Failover option(s) for remote site VPN

Currently, I have several remote VPN locations, in which most of them of ISDN dial backup in case the primary connection goes down. Can I use DSL/T1 circuit as a failover/dial backup link? If so, please point me to the right direction in finding documentations. Thank you.

As per your config, I guess you are referring to the VPN connectivity with Peer IP 166.149.125.81.
If yes than you have missed the other subnets of main site in the ACL outside_cryptomap_1
which have been mapped in the VPN with this Peer.
object-group network DM_INLINE_NETWORK_2
under this statement match the network-object with the subnets at main site that needs communication with the subnet 192.168.90.x/24 at remote site (same as you have done for 192.168.0.0/24 subnet)and vice versa.
BR
Please rate if this solve your problem.

Similar Messages

  • Internet connexion problem for remote site in Site to site VPN asa 5505

    Hi all
    I'm configuring a site to site Ipsec VPN in 2 sites using ASA 5505 V 8.2, The VPN is working fine i can ping machine in the 2 sides but the problem is the remote site dont' have internet.
    The architecture is, we 2 site Site1 is the main site and Site2 is secondary site there will be Site3, ...
    The internet connection is based in Site1 and site2 and site 3 will have internet connection through Site1. Site1, Site2 and Site 3 is interconnected by Ipsec VPN.
    Here is my ASA 5505 Configuration :
    SITE 1:
    ASA Version 8.2(5)
    hostname test-malabo
    domain-name test.mg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd ta.qizy4R//ChqQH encrypted
    names
    interface Ethernet0/0
     description "Sortie Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "Interconnexion"
     switchport access vlan 171
    interface Ethernet0/2
     description "management"
     switchport access vlan 10
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 41.79.49.42 255.255.255.192
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.100 255.255.0.0
    interface Vlan171
     nameif interco
     security-level 0
     ip address 10.22.19.254 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.mg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    mtu interco 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    icmp permit any interco
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (interco) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
    route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map interco_map0 1 match address interco_1_cryptomap
    crypto map interco_map0 1 set pfs group1
    crypto map interco_map0 1 set peer 10.22.19.5
    crypto map interco_map0 1 set transform-set ESP-3DES-SHA
    crypto map interco_map0 interface interco
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto isakmp enable interco
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access interco
    dhcpd option 3 ip 192.168.1.1
    dhcpd address 192.168.1.100-192.168.1.254 inside
    dhcpd dns 41.79.48.66 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.5 type ipsec-l2l
    tunnel-group 10.22.19.5 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect snmp
      inspect icmp
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
    : end
    SITE2:
    ASA Version 8.2(5)
    hostname test-luba
    domain-name test.eg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     description "Sortie Interco-Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "management"
     switchport access vlan 10
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.22.19.5 255.255.255.0
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.101 255.255.0.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.eg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
    route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_1_cryptomap
    crypto map outside_map0 1 set pfs group1
    crypto map outside_map0 1 set peer 10.22.19.254
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.3.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.254 type ipsec-l2l
    tunnel-group 10.22.19.254 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
    Can anybody help why my remote site can't connect to Internet.
    REgards,
    Raitsarevo

    Hi Carv,
    Thanks for your reply. i have done finally
    i used no crypto ipsec nat-transparency udp-encapsulation in my end router only.
    and in remote access VPN i have enabled UDP for client configuration. the most imprtant is i have given IP add of same LAN pool to VPN user,
    Regards,
    Satya.M

  • Unity Message Monitoring No Audio For Remote Site IP Phones

    I have Unity Message Monitoring running on a Unity 7.0 server and it works fine with IP Phones located at the same site via G.711. It also works fine with Remote Message Monitoring phones (Cell Phones configured via Message Notification Device Phone 6). But it does not work with IP Phones at remote sites via G.729. The Unity server is configured to support G.711 and G.729 and I'm not sure if my problem has anything to do with Codecs. The reason being is because the Remote Message Monitoring to cell phones is working fine and we send in all external calls from the PSTN to Unity as G.729 via our SIP Trunk and the Remote Message Monitoring media stream going out to the cell phone is G.729 with no Transcoding resource being used.
    Is anyone else having problems with Message Monitoring to IP Phones at remote sites that normally use G.729 for WAN based calls? If not, do you have your Unity setup to run G.711 and G.729 or do you have it set to G.711 only and use a MRGL with a Transcoding resource?
    Thank You,
    Mike Shelley

