Cisco asa 8.4 natting issues
Can any one help me out how to resolve this issue.
ASA 8.4 version
inside to TEST working fine.
nat (inside,TEST) source dynamic interface
my main concern is TEST (192.168.2.1) lan wants to access inside subnets with real ip addresses (ex: 11.11.11.1) with RDP connection.
please share the configuration.
Hi Rajesh,
Do you expect router 11.11.11.1 to respond for your RDP connection?? or you want the pc behind that router if any to respond to your rdp connection??
Please put your present configuration and describe your question with more details on what do you want to achieve with this sample setup..... hopefully we will try to provide better suggestions to you....
Regards
Karthik
Similar Messages
-
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)# -
Cisco ASA 8.6 configuration issues
Hello all ,
internet router-----------outside------------- ASA -------inside-------------cisco 3750 (----A----)
|
|
DMZ
|
|
Cisco 3750 (-----B---)
1- switch A -- wireless User + Cisco Wireless Ip phones
2- Switch B -- CUCM
Problem discriptiom :
--- from switch A i can not ping SwitchB (DMZ) so ip phones can not reached to CUCM
--- on switchA 4 VLANS are configured with Different SSIDs and internet is working fine .
--- on Switch A i want 2 VLANs (vlan60 and vlan 80) to communicate with DMZ also (Not working )
## some relevent Config is as under :
SWITCH A CONFIG
===============
vlan internal allocation policy ascending
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
shutdown
interface GigabitEthernet1/0/1
switchport access vlan 60
switchport mode access
spanning-tree portfast
|
|
|
|
|
|
interface GigabitEthernet1/0/23
description **connected to ASA-Inside**
switchport access vlan 100
switchport mode access
interface Vlan10
ip address X.X.100.5 255.255.255.0
interface Vlan50
ip address X.X.6.12 255.255.255.0
interface Vlan60
ip address X.X.8.251 255.255.255.0
interface Vlan80
ip address X.X.10.251 255.255.255.0
interface Vlan100
ip address X.X.20.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.20.2
=========================================
ASA CONFIG
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address X.X.20.2 255.255.255.0
|
|
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address X.X.21.2 255.255.255.0
|
|
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 192.168.2.5 255.255.255.0
|
|
object network IN-OUT
subnet 0.0.0.0 0.0.0.0
object network W-PHONE
subnet X.X.10.0 255.255.255.0
object network BECA-WIRELESS-USER
subnet X.X.8.0 255.255.255.0
pager lines 24
|
|
nat (inside,outside) source dynamic IN-OUT interface
nat (inside,DMZ) source dynamic W-PHONE interface
nat (inside,DMZ) source dynamic BECA-WIRELESS-USER interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside X.X.6.0 255.255.255.0 X.X.20.1 1
route inside X.X.7.0 255.255.255.0 X.X.20.1 1
route inside X.X.8.0 255.255.255.0 X.X.20.1 1
route inside X.X.10.0 255.255.255.0 X.X.20.1 1
timeout xlate 3:00:00
============================================
switch B
interface GigabitEthernet1/0/17
switchport access vlan 50
switchport mode access
switchport voice vlan 20
spanning-tree portfast
interface GigabitEthernet1/0/18
switchport access vlan 50
switchport mode access
interface Vlan10
ip address X.X.100.1 255.255.255.0
interface Vlan20
ip address X.X.7.1 255.255.255.0
ip helper-address X.X.6.6
interface Vlan50
ip address X.X.6.30 255.255.255.0
ip helper-address X.X.6.6
interface Vlan60
ip address X.X.8.252 255.255.255.0
interface Vlan101
ip address X.X.21.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.6.4
ip route X.X.6.0 255.255.255.0 X.X.21.2
ip route X.X.7.0 255.255.255.0 X.X.21.2We would also need to see the ACL configuration of the ASA as this is what actually controls the flow of traffic, that is if routing is correct which it seems to be from your configuration.
What you can do is run a packet-tracer on the ASA to see if the packet is allowed through the ASA:
packet-tracer input inside tcp 12345 detail
This should give you an indication where or if there is a misconfiguration on the ASA.
Please post the output here if you require further assistance. Also a full ASA configuration (remove public IPs and passwords) would help to identify the issue.
Please remember to rate and select a correct answer -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues
We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
"Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
Any insight would be greatly appreciated.
I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
Thanks much,
JustinJavier,
I logged into the ASA last time the VPN went down. I issued the following commands:
debug crypto isakmp 190
debug crypto ipsec 190
capture outside-cap interface outside match udp any any
I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
show capture outside | include 500
and also got nothing. So I issued the following command:
ping 4.2.2.2
Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100 1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100
It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
Once again, any insight would be greatly appreciated.
Thanks,
Justin -
Cisco ASA 5505 Failover issue..
