2811:connecting two ASA5505 l2l VPN's

Hello,
We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
Thanks,
Jason

Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but I'm not sure why it won't stay connected.
The original, VPN1, is still connected though.
I've verified the preshared keys on both ends match.
Here's an error from the debug of the second ASA, VPN2:
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
As far as the ASA configs go, everything is exactly the same, except:
NEW ASA VPN2 - both ASAs have object groups 1 & 2, containing other IPs of the HQ site. The IPs listed here are of VPN1's local LAN.
I imagine I will need to add VPN2's local IP to VPN1's config for object groups 1 & 2, but I don't think that is the reason this won't connect to HQ.
object-group network DM_INLINE_NETWORK_1
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.27.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
Working ASA VPN1 - not sure exactly how the bolded line works
no crypto isakmp nat-traversal
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
HQ 2811 -----------------------------------------------------------------------
Hope I included enough of the router config. Again, VPN1 is working.
crypto isakmp key VPN1PW address 99.x.x.x
crypto isakmp key VPN2PW address 108.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 99.x.x.x VPN1
set peer 99.x.x.x
set transform-set ESP-AES-128-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 108.x.x.x VPN2
set peer 108.x.x.x
set transform-set ESP-AES-128-SHA
match address 105
****** This next section I don't recall typing in, but it refers to access-group 105, but 105 was newly created for the new VPN2. I did not find a corresponding command for access-group 103; 105 is a copy of 103, except each one includes the other's local LAN too.
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
interface FastEthernet0/1
description T1 to  Internet$FW_OUTSIDE$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
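As an added example (not the poster's config or any Cisco tool), the Python script below runs the two checks a practitioner would make on a crypto map like SDM_CMAP_1 above: it parses IOS wildcard-mask and ASA netmask crypto ACLs, verifies that each entry is mirrored exactly on the peer (a proxy-ID mismatch is one of the common causes of the 'QM FSM error' seen in the IKEv1 debug), and flags overlapping entries between sequences 1 and 2 of the same map, where the lower sequence always wins. The contents of ACLs 103/105 and of the ASA-side crypto ACLs are assumptions constructed around the subnets in the post.

```python
"""Added example for this thread (not the poster's config): check the
proxy IDs behind several 'crypto map SDM_CMAP_1 <seq>' entries sharing
one outside interface. Two things silently break a second tunnel:
  1. the local 'match address' ACL is not the exact mirror of the peer's
     crypto ACL, which IKEv1 commonly reports as 'QM FSM error' in Phase 2;
  2. two sequences of the same map match overlapping traffic, so the
     lowest sequence claims the flow and the other tunnel never sees it.
The ACL contents below are constructed around the subnets in the post;
the page shows the map entries but not ACLs 103/105 or the ASA side.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class ProxyId:
    """One 'permit ip SRC DST' entry of a crypto ACL, as IKEv1 Phase 2 sees it."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self):
        return ProxyId(self.dst, self.src)

    def overlaps(self, other):
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst)


def _take_net(toks, i, style):
    """Consume one address term ('any', 'host A' or 'A MASK') at toks[i]."""
    t = toks[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    mask = int(ipaddress.IPv4Address(toks[i + 1]))
    if style == "ios":
        mask ^= 0xFFFFFFFF  # IOS ACLs carry wildcard masks; ASA ACLs carry netmasks
    net = ipaddress.IPv4Network((t, str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_acl(text, style):
    """Return the ProxyIds permitted by a crypto ACL; style is 'ios' or 'asa'.
    Remarks, deny lines and non-'ip' entries are ignored."""
    ids = []
    for line in text.strip().splitlines():
        toks = line.split()
        if "permit" not in toks:
            continue
        i = toks.index("permit") + 1
        if i >= len(toks) or toks[i] != "ip":
            continue
        src, i = _take_net(toks, i + 1, style)
        dst, i = _take_net(toks, i, style)
        ids.append(ProxyId(src, dst))
    return ids


def mirror_mismatches(local_ids, remote_ids):
    """Local entries the peer does not carry reversed. IKEv1 quick mode needs
    an exact match; a peer entry that is merely wider or narrower still fails."""
    remote = set(remote_ids)
    return [p for p in local_ids if p.mirror() not in remote]


def shadowed_flows(crypto_map):
    """crypto_map: list of (seq, peer, proxy_ids). Returns (low_seq, high_seq, a, b)
    for overlapping entries in different sequences; the lower sequence wins."""
    found = []
    entries = sorted(crypto_map, key=lambda e: e[0])
    for (s1, _, ids1), (s2, _, ids2) in combinations(entries, 2):
        found += [(s1, s2, a, b) for a in ids1 for b in ids2 if a.overlaps(b)]
    return found


# Constructed sample data modelled on the post's subnets (HQ, VPN1 LAN, VPN2 LAN).
HQ, LAN1, LAN2 = "192.168.1.0", "192.168.26.0", "192.168.27.0"
ACL_103 = f"permit ip {HQ} 0.0.0.255 {LAN1} 0.0.0.255"
# 105 was described as a copy of 103 plus VPN2's LAN: the copied line overlaps
# sequence 1 and is shadowed by it.
ACL_105 = f"permit ip {HQ} 0.0.0.255 {LAN2} 0.0.0.255\npermit ip {HQ} 0.0.0.255 {LAN1} 0.0.0.255"
ASA_VPN1_ACL = f"access-list outside_cryptomap extended permit ip {LAN1} 255.255.255.0 {HQ} 255.255.255.0"
ASA_VPN2_ACL = (f"access-list outside_cryptomap extended permit ip {LAN2} 255.255.255.0 {HQ} 255.255.255.0\n"
                f"access-list outside_cryptomap extended permit ip {LAN2} 255.255.255.0 {LAN1} 255.255.255.0")
HQ_CRYPTO_MAP = [(1, "99.x.x.x", parse_acl(ACL_103, "ios")),
                 (2, "108.x.x.x", parse_acl(ACL_105, "ios"))]


def report():
    """Run both checks against the sample data and return the findings."""
    return {
        "vpn1_mismatch": mirror_mismatches(parse_acl(ACL_103, "ios"), parse_acl(ASA_VPN1_ACL, "asa")),
        "vpn2_local_mismatch": mirror_mismatches(parse_acl(ACL_105, "ios"), parse_acl(ASA_VPN2_ACL, "asa")),
        "vpn2_remote_mismatch": mirror_mismatches(parse_acl(ASA_VPN2_ACL, "asa"), parse_acl(ACL_105, "ios")),
        "shadowed": shadowed_flows(HQ_CRYPTO_MAP),
    }
```

With the sample data, VPN1 checks clean, VPN2 shows one unmirrored entry on each side, and the HQ-to-VPN1 flow in ACL 105 is reported as shadowed by sequence 1.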

Similar Messages

  • ASA5505 L2L VPN does not function after move and reconfiguration

    I have an ASA5505 that had multiple VPNs to both Cisco 5505's and other vendor security appliances. The one in question that moved to a new IP address checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output with some show commands.
    ASA Version 8.4(4)
    hostname RitterBars
    names
    name 67.231.37.42 RitterLAB-ASA
    name 67.231.37.45 RitterLAB-LB-WAN1
    name 64.233.131.94 RitterLAB-LB-WAN3
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    description Port 7 on 9108
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan2
    nameif CoreNetwork
    security-level 0
    ip address 172.20.10.22 255.255.255.128
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CST recurring
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.9.0
    subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.85.0
    subnet 192.168.85.0 255.255.255.0
    object network obj-10.200.1.0
    subnet 10.200.1.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.1.2
    host 192.168.1.2
    object service obj-tcp-source-eq-22
    service tcp source eq ssh
    object service obj-tcp-source-eq-5922
    service tcp source eq 5922
    object network obj-192.168.1.10
    host 192.168.1.10
    object service obj-tcp-source-eq-5125
    service tcp source eq 5125
    object service obj-tcp-source-eq-80
    service tcp source eq www
    object network obj-192.168.1.119
    host 192.168.1.119
    object service obj-udp-source-eq-69
    service udp source eq tftp
    object network obj-192.168.1.51
    host 192.168.1.51
    object service obj-tcp-source-eq-443
    service tcp source eq https
    object service obj-tcp-source-eq-5980
    service tcp source eq 5980
    object network obj-192.168.1.114
    host 192.168.1.114
    object network obj-96.43.39.27
    host 96.43.39.27
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object-group network Inside
    network-object 192.168.1.0 255.255.255.0
    access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
    access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
    access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
    access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
    access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp any host 192.168.1.10 eq www
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
    access-list out2in extended permit udp any host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp any host 192.168.1.51 eq https
    access-list out2in extended permit icmp any any
    pager lines 24
    logging console alerts
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu CoreNetwork 1500
    ip local pool vpn-pool 192.168.9.10-192.168.9.250
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
    nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
    nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
    nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
    nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
    nat (inside,outside) source dynamic Inside interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group out2in in interface outside
    route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
    route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map samap 1 match address VPN2LAB
    crypto map samap 1 set peer RitterLAB-ASA
    crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map samap 2 match address Barracudalab
    crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
    crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map samap interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 11
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    dhcpd dns 64.233.128.10 64.233.128.11
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.150 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.187.233.4 source outside
    ntp server 64.99.80.30 source outside
    webvpn       
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    tunnel-group 67.231.37.42 type ipsec-l2l
    tunnel-group 67.231.37.42 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 67.231.37.45 type ipsec-l2l
    tunnel-group 67.231.37.45 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 64.233.131.94 type ipsec-l2l
    tunnel-group 64.233.131.94 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect ip-options
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
    : end
    RitterBars# sh isa sa
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: 67.231.37.45
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 67.231.37.42
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    RitterBars# sh ipsec sa
    interface: outside
        Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
          access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
          current_peer: 67.231.37.42
          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 6F98A015
          current inbound spi : 6DD466F0
        inbound esp sas:
          spi: 0x6DD466F0 (1842636528)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4374000/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x6F98A015 (1872273429)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4373999/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
          access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
          current_peer: 67.231.37.45
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 51AF17EA
          current inbound spi : 859BC586
        inbound esp sas:
          spi: 0x859BC586 (2241578374)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x51AF17EA (1370429418)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    RitterBars# sh nat int inside
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
        translate_hits = 18, untranslate_hits = 0
    3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static obj-192.168.1.2 interface   service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
        translate_hits = 0, untranslate_hits = 0
    6 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
        translate_hits = 0, untranslate_hits = 9094
    7 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-80 obj-tcp-source-eq-80
        translate_hits = 0, untranslate_hits = 126
    8 (inside) to (outside) source static obj-192.168.1.119 interface   service obj-udp-source-eq-69 obj-udp-source-eq-69
        translate_hits = 0, untranslate_hits = 0
    9 (inside) to (outside) source static obj-192.168.1.51 interface   service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
        translate_hits = 0, untranslate_hits = 195
    10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27 
        translate_hits = 0, untranslate_hits = 0
    11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface   destination static obj-216.163.29.244 obj-216.163.29.244
        translate_hits = 107, untranslate_hits = 0
    12 (inside) to (outside) source dynamic Inside interface 
        translate_hits = 35387, untranslate_hits = 2940
    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface 
        translate_hits = 291, untranslate_hits = 78

    I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so, I decided to put that up front.
    Anyways, had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
    http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
    It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA. And then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
    So then I spent about two hours turning ports on and off and such; finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
    Here's what the access lists should look like in IOS:
    permit tcp any host (your external IP address) established
    permit udp any host (your external IP address) eq 21310
    It's probably going to be a little bit different since you have an ASA, but I think you get the idea.

  • Connecting two remote LANs through a VPN connection

    1) I am trying to interconnect two LANs as you see below.
    2) The scenario is to interconnect two LANs with a single domain “domain.local” in order to have two domain controllers backing up each other. We already have a Domain Controller “SRVDC1.domain.local” in our local network “LAN1” and another Server which is going to be both our secondary domain controller and VPN Server “SRVDC3.domain.local” in our remote network “LAN2”, where the Netelligent Network is. I am trying to make these two servers (our two LANs) visible to each other by a MikroTik Cloud Router Switch solution.
    3) I am using a MikroTik Router as a PPTP Client to VPN to our Remote Server SRVDC3 (87.75.45.66/29).
    4) All the computers in LAN1, including Server SRVDC1, have a gateway set to “192.168.10.1”, which is an Asus WiFi Router serving as a core switch, connected to our Fiber Optic Translator.
    5) To prevent and minimize any down-time risk during the configuration, I have isolated one computer, “table2pc5.domain.local”, as a sample of the whole network by changing its gateway to 192.168.10.6 (the ether3-slave-local interface on the MikroTik Router). I am going to replace the “Asus WiFi Router” shown in the map by the MikroTik Router later, after making sure that everything works properly, so everything is going to be naturalized after.
    6) My solution can simply be explained as below:
       a. Providing another interface in addition to the “Netelligent Network” adapter.
       b. Assigning a LAN-based IP (in network range 192.168.10.0/24) to the added adapter (Microsoft Virtual Adapter).
       c. Configuring SRVDC3 in the Netelligent network “LAN2” as a Remote Access Server (VPN Server).
       d. Providing a MikroTik Router/Firewall on the edge of LAN1 as VPN Client.
       e. Configuring the MikroTik Router VPN PPTP connection to SRVDC3 via the Internet.
       f. Having the two LANs connected through a permanent VPN connection.
    7) IP addresses for the three edge devices (SRVDC1 <-> MikroTik Router <-> SRVDC3) are as below:
       a. SRVDC1:
          Interface: Local Area Connection
          IP Address: 192.168.10.2/24
          Gateway: 192.168.10.1/24 (Asus WiFi Router)
          DHCP Server Pool: 192.168.10.1 – 192.168.10.254 (exclusions 10.1-10.50, 10.50-10.99, 10.200-10.254)
       b. MikroTik Router:
          Interface: Local IP
          IP Address: 192.168.88.1/24
          Interface: Ether1-gateway-master
          IP Address: 192.168.0.1/24
          Interface: Ether2-master-local
          IP Address: 192.168.88.1/24
          Interface: ether3-slave-local
          IP Address: 192.168.10.6/24
          DHCP Server Pool: 192.168.10.1 – 192.168.102.254
       c. SRVDC3:
          Interface: Netelligent Network
          IP Address: 87.75.45.66/29
          Gateway: 87.75.45.65/29
          Interface: Microsoft Network Adapter
          IP Address: 192.168.10.50/24
          Gateway: 192.168.11.1
          Interface: PPP Adapter RAS
          IP Address: 192.168.11.1/24
          Gateway:
    8) The node “table7pc2.domain.local” is not able to see
    Now, I would ask you to help me realise this solution by helping me to find the bad-routing problem, and letting me know how to fix it.
    What NAT / route paths or any configuration do I need to make these two LANs visible and recognizable to each other?
    I would introduce you to the critical nodes which play important roles in this configuration. I have tried to colour-mark them in order to have a better recognition once you take a look at the “Ping Result” table.
    The “Ping Result” table would give you an idea which nodes are able to see which others and where the problem hides itself.

    I got my own answer :D
    1) I have to right-click on my "Routing and Remote Access" Server.
    2) On the IPv4 tab, I should define a static IP pool. I had it done before, but since I had chosen a wide range such as 192.168.11.0/24, every time the router was taking a different IP address; so I should define a very small pool with two nodes, 192.168.11.1 and 192.168.11.2. In this way, I'll have the local address (router) as 192.168.11.2 and the remote address (my remote server) as 192.168.11.1.
    3) After establishing the PPTP connection successfully, I should add a static route to the "Netelligent Network" adapter. I had it done, but in the RRAS routes, so that's why it didn't work. So:
    C:\SRVDC3>_ route -p add 192.168.10.0 mask 255.255.255.0 192.168.11.2
    [Enter]
    Now I would be able to ping all of the computers whose gateways are set on 192.168.10 (router),
    and if I want to see all of the computers at the first LAN, I have to put my router at the edge of the network, instead of the ASUS WiFi Router, then change its IP address to 192.168.10.1 or alternatively set all of the computers' gateways to 192.168.10.6.

  • L2L VPN Issue - one subnet not reachable

    Hi Folks,
    I have a strange issue with a new VPN connection and would appreciate any help.
    I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
    I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the customer end, and encrypt traffic from different customer subnets. There's a basic network diagram attached.
    VPN 1 - is for traffic from the customer subnet 10.2.1.0/24. Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN works correctly.
    VPN 2 - is for traffic from the customer subnet 192.168.1.0/24. Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
    There are isakmp and ipsec SAs for both VPNs. I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211. This counter does increment when they send test traffic to DMZ 144. I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA. I cannot see similar traffic in captures on the DMZ 211 interface (although I can see traffic sent to DMZ 211 if it is sourced from 10.2.1.0/24 - i.e. when it uses VPN1).
    NAT exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
    There is a route to both customer subnets via the same next hop.
    There is nothing in the logs to indicate that traffic from 192.168.1.0/24 is being dropped.
    I suspect that this may be an issue on the customer end, but I'd like to be able to prove that. Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven't really found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ 211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
    Here is the relevant vpn configuration:
    crypto map MY_CRYPTO_MAP 90 match address VPN_2
    crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
    crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP 100 match address VPN_1
    crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
    crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP interface isp
    ASA# sh access-list VPN_2
    access-list VPN_2; 6 elements; name hash: 0xa902d2f4
    access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
      access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
      access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
      access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
    ASA# sh access-list VPN_1
    access-list VPN_1; 3 elements; name hash: 0x30168cce
    access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
    access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
    access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
    nat (dmz144) 0 access-list nonatdmz144
    nat (dmz211) 0 access-list nonatdmz211
    ASA# sh access-list nonatdmz144
    access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
    access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
    access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
    access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
    access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
    access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
    ASA# sh access-list nonatdmz211 | in 192.168\.1\.
    access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
    ASA# sh access-list nonatdmz211 | in 10.2.1.
    access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
    route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
    route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
    Thanks in advance to anyone who gets this far!

    Darragh
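    The ACLs quoted above, cross-checked by an added Python example that is not part of the original post: it parses the `show access-list` output format shown and flags crypto ACL entries that no nat 0 entry fully covers, since traffic that is NATed before the crypto map is consulted never matches the tunnel. Only the nat 0 lists quoted here are checked, so an entry that is exempted on a list not shown (such as the interface behind 192.168.146.29) will still be reported.

```python
"""Cross-check crypto-map ACLs against NAT-exemption (nat 0) ACLs on an ASA.

Added example, not the poster's own tooling. It parses 'show access-list'
output in the format quoted on the page and flags crypto ACL entries that
no nat 0 entry fully covers: traffic in such an entry is translated before
the crypto map is consulted, so it never matches the tunnel.
"""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple

# One expanded 'show access-list' line: 'access-list NAME line N extended
# permit ip SRC DST [(hitcnt=N)] 0xHASH', where SRC/DST is 'host A' or 'A MASK'.
LINE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?"
)

class AclEntry(NamedTuple):
    name: str
    line: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int

def to_network(text: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' -> /32; 'A.B.C.D M.M.M.M' -> network with that mask."""
    parts = text.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(text: str) -> list[AclEntry]:
    """Parse expanded ACL lines; skip the summary header and the unexpanded
    object-group line (its expanded children follow it, indented)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        try:
            src, dst = to_network(m["src"]), to_network(m["dst"])
        except ValueError:  # 'object-group VPN_2_NETS' is not an address
            continue
        entries.append(AclEntry(m["name"], int(m["line"]), src, dst,
                                int(m["hits"] or 0)))
    return entries

def coverage(entry: AclEntry, nat_exempt: list[AclEntry]) -> str:
    """'covered' when one nat 0 entry contains the whole crypto entry,
    'partial' when a nat 0 entry only overlaps it, 'none' otherwise."""
    status = "none"
    for n in nat_exempt:
        if entry.src.subnet_of(n.src) and entry.dst.subnet_of(n.dst):
            return "covered"
        if entry.src.overlaps(n.src) and entry.dst.overlaps(n.dst):
            status = "partial"
    return status

def audit(crypto_text: str, nat_text: str) -> list[tuple[AclEntry, str]]:
    """Return (crypto entry, status) for every entry that is not fully exempted."""
    nat_exempt = parse_acl(nat_text)
    findings = []
    for entry in parse_acl(crypto_text):
        status = coverage(entry, nat_exempt)
        if status != "covered":
            findings.append((entry, status))
    return findings

# Sample input copied from the 'sh access-list' output quoted in the post.
CRYPTO_OUTPUT = """
access-list VPN_2; 6 elements; name hash: 0xa902d2f4
access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
  access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
  access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
  access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
access-list VPN_1; 3 elements; name hash: 0x30168cce
access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
"""

# Subset of the nat 0 lists from the post (the relevant nonatdmz144/211 lines).
NAT_EXEMPT_OUTPUT = """
access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
"""

if __name__ == "__main__":
    for entry, status in audit(CRYPTO_OUTPUT, NAT_EXEMPT_OUTPUT):
        print(f"{entry.name} line {entry.line}: {entry.src} -> {entry.dst} "
              f"hitcnt={entry.hits}  nat 0 coverage: {status}")
```

    Against the quoted lists this reports the two host 192.168.146.29 entries as uncovered and VPN_1 line 1 as only partially covered, because its /22 source is exempted by a /24 nat 0 entry.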
    Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
    It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from them, then that would be one way to show that there is a problem on the remote side.
    Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
    HTH
    Rick

  • Public-to-Public L2L VPN no return traffic

    Hello all,
    I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel sets up successfully and the Tx count increases any time I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
    Local Network - 10.10.9.0/24
    Remote Network - 20.20.41.0/24
    Remote Peer - 20.20.60.193
    ASA Version 8.2(5)
    hostname ciscoasa
    domain-name
    names
    name 10.10.9.3 VPN description VPN Server
    name 10.10.9.4 IntranetMySQL description MySQL For Webserver
    name 192.168.0.100 IIS_Webserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.9.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.***.***.162 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.0.254 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.9.1
      domain-name
    same-security-traffic permit inter-interface
    object-group service VPN_TCP
    description VPN TCP Connection
    service-object tcp eq 1195
    object-group service VPN_UDP
    description VPN UDP Port
    service-object udp eq 1194
    object-group service VPN_HTTPS
    description VPN HTTPS Web Server
    service-object tcp eq 943
    service-object udp eq 943
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service WebServer
    service-object tcp eq 8001
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service VPN_HTTPS_UDP udp
    port-object eq 943
    object-group service WCF_WebService tcp
    port-object eq 808
    object-group service RDP tcp
    port-object eq 3389
    object-group service RDP_UDP udp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_2
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service *_Apache tcp
    port-object eq 8001
    object-group service *_ApacheUDP udp
    port-object eq 8001
    object-group service IIS_SQL_Server tcp
    port-object eq 1433
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service File_Sharing tcp
    port-object eq 445
    object-group service File_Sharing_UDP udp
    port-object eq 445
    object-group service MySQL tcp
    port-object eq 3306
    object-group service Http_Claims_Portal tcp
    port-object eq 8080
    object-group service Http_Claims_PortalUDP udp
    port-object eq 8080
    object-group service RTR_Portal tcp
      description Real Time Rating Portal
    port-object eq 8081
    object-group service RTR_PortalUDP udp
    port-object eq 8081
    object-group service DM_INLINE_SERVICE_3
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
    access-list outside_access_in extended permit tcp any any eq 1195
    access-list outside_access_in extended permit object-group VPN_HTTPS any any
    access-list outside_access_in extended permit tcp any interface outside eq 943
    access-list outside_access_in extended permit tcp any any eq 8001
    access-list inside_access_in extended permit tcp any any
    access-list outside_access_in_1 extended permit tcp any interface outside eq 943
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
    access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
    access-list outside_access_in_2 extended permit icmp any any
    access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
    access-list outside_access_in_2 remark VPN TCP Ports
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
    access-list outside_access_in_2 remark Palm Insure Apache Server
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
    access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
    access-list outside_access_in_2 remark RTR Access rule for internal VMs
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
    access-list inside_access_in_1 extended permit object-group TCPUDP any any
    access-list inside_access_in_1 extended permit icmp any any
    access-list inside_access_in_1 extended permit esp any any
    access-list inside_access_in_1 extended permit udp any any eq isakmp
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
    access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
    access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
    access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
    access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.10.9.0 255.255.255.0
    static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
    static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
    static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
    static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
    static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
    static (inside,outside) interface  access-list inside_nat_static
    access-group inside_access_in_1 in interface inside
    access-group outside_access_in_2 in interface outside
    access-group dmz_access_in_1 in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 20.20.60.193
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 10.10.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 20.20.60.193 type ipsec-l2l
    tunnel-group 20.20.60.193 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN, you don't really have to build any additional NAT configurations for the L2L VPN connection. So you shouldn't need the "static" configuration you have made.
    static (inside,outside) interface  access-list inside_nat_static
    This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
    Did you try the connectivity without the "static" configuration?
    For ICMP testing I would add the command
    fixup protocol icmp
    or
    policy-map global_policy
      class inspection_default
       inspect icmp
    Should do the same thing
    - Jouni

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using a L2L IPSEC tunnel between the two ASA's, but the interesting traffic for the tunnel is different depending on which of the links is down and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASA's?  Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem? 
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
    Hope this helps.

  • Connecting two LANs

    Please,
    I plan on connecting two LANs together via. the internet (public resource). The LANs are across town.
    The computers on each LAN will be able to access other(some) computers on the other LAN (and vice-versa), they will still be able to connect to the internet. Basically, they will be able to share resources (files, application etc.)
    Undergone some research regarding this, was able to find out that having a VPN connection will be a good way to go. But I have no full knowledge on what hardware I will need. How to start exactly.
    If VPN is actually a good way to go, please let me know (maybe some other alternatives).
    If I can get a good picture of what to do, will be very happy.
    Please, can someone lead me in a good direction. Thank you.

    Hi
    First of all, let's focus on the endpoint connectivity part. What is the internet terminating onto? Say if it's a leased line or Ethernet or ADSL, then you can directly terminate it onto a Cisco router. If it's Ethernet connectivity, then I would recommend a PIX or ASA.
    Secondly, we come to the tunnels, i.e. the link between both offices, which should be encrypted. This tunnel will be your pipe. Though a PIX/ASA by default supports VPN tunnels and encryption, you need to have the K9 IOS on the router.
    Please elaborate on the connectivity medium, then it will be easier to suggest you something.
    Please read the text at the following link; it will give you a better picture:
    http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home.html
    Please rate helpful posts.
    Regards
    JD

  • Reinitiate L2L VPN tunnel

    Hi,
    I have a Cisco ASA 5520 and two L2L VPNs are configured in that box. Now if at any time I want to reinitiate or reestablish the tunnel, what command do I have to give? I want to reestablish the IKE and IPSec SA.
    Please guide what command I have to give to reestablish all the L2L tunnels or a single tunnel.
    Regards,
    som

    1. ASA5510# clear crypto ipsec sa ?
    counters Clear IPsec SA counters
    entry Clear IPsec SAs by entry
    map Clear IPsec SAs by map
    peer Clear IPsec SA by peer
    2. ASA5510# clear crypto isakmp sa

  • Add a new L2L VPN tunnel URGENT

    Hi,
    I have a ASA5520 device and already 2 L2L VPNs are running on that. I want to add a new VPN tunnel to connect another branch.
    In the configuration, when I have given this command:
    crypto map toremote 50 match address SINGAPORE
    it's showing "WARNING incomplete command!". What is the problem with that? Please help me with the issue.
    Thanks
    somnath

    Hi Somnath
    This is a normal prompt. You will get this prompt until you complete your crypto map.
    crypto map toremote 50 match address SINGAPORE
    crypto map toremote 50 set peer SINGAPOREIP
    crypto map toremote 50 set transform-set yoursetnamehere
    As you issue the last line above, the crypto map will be complete and you won't receive the warning anymore.
    Regards

  • Connecting to Harris FRAC VPN?

    My office uses:
    http://www.harris.com/frac/
    And my office uses a hardware key to connect to the VPN. Is the built-in VPN software on 10.6 able to connect in any fashion? They also use a hardware key to connect.
    If not, and none of the VPN third party solutions work, what would be the best virtualization solution to work with this? I was hoping to ask someone with experience on this, just in case Harris doesn't know.

    Good news! I no longer have to use VirtualBox. It works now with Safari & Microsoft Remote Desktop. Still trying to find out how to connect two displays with display spanning though:
    http://discussions.apple.com/thread.jspa?threadID=2575444&tstart=0

  • Connecting two servers

    Firstly I'll state what I want to achieve and would welcome any advice.
    Currently have my business network 192.168.2.x connected to my home network 192.168.1.x via VPN run by my two respective routers. Works perfectly.
    Have recently installed new Lion Server on work network to handle, DNS, Mail, OD, Address Book, Chat, etc.
    Am considering installing Lion Server on home network to handle the same (probably not all or as much as don't have the need)
    Would it be better to use the two servers running VPN to link the two networks or leave as is via the two routers.
    I imagine setting up the DNS to be the more difficult over the tasks involved. As really like just going to any machine on our network and typing mail into a browser and getting my email via webmail. I guess I would have to setup DNS on both servers to direct requests to the right server that handles the right domain.
    Getting ahead of my self but would then like one server to back up the others services, if possible.
    Any words of wisdom appreciated.

    First you want to get static IPs and then you can set up an IPSEC tunnel or site-to-site VPN. Then you will want to create a trust between the 2 domains if they are in different forests. Then you can add your user account to a universal group (forest functional level must be at Server 2003 level) for enterprise management.
    James Goodwin - Senior Technical Instructor & Network Infrastructure Expert
    MCT, MCP+ I, MCTS:Server 2008, MCTS: SCCM, MCTS:Vista
    MCSA:S, MCSE:S, MCITP:SA, MCITP:EA , MCITP:ES, CCNA,
    CCSI(# 32018),C|EH, C|HFI, C|EI, HDSA, A+, Network+, i-Net+, Server+, Security+
    My Blog:http://thattrainerguy.blogspot.com/

  • Connecting Two ASAs together via local interface

    Hi
    I have two Cisco ASA routers and wish to connect them together so that traffic between them is permitted without going through the outside interface.
    The two ASAs are located in ONE office and both have a separate internet connection (ISP) configured.
    So here is what I did so far.
    Configured one of the interfaces on each ASA with an IP address.
    ASA 1  ------- interface 0/6   10.1.1.1  (ASA X 1512)
    ASA 2 --------- interface 0/5  10.2.2.2  (ASA 5055)
    Now connected an Ethernet cable to these interfaces.
    I was able to add a route on ASA 2.
    route add interface0/5 10.1.1.0/24  10.2.2.2
    but when I add route on ASA 1 I get the following error.
    route add interface0/6 10.2.2.2/24  10.1.1.1
    %invalid next hop address it belongs to one of our interface.

    Sorry if I was not clear
    I have two separate ISPs connecting two separate ASAs. The two ASAs are now connecting separate LANs.
    Now I want to communicate between LANs.
    So I connected an ethernet cable bw ASAs and trying to configure the route.
    But not able to establish
    Here is the configuration of the ASA where I am facing the problem while trying to add the route:
    route add voice-interface 10.1.1.1/24  255.255.255.0  10.2.2.2 1
    I get an error that says
    route already exists
    interface GigabitEthernet0/0
    nameif outside0
    security-level 0
    ip address 0.2.5.2 255.255.255.252
    interface GigabitEthernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    nameif inside2
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/5
    nameif voice-interface
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    object network NETWORK_OBJ_12.1.3.0_2
    subnet 12.1.3.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network OBJ_ALL_NETWORK
    subnet 0.0.0.0 0.0.0.0
    description Any Network
    object network voice-asa-network
    subnet 10.2.2.0 255.255.255.0
    object network 10.1.1.1
    host 10.1.1.1
    access-list outside0_cryptomap extended permit ip 192.168.1.0 255.255.255.0 12.1.3.0 255.255.255.0
    access-list inside2_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    nat (inside2,outside0) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_12.1.3.0_24 NETWORK_OBJ_12.1.3.0_24 no-proxy-arp route-lookup
    object network OBJ_ALL_NETWORK
    nat (any,outside0) dynamic interface
    route outside0 0.0.0.0 0.0.0.0 0.2.5.2 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside0_map 1 match address outside0_cryptomap
    crypto map outside0_map 1 set pfs
    crypto map outside0_map 1 set peer 9.2.5.1
    crypto map outside0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside0_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside0_map interface outside0
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    group-policy GroupPolicy_6.2.5.1 internal
    group-policy GroupPolicy_6.2.5.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    class-map inspection_default
    match default-inspection-traffic

  • L2L VPN with source and destination NAT

    Hello,
    I am new to the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration which I am not able to test but tomorrow during the migration
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    The question is whether I should also create the following for the outside-to-inside flow NAT, or whether the NAT is done by the inside-to-outside statement even if the traffic is always initiated from the outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please double-check and use a free IP address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
    Hope that helps.
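As an added example (not configuration from either post), the following Python model shows how one ASA 8.3+ static twice-NAT rule is evaluated in both directions, using the addresses from the question. It assumes the rule is written so that it translates both addresses, i.e. `nat (inside,outside) source static Real-IP Destination-NAT destination static obj-10.110.110.1 obj-198.1.1.1`, where obj-10.110.110.1 is an assumed object name for the mapped customer address. A packet matches only one NAT rule, so a rule whose destination clause is `PE-VPN-src PE-VPN-src` translates only the destination and leaves the customer source at 198.1.1.1; the model traces both variants.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    """A packet seen on one ASA interface (ingress before NAT, egress after)."""
    iface: str
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class TwiceNatRule:
    """One ASA 8.3+ rule of the form
       nat (src_if,dst_if) source static REAL_SRC MAPPED_SRC
                           destination static MAPPED_DST REAL_DST
    Each object is modelled as a single host to keep the example short."""
    src_if: str
    dst_if: str
    real_src: IPv4Address
    mapped_src: IPv4Address
    mapped_dst: IPv4Address
    real_dst: IPv4Address


def apply_static_twice_nat(rule: TwiceNatRule, pkt: Packet):
    """Return the translated packet, or None if the rule does not match.

    Static twice NAT is bidirectional: from src_if the rule matches on the
    real source and mapped destination; from dst_if it matches on the real
    destination and mapped source and undoes both translations."""
    if pkt.iface == rule.src_if and pkt.src == rule.real_src and pkt.dst == rule.mapped_dst:
        return Packet(rule.dst_if, rule.mapped_src, rule.real_dst)
    if pkt.iface == rule.dst_if and pkt.src == rule.real_dst and pkt.dst == rule.mapped_src:
        return Packet(rule.src_if, rule.mapped_dst, rule.real_src)
    return None


def rule_from_thread(translate_customer_source: bool) -> TwiceNatRule:
    """Build the thread's rule with the poster's addresses.

    With translate_customer_source=False the destination clause is identity
    (PE-VPN-src PE-VPN-src), as written in the question; with True it also
    maps 198.1.1.1 to the assumed object obj-10.110.110.1."""
    ip = IPv4Address
    return TwiceNatRule(
        "inside", "outside",
        real_src=ip("10.120.110.1"),    # Real-IP
        mapped_src=ip("192.168.1.1"),   # Destination-NAT
        mapped_dst=ip("10.110.110.1") if translate_customer_source else ip("198.1.1.1"),
        real_dst=ip("198.1.1.1"),       # PE-VPN-src
    )


def trace_customer_flow(rule: TwiceNatRule):
    """Translate the customer's first packet and the server's reply.
    Returns (inbound_after_nat, reply_after_nat)."""
    inbound = Packet("outside", IPv4Address("198.1.1.1"), IPv4Address("192.168.1.1"))
    after_in = apply_static_twice_nat(rule, inbound)
    # The server replies to whatever source it saw; the reply enters on inside.
    reply = Packet("inside", after_in.dst, after_in.src)
    after_out = apply_static_twice_nat(rule, reply)
    return after_in, after_out


if __name__ == "__main__":
    for both in (False, True):
        print("rule translates both addresses:", both)
        for p in trace_customer_flow(rule_from_thread(both)):
            print(f"  {p.iface}: {p.src} -> {p.dst}")
```

Running it shows that the return traffic is handled by the same rule in either variant, so a separate `(outside,inside)` rule for the server is not what is missing; what differs between the variants is only whether the customer address 198.1.1.1 is rewritten on the way in.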

  • L2L VPN-8.4(3)

    Hi,
    We are setting up an IPSec L2L tunnel with our client. The client will access some of our internal servers through the VPN tunnel. The client is NATting their internal networks to the public IP 121.16.141.x. We have the server IPs below which the client would access.
    10.150.20.131
    10.150.20.132
    I have prepared the config for the VPN tunnel but I am not pretty sure that it is correct, so I am looking for your help on this.
    ======================================
    object-group network server_IP
    network-object host 10.150.20.131
    network-object host 10.150.20.132
    object network client_IP
    host 121.16.141.x
    nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
    access-list VPN extended permit ip object-group server_IP object client_IP
    crypto map outside_map 6 match address VPN
    crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
    crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
    crypto map outside_map 6 set security-association lifetime seconds 28800
    crypto map outside_map 6 set security-association lifetime kilobytes 4608000
    tunnel-group y.y.y.y type ipsec-l2l
    tunnel-group y.y.y.y ipsec-attributes
    ikev1 pre-shared-key *****
    =========================================================
    Please confirm whether this config is correct.

    Hi,
    Well, there are a couple of options:
    You can configure Filter ACL for the L2L VPN.
    You can configure "no sysopt connection permit-vpn".
    While configuring the VPN Filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldn't recommend it as a first choice as it can get a bit complicated.
    The second option is something that I personally like BUT using it depends on your current environment.
    If you were to add the command "no sysopt connection permit-vpn" THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
    So judging by your number in the "crypto map" configuration, which is "6", I assume you have multiple L2L VPN configurations at least, possibly remote access VPN also?
    If this is the case then you would have to first create ACL rules to define what connections can be initiated behind VPN connections on each of those connections BEFORE enabling the command I mention. If you didn't, then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
    When you enable that command you could basically use the "outside" interface ACL to allow and deny traffic that is coming through VPN just like it was coming through Internet.
    So if you are able to preconfigure the ACL rules for all of your existing VPN connections THEN I would recommend using the "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of "outside" interface.
    Hope I made some sense.
    Naturally ask more if needed
    - Jouni
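To make the risk Jouni describes concrete, here is an added Python check (not from the thread and not a Cisco tool) that, given the crypto-map ACL and the outside interface ACL, lists the remote-initiated VPN flows the interface ACL does not explicitly permit, i.e. what would start being dropped once `no sysopt connection permit-vpn` is in place. The object definitions and ACL lines are constructed from the question's config; 121.16.141.10 stands in for the masked 121.16.141.x, and the outside ACL name outside_access_in is an assumption. Only `ip` ACEs with host, network/mask, any, object and object-group terms are parsed, and an ACE whose networks only partly cover a crypto-ACL network is conservatively reported as not permitting it.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed object definitions in the shape of the question's config.
# "client_IP" uses an assumed host in place of the masked 121.16.141.x.
OBJECTS: Dict[str, List[IPv4Network]] = {
    "server_IP": [ip_network("10.150.20.131/32"), ip_network("10.150.20.132/32")],
    "client_IP": [ip_network("121.16.141.10/32")],
}

# Crypto ACL from the question (source = our side, destination = remote side).
CRYPTO_ACL = [
    "access-list VPN extended permit ip object-group server_IP object client_IP",
]

# Constructed outside interface ACL: only one of the two servers is permitted.
OUTSIDE_ACL = [
    "access-list outside_access_in extended permit ip object client_IP host 10.150.20.131",
]

ACE = Tuple[str, List[IPv4Network], List[IPv4Network]]  # (action, sources, destinations)


def parse_addr(tokens: List[str], i: int) -> Tuple[List[IPv4Network], int]:
    """Parse one address term starting at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return [ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ip_network(tokens[i + 1] + "/32")], i + 2
    if t in ("object", "object-group"):
        return OBJECTS[tokens[i + 1]], i + 2
    # "network mask" form; ipaddress accepts a dotted netmask after the slash
    return [ip_network(f"{t}/{tokens[i + 1]}")], i + 2


def parse_acl(lines: List[str], name: str) -> List[ACE]:
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines for one ACL."""
    aces: List[ACE] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[1] != name:
            continue
        if tok[2] != "extended" or tok[4] != "ip":
            continue  # protocol-specific ACEs are outside this example's scope
        action = tok[3]
        srcs, i = parse_addr(tok, 5)
        dsts, _ = parse_addr(tok, i)
        aces.append((action, srcs, dsts))
    return aces


def lookup(aces: List[ACE], src: IPv4Network, dst: IPv4Network) -> str:
    """First-match evaluation; an ASA interface ACL ends with an implicit deny."""
    for action, srcs, dsts in aces:
        if any(src.subnet_of(s) for s in srcs) and any(dst.subnet_of(d) for d in dsts):
            return action
    return "deny"


def flows_blocked_after_change(crypto: List[ACE], outside: List[ACE]) -> List[Tuple[str, str]]:
    """Each permit ACE in the crypto ACL (local -> remote) admits traffic that
    arrives on 'outside' as remote -> local.  Return the (remote, local) pairs
    the outside ACL would not permit once the sysopt bypass is removed."""
    blocked = []
    for action, locals_, remotes in crypto:
        if action != "permit":
            continue
        for remote in remotes:
            for local in locals_:
                if lookup(outside, remote, local) != "permit":
                    blocked.append((str(remote), str(local)))
    return blocked


def run_check() -> List[Tuple[str, str]]:
    return flows_blocked_after_change(parse_acl(CRYPTO_ACL, "VPN"),
                                      parse_acl(OUTSIDE_ACL, "outside_access_in"))


if __name__ == "__main__":
    for remote, local in run_check():
        print(f"would be blocked: {remote} -> {local}")
```

The point of running something like this before changing the sysopt setting is the ordering Jouni insists on: the permits have to exist on the outside ACL first, because after the change the interface ACL, with its implicit deny, is what decides for VPN traffic too.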

  • ASA with Multiple dynamic L2L VPN

    I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
    I need also some L2L-VPN with dynamic remote peer.
    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?
    Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
    But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
    tunnel-group ABCD ipsec-attributes
    pre-shared-key *
    Is this configuration correct?
    Best regards
    Claudio

    Hi,
    Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
    Hope this helps
    - Jouni
