LAN Pool cant communicate over L2L VPN on AdvanceSecurity IOS

Similar Messages

• MAPI latency/slowness over L2L VPN

  We recently implented an email archiving solution (Symantec Enterprise Vault) that sends the archives to a vendor across a L2L VPN on an ASA 5510.  EV apparently uses MAPI during the archive process.
  We're experencing slowness during the archive process, and the slowness seems to originate with the VPN tunnel.
  I'm reaching out to see if anyone has had any experience with MAPI over VPN or if anyone has seen a similar issue.
  The vendor is saying it's a "network issue", which I seriously doubt.
  Thanks.

  We recently implented an email archiving solution (Symantec Enterprise Vault) that sends the archives to a vendor across a L2L VPN on an ASA 5510.  EV apparently uses MAPI during the archive process.
  We're experencing slowness during the archive process, and the slowness seems to originate with the VPN tunnel.
  I'm reaching out to see if anyone has had any experience with MAPI over VPN or if anyone has seen a similar issue.
  The vendor is saying it's a "network issue", which I seriously doubt.
  Thanks.

• 6.3.5 upgrade to 7.2.2 cant connect over remote VPN client

  The device is a PIX 525 UR with v. 7.2.2 installed over 6.3.5. I have deleted all previous VPN setups and re-installed the remote vpn and client software multiple times and the VPN times out during securing the channel and comes back with a error: 412 the local client has disconnected the session. I have been using the ASDM VPN wizard to configure the VPN and upon submitting the config I recieve a warning saying the tunnel-group does not exist but then when I exit it shows up in the tunnel group and is listed in the CLI. Also in the debug logs iget the error: 3713902 Group = Eisenhower, IP = 166.214.197.X, Removing peer from peer table failed, no match!
  I would appreicate any assisance with this attached is the relevent configuration.
  Thanks,
  Scott r

  This document describes how to use the Cisco Adaptive Security Device Manager (ASDM) to configure authentication and authorization server groups on the Cisco PIX 500 Series Security Appliance. In this example, the server groups created are used by the policy of a VPN tunnel group to authenticate and authorize incoming users.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

• Very slow Windows domain login over IPSec VPN

  Hi
  I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
  I made some registery changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or somethin like that. I already changed the clients MTU settings to 1000 byes, but login is still very slow. I made some sniffer logs...
  Does anybody know what the problem can be ?
  Regards
  Remco

  Hi Remco,
  The most common issue with slowness over VPN is going to be fragementation. In general below are the recommendations to avoid fragmentation
  1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
  If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
  Also take a look at the below article for MTU Issues
  http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
  Thanks,
  Naman

• HA between Dedicated T1 and L2L VPN

  I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
  We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
  What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail. I had mentioned changing the metrics but this will not identify a problem on the line should the customers ethernet link goe down.
  Feel free to include an ideas that would use routing protocols.

  I had to revisit this configuration. I had decided since we are not going to use a routing protocol that a floating route between the T1 router and VPN is the best solution. although this should work if the router or Ethernet of the router goes down it should fail if the the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
  But it is not failing?
  I have attached a diagram.

