WRVS4400N ASA 5540 L2L IPSec connection

I have a remote WRVS4400N with a dynamic outside the address that opens a connection to an ASA 5540 with a static address.

I'm all set on the side of the ASA. My questions concern the 4400N. It does not seem to have a very robust configuration/configuration available for L2L tunnels. For one my encryption is limited to 3DES.

But I wonder if I'm missing something in the config. I have to configure L2L tunnels to two other firewalls. One firewall has 3 non-contiguous networks, and the other has 2. I have 5 tunnels configuration, this is the only way? What I'd like to see is 2 tunnels, one for each firewall distance, but then each tunnel would have access to networks (like on the side of the ASA), is anyway to do this? Perhaps a useful command line for this unit?

My other question concerns the tunnel-groups I've implemented on my ASA, and I do not want to use the proper names... However I can't seem to find a way to allow this to happen on the side of 4400N... I mean, I need a way to create a 'keyword' identifier or a "firewall identifier" on the 4400N and I do not see an appropriate field in the web interface. Someone at - it ideas?

Thanks in advance.

Hi WS, the WRVS router does not support a complete tunnel configuration or routes to have a multi site configuration. You would need a separate tunnel for each location.

Traditionally, the WRVS router was not a good game on any platform ASA. In most cases, I saw when a tunnel has put in place will be the router WRVS crash in an hour or less due to low memory. If you run a scenario where the WRVS stops responding or the tunnel down, this is the likely scenario.

I highly recommend is not to use the WRVS router for all tunnel with the ASA. If you are looking to stay in the field of small business, a RV220W or a RV042 router would be a much more suitable match.

-Tom
Please mark replied messages useful

Tags: Cisco Support

https://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/g...

Maximum connection profiles

The maximum number of connection profiles (tunnel groups) that can support a safety device is a function of the maximum number of concurrent sessions of VPN for the + 5 platform. For example, an ASA5505 can support a maximum of 25 concurrent sessions of VPN to 30 tunnel groups (25 + 5). Attempt to add a group of additional tunnel beyond the results of limit in the following message: "ERROR: the limit of 30 groups configured tunnel has been reached.

Table 32-2specifies the maximum VPN sessions and profiles of connection for each platform ASA.

Table 32-2 maximum VPN Sessions and profiles of connection by ASA platform

	5505 database / security more	5510/base/security Plus	5520	5540	5550
Maximum VPN sessions	10/25	250	750	5000	5000
Maximum connection profiles	15/30	255	755	5005	5005

How can I get an ASA 5540 return to the default configuration?

Is there an easy way to re-apply the default that comes with a new ASA 5540? I would like to have the our ASA 5540 to return to its default to 192.168.1.1 inside the interface and act as a DHCP server, so I connect a PC to start the initial configuration using the ASDM.

The ASA 5540 is running on asa723 - k8.bin.

factory default setting

http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c4_72.html#wp2039866

a simple "write erase/recharge" would also do the trick.

L2l IPsec question: 0 packages decrypted!

Hello

We have implemented a solution for IPSec-l2l between HQ and remote sites. The last being a ship, we opted for the dynamic Ipsec l2l solution to static using two ASAs. However, the solution fails to certain ports. In fact, the tunnel is established and the packets are encrypted on the ASA remote. However, no packet is decrypted. HQ sees not all encrypted packets. It looks like something between the two does not prevent IPSec packets to reach the HQ...

How could ensure us that the solution works always regardless of any ACL or NAT between the two?

Excerpts of the "sh crypto ipsec his" cmd for a positive and result negative as well as the configuration of the remote control - ASA IPsec.

Distance - ASA # sh crypto isakmp his

Interface: outside
Tag crypto map: CMAP, seq num: 10, local addr: 172.16.1.215

extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr, mask, prot, port): (10.240.192.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 146.40.75.33

#pkts program: 28, encrypt #pkts: 28, #pkts digest: 28
decaps #pkts: 15, #pkts decrypt: 15, #pkts check: 15
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 28, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 172.16.1.215, remote Start crypto. : 146.40.75.33

Distance - ASA # sh crypto isakmp his

Interface: outside
Tag crypto map: CMAP, seq num: 10, local addr: 168.240.6.11

extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr, mask, prot, port): (10.240.192.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 146.40.75.33

#pkts program: 45, #pkts encrypt: 45, #pkts digest: 45
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 28, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 168.240.6.11, remote Start crypto. : 146.40.75.33

Remote control - ASA config

extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0

10.240.192.0 IP Access-list extended sheep 255.255.255.0 allow 10.0.0.0 255.0.0.0

Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0

Crypto ipsec transform-set esp-sha-3des esp-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto CMAP 10 corresponds to the vpn address
card crypto CMAP 10 set pfs Group1
card crypto CMAP 10 set peer 146.40.75.33

card crypto CMAP 10 value transform-set esp-3des-sha
card crypto CMAP 10 set phase 1-mode aggressive Group1
card crypto CMAP 10 set reverse-road
CMAP outside crypto map interface
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 1
life 86400
No encryption isakmp nat-traversal

tunnel-group 146.40.75.33 type ipsec-l2l
IPSec-attributes tunnel-group 146.40.75.33
pre-shared key *.

