With tunnel VPN ASA5505 problem

The business needs is for a VLAN again on site to go directly back to an internet service to site B.

Site A and B are connected by a service of WES MB 100.

A site is a site of campus with about 25 switches. Him become VLAN on the site is for the engineer access only, so they can access their companys remote access service. This VLAN must stay back so there is very little potential of a trade-off on the live network.

The solution that I just put in place is to place an ASA5505 as the dhcp server for him VLAN become to Site A. All clients on that VLAN become get a 192.168.100.x address. The external interface on the ASA5505 to Site A is put on the live network to allow a site VPN tunnel to be put in place between the ASA5505 and the Internet - an another ASA5505 firewall

The Site A ASA5505 was put in place with inside and outside interfaces with the same level of security. 192.168.100.x subnet is exempt from NAT. Traffic is configured to transmit via the interfaces with the same level of security and the tunnel of L2L is coming.

But I can not all connectivity to the internet from any host on the 192.168.100.x VLAN.

This is made more complex because the external interfaces on both of the ASA are the corporate network...

The default route to the Site B ASA5505 is 87.xx.xx.1, the ISP router.

The Site B ASA5505 connects directly to the ISP router.

Site has ASA5505

--------------------

access-list no. - nat extended ip 192.168.100.0 allow 255.255.255.0 any

Access access-list ON scope ip 192.168.100.0 allow 255.255.255.0 any

NAT (inside) - access list 0 no - nat

Access-Group No. - nat inside interface

Route outside 0.0.0.0 0.0.0.0 10.0.99.254 1

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

vpn-traffic 10 crypto card matches the address OUT access

card crypto vpn-traffic 10 peers set ##Site B IP address #.

card crypto vpn-traffic 10 game of transformation-AES-256

vpn-traffic outside crypto map interface

tunnel-group ##Site B IP address # type ipsec-l2l

tunnel-group ##Site B IP address # ipsec - attributes

pre-shared-key *.

Site B ASA5505

-------------------

permit same-security-traffic intra-interface

access-list no. - nat extended ip 192.168.100.0 allow 255.255.255.240 all

outside_access_in of access allowed any ip an extended list

Global (inside) 1 interface

NAT (inside) - access list 0 no - nat

NAT (outside) 1 192.168.100.0 255.255.255.0

Access-Group No. - nat inside interface

Access-group outside_access_in in interface outside

Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

Crypto ipsec transform-set esp-aes-256 set1, esp-sha-hmac

card crypto vpn-traffic 10 correspondence address wootton hall

card crypto vpn-traffic 10 peers set ##Site an IP #.

crypto-vpn 10 transform-set set1 traffic map

vpn-traffic outside crypto map interface

I spent some time on it and really need some advice form experts out there!

Can you help me to know where I have gone wrong?

Dan

There are some parts of the configuration that you have published to that surprise me, such as the assignment of the default route on the inside interface. But these things are not at the heart of your problem. I agree that the core of your problem is probably the sheep access list. If I understand your needs, what you need is 192.168.100.0 is not translated by going to meets B, and is translated by going to the Internet. But your translation says access list never 192.168.100.0 since your access list as another destination:

access-list no. - nat extended ip 192.168.100.0 allow 255.255.255.0 any

My suggestion is to rewrite this access list and change the destination of the 'all' to be addresses behind B (LAN to B).

HTH

Rick

Tags: Cisco Security

Similar Questions

Problem with Tunnel VPN L2L between 2 ASA´s

Hi guys,.

I have some problems with my VPN Site to site tunnel between 2 ASA (5520/5505).

I watched a lot of videos on youtube, but I can't find out why the tunnel does not...

Both devices can ping eachothers WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel is not open to everyone. When i PING from the local to the Remote LAN (which should be an interesting traffic for the tunnel...), the its IKEv1 remains empty...

Am I missing something? I can't understand it more why same phase 1 is not engaged.

You NAT won't. In your config file traffic is NATted initially and then does not match any more crypto ACL. You must move the rule dynamic NAT/PAT until the end of the table on two ASAs NAT:
```
 no nat (INSIDE,OUTSIDE) source dynamic any interface nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
```

VPN-ASA5505 problem

Hi all

I inherited this VPN and get slowly upward. At least users can connect to it now! I had a few problems. Users can connect to the VPN, but cannot ping or access shared files on the server (192.168.2.3), but the VPN users must be able to make full use of the network.

