WCCP and ASA L2L VPN Tunnel

How L2L WCCP vpn tunnel? If there is a Web page on the otherside of the tunnel that I need access on ports 80 and 443, it goes through the process of WCCP. How will I know the traffic through the tunnel for 80 and 443 to ignore the WCCP?

Hello

I have not had to deal with WCCP on the SAA configurations as it, but to my knowledge, this could be done in the ACL that is used in configuring WCCP on the SAA.

I mean a single montage we have has an ACL that simply bypasses the WCCP for some destination addresses.

The ACL was originally for example

WCCP ip access list allow a whole

Then we had to stop it for some destination network and we would add a Deny statement at the top of the ACL

access-list 1 deny ip WCCP line any 10.10.10.0 255.255.255.0

-Jouni

Tags: Cisco Security

Similar Questions

  • ISPS double and two redundant ASA 5520 VPN tunnels

    Hi all

    I have a requirement that looks like this:

    -with two ISPs (of course public IP of different subnets), I have two firewalls that we have to do 2 l2l VPN tunnels.

    Virtual private networks will be redundant to each other and in the case where one of the links is congested, traffic should pass through the other tunnel.

    Did someone do something like that?

    Thank you

    Vlad

    Hi Vlad,

    To have redundant connections, I suggest the following link:

    ASA/PIX 7.x: example of redundant Configuration or backup ISP links

    To find out when the link is congested? I don't think it could be possible at all on the SAA, with a UDP IP SLA jitter, but I think that it is supported only on IOS routers.

    Analysis of IP Service levels using the UDP IP SLA jitter operation

    Thank you.

    Portu.

    Please note all messages that will be useful.

  • ASA L2L VPN UP with incoming traffic

    Hello

    I need help with this one, I have two identical VPN tunnel with two different customers who need access to one of our internal server, one of them (customer) works well, but the other (CustomerB) I can only see traffic from the remote peer (ok, RX but no TX). I put a sniffer on ports where the ASA and the server are connected and saw that traffic is to reach the server and traffic to reach the ASA of the server then nothing...

    See the result of sh crypto ipsec his below and part of the config for both clients

    ------------------

    address:

    local peer 100.100.100.178

    local network 10.10.10.0 / 24

    local server they need access to the 10.10.10.10

    Customer counterpart remote 200.200.200.200

    Customer remote network 172.16.200.0 / 20

    CustomerB peer remote 160.160.143.4

    CustomerB remote network 10.15.160.0 / 21

    ---------------------------

    Output of the command: "SH crypto ipsec its peer 160.160.143.4 det".

    address of the peers: 160.160.143.4
    Tag crypto map: outside_map, seq num: 3, local addr: 100.100.100.178

    outside_cryptomap list of allowed access host ip 10.10.10.10 10.15.160.0 255.255.248.0
    local ident (addr, mask, prot, port): (10.10.10.10/255.255.255.255/0/0)
    Remote ident (addr, mask, prot, port): (10.15.160.0/255.255.248.0/0/0)
    current_peer: 160.160.143.4

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 827, #pkts decrypt: 827, #pkts check: 827
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #pkts not his (send): 0, invalid #pkts his (RRs): 0
    #pkts program failed (send): 0, #pkts decaps failed (RRs): 0
    #pkts invalid prot (RRs): 0, #pkts check failed: 0
    invalid identity #pkts (RRs): 0, #pkts invalid len (RRs): 0
    #pkts incorrect key (RRs): 0,
    #pkts invalid ip version (RRs): 0,
    replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
    #pkts replay failed (RRs): 0
    #pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
    #pkts internal err (send): 0, #pkts internal err (RRs): 0

    local crypto endpt. : 100.100.100.178, remote Start crypto. : 160.160.143.4

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: C2AC8AAE

    SAS of the esp on arrival:
    SPI: 0xD88DC8A9 (3633170601)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 5517312, crypto-card: outside_map
    calendar of his: service life remaining (KB/s) key: (4373959/20144)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0xFFFFFFFF to 0xFFFFFFFF
    outgoing esp sas:
    SPI: 0xC2AC8AAE (3266087598)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 5517312, crypto-card: outside_map
    calendar of his: service life remaining (KB/s) key: (4374000/20144)
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    -The configuration framework

    ASA Version 8.2 (1)

    !