Thanks for your help!

Franc

Hello

The first output shows two packets encrypted/decrypted on the ASA remote.

At this point, the VPN worked very well? What was different?

The second output shows encrypted packets on the ASA remote but no decrypted.

You mentioned that the HQ site does not show decrypted packets either.

It seems that the ASA remote sends the traffic in the tunnel, but they never reached the HQ site.

This can happen when there is a problem of route, NAT problem or some sort of VPN filter.

To understand this better explain what the difference was between the first and the second scenario.

Federico.

Dynamic to static L2L IPSec VPN

Hello

I've implemented a dynamic to static IPSec Site to Site VPN between a branch (ship) ASA5505 and headquarters. Now, this solution does not allow HQ initiate the IPsec connection.

There is a router behind the ASA5505. I heard that if I want to keep the tunnel upward, so that the HQ customers can switch the traffic to remote clients through the tunnel, I would need to run ALS IP icmp probes on the router behind the ASA.

Could someone explain how to implement it?

Thanks for your help.

Frank

The ICMP probe can be done through any device that is able to do ping, not only of the router.

The reason is that it is interesting traffic triggers the traffic is encrypted by the vpn tunnel, tunnel will stay up, so you will be able to open the connection to the AC to your remote site.

Hope that helps.

VPN site to site by using the host name on cisco asa 5540 - dyndns

Can someone help me configure VPN site to site on cisco asa 5540. The other end is seen configured dyndns and so should set up her counterpart with the host name.

If the other end is a dynamic IP address, you must configure a dynamic map and then use in the encryption card

See the following example.

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a00805733df.shtml

ASA mismanaged webvpn cascading connections

I'm trying to get a webvpn configuration to run with two ASAs which are cascading. Each ASA requires the user to connect to the webvpn. Practically, this means that you connect to the ASA to first, which, from the successful connection, should divert automatically you to the login screen the ASA webvpn cascade with a command of 'value https://homepage.

It does not work correctly because the first ASA never presents you with the webvpn ASA connection second, but instead you will see the login of the ASA first again. I suspect that this might have something to do with cookies or the way ASAs calculate the special URL that they present the user's browser...?

Furthermore, no matter what other web HTTPS service works properly when they are referenced as a home page, it won't work with a second ASA. In addition, connecting directly to the ASA second works without problem.

Someone has any idea how to solve this problem?

Thank you

Toni

Hi Toni,

This is not a scenario supported (without customer through without customer)

Kind regards

Rami

8.2 ASA vpn filter for connections l2l

I have a vpn-filter set to my police L2L. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have an acl of vpn-filter in place on an existing L2L connection which works fine. The only question is, when I make changes to the ACLs for add/remove access, I have to reload the whole of the tunnel until the changes take place.

My question is, are at - it a command to reload the access control without destroying the tunnel?

Hi Jeffrey,.

Design whenever there are changes in the attributes of Group Policy (including the vpn-filter, dns ip of victories or vpn-Protocol etc.), you need to reset the respective tunnel while phase 2 is negotiating with the newly added policy. The command to clear a specific tunnel is: -.

his clear crypto ipsec peer

For more details on the command, please see the link below

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C3.html#wp2133652

So, to answer your query wasn't there command is not to reset the access control. There had been such a command you would still back the tunnel to trigger negotiations ipsec with the new group policy settings.

HTH...

Concerning
Mohit

IPSec tunnel do not come between two ASA - 5540 s.

I've included the appropriate configuration of the two ASA lines - 5540 s that I'm trying to set up a tunnel of 2 lan lan between. The first few lines show the messages that are generated when I try to ping another host on each side.

Did I miss something that will prevent the tunnel to come?

4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

6 IP = 10.10.1.147, P1 retransmit msg sent to the WSF MM

5 IP is 10.10.1.147, in double Phase 1 detected package. Retransmit the last packet.

4 IP = 10.10.1.147, error: cannot delete PeerTblEntry

3 IP = 10.10.1.147, Removing peer to peer table has not, no match!

6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.

5 IP = 10.10.1.147, IKE initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 address Proxy local 10.10.1.135, Proxy address remote 10.10.1.155, Card Crypto (outside_map0)

ROC-ASA5540-A # sh run

!