Hi,
I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login by console i found out that the failover has been disabled .So again I connected to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After Active firewall got rebootted failover off,whole network gone down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary Firewall after rebootting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks... -
Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT excemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains somewhat entire log snipper of ASA1Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
Cisco ASA 5510 Natting 2 internal ip to 1 public ip
Hi Guys,
I have a doubt on how do nat 2 internal ip addresses to 1 public ip for FTP uses.
As I know Cisco ASA cannot use to nat 2 internal ips to 1 public ip as the ASA cannot read the host header. It there anyway to control it by using acl or network object group?
My current configuration for nat 1 internal ip to 1 public ip:
static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255 dns
Thank you for your help.
Cheers
TommyYes it is possible . See if this helps. I'm not in front of my ASA right now, but I think this is the old and new way. If you are actually using the interface address, you might need to use the "interface" keyword
Pre 8.3
static (inside,outside) tcp 1.1.1.1 80 192.168.1.100 8080 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 8080 192.168.1.101 8080 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 25 192.168.1.102 25 netmask 255.255.255.255
8.3 and Later
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static 1.1.1.1 service tcp 8080 80
object network obj-192.168.1.101
host 192.168.1.101
nat (inside,outside) static 1.1.1.1 service tcp 8080 8080
object network obj-192.168.1.102
host 192.168.1.102
nat (inside,outside) static 1.1.1.1 service tcp 25 25
If you are using the interface address--
static (inside,outside) tcp interface 80 192.168.1.100 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.101 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.102 25 netmask 255.255.255.255
8.3 and Later
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static interface service tcp 8080 80
object network obj-192.168.1.101
host 192.168.1.101
nat (inside,outside) static interface service tcp 8080 8080
object network obj-192.168.1.102
host 192.168.1.102
nat (inside,outside) static interface service tcp 25 25 -
Cisco ASA 8.2. Destination NAT (network - network)
Hi Guys,
Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
For example, will destination NAT like this work:
static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
I need that when a packet from Internet go to 8.2.2.X it's destination IP address will change to 10.10.8.X.
So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
Etc.
Thanks.Hello,
Yes, that is possible.. In fact that is the way it works.
Regards,
Julio -
stevemoores wrote:
"interface" means just that, the IP address of the interface, so make an object with the x.x.x.100 address and try using that instead of interface.
That is what I am thinking and trying now.Hi Everyone,
Running 8.4 on Cisco ASA. When a user is connected via VPN a subset of internet traffic is required to go outside via our office internet connection. I have that working fine but it is using the outside interface IP instead of a particular IP I want to use. Below is my NAT statement but I am not sure how to amend so it uses the address I want. I assume I need to replace interface with something that specifies the NAT I want to use?
Outside interface is x.x.x.99 and is what sites see when VPN traffic is routed out to internet.
I want the traffic to show as x.x.x.100
nat (outside,outside) source dynamic NETWORK_OBJ_VPN_Pool interface
This topic first appeared in the Spiceworks Community -
I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.)
Post the config of your ASA and someone will be able to assist.
-
Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)
OK, so our primary firewall is a checkpoint gateway. Behind that we have a cisco ASA for vpn users. I have a project at the moment where we need to connect to another company using site to site VPN through the cisco ASA, as the checkpoint gateway is unable to establish a permanent tunnel with the other companies Cisco ASA.
What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch?
Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
The ASA is connected to a checkpoint sub interface
Any help would be beneficial as im new to cisco ASAs
Thanks
MarkMark
If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
HTH
Rick -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg
Maybe you are looking for
-
My 875P Neo tends to reset the CMOS settings randomly, about once or twice every other week, or whenever I'm making changes to the hardware. This is happening on two separate 875Ps, so I don't think it's the lithium battery, though I have not tried r
-
Switching between VTs kills Xorg and GDM restarts
Hi, since yesterday I noticed some sort of severe problem of my system. I am still trying to locate the reason why this all happens. My problem looks like this: Every time I switch from X to a VT everything looks fine. But once I want to switch back
-
Remainder amount of contract not updated in sales order
I have a value contract with orders on it. However, when I create a new sales order on this contract, the amount which appears is the contract value instead of the remaining amount. Could you please let me know how to have the remaining amount of the
-
"Firefox has stopped working"!! EveryTime I run it!!
THis problem occurs after each firefox run. after this problem Iam not able to use firefox. "Unhandled exception at 0x758b9617 in firefox.exe: 0x0EEDFADE: 0xeedfade." while debugging through Visula studio. At Disassembly, it stops at "758B9617 leave
-
Poor wireless signal since Infinity
I have always had a good wireless signal from my HH2 on ADSL. Since having Infinity installed the signal has decreased considerably, even though the new HH is in exactly the same place. To connect to wireless devices I have to within a few metres of