ASA with Multiple dynamic L2L VPN

I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
I need also some L2L-VPN with dynamic remote peer.
While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
tunnel-group ABCD ipsec-attributes
pre-shared-key *
Is this configuration correct ?
Best regards
Claudio

Hi,
Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
- Jouni

Similar Messages

  • How to create VO with multiple dynamic where clauses on select with UNION?

    I am trying to implement the View Object for the UNION query that looks like this:
         select a,b,c...
              from t1,t2,...
              where dynamic_where_clause1     
         union all
         select a,b,c,...
              from t11,t12, ...
              where dynamic_where_clause2
    There are up to 60 input parameters that are used to generate dynamic where clauses. They are actually created by calling PL SQL function.
    So far, I was not able to assign both where clauses to the view object. Is there a workable solution for this problem, besides resorting to programmatic View Object?
    I understand that recommended way with UNIONs is to wrap both queries into a parent select:
    select * from (
         select a,b,c...
              from t1,t2,...
              where ... -- table relationship joints
         union all
         select a,b,c,...
              from t11,t12, ...
              where ... -- table relationship joints
    ) QRSLT
         where dynamic_where_clause
    Unfortunately this approach doesn't work here, since individual selects are producing unmanageable amount of data and resulting query takes forever to complete.

    I afraid I would not have any real benefits from using VO if I replace the entire query with every request. Actually, the performance may suffer.
    I solved the problem by creating a POJO Data Control and invoking the custom select query from java. Not sure if it is the best approach to the problem, but implementation time is limited and it works.
    Actually, this is not the first time I see the need to implement VO with complicated SQL like select with unions and dynamic pieces. It would be nice to find a solution and not resort to workarounds.
    Edited by: viksicom on Aug 2, 2012 8:48 AM

  • Reinitiate L2L VPN tunnel

    Hi,
    I have cisco ASA 5520 and two L2L VPN are configured in that box.Now if any time I want to reinitiate or reestablished the tunnel what command I have to give.I want to reestablish the IKE and IPSec SA.
    Please guide wht command i have to give to reestablish all the L2L tunnel or a single tunnel.
    Regards,
    som

    1. ASA5510# clear crypto ipsec sa ?
    counters Clear IPsec SA counters
    entry Clear IPsec SAs by entry
    map Clear IPsec SAs by map
    peer Clear IPsec SA by peer
    2. ASA5510# clear crypto isakmp sa

  • Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

    Hi there,
    I am hoping someone here can help.  I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office.  We have an ASA 5510  in London, talking to a Vigor 2820 in Edinburgh. 
    The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall. 
    The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there. 
    I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel.  However, I have had much trouble adding additional subnets for our VLANs in London.
    What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
    Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having being stopped by the VPN: subtype: encrypt rules.  Looking at these rules though, I can't spot the problem.  Multiple changes of order of the rules, and reloads have not sorted out the problem.  When I run a packet trace on the main subnet it works fine.  I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
    I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
    Firstly, here's the ASA config that seemed relevant.  I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 nat (inside) 0 access-list insideOutboundNonatAclnat (inside) 9 access-list vpnNatAclnat (inside) 10 192.168.30.5 255.255.255.255nat (inside) 10 192.168.0.0 255.255.255.0nat (inside) 10 192.168.20.0 255.255.255.0nat (inside) 10 192.168.30.0 255.255.255.0nat (inside) 10 192.168.50.0 255.255.255.0access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0 access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-group inside_in in interface insideaccess-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 route inside 192.168.20.0 255.255.255.0 192.168.0.254 1route inside 192.168.50.0 255.255.255.0 192.168.0.254 1route inside 192.168.30.0 255.255.255.0 192.168.0.254 1route inside 192.168.40.0 255.255.255.0 192.168.0.254 1crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET mode transportcrypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_VPN_SET_2 mode transportcrypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec df-bit clear-df outsidecrypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2crypto dynamic-map core_vpn_dyn_map 40 set pfs crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5crypto map outside_map 2 match address outside_2_cryptomapcrypto map outside_map 2 set pfs crypto map outside_map 2 set peer [branch peer ip]crypto map outside_map 2 set transform-set ESP_3DES_MD5crypto isakmp identity address crypto isakmp identity address crypto isakmp policy 25 authentication pre-share encryption 3des hash md5     group 1      lifetime 28800crypto isakmp nat-traversal  30crypto isakmp disconnect-notifygroup-policy DfltGrpPolicy attributes banner none  wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 100 vpn-idle-timeout none vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth enable group-lock none pfs disable  ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable  backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable  nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule nonetunnel-group [branch peer ip] type ipsec-l2ltunnel-group [branch peer ip] ipsec-attributes pre-shared-key *
    Note: [branch peer ip] replaces any instances of the branch office outside IP address
    I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem.  I'd really appreciate any suggestions on how to track this down. 
    Here's the vigor config:
    So it looks to match ok to me at both ends, unless there is something I missed.  The vigor routing table shows:
    Key: C - connected, S - static, R - RIP, * - default, ~ - private*             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1S         [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.50.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.10.0/   255.255.255.0 via [London office ip],    VPNS~        192.168.0.0/   255.255.255.0 via [London office ip],    VPNC~        192.168.2.0/   255.255.255.0 is directly connected,    LANS~        192.168.7.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.30.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN*     [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
    I have replaced IPs here as is shown.  You can see the vigor seems to want to route the appropriate traffic over the VPN.
    Finally, here is the packet trace output:
    ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$Phase: 1Type: FLOW-LOOKUPSubtype: Result: ALLOWConfig:Additional Information:Found no matching flow, creating a new flowPhase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.50.0    255.255.255.0   insidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group outsideInAcl in interface outsideaccess-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any Additional Information: Forward Flow based lookup yields rule: in  id=0x4529e48, priority=12, domain=permit, deny=false        hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 4      Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in  id=0x44057f0, priority=0, domain=permit-ip-option, deny=true        hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 5      Type: NAT-EXEMPTSubtype: rpf-checkResult: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in  id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false        hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 6      Type: NAT     Subtype: rpf-checkResult: ALLOW Config:       nat (inside) 10 192.168.50.0 255.255.255.0  match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Forward Flow based lookup yields rule: out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 7Type: NATSubtype: host-limitsResult: ALLOWConfig:nat (inside) 10 192.168.50.0 255.255.255.0  match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Reverse Flow based lookup yields rule: in  id=0x4b80fa0, priority=1, domain=host, deny=false hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.50.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 8Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: in  id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true        hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 9      Type: VPN     Subtype: encryptResult: DROP  Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4887aa8, priority=70, domain=encrypt, deny=false        hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.50.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0Result:       input-interface: outsideinput-status: upinput-line-status: upoutput-interface: insideoutput-status: upoutput-line-status: upAction: drop  Drop-reason: (acl-drop) Flow is denied by configured rule
    So it seems to find the rule, which it ought to match, but then returns DENY.  What's going on here?  Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
    For further information, this is output for the WORKING subnet - I have just taken a small part here though:
    Phase: 10     Type: VPN     Subtype: encryptResult: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4b86418, priority=70, domain=encrypt, deny=false        hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.0.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Thanks very much in advance for any help you can provide - I've been really stuck on this one!
    Chris

    Hi,
    Can you issue the packet-tracer with the direction beeing your London office -> Remote office?
    Also issue the command twice.
    Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
    Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewalls packet-tracer?
    Also I imagine the original info has a typo. You say your ASAs LAN gateway IP and the local L3 switches IP address is the same, 192.168.0.254.
    Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
    When you add network and dont require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
    And looking at your configurations, it should be like this
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
    EDIT: I imagine the VPN network rules should be an exact mirror image of eachother. Though it seems this doesnt stop devices from negotiating the VPN up but who knows if some other device type is picky about that one. Only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other ends configurations.
    EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
    EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
    - Jouni

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
    (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
    Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • WRVS4400N - Multiple Dynamic VPN Configurations?

