Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Similar Messages

• CIsco ASA 5505 and VPN licenses

  Hi,
  Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
  How those licenses are counted? Will I need a license per one IPSec SA?
  If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
  Thank you.
  Regards,
  Alex

  Alex,
  In an ASA 5505, it should say something like this...when you do sh ver.
  VPN Peers : 25
  It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
  Its a per tunnel license.
  Rate this, if it helps!
  Gilbert

• Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

  Hello,
  We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
  Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
  : Saved
  ASA Version 8.4(2)
  hostname domainasa
  domain-name adomain.local
  enable password cTfsR84pqF5Xohw. encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 205.101.1.240 255.255.255.248
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 192.168.2.60
  domain-name adomain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network SBS_2011
  host 192.168.2.60
  object network NETWORK_OBJ_192.168.2.0_24
  subnet 192.168.2.0 255.255.255.0
  object network NETWORK_OBJ_192.168.5.192_
  27
  subnet 192.168.5.192 255.255.255.224
  object network Https_Access
  host 192.168.2.90
  description Spam Hero
  object-group network DM_INLINE_NETWORK_1
  network-object object SPAM1
  network-object object SPAM2
  network-object object SPAM3
  network-object object SPAM4
  network-object object SPAM5
  network-object object SPAM6
  network-object object SPAM7
  network-object object SPAM8
  object-group service RDP tcp
  description Microsoft RDP
  port-object eq 3389
  access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
  access-list outside_access_in extended permit tcp any object SBS_2011 eq https
  access-list outside_access_in extended permit icmp any interface outside
  access-list outside_access_in remark External RDP Access
  access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
  access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
  ip local pool VPN_Users 192.168.5.194-192.168.5.22
  0 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
  NETWORK_OBJ_192.168.2.0_24
  destination static NETWORK_OBJ_192.168.5.192_
  27 NETWORK_OBJ_192.168.5.192_
  27 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SBS_2011
  nat (inside,outside) static interface service tcp smtp smtp
  object network Https_Access
  nat (inside,outside) static interface service tcp https https
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-reco
  rd DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.160-192.168.2.19
  9 inside
  dhcpd dns 192.168.2.60 24.29.99.36 interface inside
  dhcpd wins 192.168.2.60 24.29.99.36 interface inside
  dhcpd domain adomain interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy domain internal
  group-policy domain attributes
  wins-server value 192.168.2.60
  dns-server value 192.168.2.60
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value adomain.local
  username ben password zWCAaitV3CB.GA87 encrypted privilege 0
  username ben attributes
  vpn-group-policy domain
  username sdomain password FATqd4I1ZoqyQ/MN encrypted
  username sdomain attributes
  vpn-group-policy domain
  username adomain password V5.hvhZU4S8NwGg/ encrypted
  username adomain attributes
  vpn-group-policy domain
  service-type admin
  username jdomain password uODal3Mlensb8d.t encrypted privilege 0
  username jdomain attributes
  vpn-group-policy domain
  service-type admin
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool VPN_Users
  default-group-policy domain
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:e2466a5b754
  eebcdb0cef
  f051bef91d
  9
  : end
  no asdm history enable
  Thanks again

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Cisco ASA 5505 SSL VPN

  Hi Everyone,
  In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
  I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
  I need help to solve this mystery. Please find attached the ASA config: #show run
  I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
  Best regards,
  BEN

  If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
  I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

• Cisco ASA 5505 Reset-I Problem with TCP State Bypass

  Hello,
  I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
  6
  May 16 2014
  14:52:52
  302014
  72.135.115.37
  6915
  192.168.20.2
  6801
  Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
  My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
  I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
  Any help would be greatly appreciated!

  Thanks Rizwan,
  Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
  homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
  Success rate is 0
  homeasa(config)# debug crypto isakmp 7
  homeasa(config)# debug crypto ipsec 7
  homeasa(config)# sho crypto isakmp 7
                                     ^
  ERROR: % Invalid input detected at '^' marker.
  homeasa(config)# sho crypto isakmp
  There are no isakmp sas
  Global IKE Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Notifys: 0
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0
  Global IPSec over TCP Statistics
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
  hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
  There are no ipsec sas
  homeasa(config)#

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• Cisco ASA 5505 as VPN client

  Hello all thanks for looking,
  I need to know how to setup my cisco asa 5505 as a vpn client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffice through the asa and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router. 
  Thanks in advance,