ASA Version 8.0 (3)

!

CRO-ASA5540-A host name

names of

10.10.1.135 GHC_Laptop description name to test the VPN

10.10.1.155 SunMed_pc description name to test the VPN

!

interface GigabitEthernet0/0

Speed 100

full duplex

nameif inside

security-level 100

IP 10.10.1.129 255.255.255.240

!

interface GigabitEthernet0/3

nameif outside

security-level 0

IP 10.10.1.145 255.255.255.248

!

!

outside_2_cryptomap list extended access permit ip host host GHC_Laptop SunMed_pc

!

ASDM image disk0: / asdm - 603.bin

!

Route outside 255.255.255.248 10.10.1.152 10.10.1.147 1

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto game 2 outside_map0 address outside_2_cryptomap

outside_map0 crypto map peer set 2 10.10.1.147

card crypto outside_map0 2 the value transform-set ESP-3DES-SHA

outside_map0 card crypto 2 set nat-t-disable

outside_map0 interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

Group Policy Lan-2-Lan_only internal

attributes of Lan-2-Lan_only-group policy

VPN-filter no

Protocol-tunnel-VPN IPSec

tunnel-group 10.10.1.147 type ipsec-l2l

IPSec-attributes tunnel-group 10.10.1.147

pre-shared-key *.

!

ROC-ASA5540-A #.

----------------------------------------------------------

ROC-ASA5540-B # sh run

: Saved

:

ASA Version 8.0 (3)

!

name of host ROC-ASA5540-B

!

names of

name 10.10.1.135 GHC_laptop

name 10.10.1.155 SunMed_PC

!

interface GigabitEthernet0/0

Speed 100

full duplex

nameif inside

security-level 100

IP 10.10.1.153 255.255.255.248

!

interface GigabitEthernet0/3

nameif outside

security-level 0

IP 10.10.1.147 255.255.255.248

!

outside_cryptomap list extended access permit ip host host SunMed_PC GHC_laptop

!

ASDM image disk0: / asdm - 603.bin

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map2 1 match address outside_cryptomap

outside_map2 card crypto 1jeu peer 10.10.1.145

outside_map2 card crypto 1jeu transform-set ESP-3DES-SHA

outside_map2 card crypto 1jeu nat-t-disable

outside_map2 interface card crypto outside

crypto ISAKMP allow inside

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

!

internal Lan-2-Lan group strategy

Lan Lan 2-strategy of group attributes

Protocol-tunnel-VPN IPSec

tunnel-group 10.10.1.145 type ipsec-l2l

IPSec-attributes tunnel-group 10.10.1.145

pre-shared-key *.

!

ROC-ASA5540-B #.

On the ASA of ROC-ASA5540-B, you have "isakmp allows inside", it should be "enable isakmp outside."

Please reconfigure the ASA and let me know how it goes.

Kind regards

Arul

* Please note the useful messages *.

ASA 8.6 - l2l IPsec tunnel established - not possible to ping

Hello world

I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

Here is the output of "show run":

---------------------------------------------------------------------------------------------------------------------------------------------

ASA 1.0000 Version 2

!

ciscoasa hostname

activate oBGOJTSctBcCGoTh encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface GigabitEthernet0/0

nameif outside

security-level 0

address IP X.X.X.X 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

the IP 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

passive FTP mode

internal subnet object-

192.168.0.0 subnet 255.255.255.0

object Web Server external network-ip

host Y.Y.Y.Y

Network Web server object

Home 192.168.2.100

network vpn-local object - 192.168.2.0

Subnet 192.168.2.0 255.255.255.0

network vpn-remote object - 192.168.3.0

subnet 192.168.3.0 255.255.255.0

outside_acl list extended access permit tcp any object Web server

outside_acl list extended access permit tcp any object webserver eq www

access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

dmz_acl access list extended icmp permitted an echo

pager lines 24

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 DMZ

management of MTU 1500

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

!

internal subnet object-

NAT dynamic interface (indoor, outdoor)

Network Web server object

NAT (DMZ, outside) Web-external-ip static tcp www www Server service

Access-Group global dmz_acl

Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.1.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

Crypto ipsec ikev2 proposal ipsec 3des-GNAT

Esp 3des encryption protocol

Esp integrity md5 Protocol

Crypto dynamic-map dynMidgeMap 1 match l2l-address list

Crypto dynamic-map dynMidgeMap 1 set pfs

Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

Crypto dynamic-map dynMidgeMap 1 the value reverse-road

midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

midgeMap interface card crypto outside

ISAKMP crypto identity hostname

IKEv2 crypto policy 1

3des encryption

the md5 integrity

Group 2

FRP md5

second life 86400

Crypto ikev2 allow outside

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal midgeTrialPol group policy

attributes of the strategy of group midgeTrialPol

L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

enable IPSec-udp

tunnel-group midgeVpn type ipsec-l2l

tunnel-group midgeVpn General-attributes

Group Policy - by default-midgeTrialPol

midgeVpn group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

remote control-IKEv2 pre-shared-key authentication *.

pre-shared-key authentication local IKEv2 *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

: end

------------------------------------------------------------------------------------------------------------------------------

X.X.X.X - ASA public IP

Y.Y.Y.Y - a web server

Z.Z.Z.Z - default gateway

-------------------------------------------------------------------------------------------------------------------------------

ASA PING:

ciscoasa # ping DMZ 192.168.3.1

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

?????