• Public-to-Public L2L VPN no return traffic

  Hello all,
  I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
  Local Network - 10.10.9.0/24
  Remote Network - 20.20.41.0/24
  Remote Peer - 20.20.60.193
  ASA Version 8.2(5)
  hostname ciscoasa
  domain-name
  names
  name 10.10.9.3 VPN description VPN Server
  name 10.10.9.4 IntranetMySQL description MySQL For Webserver
  name 192.168.0.100 IIS_Webserver
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.9.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 71.***.***.162 255.255.255.0
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.0.254 255.255.255.0
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 10.10.9.1
    domain-name
  same-security-traffic permit inter-interface
  object-group service VPN_TCP
  description VPN TCP Connection
  service-object tcp eq 1195
  object-group service VPN_UDP
  description VPN UDP Port
  service-object udp eq 1194
  object-group service VPN_HTTPS
  description VPN HTTPS Web Server
  service-object tcp eq 943
  service-object udp eq 943
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service WebServer
  service-object tcp eq 8001
  object-group service DM_INLINE_SERVICE_1
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service VPN_HTTPS_UDP udp
  port-object eq 943
  object-group service WCF_WebService tcp
  port-object eq 808
  object-group service RDP tcp
  port-object eq 3389
  object-group service RDP_UDP udp
  port-object eq 3389
  object-group service DM_INLINE_SERVICE_2
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service *_Apache tcp
  port-object eq 8001
  object-group service *_ApacheUDP udp
  port-object eq 8001
  object-group service IIS_SQL_Server tcp
  port-object eq 1433
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group service File_Sharing tcp
  port-object eq 445
  object-group service File_Sharing_UDP udp
  port-object eq 445
  object-group service MySQL tcp
  port-object eq 3306
  object-group service Http_Claims_Portal tcp
  port-object eq 8080
  object-group service Http_Claims_PortalUDP udp
  port-object eq 8080
  object-group service RTR_Portal tcp
    description Real Time Rating Portal
  port-object eq 8081
  object-group service RTR_PortalUDP udp
  port-object eq 8081
  object-group service DM_INLINE_SERVICE_3
  service-object tcp-udp eq www
  service-object tcp eq https
  access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
  access-list outside_access_in extended permit tcp any any eq 1195
  access-list outside_access_in extended permit object-group VPN_HTTPS any any
  access-list outside_access_in extended permit tcp any interface outside eq 943
  access-list outside_access_in extended permit tcp any any eq 8001
  access-list inside_access_in extended permit tcp any any
  access-list outside_access_in_1 extended permit tcp any interface outside eq 943
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
  access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
  access-list outside_access_in_2 extended permit icmp any any
  access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
  access-list outside_access_in_2 remark VPN TCP Ports
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
  access-list outside_access_in_2 remark Palm Insure Apache Server
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
  access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
  access-list outside_access_in_2 remark RTR Access rule for internal VMs
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
  access-list inside_access_in_1 extended permit object-group TCPUDP any any
  access-list inside_access_in_1 extended permit icmp any any
  access-list inside_access_in_1 extended permit esp any any
  access-list inside_access_in_1 extended permit udp any any eq isakmp
  access-list dmz_access_in extended permit ip any any
  access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
  access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
  access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
  access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
  access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  global (dmz) 1 interface
  nat (inside) 1 10.10.9.0 255.255.255.0
  static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
  static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
  static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
  static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
  static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
  static (inside,outside) interface  access-list inside_nat_static
  access-group inside_access_in_1 in interface inside
  access-group outside_access_in_2 in interface outside
  access-group dmz_access_in_1 in interface dmz
  route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.10.9.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 20.20.60.193
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map 1 set reverse-route
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 10.10.9.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 20.20.60.193 type ipsec-l2l
  tunnel-group 20.20.60.193 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous

  Hi,
  If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
  static (inside,outside) interface  access-list inside_nat_static
  This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
  Did you try the connectivity without the "static" configuration?
  For ICMP testing I would add the command
  fixup protocol icmp
  or
  policy-map global_policy
    class inspection_default
     inspect icmp
  Should do the same thing
  - Jouni

• Controlling Traffic Over SA520 VPN

  Hi
  We have a site to site VPN between a satellite site and a customer.  Both ends are running SA520s.
  Is there any way to limit the traffic that is allowed to pass over the VPN?  Previously on PIXs and ASAs we've disabled the option to allow all traffic and then used ACLs but I can see a similar way to do this on the SA520.
  Ideally, we'd like to make the VPN one way so we have full access to the customer site but they have no access back to our office.
  Thanks
  Joe

  Hi Joe, thank you for using our forum, my name is Luis I am part of the Small business Support community. In this case you could set an ACL in order to restrict the access from the remote client to your LAN, bellow I will share an article, please follow those steps and if you have any question please let me know.
  IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance
  I hope you find this answer useful
  Greetings,
  Luis Arias.
  Cisco Network Support Engineer.

• 2811:connecting two ASA5505 l2l VPN's

  Hello,
  We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
  I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
  A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
  Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
  Thanks,
  Jason

  Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
  The original, VPN1 is still connected though.
  I've varified the preshared keys on both ends match.
  Here's an error from the debug of the second ASA, VPN2
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  As far as the ASA configs, everything is the exactly the same, except;
  NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
  I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_2
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_3
  network-object 192.168.27.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  Working ASA VPN1  - not sure exactly how the bolded line works
  no crypto isakmp nat-traversal
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  HQ 2811 -----------------------------------------------------------------------
  Hope I included enough of the router config. Again, VPN1 is working.
  crypto isakmp key VPN1PW address 99.x.x.x
  crypto isakmp key VPN2PW address 108.x.x.x
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec df-bit clear
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to 99.x.x.x VPN1
  set peer 99.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 103
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to 108.x.x.x VPN2
  set peer 108.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 105
  ****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
  class-map type inspect match-all sdm-nat-user-protocol--2-1
  match access-group 105
  match protocol user-protocol--2
  interface FastEthernet0/1
  description T1 to  Internet$FW_OUTSIDE$
  ip address 64.x.x.x 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1