I removed the NAT rule.

#no nat (inside) 1 0.0.0.0 0.0.0.0)

And after removing that, VPN users have been able to navigate and access to internal resources. However, users in the office now had no internet. I went and added the rule of return and returned internet.

Believe it is related to the split tunneling, what can I do to activate full VPN access and still have internet at Headquarters?

ASA Version 7.2 (4)

!

ciscoasa hostname

domain default.domain.invalid

activate mI3N1CPoxB4FJhZg encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

209.124.X.X 255.255.255.252 IP address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

Server DNS 192.168.2.3 Group

DNS server-group DefaultDNS

domain default.domain.invalid

the Exchange25 object-group network

access-list standard split allow 192.168.2.0 255.255.255.0

access-list extended sheep permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list extended sheep permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

out_in of access allowed any ip an extended list

outside_access_in list extended access permit tcp any eq smtp host 192.168.2.3 eq smtp

outside_access_in list extended access permit tcp any host 192.168.2.3 eq https

outside_access_in list extended access permit tcp any host 192.168.2.3 eq www

outside-access allowed extended access list tcp no matter what interface outside eq 7000

outside-access allowed extended access list tcp no matter what interface outside eq 3389

outside-access allowed extended access list tcp no matter what interface outside eq 587

outside-access allowed extended access list tcp no matter what interface outside eq https

LAN_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool vpnpool 192.168.2.31 - 192.168.2.60

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ASDM image disk0: / asdm - 524.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access LAN_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

public static tcp (indoor, outdoor) interface 192.168.2.3 smtp smtp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 7000 192.168.2.80 7000 netmask 255.255.255.255

public static interface 3389 192.168.2.3 (indoor, outdoor) tcp 3389 netmask 255.255.255.255

public static interface 587 587 netmask 255.255.255.255 tcp (indoor, outdoor) 192.168.2.3

public static tcp (indoor, outdoor) interface https 192.168.2.3 https netmask 255.255.255.255

Access-group out_in in interface outside

Route outside 0.0.0.0 0.0.0.0 209.124.192.45 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

Enable http server

http 0.0.0.0 255.255.255.255 outside

http 192.168.2.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-SHA

map mymap 65000-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 20

Telnet 0.0.0.0 0.0.0.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

management-access inside

dhcpd dns 192.168.2.3

!

attributes of Group Policy DfltGrpPolicy

No banner

WINS server no

value of server DNS 192.168.2.3

DHCP-network-scope no

VPN-access-hour no

VPN - 5 concurrent connections

VPN-idle-timeout 30

VPN-session-timeout no

VPN-filter no

Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

allow password-storage

disable the IP-comp

Re-xauth disable

Group-lock no

disable the PFS

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelall

Split-tunnel-network-list no

TMA.local value by default-field

Split-dns no

Disable dhcp Intercept 255.255.255.255

disable secure authentication unit

disable authentication of the user

user-authentication-idle-timeout 10

disable the IP-phone-bypass

disable the leap-bypass

disable the NEM

Dungeon-client-config backup servers

MSIE proxy server no

MSIE-proxy method non - change

Internet Explorer proxy except list - no

Disable Internet Explorer-proxy local-bypass

disable the NAC

NAC-sq-period 300

NAC-reval-period 36000

NAC-by default-acl no

address pools no

enable Smartcard-Removal-disconnect

the firewall client no

rule of access-client-none

WebVPN

url-entry functions

HTML-content-filter none

Home page no

4 Keep-alive-ignore

gzip http-comp

no filter

list of URLS no

value of customization DfltCustomization

port - forward, no

port-forward-name value access to applications

SSO-Server no

value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information

SVC no

SVC Dungeon-Installer installed

SVC keepalive no

generate a new key SVC time no

method to generate a new key of SVC no

client of dpd-interval SVC no

dpd-interval SVC bridge no

deflate compression of SVC

internal TMAgroup group strategy

attributes of Group Policy TMAgroup

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split

gene AzJFyGPWta7durW9 encrypted privilege 15 password username

username admin privilege 15 encrypted password hLjunphNGLvrgsRP

username TMAen encrypted password ojCI79mnpWOehEZC

tunnel-group TMAgroup type ipsec-ra

attributes global-tunnel-group TMAgroup

address vpnpool pool

Group Policy - by default-TMAgroup

IPSec-attributes tunnel-group TMAgroup

pre-shared-key *.