    Hi.
    This is a normal behaviour, because RTP between endpoints is end to end and IP phone of remote user A should be able to reach ip phone user B directly.
    This means that you should have two options:
    - VPN from user A to HQ should include User B subnet in SA association and vice versa.
    - A direct VPN between user A and user B
    HTH
    Regards
    Carlo
    Please rate all helpful posts
    "The more you help the more you learn"

  • NAT for remote access VPN clients

    Hello,
    I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
    The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
    I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
    Thanks.

    Have a look here for solution
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
    Regards

  • Manually editing NetworkConfig.xml for multi-site VPN

    I'm designing a network comprised of on-premise, Azure East US VNet and Azure North Central US VNet. East will be my production VNet and North Central will be backup/dev. I want them routed together as well and accessible via on premise-VPN with RRAS and
    using point-to-site. I have successfully made all these connections individually in test scenarios but never simultaneously as the portal only has one field for a site-to-site VPN and this scenario requires two.
    I understand it's possible to create this design by editing the NetworkConfig.xml file. However, it's confusing to me why even when making small or no edits to the NetworkConfig.xml file the portal tells me my existing networks will be deleted and re-created.
    Does that take out my gateway IPs, etc as well? If so, I'll have to re-enter all the new IPs in RRAS and basically start from scratch. I have a few test VMs in each VNet as well to test connectivity between sites. I'm guessing those would have to go too or
    the VNets wouldn't be able to be deleted in the first place.
    Also, an unrelated static network that I make no changes to in the xml file says it will be updated when I upload even an unchanged NetworkConfig.xml. This is concerning as it's hard to know what downtime and issues I'm going to cause if I save the new file.
    Any tips would be appreciated. My sense is you have to have your whole design in your head first, get it into the NetworkConfig.xml and then move forward with creating the gateways and entering your IPs into RRAS or whatever your VPN tool my be. Being able
    to edit existing VNets, specifically adding additional site-to-site VPNs after they are in use would really be helpful. Perhaps this is possible and I'm missing something.

    Hi,
    Firstly, you need to delete the gateway and all resources in the virtual network before you delete it.
    In addition, based on my experience, you just need to add the local network sites parts into the network configuration file for a multi-site VPN connection. If you are afraid that the virtual
    network configuration would be wrong after importing, I recommend you to keep the previous network configuration file as a backup. In addition, I am glad to help you with the network configuration file, you can also share me the whole network configuration
    file and tell me some more detailed information about your requirement. (Please hide the Public IP addresses for your VPN gateways and VPN device.)
    Meanwhile, you can also refer to the link below for reference:
    https://msdn.microsoft.com/en-us/library/azure/dn690124.aspx
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Cisco ASA 5510 site to site VPN only

    Hi,
    Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

    Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
    So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
    As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