• L2L VPN Decrypted Traffic Not Exiting ASA

  Hi,
  I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
  Here is the remote ASAs config:
  GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
  Here is the ipsec sa stats
  Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
  With a dump on the dev_1 interface
  capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
  With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
  Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
  Thanks
  James

  Hi Javier,
  Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
  l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
  This is the same result from another site that has an L2L VPN configured.
  ASP drop capture to follow...

• L2L VPN Access-list crypto-interesting

  Hi Everyone,I have a question.
  I have ASA1 and ASA2 connected over a private IP cloud and two hosts behind each of the ASAs.
  The tunnel is up and I can ping from host1 which is behind ASA1 host2 which is behind ASA2 over the VPN tunnel.
  When I do show crypto ipsec sa on ASA2 I see
  #pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
        #pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
  and they are increasing, with every ping I send from host1 to host2. But when I do sh access-list cryptointeresting which defines my crypto interesting traffic on ASA2 I don't see increasing hits with every ping I send from host1 which is behind ASA1.
  The question is if I am supposed to see crtyptointeresting access-list hits increasing on ASA2, when I ping host2(behind ASA2) from host1 which is behind ASA1 on the other end.
  Thanks

  Hi my friend.
  When you ping from ASA1 to ASA2 you will not see hitcounts on the ACL from ASA2. That happens because for the hitcount number to increase the traffic must match the direction defined on the ACL.
  Basically when you ping from ASA1 to ASA2 the traffic doesnt match the direction of the crypto ACL on ASA 2 (which is defined from ASA2 LAN to ASA1 LAN) therefore it doesnt count as a hit.
  You do see packets decrypted and decapsualated because the traffic matched the conditions previously negotiated for the VPN Tunnel, then the traffic gets encryped and sent thru the tunnel.
  I hope this clarifies your questions.
  BTW sorry I didnt get back to you on your second NAT post, I see that Varun gave you a great answer .
  Have fun!
  Raga

• Troubleshooting RPC issue over ASA VPN

  Hello,
  I have a IPSec VPN Tunnel between my corporate data center and a satellite service provider.  I also have 2 trucks, A & B, with networks on them.  These truck networks communicate via satellite to the provider base station, and then across the VPN tunnel to our corp. data center.  The A & B truck networks each have a Windows Domain Controller that communicates to our DCs in the data center, for Active Directory replication.  They are using RPC for this.
  Both truck networks and servers were tested and worked perfectly when first tested and deployed.
  ASA 5510 running IOS ver 8.2(1)
  About a month ago, truck B lost it's ability to communicate via RPC to the DCs in the data center.  Nothing has changed on the network on my side as well as the satellite provider side.  I've looked through my VPN logs and firewall logs, but don't see anything that indicates a probable cause.  There is no evidence of requests being denied on my firewall, and the VPN ACLS.
  The one strange thing I've noticed when doing some tests is that I don't see interesting traffic hitting the ACL on the ASA when trying to PING or traceroute from the truck B server, or when the RPC request is being run.  BTW, the truck B server can PING and traceroute over the VPN tunnel to servers in the data center just fine.  And the reverse it also true. Just the RPC doesn't work.
  Here's the RPC error output:
  NtFrsApi Version Information
     NtFrsApi Major      : 0
     NtFrsApi  Minor      : 0
     NtFrsApi Compiled on: Feb 16 2007 20:10:33
  ERROR -  Cannot RPC to computer, odyssey; 00000721 (1825)
  Below is a traceroute from the truck B server to the data center server.  Notice the multiple entries for server accord?
  I seem to remember that this kind of behavior occurs whent an IP Address is being Natted.  Is that correct?
  Any suggestions are greatly appreciated.