    172.16.200.0 customer name

    name 10.15.160.0 CustomerB

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP 100.100.100.178 255.255.255.240

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    10.10.10.0 IP address 255.255.255.0

    !

    outside_1_cryptomap list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

    inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 customer 255.255.240.0

    inside_nat0_outbound_1 list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

    outside_cryptomap list extended access allowed host ip 10.10.10.10 CustomerB 255.255.248.0

    NAT-control

    Overall 101 (external) interface

    NAT (inside) 0-list of access inside_nat0_outbound_1

    NAT (inside) 101 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 100.100.100.177

    Route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs

    peer set card crypto outside_map 1 200.200.200.200

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    card crypto outside_map 3 match address outside_cryptomap

    peer set card crypto outside_map 3 160.160.143.4

    card crypto outside_map 3 game of transformation-ESP-3DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 20

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP ipsec-over-tcp port 10000

    attributes of Group Policy DfltGrpPolicy

    Protocol-tunnel-VPN IPSec svc

    internal customer group strategy

    Customer group policy attributes

    Protocol-tunnel-VPN IPSec svc

    internal CustomerB group strategy

    attributes of Group Policy CustomerB

    Protocol-tunnel-VPN IPSec

    tunnel-group 160.160.143.4 type ipsec-l2l

    tunnel-group 160.160.143.4 General-attributes

    Group Policy - by default-CustomerB

    IPSec-attributes tunnel-group 160.160.143.4

    pre-shared key xxx

    tunnel-group 200.200.200.200 type ipsec-l2l

    tunnel-group 200.200.200.200 General attributes

    Customer by default-group-policy

    IPSec-attributes tunnel-group 200.200.200.200

    pre-shared key yyy

    Thank you

    A.

    Hello

    It seems that the ASA is not Encrypting traffic to the second peer (However there is no problem of routing).

    I saw this 7.x code behaviors not on code 8.x

    However you can do a test?

    You can change the order of cryptographic cards?

    card crypto outside_map 1 match address outside_cryptomap

    peer set card crypto outside_map 1 160.160.143.4

    map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

    card crypto outside_map 3 match address outside_1_cryptomap

    card crypto outside_map 3 set pfs

    peer set card crypto outside_map 3 200.200.200.200

    card crypto outside_map 3 game of transformation-ESP-3DES-SHA

    I just want to see if by setting the peer nonworking time to be the first, it works...

    I know it should work the way you have it, I just want to see if this is the same behavior I've seen.

    Thank you.

    Federico.

  • Cisco ASA l2l VPN disorder

    Hello Experts from Cisco,

    I run in trouble with one of my l2l ipec vpn between an asa 5510 and 5520 cisco running version 8.2.2.

    Our existing l2l VPN are connected fine and work very well. Currently SITE a (10.10.0.0/16) connects to the SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

    What is a failure is when I try to connect SITE B to SITE C. The tunnel coming up and phase 1 and 2 complete successfully. However, even if in the course of execution: ' entry packet - trace within the icmp 10.20.8.2 8 0 detailed 10.100.8.1 ' I get the following:

    Phase: 10

    Type: VPN

    Subtype: encrypt

    Result: DECLINE

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xad1c4500, priority = 70, domain = encrypt, deny = false

    hits = 609, user_data = 0 x 0, cs_id = 0xad1c2e10, reverse, flags = 0 x 0 = 0 protocol

    SRC ip = 10.20.0.0, mask is 255.255.0.0, port = 0

    DST ip = 10.100.8.0, mask is 255.255.248.0, port = 0, dscp = 0 x 0

    I noticed that when the tunnel came, the road to 10.100.8.0/21 was added in the routing table and cyrpto what ACL has not been applied on the SAA remote. I added the route manually but cannot get the cryto ACL to apply.