!

!

context of prompt hostname

Cryptochecksum:78c4838558d030ac964d2c331deed909

: end

Hello

Please add the following to your configuration:

nonat_inside ip access list allow any 192.168.2.0 255.255.255.0

NAT (inside) 0-list of access nonat_inside

You must keep the "nat (inside) 1 0.0.0.0 0.0.0.0 ' so that your users access to the Internet.

"Nat (inside) 0 nonat_inside access-list" allows to bypass the above rule only for traffic destined to the VPN pool.

In addition, it is to you if you want to use split tunneling or not.

More information on tunneling split:

ASA/PIX: Allow the tunneling split for the VPN Clients on the example of Configuration of ASA

Let me know.

Portu.

Please note all useful posts

Can anyone help me how I will work with tunnel VPN Failover.

Hi Experts,

I have two 5520 ASA one headquarters and another is disaster recovery. So I need to build the tunnel of the Branch Office Chief at the office that I have 3g router.

So I need to build failover to ASA of recovery after a disaster. Please can someone help me what would be the best option that makes my task complete.

Thank you

Mohammed

Hello

I guess you are looking for a relief tunnel VPN router. Here's how you set it up:

http://www.Cisco.com/en/us/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080531f28.html#wp1002246

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

tunnel VPN ZFW problem

Recently I tried to build a tunnel VPN of LAN LAN 2 connecting an Asa to a current zone based firewall 2911. It's a standard IPSec psk tunnel nothing complicated. I got the tunnel to establish, but I could only get traffic to encap on the side of the SAA and decap on the side of 2911. I couldn't return circulation. I followed this doc classic here for IPSec in the last example.

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5708/ps5710/ps1018/...

And I don't know that the SAA is right I have built a ton of those but I am new to zfw. I don't see anything about a NAT rule exempt. But as all used real IPs instead of NAT I wasn't sure and I have found no info. I do free NAT? If If you are using a roadmap on the end you NAT overload line config as in the past?

I also have a pair of area to "self" and I didn't know if I need something there to be able to do a ping from inside the 2911 interface when the tunnel is at the top of the remote end. Thank you

Is the pair area yourself, outside of itself?

And you say that you do not use only NAT, have real addresses (public routable addresses?), so why you have to make an exception for NAT you have not?

Client VPN ASA5505 problem

My ASA5505Plus to connect to the internet and a laptop, the laptop can access the internet.

a VPN client connect to the ASA but cannot access internal or external IPs

I see that the default gateway is wrong, but cannot find how to change it:

********************************

The connection-specific DNS suffix. :

... Description: Cisco Systems VPN card

Physical address.... : 00-05-9A-3C-78-00

DHCP active...: No.

... The IP address: 192.168.200.5

... Subnet mask: 255.255.255.0.

... Default gateway. : 192.168.200.1.

DNS servers...: 4.2.2.2.

************************************

I hope that's why I can't access either the laptop (192.168.200.2), Telnet (192.168.200.4) or through the internet via the customer management. I don't know if that part is configured correctly

configuration see attachment

Ofir,

Try the following

IP local pool VPN_Pool 172.16.20.1 - 172.16.20.254 netmask 255.255.255.0

inside_nat0_outbound 192.168.200.0 ip access list allow 255.255.255.0 172.16.20.0 255.255.255.0

no access list inside_nat0_outbound extended permits all ip 192.168.200.4 255.255.255.252

allow no extended access list inside_nat0_outbound 255.255.255.0 IP 192.168.200.0 192.168.200.0 255.255.255.0

Split_T 192.168.200.0 ip access list allow 255.255.255.0 172.16.20.0 255.255.255.0

tunnel-group test general attributes

address pool VPN_Pool

no address pool test

test group policy attributes

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list Split_T

Crypto isakmp nat-traversal 20

management-access inside

Concerning

Remote Access Auto Connection Manager and error with a VPN work

I use my laptop to connect to my VPN working. It has not worked since June 24, 2010. I get a message indicating that the connection to network access device is not found. I also have a problem with the connection manager automatic remote access. I'm trying to launch and get an error code 5, unauthorized. The Auto Connection Manager remote access has something to do with the vpn access problem and if so how can I solve this problem?