  • Remote Access VPN strange behavior

    Hello all,
    I have a problem with remote access VPN on a ASA5505 (8.2).
    I can establish a VPN connection and can ping the ASA, but nothing else on the network! Not only ping isn't working, I've also tried RDP, HTTP, and file access.
    Additionally there is a site-to-site VPN to this ASA, which is working perfectly.
    I have another ASA5505 which is almost configured the same and there it's working, so I really don't know where the problem is.
    I hope you guys can help me!
    Many thanks in advance!
    Here's my config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(1)
    hostname Shanghai
    domain-name *******.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.20.18.0 network-vpnclient
    name 172.20.16.8 SHDC01
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.20.16.1 255.255.248.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address ***.***.***.62 255.255.255.252
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone SGT 8
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 172.20.16.1
     domain-name *****.local
    same-security-traffic permit inter-interface
    access-list nonat extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
    access-list nonat extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
    access-list split_tunnel standard permit 172.20.16.0 255.255.248.0
    access-list acl-in extended permit icmp any any
    access-list acl-in extended permit tcp any host ***.***.***.190 eq h323
    access-list VPN_acl extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool client-vpn 172.20.18.1-172.20.18.254 mask 255.255.248.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 172.20.16.0 255.255.248.0
    static (inside,outside) tcp interface h323 192.168.0.250 h323 netmask 255.255.255.255
    access-group acl-in in interface outside
    route outside 0.0.0.0 0.0.0.0 ***.***.***.61 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ActiveDirectory protocol ldap
    aaa-server ActiveDirectory (inside) host SHDC01
     server-port 3268
     ldap-base-dn DC=*****,DC=local
     ldap-scope subtree
     ldap-login-password *
     ldap-login-dn CN=Administrator,CN=Users,DC=lap-laser,DC=local
     server-type microsoft
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 172.20.0.0 255.255.248.0 inside
    http 172.20.16.0 255.255.248.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp inside
    crypto ipsec transform-set laplaserset esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 20 set transform-set laplaserset
    crypto map laplasermap 1 match address outside_cryptomap
    crypto map laplasermap 1 set pfs group5
    crypto map laplasermap 1 set peer **.***.***.51
    crypto map laplasermap 1 set transform-set ESP-AES-256-SHA
    crypto map laplasermap 65535 ipsec-isakmp dynamic dynmap
    crypto map laplasermap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 11
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd address 172.20.16.50-172.20.17.1 inside
    dhcpd dns SHDC01 interface inside
    dhcpd option 3 ip 172.20.16.1 interface inside
    dhcpd enable inside
    vpnclient vpngroup lapserver password ********
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    group-policy user-vpn internal
    group-policy user-vpn attributes
     wins-server value 172.20.16.8
     dns-server value 172.20.16.8
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel
     default-domain value *****.local
    username admin password VQiqjZZuUSQOWz6. encrypted
    username adminlogin password qZwgnR/XebVbOZxI encrypted
    tunnel-group connection2 type ipsec-l2l
    tunnel-group connection2 ipsec-attributes
     pre-shared-key *
    tunnel-group **.***.***.51 type ipsec-l2l
    tunnel-group **.***.***.51 ipsec-attributes
     pre-shared-key *
    tunnel-group user-vpn type remote-access
    tunnel-group user-vpn general-attributes
     address-pool client-vpn
     authentication-server-group ActiveDirectory
     default-group-policy user-vpn
     dhcp-server 172.20.16.1
    tunnel-group user-vpn ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect dns preset_dns_map
      inspect http
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bc5e7b4ca01a2227885487ab3520ea9c
    : end

    I note in your config that the pool of addresses for remote access VPN is a group of addresses included within the range of addresses on the inside interface. I have seen situations where this caused problems and so have a couple of suggestions:
    - do the devices connected on the inside network have routes to the vpn pool of addresses?
    - if you change the vpn address pool to use addresses that do not overlap with your inside network, does the behavior change?
    HTH
    Rick

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which is the Series of CISCO ASA device you are using?
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
    I hope that this information is helpful
    Thanks,
    Syed Irfan Hussain

  • Remote access vpn clients, access to Internet resources

    Hello, we currently have a remote access vpn set up terminating on an ASA 5520.  Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135.  We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
    I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
    running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed.  RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
    Action: drop
    Drop-reason: (ipsec-spoof) IPSEC Spoof detected
    To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users.  It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
    Anyone have any ideas?

    I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
    nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
    global (outside) 1 interface

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
    (Does azure support 9.x version of asa?)
    How can i fix it?

    Hi,
    As of now, we do not have any scripts for Cisco ASA 9x series.
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
    demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration
    file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
    According to the
    Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList>
    extended permit ip object-group
    <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork>
    <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
    <RP_AzureNetwork>
    Based on my experience, to establish
    IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
    VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
    compatible for dynamic routing, please make sure that you chose the static routing.
    Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • Remote access Vpn issue

