Dynamic routing through VPN on ASA

I have an environment with multiple remote offices connecting to an ASA at the core. Currently we create separate IPSec tunnels to each subnet that the remote office needs to connect to. We would like to enable dynamic routing to allow access to all the networks through one tunnel. The SOHO routers at the remote sites will support RIP V1 and V2. Can I enable RIP in my ASAs in a way that will propagate only the routes coming through the VPN tunnels? I can then redistribute them through EIGRP in my core routers.
Thanks

Erick,
I guess I fall into the hairpinning category. Playing with different traceroutes and pings, I am going back out the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to, say, Google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to, say, Google does not work. I am thinking that may be something up with my cloud firewall provider. That is what started this whole thing in the first place.
I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?
Brent

Similar Messages

  • Problem in dynamic routing through ESB

    Hi All,
    I am trying dynamic routing through ESB, so I created a routing service in my ESB with the WSDL of BPEL Process1 and a SOAP service with the same WSDL. Then I created an XSL transformation. In this XSL transformation I added the code below to route to BPEL process 2.
    <xsl:variable name="LocationIn"
    select="http://PC-HP249:8888/orabpel/default/SyncBPELProcess2/1.0/SyncBPELProcess2"/>
    <xsl:variable name="LocationOut"
    select="ehdr:setOutboundHeader('/shdr:ESBHeader/shdr:location',
    $LocationIn, 'shdr=http://xmlns.oracle.com/esb;')"/>
    But when I am invoking this ESB through another BPEL process, I got the error message below. Is there any solution for that? I am using 10.1.3.4.0 (JDEV and BPEL).
    receiveInput
    [2010/02/25 17:50:39] Received "inputVariable" call from partner "client" More...
    View xml document
    Invoke_1 (faulted)
    [2010/02/25 17:50:39] Faulted while invoking operation "initiate" on provider "PartnerLink_1".less
    -<messages>
    -<input>
    -<Invoke_1_initiate_InputVariable>
    -<part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="payload">
    <SyncBPELProcess1ProcessRequest xmlns="http://xmlns.oracle.com/SyncBPELProcess1"/>
    </part>
    </Invoke_1_initiate_InputVariable>
    </input>
    <fault>
    ORABPEL-08034
    JTA Rollback requested.
    The current JTA transaction has been aborted due to rollback request received from partner invocation.
    </fault>
    </messages>
    </sequence>
    [2010/02/25 17:50:39] There is a system exception while performing the BPEL instance, the reason is "Namespace prefix 'http' used but not declared.". Please check the error log file for more infromation. Please try to use bpel fault handlers to catch the faults in your bpel process. If this is a system exception, please report this to your system administrator. Administrator could perform manual recovery of the instance from last non-idempotent activity or dehydration point. More...
    oracle.xml.xpath.XPathException: Namespace prefix 'http' used but not declared.
    [2010/02/25 17:50:39] BPEL process instance "260032" cancelled
    Regards

    Below, I changed http://PC-HP249:8888/orabpel/default/SyncBPELProcess2/1.0/SyncBPELProcess2 to http://PC-HP249:8888/orabpel/default/SyncBPELProcess2/1.0. This is working.
    <xsl:variable name="LocationIn"
    select="http://PC-HP249:8888/orabpel/default/SyncBPELProcess2/1.0/SyncBPELProcess2"/>

  • Dynamic Routing with VPN and multiple Peers

    I have several sites that connect to my primary host site (ASA5525-X) via LAN to LAN tunnels and currently all internal host routing is static. I need to implement a backup host site (ASA5520) for the remote sites to connect to. I know that I can add additional peers on each remote site for the host sites. However, I need to be able to do dynamic routing, so that it does not matter which site they are connected to: the internal networks will learn where to route the traffic. I am running OSPF on my internal networks at both Primary and Backup host sites and they have an internal connection between the two sites.
    Is there a way to accomplish this on the ASAs?
    Thanks,
    Doug

    To make my question perhaps a little clearer, this is an example of how I would like the result to look:
    http://www.latitudes.co.uk/dept_search_pages/search_provence.php
    where the labels with the checkboxes are retrieved from the 'category' table and when one or more boxes are ticked, the corresponding values are used to make the selection in the WHERE statement in the MySQL query.
    Hope someone can help me out.
    Erik

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but it makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, in which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs EIGRP neighbours would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit I am confused over is the potential to have new subnets added or removed, which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would otherwise be protected by the IPSEC tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA.  In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not on the core router behind it.
    Marcin: I was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? I have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router, please?
    Kindest Regards,
    James.

  • SSH to ASA through VPN

    Here is a variation on a theme I've seen on the boards here.  I have an ASA 5580 configured for client ipsec vpns.  I can connect via the vpn, ping the interface being used for management, and complete the TCP handshake for telnet or SSH.  After that, the connection times out.  I know I'm missing something small, but can't find it.  Any help would be greatly appreciated. 
    Here are the relevant parts of the config:
    interface TenGigabitEthernet0/8
    nameif INSIDE
    security-level 100
    ip address 10.50.254.249 255.255.255.248 standby 10.50.254.250
    interface GigabitEthernet0/0
    nameif OUTSIDE
    security-level 0
    ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1
    nameif ToMGMT
    security-level 10
    ip address 10.50.253.18 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name local
    object-group network Inside_NETWORK_ALL
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.248.0.0
    object-group network Outside_REMOTE_VPN
    network-object 10.50.224.0 255.255.254.0
    object-group network MGMT_NET
    network-object 10.50.253.0 255.255.255.0
    access-list PERMIT_ANY extended permit ip any any
    access-list RemoteVPN_SPLIT standard permit 10.50.253.0 255.255.255.0
    access-list RemoteVPN_SPLIT standard permit 10.50.0.0 255.255.0.0
    access-list RemoteVPN_SPLIT standard permit 10.50.224.0 255.255.254.0
    access-list NO-NAT-VPN extended permit ip any 10.50.224.0 255.255.254.0
    access-list MGMT-2-VPN extended permit ip 10.50.253.0 255.255.255.0 10.50.224.0 255.255.254.0
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    mtu ToMGMT 1500
    ip local pool RemoteVPN_POOL 10.50.224.0-10.50.225.0 mask 255.255.254.0
    monitor-interface DMZ
    no monitor-interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (INSIDE,any) source static Inside_NETWORK_ALL Inside_NETWORK_ALL destination static Inside_NETWORK_ALL Inside_NETWORK_ALL
    nat (INSIDE,OUTSIDE) source dynamic Inside_NETWORK_ALL interface
    access-group OUTSIDE_IN in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 200.200.100.10 1
    route INSIDE 10.50.0.0 255.255.224.0 10.50.254.254 1
    route INSIDE 10.50.253.0 255.255.255.0 10.50.254.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RADIUS_COLO protocol radius
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set 3dessha-Transport esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set 3dessha-Transport mode transport
    crypto ipsec ikev1 transform-set dessha esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto dynamic-map RemoteVPN_DM 5 set ikev1 transform-set 3dessha
    crypto dynamic-map PUB_IPSEC_CLIENT 1 set ikev1 transform-set ESP-3DES-MD5
    crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic RemoteVPN_DM
    crypto map CRYPTO_MAP 2 ipsec-isakmp dynamic PUB_IPSEC_CLIENT
    crypto map CRYPTO_MAP interface OUTSIDE
    crypto isakmp identity key-id ***********
    crypto ikev1 enable OUTSIDE
    crypto ikev1 policy 65534
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    ssh 10.0.0.0 255.0.0.0 INSIDE
    ssh 10.50.253.0 255.255.255.0 ToMGMT
    ssh 10.50.224.0 255.255.254.0 ToMGMT
    ssh 10.0.0.0 255.0.0.0 ToMGMT
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access ToMGMT
    tls-proxy maximum-session 1000
    ssl trust-point localtrust OUTSIDE
    webvpn
    enable OUTSIDE
    anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    dns-server value 10.50.223.10
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteVPN_SPLIT
    address-pools value RemoteVPN_POOL
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    dns-server value 10.200.0.6
    password-storage enable
    split-tunnel-network-list value RemoteVPN_SPLIT
    group-policy IPSEC-POLICY internal
    group-policy IPSEC-POLICY attributes
    vpn-simultaneous-logins 20
    vpn-tunnel-protocol ikev1
    ip-comp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteVPN_SPLIT
    user-authentication enable
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool RemoteVPN_POOL
    default-group-policy RemoteVPN
    tunnel-group RemoteVPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias SSLVPNClient enable
    tunnel-group IPSECGROUP type remote-access
    tunnel-group IPSECGROUP general-attributes
    address-pool RemoteVPN_POOL
    default-group-policy IPSEC-POLICY
    authorization-required
    tunnel-group IPSECGROUP ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic

    Michael,
    TFTP should work through VPN; I have tested it through RA VPN. I do not see a reason why it should not work in an L2L VPN scenario.
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1498951
    In the RA VPN scenario, the client runs the TFTP server.
    In the RA VPN test scenario, the VPN client gets IP 140.40.30.15 assigned.
    asa5500fw(config)#tftp-server inside
    tftp-server 140.40.30.15 f:\
    asa5500fw(config)# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host [140.40.30.15]?
    Destination filename []? running-config
    Cryptochecksum: 67f2f1a3 c31d5a9b 0f6b1f6d 2f21766d
    26019 bytes copied in 3.460 secs (8673 bytes/sec)
    In your scenario with L2L VPN, as long as the TFTP server IP on the other side of the tunnel is part of the IPsec tunnel policy, try this below.
    tftp-server outside
    Regards

  • ASA does not propagate routes to VPN users

    Good afternoon
    I'm having an issue regarding the propagation of routes to VPN users that authenticate through the ASA tunnel-group.
    I have a VPN-Users-Pool from which my users receive their IP address, and after authentication, once the tunnel is established, the idea is for the user to get to the following networks defined in the following ACL:
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the routes specified in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from which he is receiving the IP is a class A network).
    The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.
    Here are my split tunneling settings:
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    Any ideas?
    I appreciate your help
    Best regards

    ajaychauhan
    Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc., but I think what you have below is enough to get a clear picture):
    ASA Version 8.2(1)
    hostname asa-xxxx
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 197.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/1
    nameif vpncorp
    security-level 50
    ip address 10.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    nameif mgmt
    security-level 100
    ip address 10.x.xx.xx 255.255.255.240
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zz.df.es
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 14000
    logging buffered debugging
    logging asdm debugging
    logging facility 21
    logging host mgmt 10.xx.x.x
    logging class auth trap informational
    logging class config trap informational
    logging class ha trap informational
    logging class sys trap informational
    logging class vpdn trap informational
    logging class vpn trap informational
    mtu outside 1500
    mtu vpncorp 1500
    mtu mgmt 1500
    ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
    ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
    ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
    route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
    route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server mgmtt protocol radius
    aaa-server mgmtt (mgmt) host 10.xx.x.xx
    timeout xxx
    key xxxxxxxxxx
    authentication-port xxx
    accounting-port xxxx
    aaa-server mgmtt (mgmt) host 10.xx.xx.xx
    timeout xxx
    key xxxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server Users (mgmt) host 10.xx.xx.xx
    key xxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users-2 protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server users-2 (mgmt) host 10.xx.xx.xxx
    key xxxx
    authentication-port xxx
    accounting-port xxxx
    aaa authentication ...
    aaa authentication ...
    aaa authentication ...
    aaa authorization ...
    aaa accounting ...
    aaa accounting ...
    aaa accounting ...
    snmp-server ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec security-association lifetime seconds xxx
    crypto ipsec security-association lifetime kilobytes xxx
    crypto dynamic-map vpn-ra-dyn_map 10 set ...
    crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy ...
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    crypto isakmp policy xxx
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    telnet timeout xxx
    ssh 10.x.x.x 255.255.255.255 mgmt
    ssh timeout x
    ssh version x
    console timeout x
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    default-domain value xx.xx.es
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    vpn-idle-timeout 1
    split-tunnel-policy tunnelspecified
    username ...
    username ...
    username ...
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) Users
    accounting-server-group users
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key xxxxx
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group asa type remote-access
    tunnel-group asa general-attributes
    address-pool VPN-user-pool
    authentication-server-group (outside) test
    accounting-server-group test
    tunnel-group asa ipsec-attributes
    pre-shared-key xxxx
    tunnel-group asa ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group tstvpn type remote-access
    tunnel-group tstvpn general-attributes
    authentication-server-group (outside) users-2
    accounting-server-group users-2
    default-group-policy DefaultRAGroup
    tunnel-group tstvpn ipsec-attributes
    pre-shared-key xxxx
    tunnel-group tstvpn ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum xxxx
    policy-map global_policy
    class inspection_default
      inspect xxxx
      inspect ...
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxx
    : end

  • Dynamic Routing for Failover L2L VPN

    Hi,
    Can someone offer me some guidance with this issue please?
    I've attached a simple diagram of our WAN for reference.
    Overview
    Firewall is ASA 5510 running 8.4(9)
    Core network at Head Office uses OSPF
    Static routes on ASA are redistributed into OSPF
    Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
    Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    Branch Office WAN uses BGP - Routes are redistributed into OSPF
    The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
    Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
    Backup BO router (.253) only contains a default route to internet
    Under normal operation, traffic to/from BO uses Local Branch Office WAN
    If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
    I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
    I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.
    I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
    I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
    Thanks,
    Paul

    Hi Paul,
    Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP-SLA on the ASA to push network traffic for "10.10.10.0/24" based on the echo-reply.
    Please look at the example below; it shows that the traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
    This config will go on ASA,
    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10
    (assuming 10.0.0.2 is the peering IP, i.e. the inside IP address of the router at HO)
    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
    (the value 254 is the higher cost of the route via the IPsec tunnel, and xxx.xxx.xxx.xxx is the default gateway of the ISP)
    sla monitor 99
    type echo protocol ipIcmpEcho 10.10.10.254 interface inside
    num-packets 3
    frequency 10
    sla monitor schedule 99 life forever start-time now
    track 10 rtr 99 reachability
    Let me know, if this helps.
    thanks
    Rizwan Rafeek
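    The route selection both posts turn on, as an added Python model that is not from the thread or from Cisco: an RRI-injected static route at administrative distance 1 beats the OSPF-learned route at 110, while a tracked static route on the inside is withdrawn when track 10 goes down so that the AD 254 route via the tunnel can take over. 10.10.10.0/24 and 10.0.0.2 come from the reply; 203.0.113.1 stands in for the ISP gateway, and the class and function names are assumptions of this model.

```python
"""Constructed model of ASA route selection for one prefix: longest prefix
match first, then lowest administrative distance, with tracked static routes
removed from the table while their SLA track object is down."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "10.10.10.0/24"
    interface: str                # "inside" or "outside"
    next_hop: str
    source: str                   # "static", "rri" (static injected by RRI) or "ospf"
    distance: int                 # administrative distance; lower wins
    track: Optional[int] = None   # SLA track object gating this route, if any


class RoutingTable:
    """Minimal RIB: a tracked static route is installed only while its track is up."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.track_up: Dict[int, bool] = {}

    def add(self, route: Route) -> None:
        self.routes.append(route)
        if route.track is not None:
            self.track_up.setdefault(route.track, True)

    def remove_source(self, source: str) -> None:
        """Withdraw every route from one source, e.g. OSPF when the BO WAN fails."""
        self.routes = [r for r in self.routes if r.source != source]

    def set_track(self, track: int, reachable: bool) -> None:
        """Outcome of `track <id> rtr <sla> reachability`; down removes the route."""
        self.track_up[track] = reachable

    def installed(self) -> List[Route]:
        return [r for r in self.routes
                if r.track is None or self.track_up.get(r.track, False)]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match, then lowest administrative distance."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.installed()
                   if addr in ipaddress.ip_network(r.prefix, strict=False)]
        if not matches:
            return None
        return min(matches,
                   key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                  r.distance))


def rri_scenario() -> RoutingTable:
    """Paul's case: the L2L tunnel stays up, so RRI keeps an AD 1 static route."""
    rib = RoutingTable()
    rib.add(Route("10.10.10.0/24", "inside", "10.0.0.2", "ospf", 110))     # BGP -> OSPF via BO WAN
    rib.add(Route("10.10.10.0/24", "outside", "203.0.113.1", "rri", 1))    # RRI-injected static
    rib.add(Route("0.0.0.0/0", "outside", "203.0.113.1", "static", 1))
    return rib


def tracked_scenario() -> RoutingTable:
    """Rizwan's design: tracked static (AD 1) on inside, backup static (AD 254) on outside."""
    rib = RoutingTable()
    rib.add(Route("10.10.10.0/24", "inside", "10.0.0.2", "ospf", 110))
    rib.add(Route("10.10.10.0/24", "inside", "10.0.0.2", "static", 1, track=10))
    rib.add(Route("10.10.10.0/24", "outside", "203.0.113.1", "static", 254))
    rib.add(Route("0.0.0.0/0", "outside", "203.0.113.1", "static", 1))
    return rib


def egress(rib: RoutingTable, dst: str) -> Optional[str]:
    """Return "<interface>/<source>" of the winning route, or None if unroutable."""
    route = rib.lookup(dst)
    return None if route is None else f"{route.interface}/{route.source}"


if __name__ == "__main__":
    rib = tracked_scenario()
    print("track up:            ", egress(rib, "10.10.10.5"))
    rib.set_track(10, False)
    print("track down, OSPF up: ", egress(rib, "10.10.10.5"))
    rib.remove_source("ospf")
    print("track down, OSPF gone:", egress(rib, "10.10.10.5"))
```

    The model also makes the caveat visible: with track 10 down but the OSPF route still present, AD 110 still beats the AD 254 tunnel route, so the tunnel only carries the traffic once the prefix has been withdrawn from OSPF as well.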

  • Dynamic routing alternative between ASA and edge routers?

    This is the current setup between two edge routers and an ASA 5580.  The edge routers carry approximately 9200 BGP routes with ISP A also supplying the default route.  Is there a good, i.e. has been successfully implemented, dynamic routing situation between the edge routers and ASA such that the ASA can send traffic to the particular edge router that carries the best specific route?

    Hello,
    Let's remember that the ASA was built as a high-level next-generation firewall.
    That does not mean it's not useful for routing, but here we are talking about thousands of routes. I do not think there will be a performance issue on the FW because of that; I mean you have one of the greatest Cisco firewalls (functionality- and power-wise).
    So if that's the case and you really want to do that, you will need to implement either RIP, EIGRP or OSPF on the link and then do the redistribution on the routers.
    Makes sense?
    Regards,
    Jcarvaja
    CCIE 42930

  • Dynamic Routing Gateway and ASA

    Greetings,
    We have a requirement to configure a multisite gateway and have run into an issue. According to http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx, dynamic routing gateways are not supported on the ASA platform. Does this simply mean that MS does not support this configuration or that this configuration is not possible? I cannot negotiate an IKEv2 proposal with a dynamic gateway so I fear that it isn't possible.
    Has anyone here made this work?
    Thanks in advance.

    Hello
    In the link you provided, the combination of ASA with dynamic routing says it is not compatible (it does not say not supported).
    From that I understand that it will not work.
    We have tried a few Juniper combinations in the past with static and dynamic routing that were not on the list you mention - only to find out that they indeed did not work.
    My recommendation is to stick to the supported setup.

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall multiple context mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1):
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above-mentioned dynamic routing protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • IP LAN can't access remote network through VPN

    Hello,
    I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through VPN.
    My VPN is OK, all PCs of the local network can access the remote network,
    but the ASA on the local network can't access the remote network.
    I think it's a NAT problem but ....
    local network 192.168.157.0/24, local IP ASA 192.168.157.1
    remote network 10.28.0.0/16
    remote proxy 10.28.1.26
    My config:
    ASA Version 8.2(5)
    hostname ASACTM
    enable password GC3gU8Dqv5.xJLCr encrypted
    passwd GC3gU8Dqv5.xJLCr encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.157.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 90.89.245.154 255.255.255.248
    ftp mode passive
    access-list InOutside extended permit icmp any any
    access-list outside_1_cryptomap extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 192.168.57.0 255.255.255.0
    access-list VPNRACTM_splitTunnelAcl standard permit 192.168.157.0 255.255.255.0
    access-list InInside extended permit tcp 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0 eq www
    access-list InInside extended deny tcp 192.168.157.0 255.255.255.0 any eq www
    access-list InInside extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool POOLIPVPNCTM 192.168.57.1-192.168.57.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group InInside in interface inside
    access-group InOutside in interface outside
    route outside 0.0.0.0 0.0.0.0 90.89.245.155 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.157.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 90.80.215.141
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.157.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.157.121-192.168.157.150 inside
    dhcpd dns 10.28.1.16 194.2.0.20 interface inside
    dhcpd wins 10.28.1.16 10.28.1.7 interface inside
    dhcpd domain vignes.local interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPNRACTM internal
    group-policy VPNRACTM attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNRACTM_splitTunnelAcl
    default-domain value vignes.local
    username admin password 6QiRA9AlUbU.gFTP encrypted privilege 0
    username admin attributes
    vpn-group-policy VPNRACTM
    username ICS1 password 5nDKAM1RJweYzrBO encrypted privilege 0
    username ICS1 attributes
    vpn-group-policy VPNRACTM
    tunnel-group 90.80.215.141 type ipsec-l2l
    tunnel-group 90.80.215.141 ipsec-attributes
    pre-shared-key *****
    tunnel-group VPNRACTM type remote-access
    tunnel-group VPNRACTM general-attributes
    address-pool POOLIPVPNCTM
    default-group-policy VPNRACTM
    tunnel-group VPNRACTM ipsec-attributes
    pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2c2e2223cb7d5d83af808bb0a2b2636
    : end
    thanks a lot

    What do you mean by you would like the ASA to access the proxy server at the remote end?
    What configuration/command have you configured on the ASA for the ASA itself to access the remote proxy server?
    Do you want the PC behind the ASA to access the remote proxy server, or you want the ASA itself to access the remote proxy server?
    How do you want to access the proxy server?

  • Remote access VPN with ASA 5510 using DHCP server

    Hi,
    Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
    I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
    ASA Version 8.2(5)
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.6.0.12 255.255.254.0
    ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
    route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface inside
    crypto isakmp enable inside
    crypto isakmp policy 1
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 43200
    vpn-addr-assign aaa
    vpn-addr-assign dhcp
    group-policy testgroup internal
    group-policy testgroup attributes
    dhcp-network-scope 10.6.192.1
    ipsec-udp enable
    ipsec-udp-port 10000
    username testlay password *********** encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
    default-group-policy testgroup
    dhcp-server 10.6.20.3
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *****
    I got following output when I test connect to ASA with Cisco VPN client 5.0
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
    4024 bytes copied in 3.410 secs (1341 bytes/sec)
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    [OK]
    kens-mgmt-012#
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Regards,
    Lay

    For RADIUS you need an aaa-server definition:
    aaa-server NPS-RADIUS protocol radius
    aaa-server NPS-RADIUS (inside) host 10.10.18.12
      key *****   
      authentication-port 1812
      accounting-port 1813
    and tell your tunnel-group to ask that server:
    tunnel-group VPN general-attributes
      authentication-server-group NPS-RADIUS LOCAL
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Change MTU for just one Site-to-Site VPN between ASAs?

    Hi -
    I'm setting up a Site-to-Site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362.
    Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfaces are all set at 1500.
    If not, would you recommend I set up a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to traverse through prior to hitting the VPN.
    Thank you.

    I would not worry too much about UDP traffic. I'd rather concentrate on TCP traffic because almost all of the issues will be TCP.
    Therefore, I would set the MSS value to 1362 or maybe 1300:   sysopt connection tcp-mss 1300
    That will solve most of your issues.

  • NAC VPN and ASA

    Hi
    I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
    That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
    Thanks
    Pat

    You can use a single ASA for internet access and NAC VPN.
    If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
    If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into the internal network). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
    Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
    VGW Example
    NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    Real IP example
    Integrating with Cisco VPN Concentrators
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
    Regards,
    Dan Laden

  • PE-CE Dynamic routing

    I am running PE-CE VPN routing. Now my client wants to access a particular IP which is on the internet, and the demand may increase, and he does not want to add additional static routes for this. Can we have any routing solution which can solve the purpose? Please post your comments.
    regards
    shivlu

    Hi Shivlu,
    What I understand is: this is a VPN customer and you are running a dynamic routing protocol (RIPv2/OSPF/EIGRP/BGP) as PE-CE, and the customer wants to access a specific destination address on the internet (google.com, for example). So now we are talking about how to make this route reachable through the customer VPN. I think Route Leaking in MPLS/VPN will solve your issue, but in this case you should consider the customer address space issue, i.e. how the customer private routes will talk to the internet destination; there should be a NAT device in the path to NAT the customer private addresses.
    This is a very simple URL by Cisco explaining MPLS Route Leaking:
    http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
    In this case you will add 2 static routes on your PE and redistribute them by the customer PE-CE routing protocol.
    Correct me if I didn't get your point.
    Best Regards,
    Mounir Mohamed
