Configure VPN Between ASA-Astaro

Hi All
I have an ASA 5510 and have configured 2 VPNs. Router 850-ASA is OK, but I can't establish the other VPN, ASA-Astaro; the error is:
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
My configuration for VPN is:
ACL:
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
VPN:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 set security-association lifetime seconds 86400
crypto map Internet_map 20 set security-association lifetime kilobytes 4608000
crypto map Internet_map 20 set nat-t-disable
crypto map Internet_map 40 match address Internet_cryptomap_40
crypto map Internet_map 40 set peer 165.98.233.180
crypto map Internet_map 40 set transform-set ESP-3DES-MD5
crypto map Internet_map 40 set security-association lifetime seconds 86400
crypto map Internet_map 40 set security-association lifetime kilobytes 4608000
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
crypto map Internet_map 60 set security-association lifetime kilobytes 4608000
crypto map Internet_map interface Internet
isakmp identity address
isakmp enable Internet
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 186.1.10.74 ipsec-attributes
pre-shared-key *
tunnel-group 165.98.233.180 type ipsec-l2l
tunnel-group 165.98.233.180 ipsec-attributes
pre-shared-key *
tunnel-group 200.50.2.114 type ipsec-l2l
tunnel-group 200.50.2.114 ipsec-attributes
pre-shared-key *
Thanks in advance
Regards

Take a look at this:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K74152394
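As an added example (not from the original post or the reply above), the script below pulls out of the posted crypto map the Phase 2 values the Astaro side has to mirror (transform set, SA lifetime, PFS, NAT-T, encryption domain) and flags local gaps such as the map 20 entry whose ACL does not appear in the posted snippet. The function names and the config sample are constructed here from the lines posted above; the Astaro's own values still have to be compared by hand.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the posted configuration.
ASA_CONFIG = """
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 set nat-t-disable
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 200.50.2.114 type ipsec-l2l
"""
# "crypto map <name> <seq> <command> [value]"; the command text becomes the dict key.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+(?: lifetime \S+)?)\s*(.*)$")

def parse_config(text):
    """Collect ACLs, transform sets, l2l tunnel-groups, global lifetime and map entries."""
    acls, tsets, tgroups, entries = defaultdict(list), {}, set(), defaultdict(dict)
    global_lifetime = 28800  # ASA default when no global lifetime line is present
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if line.startswith("access-list "):
            acls[parts[1]].append(line)
        elif line.startswith("crypto ipsec transform-set "):
            tsets[parts[3]] = parts[4:]
        elif line.startswith("crypto ipsec security-association lifetime seconds "):
            global_lifetime = int(parts[-1])
        elif line.startswith("tunnel-group ") and " type ipsec-l2l" in line:
            tgroups.add(parts[1])
        elif (m := ENTRY_RE.match(line)):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    return acls, tsets, tgroups, entries, global_lifetime

def audit(text):
    """Per peer: the Phase 2 values the remote side must mirror, plus local config gaps."""
    acls, tsets, tgroups, entries, global_lifetime = parse_config(text)
    report = {}
    for e in (entries[k] for k in sorted(entries)):
        peer, acl, ts = e.get("set peer"), e.get("match address"), e.get("set transform-set")
        findings = []
        if acl not in acls:
            findings.append(f"ACL {acl} not in config: encryption domain undefined")
        if peer not in tgroups:
            findings.append(f"no ipsec-l2l tunnel-group for peer {peer}")
        report[peer] = {
            "domain": [a.split("permit ip", 1)[1].strip() for a in acls.get(acl, [])],
            "esp": tsets.get(ts, [f"undefined transform-set {ts}"]),
            "lifetime_seconds": int(e.get("set security-association lifetime seconds", global_lifetime)),
            "pfs": e.get("set pfs", "off") or "group2",  # bare "set pfs" means the ASA default, group2
            "nat_t": "disabled" if "set nat-t-disable" in e else "enabled",
            "findings": findings,
        }
    return report
```

Run against the full running config rather than a snippet, since an ACL or tunnel-group reported missing may simply have been left out of the paste.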

Similar Messages

  • Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops

    I'm having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
    Here is the configuration of the Cisco switch port facing the ASA 5510:
    interface FastEthernet2/0/6
    description Trunk to ASA 5510
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 131,500
    switchport mode trunk
    switchport nonegotiate
    And here is the ASA 5510 port configuration:
    interface Ethernet0/3
    speed 100
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3.500
    vlan 500
    nameif outside
    security-level 0
    ip address X.X.X.69 255.255.255.0
    There is a default route on ASA to X.X.X.1.
    When I try to ping X.X.X.1 from the ASA I get:
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Also, in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
    I have also changed the ports on the switch and the ASA, but the same error remains.
    Any thoughts?

    I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
    Maybe you should adjust the "speed 100"?  In my experience, partial autoconfiguration results in duplex mismatches, which result in dropped packets.
    I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch.  Alternatively, have both sides set
       speed 100
       duplex full
    and see if things improve.
    -- Jim Leinweber, WI State Lab of Hygiene

  • Unable to print from HQ to Branch through the VPN tunnel between ASAs

    We have a site-to-site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet. The users in the HQ cannot print to the branch office printer. I have allowed the IP protocols for the printer subnet, but it is still not working. When I do a packet trace, the traffic for the printer is allowed through the tunnel.
    Can anyone suggest what could be preventing printing?

    When other printers in the same subnet can be reached, I would first check the IP settings of the printer. In my experience it's most likely a wrong subnet mask or gateway.

  • Problem with an s2s IPsec between ASA and Adtran

    I'm having a problem getting this tunnel to come up.  What info would you guys need to help me out? I'm just cutting my teeth on networking; I've always had guys to defer these problems to, but I don't right now....
    This is what keeps popping up in the logs:
    6 Dec 08 2012 12:19:13 713172 Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
    and
    6 Dec 08 2012 12:19:13 302015 OutsideIP 500 x.x.x.x 500 Built outbound UDP connection 1088 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:OutsideIP/500 (OutsideIP/500)
    and
    4 Dec 08 2012 12:19:33 713903 Group = x.x.x.x, IP = x.x.x.x Information Exchange processing failed
    There are a couple more logs; let me know if y'all need anything else to help.

    A copy of the configuration of the ASA would help; also advise which VPN tunnel is to the Adtran device.
    Also, if you can, run the following debugs:
    debug cry isa
    debug cry ipsec
    and share the output when you try to ping between the 2 LANs.

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting an L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being set up with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by another party and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from the ASA indicates there may be a problem with your preshared key on both the local and remote sites, or an out-of-sync problem with the remote end/peer. Give more details about your Watchguard version and what application it is running. Send the complete log of:
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all
    We are having major issues bringing up a VPN between our ASA and a third-party Checkpoint. It seems that if the Checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    On the ASA I see the following. Any ideas what this is?
    7 Jan 30 2014 11:52:03 715065 IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures mean several things:
    Encryption domains (interesting traffic) fail to match.  Checkpoint tends to supernet networks together, by design.
    Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or SecurePlatform Checkpoint?
    - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with IKEView.exe and it will tell you exactly where things are wrong.
    Disabling/turning OFF kilobyte timeouts is not the solution.
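Taking the failure messages quoted in this page, the IKEv1 QM FSM error of the original post, the IKEv1 main-mode FSM history in this Checkpoint thread, and the IKEv2 "Failed to find a matching policy" debug from the Fortinet thread above, here is an added triage script (not from any of the posts) that sorts such lines by peer or IKEv2 session, names the phase that failed, and records the received and expected ESP proposals. The function names are mine and the log sample is constructed from those quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample built from lines quoted in the posts above: IKEv1 syslog (original
# post), an IKEv1 main-mode FSM history (Checkpoint thread), IKEv2 debug (Fortinet thread).
LOG = """\
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1:  3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
"""

PEER_RE = re.compile(r"IP = (\d+(?:\.\d+){3})")
TRANSITION_RE = re.compile(r"(EV_\w+|NullEvent)-->(MM_\w+)")   # "<event>--><state>" pairs, newest first
IKEV2_RE = re.compile(r"IKEv2-PROTO-\d+: \((\d+)\):\s*(.*)")

def ikev1_verdict(line):
    """Map one IKEv1 line to (phase, hint); a QM failure means Phase 1 succeeded and Phase 2 was rejected."""
    if "QM FSM error" in line:
        return "phase2", "quick mode rejected: compare encryption domain, transform set, PFS and lifetimes with the peer"
    if "MM Initiator FSM error history" in line:
        stalled = [st for ev, st in TRANSITION_RE.findall(line) if ev in ("EV_TIMEOUT", "EV_RETRY")]
        where = stalled[0] if stalled else "unknown state"
        return "phase1", f"main mode stalled at {where}: no usable reply (reachability, UDP/500 filtering, or no IKE config for us on the peer)"
    return None

def note(entry, phase, hint):
    entry["phase"] = phase
    if hint not in entry["hints"]:
        entry["hints"].append(hint)

def triage(text):
    """Group findings by IKEv1 peer IP or IKEv2 session id; collect IKEv2 received/expected ESP proposals."""
    report = defaultdict(lambda: {"phase": None, "hints": [], "received": [], "expected": []})
    key, bucket = None, None   # current IKEv2 session, and which proposal list we are inside
    for line in text.splitlines():
        if line.startswith("ESP: Proposal") and key and bucket:
            report[key][bucket].append(line.split(":", 2)[2].strip())
            continue
        m = IKEV2_RE.match(line)
        if m:
            key, msg = f"ikev2-session-{m.group(1)}", m.group(2)
            bucket = {"Received Policies:": "received", "Expected Policies:": "expected"}.get(msg, bucket)
            if msg.startswith("Failed to find a matching policy"):
                note(report[key], "ikev2-child-sa", "peer's ESP proposal matched no local ipsec-proposal/PFS/selector set")
            continue
        verdict, peer = ikev1_verdict(line), PEER_RE.search(line)
        if verdict and peer:
            note(report[peer.group(1)], *verdict)
    return dict(report)
```

An empty "expected" list next to a populated "received" list, as in the Fortinet debug, tells you the ASA found no crypto map entry to evaluate the peer's proposal against at all, which is a different fix from a cipher mismatch.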

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with certificates
    - integrity sha2
    I have tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure them the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH group.
    For options 1) and 2) an extra license is needed, but that's not very expensive.

  • Unable to establish site-to-site VPN between ASA 5505 and 5510

    Hi ALL expert
    We are now planning to form a site-to-site IPsec VPN tunnel between an ASA 5505 (ASA version 8.4) and an ASA 5510 (ASA version 8.0), but it fails. Would you please teach me how to establish it? Any reference guide?
    Hugo

    Here are the links to the Cisco config guides:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
    In addition to VPN you need to look into NAT exemption:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wpxref25608
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html#wp1232160
    And lots of examples:
    http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Is it possible to configure vPC between N5010 and 6513

    Hello Gents,
    Please let me know if we can configure vPC between N5010 and 6513 (core switch).
    If yes, does it have any loops or abnormal traffic behaviour?
    Please refer to the attached mail for the current network diagram.
    1) I would like to establish vPC between N5010 and the Cisco 6513 switch.
    2) If yes, will the upstream devices above the 6513 core switch forward the traffic from all the 6513 ports connected to N5000 ports, or will the 6513 send traffic from one uplink and block the other uplink ports as part of STP?
    3) Is VSS on the 6513 required for point #1?
    Please refer me to some links on this as well.
    Appreciate your quick response.
    Thanks and Regards,
    KA.

    Hi Karim ,
    You can use this one; you can consider your 6k the FEX as in this example:
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html
    On the port-channel to the 6k, do not configure:
    "switchport mode fex-fabric"
    "fex associate 100"
    This configuration is intended to be used with FEX.
    Regards
    Dan

  • Error while configuring SSO between Portal 7.0 and Operating System

    Dear all,
    I am having an issue: I need to configure SSO between the Portal 7.0 and the operating system. I have followed both the Kerberos and the SPNego wizard methods, but I am not able to configure UME settings as we are using datasourceConfiguration_abap.xml. I tried to edit the datasource configuration file, but after editing the server does not start.
    Please let me know the steps I have to follow to edit the datasourceConfiguration_abap.xml.
    We are not able to map the service user to the UME configuration XML file.
    Thanks
    Ravi.S

    Ravi,
    If you have successfully configured the SSO, please pass on the document if any you have.
    Regards,
    Mohammad.

  • What configuration is needed between R3 and XI when we use the RFC sync adapter

    hi,
    What configuration is needed between R3 and XI when we use the RFC sync adapter?
    Regards
    siva.

    If it's the sender adapter, ref:
    RFC adapter
    Sender - /people/michal.krawczyk2/blog/2005/03/29/configuring-the-sender-rfc-adapter--step-by-step
    Receiver:
    http://help.sap.com/saphelp_nw04/helpdata/en/c8/e80440a832e369e10000000a155106/content.htm
    Also:
    troubleshooting RFC/SOAP -
    /people/shabarish.vijayakumar/blog/2008/01/08/troubleshooting--rfc-and-soap-scenarios-updated-on-20042009

  • Change MTU for just one Site-to-Site VPN between ASAs?

    Hi -
    I'm setting up a site-to-site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU to 1362.
    Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to 1362? I see my interfaces are all set to 1500.
    If not, would you recommend I set up a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to traverse prior to hitting the VPN.
    Thank you.

    I would not worry too much about UDP traffic.  I would rather concentrate on TCP traffic, because almost all of the issues will be TCP.
    Therefore, I would set the MSS value to 1362, or maybe 1300:   sysopt connection tcp-mss 1300
    That will solve most of your issues.

  • How do we archive configuration for Cisco ASA 5500 series appliances

    Hi,
    We need to archive configuration for Cisco ASA 5500 series appliances.
    We have CiscoWorks LMS 3.0.1.
    The device package installed is 4.2.
    Any help would be appreciated.
    Thanks in advance.
    Samir

    Hi ,
    Thanks for your answer.
    Right now we are using TACACS to log in to the ASA. That means we need a single username and password to log in via
    CiscoWorks. Am I correct?
    Waiting for your reply.
    thanks,
    Samir

  • How to configure SingleSignOn between GRC and BOBJ 4.1

    How to configure SingleSignOn between GRC and BOBJ 4.1?
    We have configured the System entitlement in BOBJ CMC. But didn't do anything on the GRC system.
    User can login from BOBJ to GRC with password but not with SSO.
    We haven't configured SNC. I don't think for this simple flow we need to have SNC.
    We haven't set up the trust certificate exchange between BOBJ and GRC either.
    Please help us to know what mandatory settings need to be done to create a relational connection for an ERP/GRC system from the BOBJ client tool IDT.
    thanks,
    Tilak

  • Configure ssh between two hosts as a ROOT user

    Hi Experts,
    I have tried several times to configure ssh between two hosts but didn't succeed. Can someone please help me to configure ssh as root?
    I have freshly installed two Solaris 10 VMs.
    Thanks~
    Edited by: user12108503 on Jun 3, 2013 1:28 PM

    Hi,
    I have changed the config file and am still getting exactly the same error message:
    /etc/ssh/ssh_config: line 32: Bad configuration option: PermitRootLogin
    /etc/ssh/ssh_config: terminating, 1 bad configuration options
    Please help.
    Thanks~