Success rate is 0% (0/5)

PING from router (debug on CISCO):

NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

-------------------------------------------------------------------------------------------------------------------------------

ciscoasa # show the road outside

Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

* - candidate by default, U - static route by user, o - ODR

P periodical downloaded static route

Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

-------------------------------------------------------------------------------------------------------------------------------

Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

Please, if you have an idea, let me know! Thank you very much!

Hello

I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

You ACL: access-list extended dmz_acl to any any icmp echo

For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

Then to initiate router, the ASA Launches echo-reply being blocked again.

Try to add permit-response to echo as well.

In addition, you can use both "inspect icmp" in world politics than the ACL.

If none does not work, you can run another t-shoot with control packet - trace on SAA.

THX

MS

Cisco ASA - l2l IPSEC tunnel two dynamic hosts

Hello

I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

Hello

ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

On ASA, it is not possible to configure the tunnel between two dynamic peers.
You will need to have a static end to configure static to dynamic IP.

For routers, you can follow this link.
I hope this helps.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

ASA or 871 l2l ipsec to SSG - 140: tunnel is up, but no traffic

Hello

I am currently troubleshooting an ipsec VPN l2l between

1. ASA 7.2 (4) SSG - 140

2 cisco 871W to SSG - 140

In both scenarios the tunnel is well established and the traffic is in the tunnel, but nothing comes out. Of all the encap, but no decap

Looks a routing problem, but we cannot find anything on the two sites.

So maybe I m running in a (known) problem between equipment cisco VPN and SSG-140?

I've searched the forum, but can not find any idea on this subject.

If anyone has an idea the most welcome.

What is a proxy-id problem? Cause they set up stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255

Thanks in advance!

Tom, I have not seen the downloaded configs or poster. I would focus on the asa as it's easier to troubleshoot. You can use the ease of packet trace to verify that the syn is sent through the encrypted and external interface. Also gives you the ability to capture. Of course, the problem is that the traffic is encrypted. A syn packet is small and hard to distinguish. Try to send a ping from 10 to 1000 pkt size and see if you can locate in the capture (ipsec will add about 80 bytes). You will need to do a quiet moment to make it easier. Assuming that you can identify the packages, you can repeat the capture and ask someone to do the same thing at the remote end. Also, try to do the ping from the remote device and see if you can capture packets. My guess is that there is something wrong at the other end or a firewall drop packets (ip prot 50) esp. If you want to send the config, display, capture of the [email protected] / * / I can take a look. Matthew

L2l IPSec VPN blocks SQL (ASA v8.4)

Good evening everyone,

I have an ASA 5510 8.4 (2) which has an IPSec VPN site to a 3rd party who run a form any checkpoint running. VPN establishes and allows to access a server in our demilitarized zone on all the ports that we tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL that does not even reach the server. I've got Wireshark running on the DMZ server and if the 3rd party initiates a conversation of TCP of their server on any of the ports on the server I see all desired packages come with the correct IPs ETC (without NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server on our DMZ zone packets do not reach the level of the server. What I see is the number of bytes of RX on the VPN increases whenever the query is run, but certainly not arriving on the SQL Server.

Also if I come back to the ASA to the old PIX, it replaced with the same VPN configuration but on version 7.x, then it works fine.

While I find some time to clean up the config this weekend, I have ideas.

Thank you very much

Simon.

Hi Simon,.

If you look at the options sys in the ASDM he advises that you still need ACL for traffic. As I understand it, in the old days, when you were in as you pointed out. If you set the ports in this group then Yes, it's a whole and potentially your only protection is the NAT or his absence.

I would like to add an another ACE to the external interface, which allows the source to you DMZ host (see below)

Object-group service GROUP SQL-tcp PORTS

EQ port 1433 object

EQ object Port 1434

Port-object eq 1521

outside_access extended access list permit tcp host 192.168.100.30 DMZ_158-group of objects SQL-PORTS object

Concerning

WRVS4400N ASA 5540 L2L IPSec connection

Similar Questions

https://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/g...

Maximum connection profiles

Maybe you are looking for