    Useful info:

    C SITE

    the object-group NoNatDMZ-objgrp network

    object-network 10.10.0.0 255.255.0.0

    object-network 10.10.12.0 255.255.255.0

    network-object 10.20.0.0 255.255.0.0

    access extensive list ip 10.100.8.0 outside_30_cryptomap allow 255.255.248.0 10.20.0.0 255.255.0.0

    IP 10.100.8.0 allow Access - list extended sheep 255.255.248.0 sheep-objgrp object-group

    card crypto outside_map 30 match address outside_30_cryptomap

    card crypto outside_map 30 peers set x.x.x.x

    crypto outside_map 30 card value transform-set ESP-AES256-SHA

    crypto outside_map 30 card value reverse-road

    outside_map interface card crypto outside

    SITE B

    object-group network sheep-objgrp

    object-network 10.10.0.0 255.255.0.0

    object-network 10.21.0.0 255.255.0.0

    object-network 10.10.12.0 255.255.255.0

    network-object 10.100.8.0 255.255.248.0

    IP 10.20.0.0 allow Access - list extended sheep 255.255.0.0 sheep-objgrp object-group

    allow outside_50_cryptomap to access extended list ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0

    card crypto outside_map 50 match address outside_50_cryptomap

    game card crypto outside_map 50 peers XX. XX. XX. XX

    outside_map crypto 50 card value transform-set ESP-AES256-SHA

    outside_map crypto 50 card value reverse-road

    outside_map interface card crypto outside

    I've been struggling with this these days. Any help is very appreciated!

    Thank you!!

    Follow these steps:

    no card outside_map 10-isakmp ipsec crypto dynamic outside_dyn_map

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    clear crypto ipsec its SITE_B_Public peer

    Try again and attach the same outputs.

    Let me know.

    Thank you.

  • ASA at the ASA L2L VPN Firewall

    Hi experts,

    I currently have problems establishing a VPN site-to-site easy. It's my first time at this meeting and I am pulling my hair out for this issue.

    Currently, the installation program below is a typical topology (using ASDM):

    An ASA IP (1.1.1.2) of the site <-->(ISP) <-->Site B (ASA IP 2.2.2.2)

    All ASA IPs are the external interface connecting directly to their respective suppliers. Site has existing VPN tunnels to other networks, but Site B is a new network configuration (one can imagine Site A as a hub and the rest are rays). Site B outside interface opened ports IP 50 ESP, UDP 500 and UDP 4500 on the interface of all sources to connect to the external interface (besides us has allowed all the IP protocol for the external interface for troubleshooting). However, we have issues that phase 1 upward. We have carefully matched and double checked IKEv1 all the settings are correct and the same for the two parties, including the PSK. However Site A can ping IP of the Site B and Site B is not able to ping to the Site A IP.

    We also checked with our Internet service providers and they confirmed that they do not block 3 ports we need for the VPN. Is there more ideas or points that we missed?

    Oh, activation of debugging are not returned all the papers, but will help generate some 'interesting' traffic such as internal ping subnet of Site A of the Site B?

    Hello

    Instead of launching the plotter of the interface IP packets use all other inside IP, I see a failure of ifc interface.

    Also is it possible for you to take the UDP 500 captures on the external interfaces on the SAA?

    This would answer a lot of questions.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • ASA L2L VPN NAT

    We have a partner that we set up a VPN L2L with.  Their internal host IP infringes on our internal IP range.  Unfortunately, they are not offer NAT on their side.  Is it possible on the SAA to configure a NAT device for my internal hosts will say 1.1.1.1 and ASA changes the internal address of the remote end overlapping?

    If this is the scenario

    192.168.5.0 ASA1 <---> <-- internet="" --="">ASA2<-->

    ASA1 (NAT will be applied)

    ASA2 (without nat will be applied)

    You want to do something like that on ASA1

    Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to come as long as 192.168.8.0 coming to your network on the SAA.

    ACL soccer match:!-match-list ACLaccess acl_match_VPN ip 192.168.7.0 allow 255.255.255.0 192.168.5.0 255.255.255.0

    ! - NAT ACL

    vpn_nat 192.168.5.0 ip access list allow 255.255.255.0 192.168.8.0 255.255.255.0

    ! - Translations

    public static 192.168.7.0 (exterior, Interior) 192.168.5.0 netmask 255.255.255.0 0 0

    static (inside, outside) 192.168.8.0 public - access policy-nat list

    Complete the VPN configuration using acl_match_VPN as the ACL match. Your inside host will have to use the 192.168.7.0 network when you talk to the remote end.