    Hello,
    I am wondering if anyone knows whether or not the WRVS4400N supports more than one dynamic VPN configuration?
    I am trying to get the WRVS4400N to let more than one TheGreenBow client to connect to it.....
    Thank you,
    A Read

    Yes, you can configure multiple dynamic-to-static l2l on ASA. But for multiple connections using ezvpn will be much easier. Following links may help you
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

  • L2L VPN with source and destination NAT

    Hello,
    i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration which I am not able to test but tomorrow during the migration
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
    Hope that helps.

  • L2L VPN Decrypted Traffic Not Exiting ASA

    Hi,
    I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
    Here is the remote ASAs config:
    GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
    Here is the ipsec sa stats
    Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    With a dump on the dev_1 interface
    capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
    With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
    Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
    Thanks
    James

    Hi Javier,
    Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
    l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
    This is the same result from another site that has an L2L VPN configured.
    ASP drop capture to follow...

  • Dynamic L2L between ASA 5505

    Hello,
    we're realizing a project with 5x ASA 5505 Base License and one 5512-X in a computing center. The 5 branches shall be work as dynamic sites, because they are all running on dynamic internet connection. I read, that on the main site (ASA 5512-X) the access from dynamic IPs must be permit, so that a IKE-Exchange and the IPsec tunnel can be established.
    We all are new to Cisco ASA devices. I read a lot in "Cisco ASA configuration" written by Richard A. Deal and "Cisco ASA: All-in-one firewall.." written by Frahim & Santos. Everywhere only static L2L tunnels are discussed, but dyn. L2L scripts are missing.
    I've done all the config with ASDM, but have read many CLI configurations also.
    I got different failures in ASDM syslog, depending on which mode I choose.
    I paste the conf. of both ASA 5505 (for test-tunnel). Later 5505 and 5512-X will be connected.
    One comes with dynamic cryptomap and the other with static.
    I will be grateful if someone could figured out what's the problem.
    Greets,
    Sascha
    Config is attached.

    Hi JouniForss,
    thanks for you're early reply.
    I know this tutorial yet. I've tried it one time, but didn't work out. Maybe I made a mistake. I'll try it again.
    When I configure dynamic tunnels, ADSM / CLI output says something like "dynamic l2l tunnels will fail if no cert. will be used and/or agressive mode is not used on peer". Sry, I don't got the message with me a.t.m.
    1) Which mode do I have to use for tunnel build-up process? AM or MM? Do I really need to use AM?
    Furthermore I'd rather prefer to use IKEv2, because tunnel build-up process shall work less fault-prone than IKEv1.
    2) Is it the same procedure as IKEv1 or do I have to consider some special points?
    EDIT:
    3) What's about naming the tunnel-profiles / tunnel-groups? Is it necessary to match the tunnel-profile name? Does it has a consequence when writing the connection name in addition to the peer IP in connection profile on dynamic site?

  • IP Phone SSL VPN to ASA for multiple CUCM (CallManager)

    hi all,
    I have a case to support multiple CallManager clusters in different locations for internet SSL VPN IP Phone. We will deploy one ASA firewall for SSL VPN IP Phone connections. So, can we use single ASA firewall for mulitple CUCM clusters?? In order words, Internet IP Phone will connect to different CUCM via a single ASA firewall (by using SSL VPN).
    I tested I need to upload the ASA's certificate into CUCM and upload CUCM's certificate into ASA for one ASA to one CUCM. If I create multiple profile (e.g. different URL for phone logins) for different CUCM. Is it possible to do that?
    thanks for your input!
    Samuel

    Samuel,
    Did you ever find an answer to your question? I have a similar scenario.
    Any input would be appreciated.

