : Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.1(5)21
    !
    hostname LN-BLF-ASA5505
    domain-name lopeznegrete.com
    enable password ********
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ********
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.116.254 255.255.255.0
     ospf cost 10
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 50.201.218.69 255.255.255.224
     ospf cost 10
    !
    boot system disk0:/asa915-21-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name lopeznegrete.com
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object-group network LNC_Local_TX_Nets
     description Lopez Negrete internal networks (Texas)
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.2.0 255.255.255.0
     network-object 192.168.3.0 255.255.255.0
     network-object 192.168.4.0 255.255.255.0
     network-object 192.168.5.0 255.255.255.0
     network-object 192.168.51.0 255.255.255.0
     network-object 192.168.55.0 255.255.255.0
     network-object 192.168.52.0 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object 192.168.56.0 255.255.255.0
     network-object 192.168.59.0 255.255.255.0
     network-object 10.111.14.0 255.255.255.0
     network-object 10.111.19.0 255.255.255.0
    object-group network LNC_Blueleaf_Nets
     network-object 192.168.116.0 255.255.255.0
    access-list outside extended permit icmp any4 any4
    access-list outside extended permit icmp any any
    access-list outside_1_cryptomap extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    access-list inside_nat0_outbound extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    access-list LNC_BLF_HOU_VPN extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-741.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group outside in interface outside
    !
    router ospf 1
     network 192.168.116.254 255.255.255.255 area 0
     log-adj-changes
     default-information originate always
    !
    route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 50.201.218.93
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     no validation-usage
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
    010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
    30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
    0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
    65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
    68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
    302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
    63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
    010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
    1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
    082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
    ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
    45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
    2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
    1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
    03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
    69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
    02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
    6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
    1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
    445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
    1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
    2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
    b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
     quit
    crypto isakmp identity address
    crypto isakmp nat-traversal 1500
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    username
    username
    tunnel-group 50.201.218.93 type ipsec-l2l
    tunnel-group 50.201.218.93 ipsec-attributes
     ikev1 pre-shared-key ********
     peer-id-validate nocheck
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     contact-email-addr [email protected]
     profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e519f212867755f697101394f40d9ed7
    : end
    LN-BLF-ASA5505#

    Assuming that you have an active IPsec security association (i.e. "show crypto ipsec sa" shows the tunnel is up), please run a packet trace to see why it's failing:

     packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

    (simulating a hypothetical LNC Blueleaf client trying to browse to a hypothetical LNC TX local site server)
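The packet-tracer suggestion above is the right check, and the detail that matters is whether a NAT phase rewrites the source address before the VPN phase gets to look at it. Note that in the 9.1 config posted above the inside_nat0_outbound ACL is defined but no nat statement references it; on ASA 8.3 and later an ACL alone exempts nothing, so the only translation rule in force is the dynamic interface PAT on obj_any. The parser below is an editor-added example, not from the thread: it reads packet-tracer's Phase/Type/Subtype/Result blocks and the final Result summary, and reports drops and any pre-VPN source translation. The sample output is constructed to look like packet-tracer output for the exact command the answer gives (it was not captured from the poster's ASA), and the function names are mine.

```python
"""Parse ASA packet-tracer output and point at the phase that dropped, or
NAT-translated, a flow that should have been encrypted into the tunnel."""
import re

# Constructed sample laid out like ASA packet-tracer output (not a real capture).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.116.1/1025 to 50.201.218.69/1025

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRANSLATE_RE = re.compile(r"translate (\S+?)/\d+ to (\S+?)/\d+")


def parse_packet_tracer(text):
    """Split the output into phase dicts plus the final summary dict.
    Blocks are separated by blank lines; the first four lines of a phase are
    'Phase', 'Type', 'Subtype' and 'Result', the rest is free-form detail."""
    phases, summary = [], {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields = dict(line.split(":", 1) for line in lines[:4])
            phases.append({
                "phase": int(fields["Phase"]),
                "type": fields["Type"].strip(),
                "subtype": fields["Subtype"].strip(),
                "result": fields["Result"].strip(),
                "info": "\n".join(lines[4:]),
            })
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                summary[key.strip()] = value.strip()
    return phases, summary


def first_drop_phase(phases):
    """Number of the first phase whose Result is DROP, or None."""
    return next((p["phase"] for p in phases if p["result"] == "DROP"), None)


def diagnose(phases, summary):
    """List of findings: source NAT applied before the VPN phase (missing NAT
    exemption), every DROP phase, and the final action with its drop reason."""
    findings, vpn_seen = [], False
    for p in phases:
        if p["type"] == "NAT" and not vpn_seen:
            m = TRANSLATE_RE.search(p["info"])
            if m and m.group(1) != m.group(2):
                findings.append(f"phase {p['phase']}: NAT translated {m.group(1)} "
                                f"to {m.group(2)} before the VPN phase; add an "
                                f"identity NAT (exemption) for the VPN subnets")
        if p["type"] == "VPN":
            vpn_seen = True
        if p["result"] == "DROP":
            findings.append(f"phase {p['phase']}: {p['type']} {p['subtype']} -> DROP".rstrip())
    if summary.get("Action") == "drop":
        findings.append("final action: drop (" + summary.get("Drop-reason", "no reason given") + ")")
    return findings


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE)
    for finding in diagnose(phases, summary):
        print(finding)
```

Run the real `packet-tracer ... detail` output through `parse_packet_tracer` and look at the NAT phase first: if the source address in "Additional Information" changes and no VPN/encrypt phase follows with ALLOW, the crypto map never saw the original subnet, which matches the "0 encaps" symptom in the other threads.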

  • VPN tunnel stopped sending traffic

    Hello,

    One of our VPN tunnels has stopped sending traffic... Is there a way we can reset the tunnel, because I know there has been no config change on the tunnel?

    THX

    Shyam

    Hi Shyam,

    To clear the tunnel, you can do the following:

    PIX:

    clear crypto isakmp sa

    clear crypto ipsec sa

    IOS:

    clear crypto isakmp

    clear crypto sa

    HTH,

    Rate if this helped!

    -Kanishka

  • Help with a VPN tunnel between an ASA 5510 and a Juniper SSG20

    Hello,

    We have a customer wanting to configure a site-to-site VPN tunnel between a newly purchased ASA 5510 located at his branch and the Juniper SSG20 located at the main office. We contacted HP and they sent us a Cisco professional to do the job.

    After 2 days from 16:00 to 22:00 of trial and error, countless hours of research online and numerous calls, we are still unable to get traffic from the branch network to enter the tunnel.

              Branch                                      Main
             1.1.1.2                                    1.1.1.1
             -----                                      -----------
    192.168.8.0/24 | ASA |-------------------------| Juniper |    192.168.1.0/24
             -----                                      -----------
        192.168.8.254                                 192.168.1.254

    According to the Cisco professional, the tunnel is now up but no traffic passes through it. We are unable to ping anything on the network on the other side (192.168.1.0/24). We get ping timeouts all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which states "... that both sides of the VPN must have a different class of LAN for the VPN to work..." Would that be our problem?

    It has become a critical issue, to the point that we had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel up and traffic through until the ASA VPN issue is resolved, and needless to say the client is killing us!

    Help is very much appreciated.

    Thank you

    1. Yes, a ping packet sourced from the ASA's interface is considered interesting traffic to the Juniper LAN.

    On the ASA, you need to source the traffic from the ASA's private interface, because interesting traffic is determined by the crypto ACL MYLIST, which is between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to ping from the ASA's interface:

    management-access private

    To initiate the ping from the ASA's private interface:

    ping private 192.168.1.254

    2. The default time before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically until the next rekey. However, if there is traffic before the rekey, the new tunnel will be established and the VPN tunnel will stay up and continue to encrypt and decrypt traffic.

    Currently, your configuration has been defined with an SA lifetime of 3600 seconds OR 4608000 kilobytes of traffic before the next rekey (whichever of the 3600 seconds or the 4608000 kilobytes expires first). You can certainly change it to the default of 28800 seconds without configuring kilobytes. The SA lifetime is negotiated between the ASA and the Juniper, and whichever is the lowest value will be used.

    Hope that helps.