    I hope this helps.

  • ASA 5505 VPN tunnel

    Hello again,

    can you please answer me a few questions that burned my head these days

    1 can I connect ASA5505 a WRT54GL router in a VPN tunnel so that the WRT54GL is the endpoint that connects to the ASA?

    2. If Yes can you tell me please which firmware should I use and the steps that will follow.

    3 if not can you me say what router should I use so that the VPN tunnel can be done.

    Thank you!

    Hi Svetoslav,

    I understand that you ask if you can establish a VPN site to site between an ASA 5505 and Linksys WRT54GL. Unfortunately, the WRT54GL doesn't support VPN endpoint. If you don't want to spend money on another ASA 5505 (which I recommend), you can watch the line Cisco Small Business firewall-lights/roads, like the RV320.

    http://www.Cisco.com/en/us/products/ps11997/index.html

    Kind regards

    Mike

  • L2l VPN tunnel is reset during the generate a new IPSec key

    I have a tunnel VPN L2L that resets completely, start with Phase 1, at the expiration of the timer of the IPSec Security Association.  Although there are several SAs, it always resets all of the tunnel.

    I see the following in the log errors when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713050-5-ASA: Group = ipRemoved, IP = ipRemoved, completed for the ipRemoved peer connection.  Reason: Peer terminate Proxy remote n/a, Proxy Local n/a

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713259-5-ASA: Group = ipRemoved, IP = ipRemoved, Session is be demolished. Reason: The user has requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % ASA-4-113019: Group = ipRemoved username = ipRemoved, IP = ipRemoved, disconnected Session. Session type: IKE, duration: 4 h: 00 m: 06 s, xmt bytes: 260129, RRs bytes: 223018, reason: the user has requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713041-5-ASA: IP = ipRemoved, IKE initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.24 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713119-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-12:55:33 12:55:33 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x9213bdc9, outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713041-5-ASA: Group = ipRemoved, IP = ipRemoved, IKE initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.71 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-13:02:11 13:02:11 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x93f9be6c, outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = 1f6c9acd)

    Any thoughts on why she would do that?

    Thank you.

    Jason

    Hello

    Both the log messages seems to suggest that the remote end is closed/compensation connection.

    Is this a new connection that suffer from this problem or has it started on an existing connection?

    The Cisco documentation associated with the Syslog messages does really not all useful information about these log messages.

    I guess that your problem is that TCP by L2L VPN connections suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration can help even if this situation persists

    Sysopt preserve-vpn-flow of connection

    Here is a link to the order of the ASA reference (8, 4-8, 6 software) with a better explanation of this configuration.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the SAA.

    Hope this helps

    -Jouni

  • The L2L VPN Tunnels on several external Interfaces ISP

    Due to special circumstances, we have 2 links on an ASA5510 ISP. I'm trying to put an end to some VPN L2L tunnels on a link and others on the second link of Internet service provider, for example below:

    LOCAL FIREWALL

    card crypto outside-map_isp1 20 corresponds to the address VPN_ACL_A
    set outside-map_isp1 20 crypto map peer 1.1.1.1
    outside-map_isp1 20 game card crypto transform-set TS-generic

    card crypto outside-map_isp2 30 corresponds to the address VPN_ACL_B
    peer set card crypto outside-map_isp2 30 3.3.3.3
    card crypto outside-map_isp2 30 value transform-set TS-generic

    crypto map interface outside-map-isps1 ISP_1
    outside-map-isp2 interface card crypto ISP_2

    ISAKMP crypto enable ISP_1
    ISAKMP crypto enable ISP_2

    Route 0.0.0.0 ISP_1 0.0.0.0 1.1.1.254
    Route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254

    Establishing the VPN tunnels in both directions when using ISP_1 works very well establshing in both directions of remote access users and several tunnels L2L (only showing a for example).

    On ISP_2

    1. peer device 3.3.3.3 establishes a VPN tunnel, but the return traffic does NOT get back to devices 3.3.3.3 tunnel.