  • Dynamic Actions with Multiple Actions Capability

    Dynamic Actions with Multiple Actions Capability
    How can I get Dynamic Actions to work on Actions that are stored solely on IT0302 due to the multiple relationship to a previous Action that is stored on both IT0302 and IT0000?
    When multiple actions on a given day are executed, the dynamic action from the first action entered is executed twice - when it should only execute the first time with the second actions dynamic action triggering the second time.
    Thanks

    When there are multiple actions with the same effective date the wrong dynamic action is triggered.  For example, if I have an Expat Return To Home action followed by an Internal Move action with the same effective date the below events occur:
    1.  IT0001 is updated due to Expat Return to Home - triggering the Dynamic Action off of IT0000 which is Expat Return to Home (Correct)
                -  Action is stored on IT0000 and IT0302
    2.  IT0001 is updated due to Internal Move - triggering the Dynamic Action off of IT0000 which is Expat Return to Home (Incorrect - background processing creates data not needed)
                -  Action is stored only on IT0302
    Question:
    How can we leverage Multiple Actions with the same effective date while continuing to use Dynamic Actions?

  • Dynamic routing for a Business Service with multiple operations

    I have two business services with multiple operations. Business service A (bsA) has operations OpA1 and OpA2. Business service B (bsB) has operations OpB1 and OpB2.
    Depending on incoming Proxy message and operation, I have to do one of the following
    1. If someValue = A and operation= Op1 then invoke operation opA1 of bsA
    2. If someValue = B and operation= Op1 then invoke operation opB1 of bsB
    3. If someValue = C and operation= Op1 then invoke operation opA1 of bsA AND* operation opB1 of bsB and return aggregate data of both invocations
    1. If someValue = A and operation= Op2 then invoke operation opA2 of bsA
    2. If someValue = B and operation= Op2 then invoke operation opB2 of bsB
    3. If someValue = C and operation= Op2 then invoke operation opA2 of bsA AND* operation opB2 of bsB and return aggregate data of both invocations
    Using a dynamic route node or dynamic routing options, I am able to achieve cases 1, 2, 4, and 5.
    But for cases 3 & 6, I can not use a route node. When I use a Service call out instead, then I am forced to create a Operational branch but that does not seem like the best design since for every new operation added to the business services, I have to add a new branch to the Operational branch and redo all the functionality for that branch.
    Basically, I am looking to achieve the functionality of the Route node ( no need to specify the operation ).
    Any thoughts/ideas on what the best design would be?
    thanks

    For cases 3 & 6, why don't you route to another proxy service where you can simple do two service callouts, merge output data somehow and return them to the first proxy?
    If you look for "special route feature", that could possibly call two services for a single message, I'm afraid you won't succeed.

  • Dynamic SORT with multiple components

    Hi all,
    I want to sort an internal table in this way:
    SORT itab BY (component).
    This is not difficult if "component" contains the name of ONE column of itab. But - and here is my problem - how can I sort with multiple components?
    Like this:
    SORT itab BY (comp_1) (comp_2) ... (comp_N).
    The number of components (N) shall be flexible. It is not possible to concatenate the components into one string-variable. This causes an error ITAB_ILLEGAL_COMPONENT.
    Brillant would be a solution which also contains the sort-direction (ASCENDING or DESCENDING for each component like this:
    SORT itab BY (comp_1) (dir_1)
                 (comp_2) (dir_2)
                 (comp_N) (dir_N).
    Is there a way to do so?
    Thanks for all hints!
    Mathias