Hello hitherandthee,

Your question of Windows Vista is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the platform of networking on TechNet. Following your question thanks for posting the link below:

http://social.technet.Microsoft.com/forums/en-us/winserverPN/threads?page=10

Thank you
Irfan H, Engineer Support Microsoft Answers. Visit our Microsoft answers feedback Forum and let us know what you think.

problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

Hi, I worked with Cisco and the seller for 2 weeks on this.II am hoping that what we are witnessing will ring a Bell with someone.

Some basic information:

I work at a seller who needs from one site to the other tunnel. There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system. I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range. So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator. The hosts behind the tunnel use 20x.x.x.x public IP addresses.

My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper. The seller sees my packages and provider host meets them and sends them to the tunnel. They never reach the external interface on my Cisco router.

I'm from the external interface so that my endpoint and the peers are the same IP address. (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.) Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host. Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel. The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel. The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

Here is what we have done so far:

(1) confirm the config with the help of Cisco 2811. The tunnel is up. SH cyrpto ipa wristwatch tunnel upward.
(2) turn on Nat - T side of the tunnel VPN landscapers
(3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
(4) successfully, tunnel and reach a different configuration hosting
(5) to confirm all the settings of tunnel with the seller
(6) the seller confirmed that his side host has no way and that it points to the default gateway
(7) to rebuild the tunnel from scratch
8) confirm with our ISP that no way divert traffic elsewhere. My gateway lSP sees my directly connected external address.
(9) confirm that the ACL matches with the seller
(10) I can't get the Juniper because he is in production and in constant use

Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

Options or ideas are welcome. I had countless sessions with Cisco webex, but do not have access to the hub of the seller. I can forward suggestions.

Here's a code

crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2

Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

Crypto-map dynamic dynmap 30
Set transform-set RIGHT

ISAKMP crypto key address No.-xauth

interface FastEthernet0/0
Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
IP 255.255.255.240
IP access-group 107 to
IP access-group out 106
NAT outside IP
IP virtual-reassembly
route IP cache flow
automatic duplex
automatic speed
crypto mymap map

logging of access lists (applied outside to get an idea of what will happen. No esp traffic happens, he has never hits)

allowed access list 106 esp host host newspaper
106 ip access list allow a whole
allowed access list 107 esp host host Journal
access-list 107 permit ip host host Journal

access-list 107 permit ip host host Journal
107 ip access list allow a whole

Crypto isa HS her
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
QM_IDLE ASSETS 0 1010

"Mymap" ipsec-isakmp crypto map 1
Peer =.
Extend the 116 IP access list
access - list 116 permit ip host host (which is a public IP address))
Current counterpart:
Life safety association: 4608000 kilobytes / 2800 seconds
PFS (Y/N): N
Transform sets = {}
myTrans,
}

OK - so I have messed around the lab for 20 minutes and came up with the below (ip are IP test:-)

(4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

!
(1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

!
IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

!

(6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

!

(2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

(3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

(1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

!

(5) crypto-nat route-map permit 5 <> condition for the specific required NAT
corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

(7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

Then, how the works above, when a package with the what IP 172.16.1.0/24 source wants to leave the router to connect to google, say the source will change to IP interface (1). When 172.16.1.0/24 wants to talk to172.16.2.0/24, it does not get translated (2). When the remote end traffic equaled the following clause of NAT - the already NAT'td IP will not be affected again (3) when a host 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a NAT NAT specific pool is required (4). We must define a method of specific traffic to apply the NAT with a roadmap (5) which applies only when the specific traffic (6), then simply define the interesting traffic to the VPN to initiate and enable comms (7) corresponding

Client VPN with tunneling IPSEC over TCP transport does not

Hello world

Client VPN works well with tunneling IPSEC over UDP transport.

I test to see if it works when I chose the VPN client with ipsec over tcp.

Under the group policy, I disabled the IPSEC over UDP and home port 10000

But the VPN connection has failed.

What should I do to work VPN using IPSEC over TCP

Concerning

MAhesh

Mahesh,

You must use "ikev1 crypto ipsec-over-tcp port 10000.

As crypto isakmp ipsec-over-tcp work on image below 8.3

HTH

PIX 515E (7.0.1) - problem with the VPN connection between inside and outside

Hello

I ve creates a VLAN on the pix.

In this VLAN, users are allowed to connect only to the Internet. Everything is fine, but when trying to connect with his VPN Client to their company, it has problems... (Outside traffic flow, but no traffic came back.)

