Compressed tunnelling
I have previously made a simple java port forwarder that uses a Tunnel class I made.
The tunnel class basically takes an InputStream, an OutputStream and optionally a buffer size (default size is 1024) then runs copies everything it gets from the input stream into the output stream and flushes it with this code. private void tunnel() throws IOException
byte[] buffer = new byte[bufferSize];
int read;
while((read = in.read(buffer)) != -1)
out.write(buffer, 0, read);
out.flush();
}I thought that in some uncompressed applications, performance could be improved by passing it a GZIPInputStream etc (or InflaterInputStream etc perhaps) but these require finish() rather than flush() [or as well as, I don't know if flush is still needed after finish()] I hoped I would be able to just pass the Tunnel a GZipInputStream and a GZipOutputStream and it would work, they are both InputStreams and OutputStreams after all, but beause finish() is required, this is not the case.
This would of course need the java app running on both ends but thats no big deal.
- Is this method of tunnelling even before compression any good?
- What effect does finish() have on it, does a new GZipOutputStream/DeflaterOutputStream have to be created for every transmission or what?
- Should Deflater and Inflater be used instead and not use this current code at all?
- Could I just insert the line "if(out instanceof DeflaterOutputStream) ((DeflaterOutputStream)out).finish();" before/instead of "out.flush();" ?
Ok in the past we had converted our files to apple prores 422 and that worked. The files I was converting into HD web sharing were .MOV files, whta else can I do because rendering every 2 minutes is doing my head in
Similar Messages
-
Opera Turbo opensource alternative
Is there any opensource alternative for Opera Turbo server ? I have netbook with 3G network, but limited only to 1gb/month, and at home, desktop computer running 24h. Im thinking about using desktop as a proxy for 3G connection in my netbook, to save bandwidth, but i dont know how to do it.
Two ready to use alternatives are RabbIT and Ziproxy. Both compress your traffic, convert images to smaller size/quality, try to optimize content (html/css/js). One can also build his own solution, using i.e. Apache with mod_proxy, mod_deflate and filters.
It may be also beneficial to run another proxy on client (netbook) side of connection, to implement more aggresive caching than browser would allow (or to use highly compressed transport format, that browser itself may not be able to decipher, say jpeg2000).
Another solution -- not replacing, but supplementing such proxies -- is to use some kind of compressed tunnel to your desktop: say, ssh -C -L|D or openvpn. Such a tunnel will extend compression benefits to non-HTTP traffic (mail, IM, ...) and HTTP metadata.
Speaking of mail (although it's way out of your initial question, I know... I like to think aloud ), using IMAP IDLE extension should greatly reduce bandwidth used to checking mail (in short, it's kind of push solution -- server notifies client about new mail, without repeated login/check/logout sequences). Basic IMAP by itself, when used reasonably, can reduce amount of data downloaded - headers-only, selective download of attachments... If I were building such solution, I'd use IMAP server at home, synced with all external accounts, and then connect from netbook via above tunnel, NOT using SSL/TLS -- tunnel is encrypted itself, and additional encryption layer would prevent good compression (although TLS has possibility of using compression internally, I have yet to see it used somewhere...).
And, for almost all protocols (although HTTP proxies will take care of it by themselves), local caching DNS may be convenient -- it won't significantly decrease your traffic, but may reduce latency.
Last edited by briest (2010-05-16 14:15:36) -
EZVPN public internet split tunnel with dialer interface
I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.
So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached so I can definitly reach into the network at home which is the test for the corporate network I am trying to reach.
Its a cisco 870 router and here is the config
Router#sh run
Building configuration...
Current configuration : 4617 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 *************************
enable password *************************
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
ip dhcp pool myDhcp
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4
default-router 192.168.1.1
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 139.130.4.4
username ************************* privilege 15 password 0 *************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group HomeFull
key *************************
dns 8.8.8.8 8.8.8.4
pool SDM_POOL_1
include-local-lan
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group HomeFull
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 1740
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto ctcp port 10000
archive
log config
hidekeys
interface Loopback10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description TimsInternet
ip flow ingress
ip policy route-map VPN-Client
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 3
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template3 type tunnel
ip unnumbered Dialer3
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect myfw in
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1372
no ip mroute-cache
hold-queue 100 out
interface Dialer0
no ip address
interface Dialer3
ip address negotiated
ip access-group blockall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip policy route-map VPN-Client
no ip mroute-cache
dialer pool 3
dialer-group 1
no cdp enable
ppp chap hostname *************************@direct.telstra.net
ppp chap password 0 *************************
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 101 interface Dialer3 overload
ip access-list extended VPN-OUT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
remark CCP_ACL Category=17
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit tcp any any eq 10000
deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map VPN-Client permit 10
match ip address VPN-OUT
set ip next-hop 10.0.0.2
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
scheduler max-task-time 5000
end
Router#exit
Connection closed by foreign host.Thanks for the response.
Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client. The policy route map makes the L10 the next hop and it has NAT. -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic
Thanks to a previous thread, I do have a 5505 up and running, and passing data....
https://supportforums.cisco.com/message/3900751
Now I am trying to get a IPSEC VPN tunnel working.
I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned:
name 10.0.0.0 Eventual (HQ Site behind Firewall)
name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)
name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.209.0.3)
On a ping to the HQ network from behind the ASA, I get....
portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
Below is the config.
Can anyone see if there is something sticking out?
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 2.2.2.0 T1
name 1.1.1.0 CFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object CFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location CFS 255.255.255.240 inside
asdm history enable
Thank You.I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
Here's the output requested:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8FC06BD1
current inbound spi : 42EC16F4
inbound esp sas:
spi: 0x42EC16F4 (1122768628)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62207/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8FC06BD1 (2411752401)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62201/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here's the current config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
name 1.1.1.0 IntegraCFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object IntegraCFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
route outside Eventual 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 65535
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location IntegraCFS 255.255.255.240 inside
asdm history enable -
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players:(Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection whan trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
isco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unecapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
How to set up Split Tunneling on ASA 5505
Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible is to send all traffic to our corporate web site (static ip address) straight out to the internet and all other traffic to go though the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. IF our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help with be greatly appriciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: endSo I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2 and when I do a trace route to it from the computer, it still goes though the vpn to the main office and out the switch at the main office and not from the local isp. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 a
ny
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0
any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not
been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end -
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
For this local host @192.168.0.250, I also have a static one-to-one private to public.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi
intersting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks -
The tale of two IPSec Tunnels...
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies. Oon the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which make sense.
Other things to note: The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Config (non working site) looks fine(unless I missed something:)) . You may want to add :
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out vpnfilter : vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS -
SSH Tunnel to other SSH servers?
I'm not sure how this can be done, with or even without an SSH tunnel.
Here's my scenario:
PowerBook@Work --> Firewall --> INTERNET --> Linksys Router/Firewall with port forwarding to Mac mini home server --> Mac mini --> Other Mac clients
Obviously I can SSH into my Mac mini server from my PowerBook at work:
ssh [email protected]
However, what I want to do is, to ssh to the Other Mac client on my home LAN from my Work LAN. So far I accomplish this by SSH'ing into my Mac mini server and then SSH'ing from there to my other Mac clients (which all have static 192.168.X.X addresses).
I have tried the following and it's doesn't seem to work:
ssh -N -p 22 [email protected] -R 2110/example.com/22
With port 2110 forwarded from my Linksys to my Other Mac client. Doesn't work.
I know this is one of those scenarios where I "can't see the forest through the trees". Meaning, there must be an easier way? Any help?Paul,
sorry for my mistake. I forgot the "yes" in the commandline.
I wouldn't put all the different ssh connections into aliases of my .bashrc. SSH offers the use of a config file. Put everything there. It's easier to maintain and the recommended way for ssh.
Create a plain text file in ~/.ssh/config (for example with vi). And put the following stuff in there.
Host nicknameforyourhost
Hostname hostname.example.com
User yourusername
In Addition you might want to add one of these:
Port 22
Protocol 2
Compression yes
ForwardX11 yes
You can even put portforwardings, reflections etc. in there.
LocalForward 10548 127.0.0.1:548 To tunnel AFP on the server.
LocalForward 10080 127.0.0.1:80 To tunnel to an webserver running on the host that is blocked by the firewall.
To tunnel ServerAdmin, Workgroup Manager and Server Monitor Connections to the host (if it's running Mac OS X Server)
LocaLForward 311 127.0.0.1:311
LocalForward 625 127.0.0.1:625
LocalForward 687 127.0.0.1:687
You then connect your admin apps to localhost. This one has to be done as root, as you're forwarding privileged ports.
To forward an http connection to the webinterface of your router through the tunnel. Provided your LAN Range is 192.168.1.0 and your router is located at 192.168.1.1.
LocalForward 10080 192.168.1.1:80
You then connect your browser to http://localhost:10080/ and it will go through the tunnel, and be reflected from the host you connected to via SSH directly to the router. That way you could access your routers config pages without activating remote administration which is of course a lot more secure.
For your particular problem:
Create one Host entry with the actual machine that you connect to.