    Dear All,
    I have configured remote access vpn without using split tunnel.Everything is working fine.I can access all the inside network which is allowed in acl.
    I am facing strange issue now. I have created a pool for remote access vpn with a range 192.168.5.8/29.I can access my internal subnets 10.10.0.0/16.
    I have below acess-list for acl-in.
    access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
    object-group network vpnclients
    network-object host 10.110.100.26
    network-object host 10.106.100.15
    network-object host 10.10.10.6
    network-object host 10.10.20.82
    network-object host 10.110.100.48
    network-object host 10.10.20.53
    network-object host 10.10.20.54
    network-object host 10.60.100.1
    network-object host 10.10.10.75
    network-object host 10.10.20.100
    network-object host 10.10.130.136
    network-object host 10.106.100.16
    network-object host 10.106.100.9
    network-object host 10.170.100.1
    network-object host 10.170.100.2
    network-object host 10.170.100.21
    network-object host 10.101.100.20
    network-object host 10.170.100.25
    So whichever IPs i have called in vpnclient group is able to access via RA vpn.Issue is when i try to access internal network of 192.168.198.0/24, i am able to access it without adding in vpnclient group. Even for 192.168.197.0/24,192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding in vpnclient group. Any one has face this issue before. Is this because of same network i mean 192.168.0.0 something like that.There is no other staement in acl-in for 192.168.0.0
    Regards
    -Danesh Ahammad

    Hi,
    If i read correctly you made the RA vpn "without"  split tunnel, correct? if that is the case, all of the traffic will traverse the vpn connection (tunnel all) , the access-list "acl-in" is of no use to it.
    try converting it to use split tunnel, i am sure that way you can not access resources that are not mentioned in the list.
    ~Harry

  • Remote Access VPN Users with CX Active Authentication.

    I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
    The CX version we have is 9.3.1.1

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

    Hi Experts ,
    Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
    how about internet traffic for Guest SSID , which one will be recommanded :
    1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
    2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
    Thanks

    Hi George ,
    Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
    how about if I have another anchor controller in lets say in other  office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
    Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

  • Vpn config for shrew soft vpn client

    I wonder whether I am the only one having these problems.
    I can't connect with my windows 7 home premium to Lion server vpn.
    I can connect with it through my iphone, so the server works.
    Since I am unable to change any security policy stuff I downloaded shrew soft vpn client.
    But I can't find any documentation which settings the mac vpn system uses for the connection.
    Hope someone can help me

    Here is a sample configuration for Remote access VPN using Cisco IPSec VPN Client:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

  • Best solution for managing 50 remote sites via cisco vpn

    At the moment my support organisation use the cisco vpn client on their windows pc's to provide remote support to our customers. I want to know if there is a solution from cisco that would support nialing up the 30 connections all the time without having to use clients on individual pc's. I know there will be issues because some of the sites will have conflicting lan ip address ranges. We would like to offer improved support to our customers for example using nagios to monitor their servers but this is not possible if vpn connection if not nialled up.
    Please help with the best solution.

    L2L vpns solution is suitable for your scenario, depending on your traffic load for each site u would have to do assesment on that, any asa5510 or higher in an active/standby architecture with stateful failover sure can do the job. As for conflicting LAN ips there is ways to work around that by using NAT or Policy NAT.
    ASA product line
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Perhaps for monitoring/managing Ipsec tunels CSM Cisco Security manager
    http://www.cisco.com/en/US/products/ps6498/index.html

Maybe you are looking for

  • Report for update of Material with deletion Flag from R/3 to SRM

    Hi All,            Is any report for Updating material in SRM with deletion indicator for those  deletion flag set in R/3...

  • Is there a simple way to retrieve the data from a resultset using JavaBean?

    I have a result set from a select * from users where userid = xxx statement. However, at the moment I have had to hard code the remainder of the code to get the data from each column as I need the column name as well as its data. I had read somewhere

  • Missing draft folder in mac mail

    My draft folders in my mac mail seem to have disappeared.  I have three email accounts and they all are missing.  How do I find them?

  • Anyone successfully used mirrormount on Solaris 10 5/08?

    Hi All, Sun claimed that Solaris 10 5/08 support mirrormounts on nfs4 client. However, I cannot make it work. I tried the same think on Redhat Linux 4 and it works fine. Can anybody tell me how to enable mirrormount support on Solaris 10? Thanks, cm

  • PDF Optimizer Settings

    Hi Group! Hope some one can help! I received a file from one of our printers with customized settings to the PDF Optimizer window under the Advanced menu in Acrobat 8 for Mac. I don't know where, for the life of me, to put this file so that when I op