    2. the local firewall does NOT establish a VPN tunnel to 3.3.3.3

    It suggests that the problems lies with this firewall multihomed do not direct traffic properly on back down and VPN tunnel of workbenches (point1) or to trigger a tunnel if there is (point 2).

    Reconfiguration of the VPN tunnel to 3.3.3.3 counterpart to be on the local firewall, all the springs in the life ISP_1! All ideas, there are enough license etc...

    Another way you need is the subnet of destination on VPN_ACL_B to be routed to ISP_2 as well.

    So you must send the address of peers (in your case 3.3.3.3) and the remote subnet (in your destination subnet case VPN_ACL_B) at 2.2.2.254

  • Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

    Hello

    Now, my ACS and ASA related to RADIUS (MSCHAPv2). I've set up password life on GBA and password management on SAA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advice me everything to change, or notify the expired password?

    PS.

    I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password

    Thank you

    The default password is marked as disabled after expiry

    I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

    After you install this hotfix, you get an option to the user authentication settings is:

    -Disable the user account

    -Expire the password

    When the expiration period is exceeded

    If password is expired then user will be asked to change password next authentication

    Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative

  • Write syslog to ASA 5505 VPN tunnel on syslog server?

    Hello

    Is it possible to let the ASA 5505 write syslog messages to a syslog server on the core network where the ASA 5550 is? (on the ipsec tunnel?)

    I tried this. The tunnel is up, but I get the message from routing could not locate the next hop for the NP (ASA 5505 ip) udp inside: (ip of the syslog server).

    THX,

    Marc

    MJonkers,

    I would suggest that you configure inside interface as the interface for management access. Include IP and IP address NAT syslog server interface inside 0 ACL and ACL crypto.

    You can order the "access management" when you want to run an ASA inside of interface through the VPN 7.2 below command reference:

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa72/command/reference/m_72.html#wp1780826

    I am running the VPN configuration on 8.2 and querying SNMP works.

    I hope this helps.

    Thank you

  • Cisco ASA - l2l IPSEC tunnel two dynamic hosts

    Hello

    I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

    Hello

    ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
    i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

    On ASA, it is not possible to configure the tunnel between two dynamic peers.
    You will need to have a static end to configure static to dynamic IP.

    For routers, you can follow this link.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Downtime in the L2L VPN tunnel

    is there a way to reduce the timeout on a L2L tunnel, so that it disconnects after a specific period of no traffic intresting?

    Thank you

    Here's a URL that describes how to adjust life IPSEC security association.  The default value is 1 hour.   HTH

    http://www.Cisco.com/en/us/docs/iOS/12_2/Security/command/reference/srfipsec.html#wp1017619

  • PIX and ASA static, dynamic and RA VPN does not

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is in HQ and has several dynamic VPN connections (around 130) and IPsec vpn remote works very well. I had to add a PIX to ASA L2L VPN static and it does not work as it is supposed to be. The ASA 5510, at the remote end, connects and rest for a small period of time, however, all other VPN connections stop working.

    The most interesting thing is that ASA is associated with the dynamic map and not the static map that I created (check by sh crypto ipsec his counterpart x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.

    Someone saw something like that?

    Here is more detailed information:

    HQ - IOS 8.0 (3) - PIX 515

    ASA 5510 - IOS 7.2 (3) - remote provider

    Several Huawei and Cisco routers dynamically connected via ADSL

    Several users remote access IPsec

    A VPN site-to site static between PIX and ASA - does not.

    Here is the config on the PIX:

    Crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac

    Dyn - VPN game 100 Dynamics-card crypto transform-set ESP-3DES-ESP-SHA-HMAC-IPSec

    Crypto dynamic-map Dyn - VPN 100 the value reverse-road

    VPN - card 30 crypto card matches the ACL address / remote

    card crypto VPN-card 30 peers set 20 x. XX. XX. XX

    card crypto VPN-card 30 the transform-set ESP-3DES-ESP-SHA-HMAC-IPSec value

    VPN crypto card - 100 - isakmp dynamic Dyn - VPN ipsec

    interface card crypto VPN-card outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    access list ACL-remote ext ip 10.0.0.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto acl defined between host and network, while the remote end has to the network.

    Make sure that the acl is reversed.

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

Maybe you are looking for