VPN3005 and GRE as interesting traffic (in tunnel)

Hello

Is it possible to qualify GRE or IP-in-IP tunnel traffic as interesting traffic

(in a LAN-to-LAN tunnel) on a VPN3005?

On a router or PIX you simply define your access-list with gre or ip; how

can you do that on the concentrator, if it is possible at all?

Thanks in advance,

Kind regards

Stefan

Hello

Just set up the network lists (the lists that define the interesting traffic); the concentrator encrypts GRE traffic just as it does IP or ICMP, so no specific configuration is necessary.

Thank you

AFAQ

Tags: Cisco Security

Similar Questions

  • ASA-based S2S VPN, tunnel establishes only when interesting traffic comes from the remote end

    Dear all,

    I need your help to solve the problem described below.

    A VPN tunnel is established between two ASA units, device A and device B.

    (1) If interesting traffic is initiated from a device A LAN host, the traffic ACL gets hits but the tunnel does not come up.

    (2) If interesting traffic is initiated from a device B LAN host, the tunnel establishes and all services work.

    (3) After the tunnel was established from device B, we forced the tunnel down at both ends. When interesting traffic was initiated again from device A, surprisingly the tunnel came up. After 2 or 3 days (after the 86400-second lifetime expired), with traffic initiated from device A, the tunnel would not establish.

    (It is a backup link: interesting traffic won't be there all the time.)

    I checked all parameters and everything seems fine. The debug logs are attached below but are not very informative. Please suggest.

    Feb 02 2010 13:23:17: %ASA-7-713236: IP = 81.145.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 496

    Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:23: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    Feb 02 2010 13:23:25: %ASA-7-715065: IP = 81.x.x.x, IKE MM Initiator FSM error history (struct &0x1abb1e10) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 terminating: flags 0x01000022, refcnt 0, tuncnt 0

    Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, sending delete/delete with reason message

    Feb 02 2010 13:23:25: %ASA-3-713902: IP = 81.x.x.x, Removing peer from peer table failed, no match!

    Feb 02 2010 13:23:25: %ASA-4-713903: IP = 81.x.x.x, Error: Unable to remove PeerTblEntry

    Hi, I had a similar problem a long time ago. You can choose which side sets up the tunnel in your crypto map:

    crypto map IPsec_map 1 set connection-type bidirectional

    I hope this might help solve your problem. Kind regards.

  • Bring up the crypto map VPN tunnel without interesting traffic

    Is it possible on an ASA to bring up a site-to-site VPN tunnel with a static crypto map without generating interesting traffic? I want reverse route injection to generate the dynamic route before traffic begins to flow.

    Roman,

    Unless something changed recently, RRI inserts routes without SAs being present, meaning that they are static (in contrast to the current default behaviour on IOS 12.4(9)T, I think).

    But to answer the question, in more recent versions you can bring up the tunnel using the packet-tracer CLI.

    M.

    Edit: enhancement request that would bring the same RRI features to the ASA as on IOS:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCsx67450

  • Cannot generate interesting traffic

    Why doesn't the following config generate interesting traffic, no matter what, when I ping from 192.168.100.161 to 10.40.10.117?

    I have crypto debugging on and there doesn't seem to be any attempt to bring up the tunnel. I checked that it is hitting the correct access list and that it is NATing correctly, but there is no attempt to bring up the tunnel. I would appreciate an overview of this issue.

    Thank you.

    -pk

    (I have cut this down to the pieces I felt were significant to the problem.)

    ---------------------------------------

    name 192.168.100.161 Phil
    object-group network AddressesAllowed
     description These are the addresses that are allowed through the VPN firewall.
     network-object 10.40.10.118 255.255.255.255
     network-object 10.40.110.71 255.255.255.255
     network-object 10.48.10.37 255.255.255.255
     network-object 10.48.10.38 255.255.255.255
     network-object 192.168.41.31 255.255.255.255
     network-object 192.168.41.32 255.255.255.255
     network-object 10.46.0.15 255.255.255.255
     network-object 10.46.0.19 255.255.255.255
     network-object 10.40.10.117 255.255.255.255
     network-object 10.46.0.1 255.255.255.255
    access-list polnat161 permit ip host Phil object-group AddressesAllowed
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 10.44.3.161 access-list polnat161 0 0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address polnat161
    crypto map outside_map 40 set peer 21.54.52.112
    crypto map outside_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 40 set security-association lifetime seconds 21600 kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 21.54.52.112 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 3600

    Hi Philippe

    Your previous and current config are OK except for one thing. You translate Phil to 10.44.3.161 when that internal IP address tries to reach one of the hosts listed in AddressesAllowed; that is fine.

    But you tell your crypto map to establish a tunnel when Phil tries to reach AddressesAllowed. Phil is translated, though! So the traffic does not come from that IP address; it comes from 10.44.3.161. You need to make the following change:

    access-list int_traffic_40 permit ip host 10.44.3.161 object-group AddressesAllowed
    no crypto map outside_map 40 match address polnat161
    crypto map outside_map 40 match address int_traffic_40

    Regards
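The fix in the reply above, written out as an added example (it is not Philippe's or the respondent's configuration) together with the checks that show whether the crypto ACL is actually being hit. It uses the PIX 6.3 syntax of the posted config; on PIX/ASA the outbound order of operations is NAT first and the crypto map lookup second, which is why the crypto ACL has to name the translated address.

```cisco
! Added example, PIX 6.3 syntax. Names and addresses are the ones from the
! thread; nothing here is new policy, only the corrected crypto ACL plus checks.
!
! policy NAT as posted: Phil becomes 10.44.3.161 only toward AddressesAllowed
access-list polnat161 permit ip host Phil object-group AddressesAllowed
static (inside,outside) 10.44.3.161 access-list polnat161 0 0
!
! crypto ACL keyed on the post-NAT source, replacing the pre-NAT one
access-list int_traffic_40 permit ip host 10.44.3.161 object-group AddressesAllowed
no crypto map outside_map 40 match address polnat161
crypto map outside_map 40 match address int_traffic_40
!
! Generate traffic from Phil to 10.40.10.117, then check:
!   show access-list int_traffic_40    hitcnt on the permit line must increase
!   show isakmp sa                     expect a QM_IDLE entry for 21.54.52.112
!   show crypto ipsec sa               #pkts encaps must be greater than 0
!
! If hitcnt stays at 0 the packet was never translated to 10.44.3.161, so the
! policy static is not matching. The usual reason: "nat (inside) 0 access-list"
! (NAT exemption) is evaluated before any static, so if
! inside_outbound_nat0_acl also covers Phil -> AddressesAllowed, the packet
! leaves untranslated and neither polnat161 nor int_traffic_40 sees it.
```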

  • VPN3005 - PIX506 using NEM & RRI with split tunnel

    The design is as follows:

    VPN3005 (central) - tunnel - PIX506 (remote), network-extension-mode & RRI

    A VPN Client (PC) connects to the VPN3005 and wants to reach a server at the PIX506 site over the 3005-to-PIX506 tunnel.

    At the same time the users on the PIX506 LAN want to use the Internet directly, which means

    split tunneling should be used.

    On the VPN3005, under IP Routing - RRI, Network Extension RRI and

    Client RRI are enabled.

    Connectivity between the central LAN and the remote LAN works, but RRI for the

    VPN Client (PC) (which wants to connect to the server on the remote LAN) is not possible

    if split tunneling is used for EzVPN (PIX506).

    It works if you tunnel everything!

    Question:

    Is this not possible because this feature (EzVPN + RRI + split tunnel) is not implemented, or does this thing work?

    (A real HW3002 behaves the same way.)

    BTW: VPN Concentrator 3.6.7 (3.6.3, 3.6.5, 3.6.7A), HW3002 3.6.7, PIX 6.2.2 (6.3.136 beta)

    The images in brackets have also been tested, with the same behaviour.

    Thanks in advance for the help & information.

    Kind regards

    Stefan

    Do you have the VPN client address pool in the split tunnel list for the PIX? The trouble with split tunneling is that traffic has to come from behind the PIX to this network first; only then is the SA built for that particular subnet. If you try to connect via a client, or even from the LAN behind the 3005 (same thing in theory), then unless someone behind the PIX has sent traffic to this subnet first, your traffic will not get there.

    When split tunneling is not used, the PIX automatically creates the SA for all networks, and that is why you can then reach the hosts from a VPN client (or from the LAN behind the 3005).

    Try a simple test: launch a VPN client connection to the 3005, making sure that the address pool is in the PIX split tunnel list. If you try to ping from the client to the PIX network it will not work. Now have someone behind the PIX ping the VPN client's address; you will probably lose the first packet or two, but then it should respond OK. NOW try to ping from the VPN client to the PIX network; it should work now, because the PIX has built the tunnel to the address pool.

  • Question about redundancy and failover from one site to a tunnel

    First, I create the crypto map below:

    crypto map IPSec_map 10 match address encrypt-acl
    crypto map IPSec_map 10 set peer 209.165.201.1
    crypto map IPSec_map 10 set transform-set RIGHT
    crypto map IPSec_map 10 set reverse-route

    Then I set up a 2nd crypto map entry matching the same ACL:

    crypto map IPSec_map 20 match address encrypt-acl
    crypto map IPSec_map 20 set peer 23.10.10.10
    crypto map IPSec_map 20 set transform-set RIGHT
    crypto map IPSec_map 20 set reverse-route

    My first question is: since crypto maps are processed in order, does that mean the first VPN tunnel (map 10) will always be used if it is up?

    If so, what happens when the remote peer 209.165.201.1 becomes unreachable? Does the tunnel to the 23.10.10.10 peer come up automatically?

    What is the best way to achieve a primary and secondary site-to-site VPN where 209.165.201.1 is the primary and 23.10.10.10 is the backup that comes up only when the primary is down?

    Thank you

    Hello

    As you mentioned, crypto maps are processed in order.

    If two crypto map entries match the same "interesting" traffic then the second entry is never used (the first crypto map entry is used).

    The best way to get redundancy is the following:

    crypto map IPSec_map 10 match address encrypt-acl
    crypto map IPSec_map 10 set peer 209.165.201.1 23.10.10.10
    crypto map IPSec_map 10 set transform-set RIGHT
    crypto map IPSec_map 10 set reverse-route

    Note in the example above that you have defined a single crypto map entry with two peers. The first peer will be tried first and, if it does not respond, the second peer will be used as a backup.

    Hope this helps.

    Federico.
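The two-peer entry above only helps while IKE is negotiating: an SA that is already established to 209.165.201.1 is not torn down when that peer dies, so the backup is not tried until the lifetime expires. As an added example (not Federico's or the poster's configuration), here is the same entry on ASA 7.x/8.x with IKE keepalives (DPD) under both L2L tunnel-groups so the failover actually happens; the pre-shared keys are placeholders.

```cisco
! Added example: ASA 7.x/8.x. encrypt-acl, transform set RIGHT and the peer
! addresses come from the thread; tunnel-group keys are placeholders.
crypto map IPSec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set peer 209.165.201.1 23.10.10.10
crypto map IPSec_map 10 set transform-set RIGHT
crypto map IPSec_map 10 set reverse-route
crypto map IPSec_map interface outside
!
! Each peer needs its own L2L tunnel-group (named by peer IP) with its key.
! "isakmp keepalive" is DPD: declare the peer dead after 10 s of silence
! and 2 s between retries, tear down the SAs, and let the next interesting
! packet start IKE with the next peer in the set peer list.
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key <primary-psk>
 isakmp keepalive threshold 10 retry 2
tunnel-group 23.10.10.10 type ipsec-l2l
tunnel-group 23.10.10.10 ipsec-attributes
 pre-shared-key <backup-psk>
 isakmp keepalive threshold 10 retry 2
!
! Verify which peer carries the tunnel right now:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 209.165.201.1
!   show crypto ipsec sa peer 23.10.10.10
```

There is no preemption: once the ASA has built the tunnel to 23.10.10.10 it stays there until that SA is torn down (lifetime expiry, DPD, or a manual clear), and only then does the next negotiation try 209.165.201.1 first again. Both peers must also have the same crypto ACL mirrored on their side, or the second negotiation fails on a proxy-ID mismatch.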

  • Specify remote access interesting traffic?

    This is probably a stupid question, but I can't get my remote access VPN traffic decrypted. I use an ASA5510 and Cisco VPN Client 5.0. I have no problem getting the tunnel up. But 'decrypted' traffic stays at zero and 'discarded traffic' increments all the time.

    Here is the ASA5510 crypto config:

    OK, I guess this site does not allow pasting text, so I have attached the config.

    I'm pretty sure I can't pass traffic because I have not been able to figure out how to specify interesting traffic for the VPN connection. Can someone please show me the syntax for this? It seems it must be some sort of tunnel-group command.

    Am I the only one who thinks the Cisco documentation is worthless on this? The ASA configuration guide gives you everything you need to configure a tunnel, but has absolutely nothing on the config required to actually pass traffic. Very helpful.

    Hello

    If you see that the traffic is encrypted by the VPN Client but there is no return traffic, it may be a configuration problem on the ASA, or the destination host may not have a good route back to the VPN Client, or something else.

    To my knowledge, if you do not specify split tunneling on the VPN Client connection, then EVERYTHING is going into the VPN tunnel at the client endpoint.

    If you want to specify what to send to the VPN you use the 'group-policy' configuration:

    group-policy VPN-GROUP-POLICY internal
    group-policy VPN-GROUP-POLICY attributes
     split-tunnel-policy tunnelall

    OR

    access-list SPLIT-TUNNEL standard permit <network> <mask>
    group-policy VPN-GROUP-POLICY internal
    group-policy VPN-GROUP-POLICY attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL

    • Usually the 'standard' ACL includes 'permit' statements for all of the networks you want to tunnel through the VPN.

    The 'group-policy' is then set under the 'tunnel-group' configuration.

    It would probably be easier to check if we could see the configuration on the ASA. If you are simply testing ICMP connectivity, I recommend that you check you have 'inspect icmp' configured so that ICMP Echo-reply messages are automatically allowed by the ASA.

    -Jouni

  • Adding to the crypto interesting-traffic ACL on a live IPsec L2L tunnel

    Hi all

    I need to add additional hosts to the existing crypto interesting-traffic ACL on a live tunnel carrying real-time traffic.

    I have a network engineer on the remote side to apply the same at their end.

    My question: will it interrupt the existing tunnel/traffic if we add the additional hosts to the ACL on both sides at the same time?

    Thank you!

    Each permit entry in the crypto ACL generates its own IPsec security association.

    There should be no impact on existing services; just pay attention not to introduce any overlap in the ACL.

    Another topic: with very frequent crypto map DB updates, sometimes one must remove and re-add the crypto map configuration, which will cause traffic disruption.

    Marcin

  • Doubt about implementing a VPN between a VPN3005 and a Cisco 827 router

    Imagine this:

    Establish a VPN tunnel between head office (VPN3005) and a branch (827). I only need to pass IP data in the tunnel, and the two sites must reach each other's resources, which means I do not want any NAT involved.

    Can someone tell me the better/simpler way to do this?

    Can it be implemented with Cisco Easy VPN? (Or not, due to not wanting any type of NAT?)

    Thanks in advance!

    Hello

    I would prefer a LAN-to-LAN VPN tunnel. I have attached a few URLs that

    explain the implementation of an IPSec LAN-to-LAN tunnel in different scenarios:

    1. with the router having a static routable IP address

    http://www.Cisco.com/warp/public/471/ALTIGAR.shtml

    2. with the router being assigned an IP via DHCP

    http://www.Cisco.com/warp/public/471/vpn3k_iosdhcp.html

    Kind regards

    Arul

  • Cisco VPN Site to Site - Is interesting traffic required to bring up a VPN or not?

    A really quick and easy one for the VPN gurus out there...

    Essentially, I am setting up a VPN for backup, but unfortunately there is NO interesting traffic and we need the VPN up.

    So... is this possible?

    Thanks in advance

    Arnoult

    I would also like to add to David's response. Some keepalives, depending on which firewall and configuration you use, are either phase 1 keepalives or full end-to-end phase 2 keepalives.

    I do not know the Cisco equivalent or whether they even have one. An example of this with Juniper: dead-peer-detection (DPD) only sends IKEv1/2 keepalives, while VPN monitoring sends ICMP echo requests to track whether the VPN is up or declare it dead.

    With DPD it isn't exactly an interesting-traffic probe, it's just the IKE "hello, are you there" messages. After a while the VPN can go down due to lack of interesting traffic or having to renegotiate phase 2. However, to create interesting traffic, you can set up an IP SLA for end-to-end ICMP.

    You may have noticed in the past that the VPN will just go down after a while (if you have this configuration).

    There are three connection-type modes for how the ASA actually starts the negotiation:

    Answer only: Specifies that this peer only responds to inbound IKE connections first during the initial proprietary exchange to determine the appropriate peer to connect to.

    Bidirectional (default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for site-to-site connections. [Only if interesting traffic is matched]

    Originate only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.

    For the ASA experts out there, please correct me if I'm wrong.

    Hope this helps

    Bilal
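The reply to the first similar question on this page (set connection-type) and Bilal's list of the three modes describe the same crypto map setting. As an added example, not taken from any of the posts, this is what it looks like on an ASA 7.x/8.x hub and branch; the map names, ACL names and peer addresses are assumptions.

```cisco
! Added example: ASA 7.x/8.x, one L2L between a hub and a branch where only
! the branch is allowed to initiate. All names and addresses are assumptions.
!
! --- hub ASA: respond to IKE from the branch, never start the exchange ---
crypto map outside_map 10 match address L2L-TO-BRANCH
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside
!
! --- branch ASA: always the initiator (the side that has the interesting
!     traffic, or the side behind a dynamic address the hub cannot call) ---
crypto map outside_map 10 match address L2L-TO-HUB
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside
!
! bidirectional is the default and needs no command. To see what is set:
!   show running-config crypto map | include connection-type
!
! Note: connection-type only fixes WHO starts IKE. An answer-only entry still
! waits for the peer to have interesting traffic; it is not a keepalive and
! will not bring the tunnel up on its own.
```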

  • ASA Site to Site VPN (only comes up with interesting traffic)

    Is there any way to get an ASA-to-ASA site-to-site VPN up without interesting traffic? I need to keep this tunnel up regardless of traffic; is there any way to do this?

    Unfortunately, no such feature has been developed on the ASA. You need to trick the ASA with a host located in the "interesting" part of the network that constantly generates interesting traffic. Here are a few suggestions:

    - Use IP SLA on a Cisco device

    - Run a TCP ping from a host

    - Set up a host at site A to use the site B ASA as its NTP source

    Please rate helpful posts!
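The IP SLA suggestion in this reply and in Bilal's reply above, written out as an added example that is not from either post: an IOS router on the site A LAN probes a host at site B every 30 seconds, so the ASA in front of it always sees interesting traffic and renegotiates phase 2 before the SA idles out. The addresses (10.1.0.10 local, 10.2.0.10 remote) and the IOS 12.4T syntax are assumptions.

```cisco
! Added example: IOS 12.4T router inside site A. The probe source MUST be an
! address covered by the crypto ACL on both ASAs, otherwise it leaves in clear
! text and never triggers IKE. Addresses are assumptions.
ip sla 10
 icmp-echo 10.2.0.10 source-ip 10.1.0.10
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Optional: log reachability changes instead of discovering them later.
! (12.4(20)T and later; older images use "track 10 rtr 10 reachability")
track 10 ip sla 10 reachability
!
! Checks on the router:
!   show ip sla statistics 10        "Latest operation return code: OK"
!   show track 10                    "Reachability is Up"
! Checks on the site A ASA:
!   show crypto ipsec sa | include pkts encaps|pkts decaps
!     both counters must keep climbing every 30 s for the SA whose local
!     selector covers 10.1.0.10
```

The probe keeps phase 2 alive only for the SA whose selector covers 10.1.0.10; on an ACL with several permit lines each line gets its own SA, so a tunnel that must stay up for all of them needs a probe source (or destination) that falls inside each one.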

  • I lost Lightroom 5, bought in Dec 2014, and want to download another copy with a serial number.  It is not available on the Adobe web site and I'm not interested in Lightroom CC.  Can you direct me to an appropriate site? Thanks Frank

    Lightroom - all versions

    Windows

    http://www.Adobe.com/support/downloads/product.jsp?product=113&platform=Windows

    Mac

    http://www.Adobe.com/support/downloads/product.jsp?product=113&platform=Macintosh

  • Difference between organization and GRE

    Hi all
    I would like to know what the difference is between an organization and a GRE?

    Thank you
    Anil

    Organization is a generic term and can have any classification (Business Group, HR Organization, a legal entity a.k.a. GRE, etc.).
    Whereas a GRE is an organization with a classification such as GRE, a.k.a. legal entity / legal employer / tax unit.

    If you are referring to the Organization on the person assignment screen, that is the HR Organization.

    Cheers,
    VB

  • IGP and GRE Tunnel

    Please see the picture above: two sites connected using Fa0/1 on R1 and R2, with a GRE tunnel formed between them.

    Case 1:

    We have a point-to-point connection between the two routers, and the IP addresses assigned to Fa0/1 on R1 and R2 belong to the same subnet. We then configure a GRE tunnel on top of this as indicated in the topology:

    • Using an IGP such as EIGRP or OSPF we can peer routers R1 and R2 over both the tunnel and the point-to-point connection.
    • This will make redundant paths between the two routers.
    • This will form two equal adjacencies between the two routers (for example for EIGRP or OSPF).
    • Or we can use just the tunnel for exchanging traffic between the two routers.

    My Questions:

    1. What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel?
    2. What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel?

    Case 2:

    If Fa0/1 on both routers has public IPs that in fact do not belong to the same subnet, then I think we have to create a tunnel between the two routers and then use the tunnel for IGP peering between them.

    My Question:

    • I just want to know whether this is a valid case and also whether we get this case in an exam.

    Feel free to comment on both cases; I just created these two cases to clear my mind.

    Basically the tunnel is a virtual point-to-point link between two routers. When you have two routers physically connected by a point-to-point link the tunnel has no use, but if you have two routers separated by many network hops then a GRE or IPsec tunnel is useful, and in that case the tunnel gives you the convenience of a logical point-to-point network.

    In the tunnel you can run any routing protocol (OSPF, EIGRP, BGP or similar) or static routes, as on a point-to-point interface between two routers.

    My opinion on your questions is as below.

    Case 1

    1. What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel? - No use for the tunnel in this case in the real world, so you would run any routing protocol between the physical point-to-point interfaces.
    2. What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel? - Same as above; exam points are mostly based on real-world scenarios (not sure which exam you are talking about).

    Case 2

    • I just want to know whether this is a valid case and also whether we get this case in an exam. - Yes, this is valid in the real world, and it is also a typical exam topic, especially DMVPN and IPsec tunnels in the CCIE exam.

    Please always rate useful posts!

    Kind regards

    Pawan (CCIE # 52104)
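An added example, not from this thread or from the GRE question at the top of the page: an IOS GRE tunnel between R1 and R2 with OSPF peering over the tunnel, where the crypto ACL names the GRE packets themselves as the interesting traffic. That is the router form of what the first question asks about (on a router you write the access-list with gre; on the VPN3005 the network lists cover it). Addresses, the pre-shared key and the interface numbers are assumptions.

```cisco
! Added example: IOS GRE over IPsec, R1 side; R2 is the mirror image.
! All addresses, keys and interface numbers are assumptions.
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <psk> address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport                 ! GRE already supplies the outer IP header
!
! Interesting traffic = GRE between the two tunnel endpoints, nothing else.
! OSPF hellos, user data and management traffic all ride inside the GRE
! packets and are encrypted without ever being listed in this ACL.
ip access-list extended GRE-TO-R2
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address GRE-TO-R2
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.2
 keepalive 10 3                 ! Tunnel0 goes down if R2 stops answering
 ip mtu 1400                    ! leave room for GRE + ESP overhead
 ip tcp adjust-mss 1360
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0       ! peer over the tunnel
 network 192.168.1.0 0.0.0.255 area 0    ! LAN behind R1
 ! Deliberately NOT the 203.0.113.0/30 underlay: if the tunnel destination
 ! is ever learned through the tunnel itself, IOS logs
 ! "%TUN-5-RECURDOWN" and the tunnel flaps.
!
! R2: peer 203.0.113.1, ACL "permit gre host 198.51.100.2 host 203.0.113.1",
! Tunnel0 10.255.0.2/30, tunnel source Fa0/1, tunnel destination 203.0.113.1
!
! Checks:
!   show crypto ipsec sa       one SA pair, selector gre host/host
!   show ip ospf neighbor      FULL on Tunnel0
```

With this layout the crypto ACL never changes when LANs are added on either side; only the IGP does, which is the main operational advantage of GRE-in-IPsec over a plain crypto ACL per subnet pair.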

  • NAT for VPN tunnel traffic and still access the Internet

    Hello

    Thank you in advance for any help you can provide.

    I have a server with the IP 192.168.1.9 that needs to access a remote subnet, 192.168.50.0/24, through the Internet.  However, before the server can access the remote subnet, its IP must be NAT'ed to 10.1.0.1, because the remote VPN gateway (which is not under my control) also serves other customers who have the same subnet address as our local network.

    We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) set up to do the NAT.  It is the only gateway on our network.

    I have configured the Cisco 2801 with the following NAT statements and the relevant access lists:

    access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    ip access-list extended NAT
     deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
     deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
     permit ip 192.168.1.0 0.0.0.255 any

    route-map ISP permit 10
     match ip address NAT

    ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
    ip nat inside source list 106 pool EMDVPN
    ip nat inside source route-map ISP interface FastEthernet0/1 overload

    When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is established successfully.  However, after that, the server is no longer able to access the Internet, because the NAT translation for 192.168.1.9 has changed from the router's external IP address (FastEthernet0/1) to 10.1.0.1.

    The documentation I have seen on the Cisco site says that this type of setup allows only host-to-subnet communication.  Internet access is not possible.  However, maybe I missed something, or one of you experts can help me.  Is it possible to configure the router to NAT traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?

    Once again, thank you for any help you can give.

    Alex

    Hello

    Rather than using a pool for NAT:

    192.168.1.9 -> 10.1.0.1 > 192.168.50.x

    access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

    route-map RM-STATIC-NAT permit 10
     match ip address 102

    ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable

    access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    ip nat inside source list 101 interface FastEthernet0/1 overload

    The VPN access list will use 10.1.0.1 as the source...

    Let me know if it works.

    Regards

    M
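M's conditional static NAT, completed as an added example (not from the thread) with the pieces the post leaves out: the ip nat inside/outside designations without which no translation happens at all, and the crypto side keyed on the translated source 10.1.0.1, since on IOS the inside-to-outside path runs NAT before the crypto map check. The peer address, the pre-shared key, the transform set and the WAN addressing are assumptions.

```cisco
! Added example: IOS 12.4T, destination-conditional static NAT plus the
! matching crypto ACL. Peer 203.0.113.1, the key, TS and WAN address are
! assumptions; everything else is the addressing from the thread.
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description ISP
 ip address <wan-ip> <wan-mask>
 ip nat outside
 crypto map VPNMAP
!
! 1. Static NAT that applies ONLY when the destination is the VPN subnet.
access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
route-map RM-STATIC-NAT permit 10
 match ip address 102
ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable
!
! 2. Internet PAT for the LAN, with the VPN-bound flow excluded so rule 1
!    is the only candidate for it. 192.168.3.0/24 is left out as in the
!    poster's original NAT ACL.
access-list 101 deny   ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
!
! 3. Crypto ACL: NAT has already run, so the interesting traffic is
!    10.1.0.1 -> 192.168.50.0/24, never 192.168.1.9. The remote gateway's
!    mirror ACL is 192.168.50.0/24 -> host 10.1.0.1.
ip access-list extended VPN-ACL
 permit ip host 10.1.0.1 192.168.50.0 0.0.0.255
!
crypto isakmp key <psk> address 203.0.113.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-ACL
!
! Checks after pinging 192.168.50.x and then a public host from the server:
!   show ip nat translations | include 10.1.0.1   only 192.168.50.x targets
!   show ip nat translations | include 192.168.1.9   WAN address for the rest
!   show crypto ipsec sa | include pkts encaps   counter climbing
```

The difference from the poster's pool-based version is that `ip nat inside source list 106 pool EMDVPN` creates a translation for 192.168.1.9 that is then reused for every destination, whereas the route-map static with `extendable` is evaluated per flow, so Internet flows from the same host still fall through to rule 2.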