Is the only solution for this problem to create a Pool of Nat with public ip addresses, one to one mapping, or is there another solution with a public IP address (NAT on PAT) possible for this problem?

Thanks for your replies.

D.

The problem is that the esp is an IP Protocol, so PAT will not work in this scenario. When the return traffic returns to pix he doesn't know how to get to the inside host. The only way to do this is by adding a static nat (1 to 1 mapping) and create a rule to allow esp. Is what type of vpn client? Microsoft vpn? Cisco vpn? If cisco VPN, perhaps, they can use NAT - T on the vpn that overcomes the question PAT by encapsulating ipsec within UDP packets. You need to talk to the admin VPN and itself it allow.

-kevin

Problem with IPSec VPN ISA500 & login questions (multiple devices)

I have a Cisco ISA500, we use for connection with IPSEC VPN of some products apple (MacBook Pro and iPad). We can operate randomly once in a while, but it fails most of the time of negotiation. Someone at - it suggestions on what I can do to make this work?

I did test it on my Linux machine and it does not when I had configured default settings. I had to change the NAT Traversal for UDP CISCO on the Linux machine for the connection to work.

14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute. Attribute OAKLEY_KEY_LENGTH. (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)

Hi rich,

What version of firmware you used before upgrade? You upgrade to 1.2.19 and now this works?

Thank you

Brandon

Tunnel VPN site to Site with 2 routers Cisco 1921

Hi all

So OK, I'm stumped. I create much s2s vpn tunnels before, but this one I just can't go there. It's just a tunnel VPN Site to Site simple using pre-shared keys. I would appreciate it if someone could take a look at our configs for both routers running and provide a comment. This is the configuration for both routers running. Thank you!

Router 1

=======

Current configuration: 4009 bytes

!

! Last configuration change at 19:01:31 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRSJ host name

!

boot-start-marker

boot-end-marker

!

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

DHCP excluded-address 192.168.200.1 IP 192.168.200.110

DHCP excluded-address IP 192.168.200.200 192.168.200.255

!

IP dhcp POOL SJWHS pool

network 192.168.200.0 255.255.255.0

default router 192.168.200.1

10.10.2.1 DNS server 10.10.2.2

!

!

no ip domain search

IP-name 10.10.2.1 Server

IP-name 10.10.2.2 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-236038042

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 236038042

revocation checking no

rsakeypair TP-self-signed-236038042

!

!

TP-self-signed-236038042 crypto pki certificate chain

certificate self-signed 01

30820241 308201AA A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

8B1E638A EC

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 112.221.44.18

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 112.221.44.18

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

192.168.200.1 IP address 255.255.255.0

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/1

Description wireless bridge

IP 172.17.1.2 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

Verizon DSL description for failover of VPN

IP 171.108.63.159 255.255.255.0

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

network 172.17.1.0 0.0.0.255

network 192.168.200.0

redistribute static

passive-interface GigabitEthernet0/0

passive-interface FastEthernet0/0/0

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 172.17.1.1

IP route 112.221.44.18 255.255.255.255 171.108.63.1

!

access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

=======

Router 2

=======

Current configuration: 3719 bytes

!

! Last configuration change at 18:52:54 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRHQ host name

!

boot-start-marker

boot-end-marker

!

logging buffered 1000000

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

!

!

no ip domain search

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-3490164941

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3490164941

revocation checking no

rsakeypair TP-self-signed-3490164941

!

!

TP-self-signed-3490164941 crypto pki certificate chain

certificate self-signed 01

30820243 308201AC A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

EA1455E2 F061AA

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 171.108.63.159

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 171.108.63.159

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

no ip address

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

IP 10.10.1.6 255.255.0.0

!

interface GigabitEthernet0/1

IP 172.17.1.1 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

IP 112.221.44.18 255.255.255.248

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

Network 10.10.0.0 0.0.255.255

network 172.17.1.0 0.0.0.255

redistribute static

passive-interface GigabitEthernet0/0

passive-interface GigabitEthernet0/0.1

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 112.221.44.17

!

access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

When the GRE tunnel carries your traffic to private ip range, your ACL must contain address of the host of point to point the IPSec tunnel.

Since then, both routers are running EIGRP in the corporate network, let the EIGRP Exchange routes via GRE tunnel, which is a good practice, rather than push the ip ranges private individual through the IPSec tunnel.

Let me know, if that's what you want.