Host myserver
Hostname myserver.example.com
User yourusername
Protocol 2
Port 22
Compression yes
LocalForward 10080 192.168.1.1:80 see example with router above
LocalForward 10022 192.168.1.100:22 to create a ssh portreflector for host 192.168.1.100
This config will allow you to connect to your server and access your router like I described above and also create a tunnel for another ssh connection to 192.168.1.100. To access that machine, create a second config in that file just a few lines below.
Host myothermac
Hostname localhost
User yourusername
Protocol 2
Port 10022
To use all that you enter into your terminal:
$ ssh myserver
Password:
and from a second terminal:
$ ssh myothermac
Password:
You're directly taken to the othermac. You can put as many options in ther as you like. See the man page for SSH what else you can put into a config file. I hope by now is clear why not to use aliases in your .bashrc. Do some experimenting, you cannot hurt anything.
You could also do that from a screen session or just background the first SSH session from the terminal but that would make things unnecessarily more complex for the examples given.
Hope that helped.
Regards MacLemon -
[SOLVED] How to tunnel HTTP over SSH via SOCKS?
This should be a simple issue to solve, but for some reason it's not working for me.
`ssh vps` works just fine (I use authentication keys)
I set up the tunnel with the command:
ssh -C2TNv -D 8080 vps
I then modify Firefox network settings:
manual config
http proxy: localhost, port: 8080
use this proxy server for all protocols
SOCKS v5
about:config
network.proxy.socks_remote_dns: true
Terminal output:
$ ssh -C2TNv -D 8080 vps
OpenSSH_6.0p1, OpenSSL 1.0.1a 19 Apr 2012
debug1: Reading configuration data /home/ting/.ssh/config
debug1: /home/ting/.ssh/config line 47: Applying options for vps
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to vps.server.com [1.1.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/ting/.ssh/id_rsa type 1
debug1: identity file /home/ting/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 [email protected]
debug1: kex: client->server aes128-ctr hmac-md5 [email protected]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <removed>
debug1: Host 'vps.server.com' is known and matches the RSA host key.
debug1: Found key in /home/ting/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ting/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to vps.server.com ([1.1.1.1]:22).
debug1: Local connections to LOCALHOST:8080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 8080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 8080.
debug1: channel 1: new [port listener]
debug1: Requesting [email protected]
debug1: Entering interactive session.
I then try visiting a site using Firefox, SSH output:
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: channel 2: free: dynamic-tcpip, nchannels 3
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: channel 2: free: dynamic-tcpip, nchannels 3
Despite the proxy seemingly working, visiting any site with Firefox just returns with the error "The connection was reset".
Last edited by AncientPC (2012-04-27 06:47:39)I eventually figured it out from here:
http://superuser.com/questions/417397/h … -via-socks
It turns out my Firefox settings were wrong, only SOCKS Proxy needed to be filled in.
For future reference, you can test your SSH tunnel by using:
curl --socks5 127.0.0.1:8080 http://blah
curl --proxy 127.0.0.1:8080 http://blah -
IPSec secured L2TPv3 - one way traffic in L2 tunnel
Sigh... after 7 hours battling coming here because I've exhausted all my options to find an answer for my problem.
So here is the topology - standard (boring) IPSec secured L2TPv3 tunnel: on one side - 897 connected to a DSL box, on another side - 1921 with two interfaces.
Purpose to setup a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with number of devices connected to 1921 on other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, IPsec tunnel comes up and does pass traffic - I can ping from one l1 another l1, below is the output from 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at detailed output of l2tunn, you will see that the tunnel receives traffic from 1921, but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on other side - 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into 897's G3 with IP address 10.97.2.25. I can ping from it 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Anyone has some reasonable suggestion what might be wrong? I suspect that something is wrong at 897's side.
One last question - how can I create svi on 1921 and assign ip address from 10.97.2.0/24 network on it?Anybody? Opened ticket #630128425, no response from Cisco yet..
-
What is WAN compression on AOS 6.4.3.0 and it`s use case?
Q: What is WAN compression on AOS 6.4.3.0 and it`s use case?
A: This feature is supported from AOS 6.4.3.0 and above.
The 7000 Series Controllers contain the Compression/Decompression Engine (CDE) that compresses the raw IP payload data and also decompresses the compressed payload data
Deflation & Inflation
The CDE compression process is called Deflation; the decompression process is called Inflation.
XLP 4xx and XLP2xx Packet Processor Card is a high-performance network processor PCI Express card designed for use in PCI Express compliant systems.
It features the latest Broadcom XLP 4xx series processor with up to 2.5 Gbps per CDE.
This processor is ideally suited to both data-plane applications, which are inherently sensitive to memory latencies, and control-plane applications, which will help best-in-class processing performance.