    Hi Matahias ...
    From ABAP help...
    SORT itab.
    Extras:
    1. ... BY f1 f2 ... fn
    2. ... ASCENDING
    3. ... DESCENDING
    4. ... AS TEXT
    5. ... STABLE
    The syntax check performed in an ABAP Objects context is stricter than in other ABAP areas. See Field symbols not allowed as sort criterion.
    Effect
    The entries in the internal table are sorted in ascending order using the key from the table definition (DATA, TYPES).
    Addition 1
    ... BY f1 f2 ... fn
    Effect
    Uses the sort key defined by the sub-fields f1, f2, ..., fn of the table itab instead of the table key. The fields can be of any type; even number fields and tables are allowed.
    You can also specify the sort fields dynamically in the form (name). If name is blank at run time, the sort field is ignored. If itab is a table with a header line, you can also use a field symbol pointing to the header line of itab as a dynamic sort criterion. A field symbol that is not assigned is ignored. If a field symbol is assigned, but does not point to the header line of the internal table, a runtime error occurs.
    If the line type of the internal table contains object reference variables as components, or the entire line type is a reference variable, you can use the attributes of the object to which a reference is pointing in a line as sort criteria (see Attributes of Objects as the Key of an Internal Table
    You can address the entire line of an internal table as the key using the pseudocomponent TABLE_LINE. This is particularly relevant for tables with a non-structured line type when you want to address the whole line as the key of the table (see also Pseudocomponent TABLE_LINE With Internal Tables).
    If you use one of the additions 2 to 5 before BY, it applies to all fields of the sort key by default. You can also specify these additions after each individual sort field f1, f2, ..., fn. For each key field, this defines an individual sort rule which overrides the default.
    Cheers
    Preetham

  • Is it possible to update multiple tables with a dynamic form?

    I have columns from two tables populating a dynamic form. I am trying to have the form update both tables on submit. I have tried both a linked transaction and a custom transaction but I am not making progress. Only the master table is being updated. Is it possible with ADDT to update two tables with a dynamic form?

    I meant
    SXMSMSTAT
    SXMSSYERR
    Thanks.

  • Dynamic stamps with multiple editable fields

    Our Accounting department wants to go completely digitable with invoices.
    For them to be able to do this they require a stamp that has several editable fields such as
    General Ledger number
    Financial Controllers name
    Comments
    Date
    Approval status
    They want to be able to stamp a PDF invoice and then fill in the fields manually.
    I cannot find a stamp that will do this.  I tried a couple add-in stamp apps for Acrobat 9 but they did not offer this kind of feature.
    Thanks

    Hi teede,
    We have begun publishing a large amount of information on creating/developing custom dynamic stamps  at www.pdfscripting.com due to the number of requests for information on these powerful PDF workflow tools.  It is a membership site requiring a paid membership for full access to all content, but we recently published a free video "PDF Stamps Gone Wild!" on the home page under Featured Videos that shows many possibilities for what you can do with custom dynamic stamps.
    We'll be adding downloads of some the stamp files shown in the video over the next few weeks.
    Hope this helps,
    Dimitri
    WindJack Solutions
    www.pdfscripting.com
    www.windjack.com

Maybe you are looking for

  • LINE-SIZE setting

    Hi , I have an output with a number of fields I have given the page setting like this ... REPORT zvms_purchasing             LINE-SIZE 255             LINE-COUNT 60             NO STANDARD PAGE HEADING. But I need the line-size atleast upto 365 . How

  • How to activate functional location replication

    Hello all, I have activate user exit and equipment replication.  This is working fine except that I have all my equipment linked to a functional location and that this one is not replicated so in CRM I have one installed base by equipment instead of

  • Default image editing program

    I can't seem to open any files directly from Bridge CC to Photoshop CC?  The only options I am given when right clicking to Open With is IE and photoviewer quick time (default).  I don't want Quick Time to be the default obviously!  I need to be able

  • Determine class dependencies

    Hi, I was curious if anyone has or knows of a way to determine the dependencies for a given class. For example... Example package people; import java.util.List; import pet.*; public class Bob {      Pet[] pets;      List todoList;     // ...other cod

  • How to transfer DW preferences from CS4 to CS5?

    I've installed Dreamweaver CS5 before uninstalling DW CS4 hoping that it will import all my customisations and settings. The list of sites was transferred, but none of the keyboard shortcuts, panels, etc. How can I import/transfer my settings? Any he