Thank you

is it possible this with remote vpn access?

Hello

I have access to my corporate network through the VPN Cisco (software) customer and it goes through the vpn to access configuration remote ipsec on an ASA 5510. Everything works fine.

But now that connect to the corporate network users also need access to remote sites connected by tunnels VPN site to site networks: tunnels IPSec between mentioned ASA5510 and distance ASA5510s and ASA5505s in the branches.

Is this possible?

If so what shoud I consider make it works?

My setup looks like

business network: 10.1.1.0/24

Remote vpn clients receive the ip addresses of: 10.0.5.0/28

Branch on the remote 1 network: 10.1.10.0/24

network of remote sites 2: 10.1.20.0/24

3 remote site network: 10.1.30.0/24

There rule for NAT exemption which exempts the networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24

All traffic on the local network 10.1.1.0/24 have complete ip connectivity with all networks in the branches. The PROBLEM is that the remote vpn clients can reach only local network 10.1.1.0/24, but not the remote networks.

The ASAs in remote sites has created NAT exemption to the two local network 10.1.1.0/24 and network 10.0.5.0/28 remote access clients, but as I said, it won't. Help, please!

Thanks in advance!

Zoran

Yes, you can...

Let's take 1 remote sites for example network: network of agencies 1 (10.1.10.0/24):

Company ASA:

-If you have split tunnel configured for the VPN Client, you must also add the remote site network in the list (10.1.10.0/24).

-Crypto ACL between the company ASA and ASA 1 remote sites must have added the following:

10.0.5.0 ip access list allow 255.255.255.240 10.1.10.0 255.255.255.0

-' same-security-traffic permit intra-interface' must be configured

On the remote control of the branch 1 ASA:

-Crypto ACL between remote branch 1 ASA and company ASA must have added the following:

ip 10.1.10.0 access list allow 255.255.255.0 10.0.5.0 255.255.255.240

-Rule of exemption NAT to exempt traffic:

ip 10.1.10.0 access list allow 255.255.255.0 10.0.5.0 255.255.255.240

Clear the tunnels of both ends and test the connectivity.

I hope this helps.

Tunnel VPN BEFVP41-BEFVP41 after a certain time blocks

I have 2 networks in different countries with routers BEFVP41 put in place to establish a VPN tunnel. Setup in country A has a static Internet IP address, in country B a dynamic IP address. For the remote security gateway a DynDNS-FULL domain name is inserted. (I tried "Any", but for some reason any that does not work.) However this is not a problem at this point). Installation works perfectly in the sense that a VPN connection is established and works as it should.

However the annoying problem is that after some time, usually during the night, the VPN tunnel seems to block even if it remainsl upward. I can not all data through more. I can get running again by resetting the modem and router b (I couldn't try if that would also be the case if the modem and the router could be reinitialized, because these are unmanned at the moment)

In the situation of blocking internet connection is OK on both sides. A connection between the networks outside the VPN tunnel works without problem. The VPN can be disconnected and reconnected, but he remains blocked.

Both routers are the latest firmware 1.02.06, build 003.

Thanks in advance for any help to solve this annoying problem.

You have to try to adjust the MTU, change it to 1350...

Also, make sure that you have done this

No access to Internet with Tunneling active split

Hi all

We are facing a problem with tunneling split. Our VPN profile has split the tunnel enabled with only networks allowed to enter the tunnel and the internet traffic is going on locally. Now it works fine almost 90% of users, but some users are unable to access internet when they connected to the VPN. Intranet works very well. Here are some observations from the affected user's machine:

1. when trying to ping any public FQDN (for example google.com), it is resolved, but when I try to ping with the IP address that it works.

2. most users access internet VPN has the House, wireless networks usually network 192.168.1.0/24.

3. this question is only met by some users, other users who also connect to VPN via WiFi at home can successfully both internet & intranet access.

4 road print machine users watch WiFi router default gateway (192.168.1.1 or private IP). DNS is also the same.

5A took a capture of packets of users on both adapter AnyConnect & WiFi adapter machine. After analysing captures what we have seen that the public DNS requests are not considered in making that ran on WiFi adapter.

All guess what might be the problem?

Any help will be appreciated.

Thank you.

Kind regards

Gerard

Gaurav,

Have you tried to disable the IPv6 option under the physical card?

With tunnel VPN ASA5505 problem

Similar Questions

Maybe you are looking for