Advantages
Four CDE channels on the XLP4XX processor and one CDE channel on the XLP2XX processor.
2.5 GBps per CDE (Deflation process, Inflation process, or combination of both)
Deflation context save and restore (at block boundaries)
Inflation context save and restore (at arbitrary file position)
Load balancing the input messages to all CDEs
The Compression/Decompression Engine feature is enabled by default. However, the packets are compressed only if the IP Payload Compression Protocol (IPComp) is successfully negotiated via the Internet Key Exchange (IKE) protocol.
Use-case
Data compression reduces the size of data frames that are transmitted over a network link, thereby reducing the time required to transmit the frame across the network. IP payload compression is one of the key features of the WAN bandwidth optimization solution, which is comprised of the following elements:
You can split a file or data into blocks, and each block can use the mode of compression that suits it best. In this case, it is packet data and there will be only one block.
IP Payload Compression
Traffic Management and QoS
Caching
Recommendation
Boc (Branch office controller)can have traffic to destinations other than HQ on the same link, the preferred method is to enable payload compression on the IPsec tunnel between the branch controller and the master controller.
IP Payload needs to be enabled only between Aruba devices.
Notes
When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Lync or Voice traffic) is not compromised through increased latency or decreased throughput.They didn't do the NVIDIA test on it? At this point I guess it really doesn't matter. It sounds like it needs a new logic board, which has the GPU soldered on it. Price-wise, it's not worth having Apple put a new LB in it, given its age. If you're handy inside a laptop, you might consider installing a used LB yourself if you can find one on eBay, etc. Not good news, I know.
-
MPLS over Serial links with Hardware Compression
We have a core network comprising multiple nodes (2821s) with 256K - 2M Serial links joining them. The network currently support MPLS TE tunnels to provide load balancing across multiple paths within the core network. I am aware that it is not possible to run software compression (STAC) on these links as MPLS requires CEF switching to work and software compression results in process switching. Is it possible to implement hardware compression and CEF switching concurrently and hence MPLS functionality or will packets still be process switched?
Martin,
thanks for the suggestion. It works correctly but has highlighted what I believe to be an IOS bug. With MPLS packet debugging enabled on an intermediate router it works fine. Without MPLS packet debugging the intermediate router forwards the paket untagged out the wrong interface. Time for a TAC case.
Regards
Gary -
Configuration of sshd to allow port forwarding (tunneling)?
I'm having a tough time setting up my sshd daemon to allow me to tunnel. I use the following to connect and get these bind errors as shown below:
$ ssh bigbox -D 7000
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 7000
Could not request local forwarding.
Can someone advise me what I need to enable to allow tunneling/forwarding? Here is my server's /etc/ssh/sshd_config
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
ListenAddress 0.0.0.0
Protocol 2
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts yes
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
PermitTunnel yes
#ChrootDirectory none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
DenyUsers root
Last edited by graysky (2010-01-23 19:48:20)Here my functional sshd_config that I use as a socks proxy -- keep in mind this is using key authentication, so don't lock yourself out by accident! Notice you have to define the port you are using -- make sure first it's not being used by another application, which could also result in the error message you saw.
I setup the socks proxy on the client machine by: ssh -fND <localport> -l <login> -p <server port> <location>
so if you have sshd running on port 7000 on your server: ssh -fND 7000 -l graysky -p 7000 bigbox.
(although without the -l and -p if bigbox is defined in .ssh/config)
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 7000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Good luck!
Scott
Maybe you are looking for
-
Exporting iDVD5 to be opened in iDVD4
Hello, I'm interested in migrating back to iDVD 4. There are some bugs in version 5 that affect every project I work on (I've just reported them, don't worry). Anyway, I just installed v4.x and can't open my v5.x projects (oops). I've moved the v4.ap
-
I can't update my playbook to 1.0.7.x
I there guys. This is my first post. I'm looking for a solution to my current problem. I've get a new playbook 16gb in hands with original software version 1.0.0.1439 And when I start setting up the device it's force me to download the version to 1.0
-
Dear All, Myself working as an Oralce Apps Functional Consultant SCM, I wish to do a certification for SCM in R12 can anybody suggest me which exam shall i plan to appear. Thanks Jiji Thomas
-
Airport will not turn off and is acting strange
my airport has recently been doing something strange. According to the status bar icon, it is turned on but has a weak signal(greyed bars rather than black) when you click the icon it says the airport is turned off and gives the option to turn it on.
-
Weird problems w/ mother board
i reciently built a system using the 845GE MAX main board, and it worked great for about 3 months. now its having communication problems w/ most devices. it sees the printer, but wont print. it reconizes the floppy, and USB devices, but cant communic