  Thanks Pranesh,
  I haven't checked IPsec tunnel but I assumed that since I get successful connection to the VPN tunnel, the tunnel is up.  I have very limited knowledge about this; still learning the basics for CCNA certification.    The wiered thing is when I swap out ASA-5505 with home netgear router (at home), I don't have any problem accessing inside network at the temple.  Therefore, my assumption is something is wrong on my ASA-5505 config at home (the confg is pasted in intitial post.).  Please advise.
  Again thank yo so much for your help.

• How can I see shared review comments in a PDF when connected to a SharePoint server over a VPN?

  I am using Acrobat Pro XI on Windows 7.
  When I issue a shared review, hosted on our work SharePoint server, I always encounter problems when accessing my work network from home, over a VPN. My comments do not get published, and I cannot see comments that reviewers have published.
  I issue the review PDF as an attachment when I open the review, and all reviewers save a local copy of this file. When I open the PDF, the "Welcome back to shared review..." screen is never updated with the number of comments. The server status always seems to show green, but the comment reporting mechanisms do not behave as they do at work. When I click Publish comments, I am usually asked if I wish to take ownership of unpublished comments by other reviewers (to which I click No). When I return to the office, everything seems to "just work" again. But this is hugely inconvenient if I am out of office for days on end.
  I had this problem with my previous version of Acrobat, and no satisfactory solution was ever reached. I am most dismayed to find it is still present in version XI.
  Please can anyone advise?

  I don't know if you solved this issue yet. But we have the same issue in the pass, and clean the log files under "\Synchronizer\resources\" folder seems to be a solution. Here is the thread talking about it.
  https://forums.adobe.com/thread/1426298?start=0&tstart=0

• L2L VPN Issue - one subnet not reachable

  Hi Folks,
  I have a strange issue with a new VPN connection and would appreciate any help.
  I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
  I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
  VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
  VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in  this subnet should be able to access the same 2 subnets on my network - DMZ 211  (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
  There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
  Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
  There is a route to both customer subnets via the same next hop.
  There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
  I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
  Here is the relevant vpn configuration:
  crypto map MY_CRYPTO_MAP 90 match address VPN_2
  crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
  crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP 100 match address VPN_1
  crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
  crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP interface isp
  ASA# sh access-list VPN_2
  access-list VPN_2; 6 elements; name hash: 0xa902d2f4
  access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
    access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
    access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
    access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
  ASA# sh access-list VPN_1
  access-list VPN_1; 3 elements; name hash: 0x30168cce
  access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
  access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
  access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
  nat (dmz144) 0 access-list nonatdmz144
  nat (dmz211) 0 access-list nonatdmz211
  ASA# sh access-list nonatdmz144
  access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
  access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
  access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
  access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
  access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
  access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
  ASA# sh access-list nonatdmz211 | in 192.168\.1\.
  access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
  ASA# sh access-list nonatdmz211 | in 10.2.1.
  access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
  route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
  route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
  Thanks in advance to anyone who gets this far!

  Darragh
  Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
  It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
  Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
  HTH
  Rick

• Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

  Hi Everyone,
                     I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
  So for example both servers will have the name Server01, one would have an ip address of 192.168.85.5, the other 192.168.86.5, they both then would be connected over a VPN.
  Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
  Many thanks,
  Nick

  Hi Larry & Strike First,
                    Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed
  & are asking if they can speak to each office internally, which can easily be done once I setup the VPN.
  However I noticed whilst looking at this further that the Server names are the same, hence my question?
  Am I right in saying that providing the workstations  have a trust relationship with their own domain controllers through their individual domains on separate subnets, that hopefully there shouldn't be any DNS issues between the two domains and Servers?
  I could build a new VM if you feel it would be better practice to do so?
  Many thanks for your assistance,
  Nick

• Can't get Apple watch and iPhone 5S to communicate over wifi.  Any suggestions?

  one feature of the watch I'm very interested in is the ability for it to communicate over wifi to my phone.  Put the phone down or be charging it in another room and still use the watch. So far it works fine Bluetooth but I haven't had any success wifi.  Phone is definitely connected wifi.  i don't see any options on the watch or watch app on the phone that would address this .  Anyone have any ideas?

  According to this:
  https://support.apple.com/kb/PH20767
  If your Apple Watch and iPhone are on the same network but aren’t connected by Bluetooth, you can also do the following on Apple Watch without iPhone:
  Send and receive messages using iMessage
  Send and receive Digital Touch messages
  Use Siri
  It implies you should get iMessage but not email.