VPN up

How can I check if the site-to-site VPN is up?

Use the commands: sh isakmp sa and sh ipsec sa

Tags: Cisco Security
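Reading those two show outputs by hand gets tedious when a tunnel is "up but not passing traffic", so here is an added example (Python, not from the original post) that parses constructed sh isakmp sa / sh ipsec sa output and classifies the tunnel from the IKE state and the encaps/decaps counters. The output layout, the peer address and the counters are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA "show isakmp sa" output (IKEv1 site-to-site, phase 1 up).
ISAKMP_SA_SAMPLE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample of "show ipsec sa": this side encrypts 120 packets but never
# decrypts one, which is the "tunnel is up but traffic does not pass" symptom.
IPSEC_SA_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 0.0.0.0

      access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

# Phase-1 states meaning the IKE SA is established (MM_/AM_ACTIVE on ASA, QM_IDLE on IOS).
ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE", "QM_IDLE"}

HINTS = {
    "phase1-down": "no IKE SA: peer unreachable, PSK or ISAKMP policy mismatch",
    "phase1-negotiating": "IKE SA exists but is not ACTIVE yet; re-check in a few seconds",
    "phase2-missing": "IKE up but no IPsec SA: crypto ACL not mirrored or transform-set mismatch",
    "up-idle": "SAs up, no interesting traffic has been sent yet",
    "one-way-no-return": "we encrypt but nothing comes back: check far-side NAT exemption, crypto ACL, routing",
    "one-way-no-send": "far side sends but we never encrypt: check local NAT exemption, crypto ACL, routing",
    "passing": "traffic flows in both directions",
}


@dataclass
class IpsecSa:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int


def parse_isakmp_sa(text):
    """Return {peer_ip: state} for every IKE SA listed in 'show isakmp sa'."""
    peers = {}
    for block in re.split(r"\n\s*\d+\s+IKE Peer: ", "\n" + text)[1:]:
        peer = block.split()[0]
        m = re.search(r"State\s*:\s*(\S+)", block)
        peers[peer] = m.group(1) if m else "UNKNOWN"
    return peers


def parse_ipsec_sa(text):
    """Return one IpsecSa per crypto-map entry printed by 'show ipsec sa'."""
    sas = []
    for block in re.split(r"Crypto map tag:", text)[1:]:
        def grab(pattern, default=""):
            m = re.search(pattern, block)
            return m.group(1) if m else default
        sas.append(IpsecSa(
            peer=grab(r"current_peer:\s*(\S+)"),
            local_ident=grab(r"local ident[^:]*:\s*\(([^)]*)\)"),
            remote_ident=grab(r"remote ident[^:]*:\s*\(([^)]*)\)"),
            encaps=int(grab(r"#pkts encaps:\s*(\d+)", "0")),
            decaps=int(grab(r"#pkts decaps:\s*(\d+)", "0")),
        ))
    return sas


def diagnose(peer, isakmp_text, ipsec_text):
    """Classify the tunnel to `peer`; the returned key indexes HINTS."""
    state = parse_isakmp_sa(isakmp_text).get(peer)
    if state is None:
        return "phase1-down"
    if state not in ACTIVE_STATES:
        return "phase1-negotiating"
    sas = [s for s in parse_ipsec_sa(ipsec_text) if s.peer == peer]
    if not sas:
        return "phase2-missing"
    encaps = sum(s.encaps for s in sas)   # packets we encrypted towards the peer
    decaps = sum(s.decaps for s in sas)   # packets we received and decrypted
    if encaps and decaps:
        return "passing"
    if encaps:
        return "one-way-no-return"
    if decaps:
        return "one-way-no-send"
    return "up-idle"
```

On a real box, feed it the captured output of the two commands and look up HINTS[diagnose(...)] for the next thing to check.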

Similar Questions

  • Site-to-site VPN up but not passing traffic (ASA 5505, versions 8.3.1 and 9.2.3)

    Hello

    I am setting up a site-to-site VPN tunnel between two locations. Both have Cisco ASA 5505s running different versions, which I'll explain in more detail below. So far I was able to get the tunnel to come up, but I can't seem to pass traffic; I have been working at this for days now and have not been able to understand why it will not pass traffic. Needless to say, the customer is upset about the fact that their VPN is not up and they have to do things by hand. I'll put the configs below; if possible, can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.

    Site A IP = 0.0.0.0
    Site B IP = 1.1.1.1

    Site A version = 8.3.1
    Site B version = 9.2.3

    ___________________________________

    SITE A RUNNING CONFIG

    Output of the command: "sh run".

    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname SDMCLNASA01
    domain-name SDMCLNASA01.LOCAL
    enable password 5E8js/Fs7qxjxWdp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 0.0.0.0 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     domain-name SDMCLNASA01.LOCAL
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.0.0_24
     subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network lan_internal
     subnet 192.168.0.0 255.255.255.0
    object network smtp
     host 192.168.0.245
    object network http
     host 192.168.0.245
    object network rdp
     host 192.168.0.245
    object network ssl
     host 192.168.0.245
    object network camera_1
     host 192.168.0.13
    object network camerahttp
     host 192.168.0.13
    object service 8081
     service tcp source eq 8081 destination eq 8081
     description Dvr
    object network camera-http
     host 192.168.0.13
    object network dvr-http
     host 192.168.0.13
    object network dvr-mediaport
     host 192.168.0.13
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object udp
     protocol-object tcp
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq www
     port-object eq https
     port-object eq smtp
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq 34567
     port-object eq 34599
     port-object eq 8081
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit tcp any any eq smtp
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    nat (outside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
    !
    object network lan_internal
     nat (inside,outside) dynamic interface
    object network smtp
     nat (any,outside) static interface service tcp smtp smtp
    object network http
     nat (any,outside) static interface service tcp www www
    object network rdp
     nat (any,outside) static interface service tcp 3389 3389
    object network ssl
     nat (any,outside) static interface service tcp https https
    object network dvr-http
     nat (any,outside) static interface service tcp 8081 8081
    object network dvr-mediaport
     nat (any,outside) static interface service tcp 34567 34567
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 8080
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 outside
    http 71.40.221.136 255.255.255.252 inside
    http 71.40.221.136 255.255.255.252 outside
    http 192.168.0.0 255.255.255.0 outside
    http 97.79.197.42 255.255.255.255 inside
    http 97.79.197.42 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 1.1.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.50-192.168.0.150 inside
    dhcpd dns 192.168.0.245 209.18.47.62 interface inside
    dhcpd domain SDMCLNASA01.LOCAL interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ipsec l2tp-ipsec
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *****
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    !
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:462428c25e9748896e98863f2d8aeee7
    : end

    ________________________________

    SITE B RUNNING CONFIG

    Output of the command: "sh run".

    : Saved
    :
    : Serial Number: JMX1635Z1BV
    : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(3)
    !
    hostname ciscoasa
    enable password qddbwnZVxqYXToV9 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network camera_http
     host 192.168.1.13
    object network camera_media
     host 192.168.1.13
    object network NETWORK_OBJ_192.168.0.0_24
     subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit tcp any any eq 9000
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_access_in extended permit icmp any any
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-732.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
    nat (outside,inside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    !
    object network camera_http
     nat (any,outside) static interface service tcp www www
    object network camera_media
     nat (any,outside) static interface service tcp 9000 9000
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 0.0.0.0
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev1 enable outside
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.50-192.168.1.150 inside
    dhcpd dns 192.168.0.245 209.18.47.61 interface inside
    dhcpd domain SDPHARR.LOCAL interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1
    group-policy GroupPolicy_0.0.0.0 internal
    group-policy GroupPolicy_0.0.0.0 attributes
     vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 0.0.0.0 type ipsec-l2l
    tunnel-group 0.0.0.0 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    !
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
    : end

    Sorry, my mistake.

    Delete this if it's still there:

    crypto map external_map 1 set reverse-route

    Add this to both sides:

    crypto map outside_map 1 set reverse-route

    Sorry about that.

    Mike
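A check worth running against both sides' configs before chasing the tunnel itself: are the two crypto ACLs mirror images, and does each side carry the identity twice-NAT rule that keeps that traffic out of dynamic PAT? The following is an added example in Python, not code from the thread or from Cisco; it parses only the small subset of ASA 8.3+ syntax used here (object network, the ACL named by the crypto map, and nat ... source static A A destination static B B) and runs on constructed extracts loosely modelled on the thread's two configs, with site B's NAT exemption deliberately reversed so the checker has something to flag.

```python
import re
from ipaddress import ip_network

# Constructed ASA 8.3+ extracts, loosely modelled on the thread's configs (not the
# poster's actual configs). Site B's identity NAT rule is deliberately reversed.
SITE_A = """\
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
"""
SITE_B = """\
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 0.0.0.0
"""


def parse_objects(cfg):
    """Map 'object network' names to ip_network values (subnet or host)."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objs[current] = ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objs[current] = ip_network(m.group(1))
    return objs


def _net(tokens, objs):
    """Consume one ACL address operand: 'object NAME' or 'ADDR MASK'."""
    tok = next(tokens)
    if tok == "object":
        return objs[next(tokens)]
    return ip_network(f"{tok}/{next(tokens)}")


def crypto_acl_pairs(cfg, objs):
    """(local, remote) network pairs from the ACL bound by 'crypto map ... match address'."""
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    pairs = set()
    for line in cfg.splitlines():
        if line.startswith(f"access-list {acl} extended permit ip "):
            tokens = iter(line.split()[5:])
            pairs.add((_net(tokens, objs), _net(tokens, objs)))
    return pairs


def nat_exempt_pairs(cfg, objs):
    """(source, destination) pairs of identity twice-NAT rules on (inside,outside)."""
    pat = re.compile(r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    pairs = set()
    for s1, s2, d1, d2 in pat.findall(cfg):
        if s1 == s2 and d1 == d2:  # identity rule: translated == real on both sides
            pairs.add((objs[s1], objs[d1]))
    return pairs


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    objs_a, objs_b = parse_objects(cfg_a), parse_objects(cfg_b)
    acl_a, acl_b = crypto_acl_pairs(cfg_a, objs_a), crypto_acl_pairs(cfg_b, objs_b)
    # Phase 2 only completes if B's proxy IDs are A's with local/remote swapped.
    if {(remote, local) for local, remote in acl_a} != acl_b:
        findings.append("crypto ACLs are not mirror images")
    # Every crypto ACL pair needs a matching exemption, or the traffic is PATed
    # to the outside address and never matches the crypto ACL.
    for name, cfg, objs, acl in (("A", cfg_a, objs_a, acl_a), ("B", cfg_b, objs_b, acl_b)):
        for local, remote in sorted(acl - nat_exempt_pairs(cfg, objs), key=str):
            findings.append(f"site {name}: no NAT exemption for {local} -> {remote}")
    return findings
```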

  • VPN upward, but cannot ping through

    Hello

    I have a problem where two sites are trying to connect. The first location has a Cisco 861 and a UC500 for the phone system. The second location uses a UC520 for phones and as the router. Here are the configurations of the 861 and the UC520. Any help would be greatly appreciated!

    Cisco 861

    Current configuration : 7635 bytes
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    memory-size iomem 10
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-1477458744
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1477458744
     revocation-check none
     rsakeypair TP-self-signed-1477458744
    !
    !
    crypto pki certificate chain TP-self-signed-1477458744
     quit
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    !
    !
    license udi pid CISCO861-K9 sn fff
    !
    !
    username admin
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxx address 2.2.2.140 no-xauth
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
    !
    !
    crypto map mymap 1 ipsec-isakmp
     set peer 1.1.1.140
     set transform-set ESP-3DES-SHA
     match address SDM_1
    !
    !
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address 1.1.1.130 255.255.255.240
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed auto
     crypto map mymap
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable
    ip nat inside source static 10.1.1.23 1.1.1.133
    ip route 0.0.0.0 0.0.0.0 1.1.1.129
    !
    ip access-list extended SDM_1
     remark CCP_ACL Category=20
     permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
     permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
     permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
     remark IPSec Rule
    ip access-list extended VPN-TRAFFIC
     remark CCP_ACL Category=16
     permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
     permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    !
    access-list 1 remark CCP_ACL Category=16
    access-list 1 permit 0.0.0.0 255.255.255.0
    access-list 1 permit any
    access-list 23 permit 10.1.1.0 0.0.0.255
    access-list 23 permit any
    access-list 100 remark CCP_ACL Category=2
    access-list 100 remark IPSec Rule
    access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 100 permit ip 0.0.0.0 255.255.255.0 any
    access-list 100 deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 deny   ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 deny   ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 deny   ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 100 deny   ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 100 deny   ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4
    access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
    access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    no cdp run
    route-map SDM_RMAP_1 permit 1
     match ip address 100
    !
    !
    control-plane
    !

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco UC520

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key Panasonic address 1.1.1.130 no-xauth
    !
    crypto isakmp client configuration group EZVPN_GROUP_1
     key 8888
     dns 64.132.94.250 216.136.95.1
     pool SDM_POOL_1
     acl 105
     save-password
     max-users 10
    crypto isakmp profile sdm-ike-profile-1
     match identity group EZVPN_GROUP_1
     client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
     isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
     client configuration address respond
     virtual-template 1
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    !
    !
    crypto map mymap 1 ipsec-isakmp
     set peer 1.1.1.130
     set transform-set ESP-3DES-SHA
     match address 100
    !
    archive
     log config
      logging enable
      logging size 600
      hidekeys
    !
    !
    ip telnet source-interface BVI100
    ip tftp source-interface Loopback0
    !
    class-map match-all sdm_p2p_kazaa
     match protocol fasttrack
     match protocol kazaa2
    class-map match-all sdm_p2p_edonkey
     match protocol edonkey
    class-map match-all sdm_p2p_gnutella
     match protocol gnutella
    class-map match-all sdm_p2p_bittorrent
     match protocol bittorrent
    !
    bridge irb
    !
    interface Loopback0
     ip address 10.1.10.2 255.255.255.252
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/0
     ip address 2.2.2.140 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     speed 100
     full-duplex
     crypto map mymap
    !
    interface Integrated-Service-Engine0/0
     description cue is initialized with default IMAP group
     ip unnumbered BVI100
     ip nat inside
     ip virtual-reassembly
     service-module ip address 172.16.6.2 255.255.255.0
     service-module ip default-gateway 172.16.6.1
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered BVI1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    !
    interface Vlan1
     no ip address
     ip nat inside
     ip virtual-reassembly
     bridge-group 1
    !
    interface Vlan100
     no ip address
     ip nat inside
     ip virtual-reassembly
     bridge-group 100
    !
    interface BVI1
     ip address 10.0.0.250 255.255.255.0
     ip helper-address 10.0.0.6
     ip nat inside
     ip virtual-reassembly
    !
    interface BVI100
     ip address 172.16.6.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     h323-gateway voip interface
     h323-gateway voip bind srcaddr 172.16.6.1
    !
    ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http path flash:/gui
    ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable
    !
    ip access-list extended INSIDE_NAT
     deny   ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
     deny   ip any 10.1.1.0 0.0.0.255
     deny   ip any 192.168.3.0 0.0.0.255
     deny   ip any 172.16.4.0 0.0.0.255
     deny   ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
     deny   ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 10.1.10.0 0.0.0.255 any
     permit ip 10.0.0.0 0.0.0.255 any
     permit ip 172.16.6.0 0.0.0.255 any
    ip access-list extended NAT_CUSTOMERS
     permit tcp any host 2.2.2.140 eq 4550
    !
    access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
    access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
    access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 105 permit ip 172.16.4.0 0.0.0.255 any
    access-list 105 permit ip 10.1.1.0 0.0.0.255 any
    access-list 105 permit ip 192.168.3.0 0.0.0.255 any
    access-list 105 remark SDM_ACL Category=4
    access-list 105 permit ip 10.1.10.0 0.0.0.3 any
    access-list 105 permit ip 10.0.0.0 0.0.0.255 any
    access-list 105 permit ip 172.16.6.0 0.0.0.255 any
    snmp-server community public RO

    Hi Marshal,

    Good news, I give you 5 stars.

    Please mark this question as answered.

    Good day.

  • Site-to-site PIX VPN problems

    Hi, I currently have a site-to-site VPN up and running and it works fine. I am trying to bring two others online and just cannot make them work. I used the same configuration as the working one but I cannot get the next tunnel up. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you

    Main site - VPN clients connect to it, plus pt-to-pt VPNs to 3 endpoints

    Cisco PIX Firewall Version 6.3(3)

    * Main Site Config *

    access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    nat (inside) 0 access-list client_vpn
    sysopt connection permit-ipsec
    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address VPN_to_Site2
    crypto map outside_map 60 set peer 64.X.X.19
    crypto map outside_map 60 set transform-set fws_encry_set
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Site 2 config

    * Only because the pt-to-pt does not work, I have it set up to let VPN clients through to connect to the main site.

    Cisco PIX Firewall Version 6.3(5) *

    access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
    nat (inside) 0 access-list VPN_to_Main
    sysopt connection permit-ipsec
    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address VPN_to_Main
    crypto map outside_map 10 set peer 207.X.X.13
    crypto map outside_map 10 set transform-set fws_encry_set
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Errors

    PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created
    authenticator is HMAC-MD5
    IPSEC(validate_proposal): invalid local address

    I have a link that works very well. I copied the config from there, changed the IP info, and it does not work. The only differences in the configs are no sysopt route dnat and that it's on Version 6.2(2).

    IPSEC(sa_initiate): ACL = deny; no sa created

    I think that you have configured a VPN tunnel without removing the crypto map from the outside interface. The message above is the error we get in such a situation.

    I suggest the following solution:

    - remove the crypto map from the outside interface (on both PIXes)

    - do clear isa sa and clear ipsec sa (on both PIXes)

    - reapply the crypto map on the outside interfaces.

    If this doesn't solve the problem, restart the equipment.

    Kind regards

    Ajit

  • Cisco VPN Site to Site - Is interesting traffic required to bring up a VPN or not?

    A really quick and easy one for the VPN gurus out there...

    Essentially, I am setting up a VPN for backup, but unfortunately there is NO interesting traffic, and we need the VPN up.

    So... is this possible?

    Thanks in advance

    Arnoult

    I would also like to add to David's response. Depending on which firewall and configuration you use, there are either phase 1 keepalives or full end-to-end phase 2 keepalives.

    I do not know the Cisco equivalent or whether they even have one. An example of this with Juniper: dead-peer-detection (DPD) only sends IKEv1/2 keepalives, while VPN monitoring sends ICMP echo requests to track the VPN, or declares it dead.

    With DPD, it isn't exactly an interesting-traffic probe, it's just the IKE "hello, are you there" messages. After a while the VPN can go down due to lack of interesting traffic or having to re-negotiate phase 2. However, to create interesting traffic, you can set up an end-to-end ICMP IP SLA.

    You may have noticed in the past that the VPN will just go down after a while (if you have this configuration).

    There are three modes for how the ASA actually starts the negotiation of the SAs:

    Answer only: Specifies that this peer only responds to incoming IKE connections first during the initial exchange to determine the appropriate peer to connect to.

    Bidirectional (default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for site-to-site connections. [Only if interesting traffic is matched]

    Originate only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.

    For the ASA Experts out there, please correct me if I'm wrong.

    Hope this helps

    Bilal

  • VPN NAT on 2811

    Hello

    I have had a SonicWALL-to-SonicWALL VPN up and running for a few years, with network 192.168.5.x at my office able to access 192.168.6.x and 192.168.70.x in my data center.  Now I have to replace the SonicWALL at my office with a 2811, and I need to keep the VPN tunnel up and working.

    My 2811 is currently doing NAT and I have the VPN tunnel up, but no traffic passes.  I think I have troubleshot it down to a NAT problem, and I do not know how to solve it with ACLs, although I used to know how to do it on a PIX.

    What lines of code do I need to enable my office network (192.168.5.x) to access the data centre network (192.168.6.x and 70.x)?  There are currently no ACLs applied to the WAN interface at all, and I only have one static IP address.

    Hi Eric,

    access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.70.0 0.0.0.255
    access-list 111 permit ip 192.168.5.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 111
    !
    ip nat inside source route-map nonat interface  overload

    So that means everything denied in the route-map ACL will not be NATed when it matches that specific rule, and it goes through as it is...

    Regards

    Knockaert

  • VPN site to site as a backup

    Wondering if anyone has any suggestions for a configuration that I'm trying to get going.

    What I have is a colo data center that is connected to multiple sites via MPLS.  Internet access for all sites is through the colo. In case of MPLS failure, I'm trying to make an automated VPN failover that would connect an Adtran router with a Verizon Wireless card inside it.  I have the VPN up and that works.  It is the automation piece that I am trying to figure out.  Currently, the Pix has static routes that point to the MPLS router for all sites.  Everything else uses the MPLS router as the default gateway, and then the default gateway for the MPLS router is the Pix.

    If there is a failure the VPN will come up, but then there are the routes on the Pix that will just push to the MPLS.  The provider says to set a higher metric on the static routes back to the MPLS, but higher than what?  When the VPN comes up there aren't really any routes there to push the traffic through the VPN.

    The thought I had was that, given that the provider-managed MPLS router at the colo is a Cisco router, to have the provider redistribute the BGP routes back into EIGRP, which the Pix could pick up.  On failure, once EIGRP has been updated there is no route to the MPLS and everything would just route to the default gateway, which would be the Pix.

    Has anyone done something like that before who might have some ideas?

    Thank you

    A simple, delay-sensitive solution would be IP SLA on the PIX/ASA.  When the Site A MPLS interface is unreachable, a static route on the PIX/ASA pointing into the VPN tunnel is enabled.  When the MPLS interface becomes available again, the route is removed.

    HTH

    Andrew.

  • AnyConnect VPN full tunnel cannot access the site-to-site VPN

    I have an AnyConnect VPN set up with no split tunneling (U-turning/hairpinned traffic), running 8.2.5 code.

    It works fine, but I want to allow AnyConnect clients to reach the site-to-site VPN, which I have been unable to access.

    I checked that the AnyConnect network IP addresses are part of the tunnel on both sides.

    My logic tells me that I must not NAT traffic from the AnyConnect network to the site-to-site VPN, but I don't know how to do this.

    Any help would be appreciated.

    Here are the relevant parts of my config:

    (Home network is 192.168.0.0/24,

    the AnyConnect network is 192.168.10.0/24,

    site-to-site VPN network is 192.168.2.0/24)

    --------------------------------------------------------------------------------------

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.0.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

    ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-group <outside-acl-name> in interface outside
    route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
    webvpn
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
     svc profiles AnyConnectProfile disk0:/anyconnect_client.xml
     svc enable
     tunnel-group-list enable
    group-policy AnyConnectGrpPolicy internal
    group-policy AnyConnectGrpPolicy attributes
     wins-server none
     dns-server value 192.168.0.33 192.168.2.33
     vpn-session-timeout none
     vpn-tunnel-protocol l2tp-ipsec svc
     split-tunnel-policy tunnelall
     address-pools value AnyConnectPool
    tunnel-group AnyConnectGroup type remote-access
    tunnel-group AnyConnectGroup general-attributes
     address-pool AnyConnectPool
     authentication-server-group SERVER1_AD
     default-group-policy AnyConnectGrpPolicy
    tunnel-group AnyConnectGroup webvpn-attributes
     authentication aaa certificate
     group-alias _AnyConnect enable

    Your remote-access VPN traffic appears as originating on the outside interface, so I think you need to exempt the VPN pool traffic destined to the site-to-site VPN from NAT. Something like this:

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0
    nat (outside) 1 192.168.10.0 255.255.255.0
    access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

  • Cisco AnyConnect VPN connection has not changed my public IP address on Windows 7 64-bit

    Hello

    I installed the Cisco AnyConnect VPN client from my school so that I can access the school network from my Windows 7 laptop at home. I was able to connect, but when I used http://www.whatismyip.com/, it still showed the IP address assigned by my ISP.  In the "Network and Sharing Center" I have my original LAN and the VPN LAN up, but the access type for the VPN LAN is "No Internet access". The VPN connection seems to have activity, based on the changing bytes sent and received.

    I searched the Web for solutions and changed something like adding the gateway. But it did not help.

    Thanks for your help.

    Split tunneling is probably configured so that traffic destined to school networks passes through the VPN tunnel, and traffic destined to the Internet goes out through your local ISP. That's why whatismyip shows your public IP address from the ISP.

  • Some Windows file shares not visible through the clientless SSL VPN

    Hello

    I have an ASA 5505 with the SSC module and was able to get the SSL VPN up and running, but for some reason some of the shared folders do not appear when I connect. I checked the permissions of the shared folders that don't show up against those that do, and they are exactly the same.

    Thank you

    Chauncey

    Don't forget to rate the posts that helped you and mark it as resolved if this addressed the issue. Thank you!

  • Hub and spoke topology: can I route Internet traffic from PCs at a spoke site through the tunnel and NAT it out to the world on the 5520 hub?

    I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that is not possible, but I have a 5520 ASA at my central office site with a 20Mbps fiber Internet feed and two remote offices with ASA 5505 devices connected via DSL or cable modem, and I have finally got the site-to-site "spoke" VPN tunnels up and running with the ability to route traffic spoke-to-spoke through a "hairpin turn" on the Hub Site 5520.

    I have desktop PCs at each remote spoke site A & B that need to communicate directly with each other to support a small workgroup-style point-of-sale software package that is actually hosted on a PC at remote site A.

    PCs at both remote sites must also be able to communicate with a credit card processing service over the public Internet, and I would like the ASA 5505 units in each remote office to block all traffic from being NATed directly from each respective local LAN PC straight out to the Internet over each site's cable modem or DSL modem. I want to force these PCs to NAT their Internet-destined traffic back through the ASA 5520 located at the home office, over the VPN tunnels. In other words, I want the cable modem and DSL connections to route strictly VPN-encrypted traffic to the home office and not also behave like NAT routers for the local PCs.

    I can stop the 5505 from NATing the PCs in the remote offices simply by removing the factory-default dynamic NAT rule for "everything", but then I can't figure out how to get my central 5520 to perform the NAT required for the remote PCs to talk to their Internet credit card processor service without breaking the "NAT-free" configs necessary for spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote desktop on my central 5520 ASA, it breaks the VPN tunnel for that specific PC.

    Is what I want to accomplish even possible with the ASA?

    Hi Neal,

    Yes, it's quite possible! Below is a list of things you need to do:

    (1) Make sure, of course, that on both of the ASA 5505s you send ALL traffic from the local network through the VPN.

    (2) As Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

    (3) You do not have to have a proxy server configured, but that is also a good solution. To make it work without one, assuming the ASA 5505 remote subnets are 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

    nat (outside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 192.168.2.0 255.255.255.0
    global (outside) 1 interface

    Please note that the id 1 and the interface can be replaced according to the configuration you already have in place on the ASA 5520.

    I don't know what kind of NAT exemptions are causing the issues for you, but if you can post a sanitized config of one of your ASA 5505s and the ASA 5520, I can make suggestions regarding the exact configuration.

    Let me know if it helps!

    Thank you and best regards,

    Assia

  • S2S VPN - cannot get the tunnel up

    I can't bring up a site-to-site VPN because of a configuration error that I can't fix.

    The topology is Server1 > Hub > ASA-1 <> ASA-2 <> ...

    When I launch a ping from Server 1 to Server 2 to try to get the tunnel up, I get the following error:

    %ASA-6-110002: Failed to locate egress interface for ICMP from inside:192.168.100.2/2655 to 192.168.200.2/0

    No matter which side I ping from, I get the error on both ASAs. Here is the config for the two ASAs, thanks for any help.

    !
    hostname ASA-1
    !
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 80.1.1.1 255.255.255.252
    !
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.100.1 255.255.255.0
    !
    ftp mode passive
    object network PC_LAN
     subnet 192.168.100.0 255.255.255.0
    object network REMOTE_LAN
     subnet 192.168.200.0 255.255.255.0
    access-list ACL-OUTSIDE-PING extended permit icmp any any
    access-list LAB_S2S_VPN extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
    access-list LAB_S2S_VPN extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
    pager lines 24
    logging enable
    logging buffer-size 6000
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    arp timeout 14400
    nat (inside,outside) source static PC_LAN PC_LAN destination static REMOTE_LAN REMOTE_LAN
    access-group ACL-OUTSIDE-PING in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
    crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.2
    crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
    crypto map VPN_CRYPTO_MAP interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group 80.1.1.2 type ipsec-l2l
    tunnel-group 80.1.1.2 ipsec-attributes
     ikev1 pre-shared-key *****

    hostname ASA-2
    !
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 80.1.1.2 255.255.255.252
    !
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.200.1 255.255.255.0
    !
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    object network PC_LAN
     subnet 192.168.200.0 255.255.255.0
    object network REMOTE_LAN
     subnet 192.168.100.0 255.255.255.0
    access-list ACL-OUTSIDE-PING extended permit icmp any any
    access-list LAB_S2S_VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
    access-list LAB_S2S_VPN extended permit icmp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static PC_LAN PC_LAN
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
    crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.1
    crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
    crypto map VPN_CRYPTO_MAP interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group 80.1.1.1 type ipsec-l2l
    tunnel-group 80.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    !

    You don't have a route to 192.168.200.2, so it was not able to locate the next hop for the tunnel traffic.

    Adding these static routes causes all traffic to be sent to the Internet default gateway, both VPN and non-VPN traffic.
    So adding a route for 192.168.200.0 pointing to 80.1.1.X gives the same results.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • VPN Site to Site tunnel not coming up on a router

    Hello

    This is the first time I try to configure a Site to Site VPN on two routers, X and Y. I use Cisco SDM.

    Router X I have set up following this guide: http://www.tekkom.dk/mediawiki/images/e/ee/IP_sec_site-to-site_sdm.pdf

    Then I created a mirror and applied it on router Y; on router Y the VPN tunnel comes up.

    But I have a problem with router X. When I try to bring the tunnel up, I have two problems:

    The peer must be routed through the crypto map interface. The following host is routed through a non-crypto map interface: (1) 79.*.*.*

    (79.*.*.* is the WLAN address of router Y)

    The tunnel traffic destination must be routed through the crypto map interface. The following destination(s) is routed through a non-crypto map interface: (1) 10.*.*.*

    (10.*.*.* is the LAN address of router Y)

    Router configurations are in the attached files.

    Apologies for the late answer.

    You have the same crypto map applied to the physical interface and the dialer0 interface. You can try removing it from the dialer0 interface and testing again.

    If that does not work, you can try the reverse, i.e. remove it from the physical interface and apply it to dialer0 only.

    Jon

  • VPN tunnel up, but no traffic?

    I decided to take a Cisco 1800 series router and try to set it up. So far I can get out, and everything seems fine. I then tried to configure a VPN tunnel between this router and a SonicWall router.

    Now the problem is that both the SonicWall GUI and the Cisco say that this tunnel is up. But I can't access the internal networks...

    So my Cisco LAN is 192.168.11.0 255.255.255.0

    and the SonicWall LAN is 192.168.1.0 255.255.255.0

    They can't talk even though the tunnel is up. I have been banging my head, running through the tutorials, and just can not figure it out.

    Here's proof that we have achieved at least the first phase:

    inbound esp sas:
          spi: 0xD1BC1B8E(3518765966)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3003, flow_id: FPGA:3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4541007/2298)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

    outbound esp sas:
          spi: 0xAE589C1E(2925042718)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3004, flow_id: FPGA:4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4541027/2297)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE



    So here's my config: (what am I missing?)

    Current configuration : 3972 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname CompsysRouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret *****************
    enable password ***********
    !
    aaa new-model
    !
    aaa session-id common
    ip cef
    !
    no ip domain lookup
    ip domain name ********.local
    ip inspect name myfw http timeout 3600
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw udp timeout 3600
    ip inspect name myfw dns timeout 3600
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    crypto pki trustpoint TP-self-signed-1821875492
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1821875492
     revocation-check none
     rsakeypair TP-self-signed-1821875492
    !
    crypto pki certificate chain TP-self-signed-1821875492
     certificate self-signed 01
      quit
    username jdixon secret 5 $*****************
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key  address
    !
    crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
    !
    crypto map vpn 10 ipsec-isakmp
     set peer
     set transform-set compsys
     match address 101
    !
    interface FastEthernet0/0
     ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248
     ip access-group Inbound in
     ip nat outside
     ip inspect myfw out
     ip virtual-reassembly
     duplex auto
     speed auto
     no keepalive
     crypto map vpn
    !
    interface FastEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999
    !
    ip access-list extended Inbound
     permit icmp any any
     permit gre host "REMOTE ROUTER" host "LOCAL ROUTER"
     permit esp host "REMOTE ROUTER" host "LOCAL ROUTER"
     permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
     permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER"
     permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
     permit ip host "REMOTE ROUTER" any
     permit tcp any host "LOCAL ROUTER" eq 22
    !
    access-list 1 permit 192.168.11.0 0.0.0.255
    access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    scheduler allocate 20000 1000
    end
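    The SA listing the poster included is exactly the evidence the question at the top of this page asks for (sh crypto ipsec sa). As an added example that is not part of the original post, here is a small parser for that output; the '#pkts encaps' / '#pkts decaps' counter lines it also understands are part of the real command output but are constructed here, since the poster's excerpt omits them.

```python
"""Parse 'show crypto ipsec sa' output and report whether phase 2 is really up.

Added example, not from the thread. It reads the 'inbound/outbound esp sas:'
blocks in the format posted above and, when the command's '#pkts encaps' /
'#pkts decaps' counters are present, tells the 'tunnel up, no traffic' cases apart.
SAMPLE_OUTPUT is the poster's SA block with two constructed counter lines in front.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class EspSa:
    direction: str   # "inbound" or "outbound"
    spi: int
    transform: str
    status: str
    kb_left: int     # remaining key lifetime, kilobytes
    sec_left: int    # remaining key lifetime, seconds


SECTION_RE = re.compile(r"^\s*(inbound|outbound) esp sas:", re.M)
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*,")
STATUS_RE = re.compile(r"Status:\s*(\w+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_esp_sas(text: str) -> list[EspSa]:
    """Cut the output at each esp-sas header and pull one SA out of each piece."""
    heads = list(SECTION_RE.finditer(text))
    sas: list[EspSa] = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[head.end():end]
        spi = SPI_RE.search(chunk)
        if spi is None:
            continue                     # empty section: no SA in this direction
        transform = TRANSFORM_RE.search(chunk)
        status = STATUS_RE.search(chunk)
        life = LIFE_RE.search(chunk)
        sas.append(EspSa(head.group(1), int(spi.group(1), 16),
                         transform.group(1) if transform else "?",
                         status.group(1) if status else "?",
                         int(life.group(1)) if life else 0,
                         int(life.group(2)) if life else 0))
    return sas


def parse_counters(text: str) -> dict[str, int]:
    """Return {'encaps': n, 'decaps': n}, or {} when the counters are absent."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def diagnose(text: str) -> str:
    """Phase 2 needs an ACTIVE SA in both directions; the counters then show on
    which side of the tunnel a 'no traffic' problem sits."""
    active = {sa.direction for sa in parse_esp_sas(text) if sa.status == "ACTIVE"}
    if {"inbound", "outbound"} - active:
        return "phase2-down"
    counters = parse_counters(text)
    if "encaps" not in counters or "decaps" not in counters:
        return "phase2-up"               # SAs present, but no counters to judge traffic
    if counters["encaps"] == 0:
        return "phase2-up-no-encaps"     # nothing enters the tunnel: local NAT/ACL/route
    if counters["decaps"] == 0:
        return "phase2-up-no-decaps"     # we send, nothing returns: check the far side
    return "phase2-up-traffic-flowing"


# Poster's SA block; the two '#pkts' lines are constructed for the demo.
SAMPLE_OUTPUT = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0xD1BC1B8E(3518765966)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4541007/2298)
        Status: ACTIVE
    outbound esp sas:
      spi: 0xAE589C1E(2925042718)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4541027/2297)
        Status: ACTIVE
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
```

    With both SAs ACTIVE but zero encaps, the verdict points at the local side (NAT, crypto ACL or routing), which is where the answer below finds the fault.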

    NAT exemption is where it is failing.

    Please kindly change it to the following:

    access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 150 permit ip 192.168.11.0 0.0.0.255 any

    ip nat inside source list 150 interface fastethernet0/0 overload
    no ip nat inside source list 1 interface fastethernet0/0 overload

    Hope that helps.
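    The fix above, like the route-map nonat answer in the 2811 thread, relies on IOS evaluating the NAT ACL first-match, with a deny meaning "do not translate". As an added example (not from the thread), the following script models that evaluation with the posted ACL lines and shows which flows list 1 hands to NAT before the crypto map ever sees them; the flow addresses are constructed.

```python
"""Does NAT grab a flow before the crypto map can? (IOS first-match ACL model)

Added example, not from the thread. 'ip nat inside source list N ... overload'
translates a packet only when ACL N permits it; a deny entry, or no match at all
(implicit deny), leaves the packet alone so the crypto map can still claim it.
The 'route-map nonat' form from the 2811 answer works the same way. The ACL
lines below are the ones posted in the thread; the flow addresses are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (IOS wildcard mask)
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    tok = spec.split()
    if tok[0] == "host":
        return addr == tok[1]
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))
    a, base = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(tok[0]))
    return (a & care) == (base & care)


def _take_addr(tok: list[str]) -> tuple[str, list[str]]:
    """Consume one address spec from a token list; return (spec, remaining)."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return f"host {tok[1]}", tok[2:]
    if len(tok) == 1:                    # bare address in a standard ACL means host
        return f"host {tok[0]}", []
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_acls(lines: list[str]) -> dict[str, list[Ace]]:
    """Parse 'access-list N permit|deny ...' lines. Standard ACLs (1-99) carry a
    source only; extended ACLs carry protocol, source, destination. Order kept."""
    acls: dict[str, list[Ace]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, rest = tok[1], tok[2], tok[3:]
        if 1 <= int(number) <= 99:
            src, _ = _take_addr(rest)
            dst = "any"
        else:
            src, rest = _take_addr(rest[1:])   # rest[0] is the protocol keyword
            dst, _ = _take_addr(rest)
        acls.setdefault(number, []).append(Ace(action, src, dst))
    return acls


def acl_lookup(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


def check_nat_exemption(nat_lines, nat_number, crypto_lines, crypto_number, flows):
    """Map each (src, dst) to (selected_by_crypto_acl, translated_by_nat).
    (True, True) is the thread's symptom: tunnel up, but it carries nothing."""
    nat_acl = parse_acls(nat_lines)[nat_number]
    crypto_acl = parse_acls(crypto_lines)[crypto_number]
    return {(s, d): (acl_lookup(crypto_acl, s, d) == "permit",
                     acl_lookup(nat_acl, s, d) == "permit") for s, d in flows}


def leaking_flows(result):
    """Flows the crypto ACL wants in the tunnel but NAT rewrites first."""
    return [f for f, (in_tunnel, natted) in result.items() if in_tunnel and natted]


# ACLs as posted: list 1 is the original NAT ACL, list 150 the suggested fix.
BROKEN_NAT = ["access-list 1 permit 192.168.11.0 0.0.0.255"]
FIXED_NAT = ["access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255",
             "access-list 150 permit ip 192.168.11.0 0.0.0.255 any"]
CRYPTO = ["access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255"]
FLOWS = [("192.168.11.55", "192.168.1.10"),    # LAN -> SonicWall LAN: should use the tunnel
         ("192.168.11.55", "203.0.113.10")]    # LAN -> Internet (constructed address)

if __name__ == "__main__":
    for label, nat, num in (("list 1", BROKEN_NAT, "1"), ("list 150", FIXED_NAT, "150")):
        print(label, "NATed before the tunnel:",
              leaking_flows(check_nat_exemption(nat, num, CRYPTO, "101", FLOWS)))
```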

  • Remote VPN on 2801 up but no traffic

    I decided to set up a remote VPN on a 2801 router. So, after some time I got my VPN tunnel up and in state QM_IDLE, but all traffic on the VPN client gets worked around or ignored, so I can't access my internal network via the VPN tunnel.
    Can you please help?

    Ahhhhhhhhhhhhhhhhhhh, now I know. OK, first of all, if it is the MOBILE broadband card, it is not supported by the VPN client.

    Now we have a workaround: set up your 3G as a dial-up modem connection and boom, it should start working.

    Kind regards

    Rebecca