  If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

• Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

  This is my first Cisco configuration ever so go easy on me.  A lot of the commands that I used here I don't really understand.  I got them from Googling configs.  I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
  The first VPN I setup, labeled vpn1 here works perfectly.  I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
  I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0).  I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN.  I'm using the address 10.4.0.1 to test pings.  The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
  Here is my config (edited for names and passwords)
  ciscoasa# show run
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password ********** encrypted
  passwd ********** encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISP_DSL
  ip address pppoe setroute
  interface Vlan3
  no forward interface Vlan1
  nameif private
  security-level 100
  ip address 10.4.13.10 255.255.240.0
  ftp mode passive
  access-list 100 extended permit icmp any any
  access-list nonat remark ACL for Nat Bypass
  access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
  access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
  access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
  access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1492
  mtu private 1500
  ip local pool vpn1pool 192.168.2.100-192.168.2.110
  ip local pool vpn2pool 192.168.3.100-192.168.3.110
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (private) 0 access-list nonat
  access-group 100 in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 30 set transform-set strong-des
  crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
  crypto map vpn1 interface outside
  crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 11
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  vpdn group ISP_DSL request dialout pppoe
  vpdn group ISP_DSL localname [email protected]
  vpdn group ISP_DSL ppp authentication chap
  vpdn username [email protected] password **********
  dhcp-client update dns
  dhcpd auto_config outside
  dhcpd address 192.168.1.100-192.168.1.200 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy vpn2 internal
  group-policy vpn2 attributes
  vpn-idle-timeout 120
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_SplitTunnel
  group-policy vpn1 internal
  group-policy vpn1 attributes
  vpn-idle-timeout 120
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_SplitTunnel
  username cssadmin password ********** encrypted
  username vpn2user password ********** encrypted
  username vpn1user password ********** encrypted
  tunnel-group vpn1-VPN type remote-access
  tunnel-group vpn1-VPN general-attributes
  address-pool vpn1pool
  default-group-policy vpn1
  tunnel-group vpn1-VPN ipsec-attributes
  pre-shared-key **********
  tunnel-group vpn2-VPN type remote-access
  tunnel-group vpn2-VPN general-attributes
  address-pool vpn2pool
  default-group-policy vpn2
  tunnel-group vpn2-VPN ipsec-attributes
  pre-shared-key *****
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
  : end
  Theories:  after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24.  I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
  So, what do I do?  Maybe NAT the VPN traffic?  If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
  I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
  Thanks in advance for any insight you can provide.

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Asa 5505 Remote VPN Can't access with my local network

  Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
  ASA Version 8.2(1)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 155.155.155.10 255.255.255.0
  interface Vlan5
  no nameif
  no security-level
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy mull internal
  group-policy mull attributes
  vpn-tunnel-protocol IPSec
  username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
  vpn-group-policy Mull
  tunnel-group mull type remote-access
  tunnel-group mull general-attributes
  address-pool vpn-Pool
  default-group-policy mull
  tunnel-group mull ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context

  Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network)  iam using Shrew Soft VPN Access Manager for my vpn connection
  here is my cry ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
        current_peer:155.155.155.1, username: Thomas
        dynamic allocated peer ip: 192.168.100.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 73FFAB96
      inbound esp sas:
        spi: 0x1B5FFBF1 (459275249)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2894
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      outbound esp sas:
        spi: 0x73FFAB96 (1946135446)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2873
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

• CISCO ASA 5505 VPN problem in Windows 7

  I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
  However, client PC with Windows 7 cannot use IE to make the VPN connection.
  It just show the error of "Internet Explorer cannot display the webpage"
  Would you please help?
  Thank you very much!

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

  i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
  Cisco Asa 5505
  I
  Outside  == 155.155.155.x
  Inside  =      192.168.7.1
  VPN POOL Address =   10.10.10.1   -   10.10.10.20
  Layer 3 Switch Config
  Vlan 2
  interface ip address =  192.168.1.1
  Vlan 2
  interface ip address =  192.168.2.1
  Vlan 2
  interface ip address =  192.168.3.1
  Vlan 2
  interface ip address =  192.168.4.1
  Vlan 2
  interface ip address =  192.168.5.1
  ip Routing
  So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
  Thank You all

  When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
  But i can't reach the rest of the VLAN - example
  192.168.1.1
  192.168.1.2
  192.168.1.3
  192.168.1.4
  192.168.1.5
  But i can reach the Connected Interface Vlan to My ASA ..
  So here i think iam miss configuration to my Route
  Any Help Please this is urgent