Dual Simultaneous Site to Site VPN connections
My goal is to have an 891 router at a branch office with two always-active VPN tunnels, where routing would switch to the secondary tunnel within the 891. On the hub side there would be two ISPs connected into the same MPLS cloud, which has internet access. Is this possible? Which device should I terminate the VPNs on? I've typically used ASAs in the past.
Remote Site
     |
    891
     |
 Cable/DSL
     |
    MPLS
     |
   +-----+-----+
   |           |
  ISP1        ISP2
   |           |
   R1          R2
   |           |
  ASA         ASA
   |           |
 Core SW1 --- SW2 Core
         |
       Server
To take it even further, I would like to configure the branch office with two ISPs but have a VPN connection over both.
Hi,
As far as I know, you can't create two IPsec VPN tunnels from the same source to the same destination on a single router. For this you could consider DMVPN, but the ASA doesn't support this yet. You would typically need an ISR router to do this.
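One way to get the two always-active tunnels with failover inside the 891, without DMVPN, is a pair of IPsec virtual tunnel interfaces (VTIs), one to each of the hub's two ISP addresses, with EIGRP running across both. This is an added example, not configuration from the original thread: the addresses, names and key placeholders are hypothetical, the hub end is assumed to terminate on R1 and R2 (ISR routers that mirror this configuration) rather than on the ASAs, and because each tunnel has a different destination the same-source/same-destination limit mentioned in the reply does not come into play.

```cisco
! Branch 891: two IKEv2/IPsec VTIs to the hub, one per hub ISP address.
! Added example with hypothetical addresses: hub via ISP1 = 203.0.113.1,
! hub via ISP2 = 198.51.100.1, branch LAN 192.168.10.0/24, branch WAN Gi0.
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-HUB
 proposal PROP-AES256
crypto ikev2 keyring KR-HUB
 peer HUB-ISP1
  address 203.0.113.1
  pre-shared-key <psk-isp1>
 peer HUB-ISP2
  address 198.51.100.1
  pre-shared-key <psk-isp2>
crypto ikev2 profile PROF-HUB
 match identity remote address 203.0.113.1 255.255.255.255
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUB
 dpd 10 3 periodic               ! dead peer detection: a dead tunnel is torn down in ~30 s
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-VTI
 set transform-set TS-AES256
 set pfs group14
 set ikev2-profile PROF-HUB
!
interface Tunnel1
 description Primary: hub via ISP1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-VTI
interface Tunnel2
 description Secondary: hub via ISP2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 20000                     ! worse EIGRP metric, so Tunnel1 is preferred while it is up
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-VTI
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
!
! Verify: both IKEv2 SAs up, two EIGRP neighbours, hub routes learned via Tunnel1.
! show crypto ikev2 sa
! show ip eigrp neighbors
! show ip route eigrp
```

When DPD kills the IKE SA on the primary, the VTI's line protocol drops, the EIGRP neighbour on Tunnel1 is lost, and the hub prefixes are immediately re-installed via Tunnel2; no static routes or tracking objects are needed. For the "two ISPs at the branch as well" case, change Tunnel2's `tunnel source` to the 891's second WAN port (FastEthernet8) and add a /32 static route for 198.51.100.1 via the second ISP's gateway so that tunnel actually rides the second circuit; everything else stays the same.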
Similar Messages
Need to change reconfigure vpn connection due to new ip address
My current situation is that I have 8 ASAs connected together with site-to-site VPNs. My company is changing ISP providers and we won't be using the same IP addresses anymore at two of the sites. I know I have to change the outside IP address on the ASA at the two sites, but how do I configure the VPN with the new IP address? Do I need to configure the ASA again from scratch and use the VPN wizard to connect all my sites? And if I do have to configure from scratch, how do I remove the old tunnel and IP address from the other ASAs?
To remove the configuration for an existing tunnel from the CLI:
! Without a name argument each of these clears the whole section, not just one tunnel:
clear configure tunnel-group     ! removes every tunnel-group, site-to-site and remote-access alike
clear configure crypto map       ! removes every crypto map entry on every interface
clear configure access-list      ! removes every access-list on the box, not only the crypto ACL
Yes, you have to configure ASA for new tunnels from scratch.
- Kanishka
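For the case in the question, where only the peer address of one site changes, the tunnel can be re-pointed without clearing the rest of the ASA. This is an added example, not the answerer's procedure: the old peer 198.51.100.10, the new peer 203.0.113.10, the crypto map name `outside_map` with entry 10, the test hosts and the PSK placeholder are hypothetical; the crypto ACL and transform sets are assumed to stay as they are. The same steps run on every ASA that peers with the moved site.

```cisco
! Moving one ASA site-to-site peer to a new outside address (added example).
! Hypothetical: old peer 198.51.100.10, new peer 203.0.113.10, crypto map
! outside_map entry 10. Crypto ACL, transform sets and NAT exemption are unchanged.
!
! 1. Create the tunnel-group for the new address before touching the old one.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <new-psk>
!
! 2. Re-point the existing crypto map entry; "set peer" with a single address
!    replaces the previous peer for that entry.
crypto map outside_map 10 set peer 203.0.113.10
!
! 3. Remove only the old peer's tunnel-group. The name argument is what keeps
!    "clear configure tunnel-group" from wiping every other tunnel on the box.
clear configure tunnel-group 198.51.100.10
!
! 4. Drop any SAs still bound to the old address, trigger the tunnel from the
!    inside with packet-tracer, then confirm the SA is with the new peer.
clear crypto ipsec sa peer 198.51.100.10
packet-tracer input inside tcp 192.168.1.10 1025 192.168.2.10 445
show crypto ikev1 sa
show run crypto map | include set peer
```

On the two ASAs whose own outside address changes, the `ip address` on the outside interface and the default route are updated first; their crypto maps keep the same remote peers, so only the far ends need the steps above. The wizard is not required, and the remote-access tunnel-groups, other site-to-site peers and interface ACLs are never touched.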
I want to set up a site-to-site VPN connection between 2 offices (same city). Which VPN routers (wireless/Ethernet) are best for it? I heard about the Cisco devices RV042, RV130W and RV215W. In my current office I have a Dell TZ200 router. If I go with a Cisco VPN router for the new office (6 users), will the VPN work fine? E.g. Dell TZ200 with Cisco RV042/RV130W.
Which device is best, RV042 or RV130W, for good VPN connectivity?
Please help me purchase the best VPN router.
Hi, Shaffz123.
As long as your Dell router also supports IPsec VPN, there shouldn't be any issues. The RV042 supports more VPN peers than the RV130W. Will you need the WAN failover feature of the RV042 as well? The RV042 can support dual WAN, by the way.
Let me know if you need more support, or e-mail me directly ([email protected]).
ASA 5505: site-to-site VPN does not connect!
Hello!
A bit more than a week ago we got a new link from MGTS (a Sercomm RV6688BCM ONT, which I only just managed to get the provider to put into "bridge" mode so that our Cisco receives the public IP address), and for more than a week now I have been trying to bring up an IKEv1 IPsec site-to-site VPN tunnel between our company's offices.
I have configured it both with the ASDM wizard and by hand in the CLI; the result is the same, the connection does not come up.
ASA version 9.2(2), image asa922-k8.bin, Security Plus license, ASDM version 7.2(2).
What's wrong, I just can't understand...
Full configuration and debug output are attached below.
Please help with whatever you can! I'm quite exhausted!
Config:
Result of the command: "sh run"
: Saved
: Serial Number: XXXXXXXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)
hostname gate-71
enable password F6OJ0GOws7WHxeql encrypted
names
ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.72.254 255.255.255.0
interface Vlan2
nameif outside_mgts
security-level 0
ip address 62.112.100.R1 255.255.255.252
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group MGTS
name-server 195.34.31.50
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NET72
subnet 10.1.72.0 255.255.255.0
object network obj-0.0.0.0
host 0.0.0.0
object network Nafanya
host 10.1.72.5
object network obj-10.1.72.0
subnet 10.1.72.0 255.255.255.0
object network NET61
subnet 10.1.61.0 255.255.255.0
object network NETWORK_OBJ_10.1.72.96_27
subnet 10.1.72.96 255.255.255.224
object network NETT72
subnet 10.1.72.0 255.255.255.0
object network NET30
subnet 10.1.30.0 255.255.255.0
object network NETWORK_OBJ_10.1.72.0_24
subnet 10.1.72.0 255.255.255.0
object-group service OG-FROM-INET
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq echo
object-group network DM_INLINE_NETWORK_1
network-object object NET30
network-object object NET72
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Nafanya any inactive
access-list inside_access_in extended permit object-group OG-FROM-INET any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any log alerts
access-list outside_mgts_access_in extended permit object-group OG-FROM-INET any any
access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_mgts_access_in extended deny ip any any log alerts
access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside_mgts 1500
ip verify reverse-path interface outside_mgts
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside_mgts) dynamic obj-0.0.0.0
object network NET72
nat (inside,outside_mgts) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_mgts_access_in in interface outside_mgts
route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.72.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
crypto map outside_mgts_map 1 set pfs group1
crypto map outside_mgts_map 1 set peer 91.188.180.42
crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_mgts_map interface outside_mgts
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=gate-71
serial-number
ip-address 62.112.100.42
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d1964
60ae26ec 5f300d06 092a8648 86f70d01 01050500 03820101 00448753 7baa5c77
62857b65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a82781 44493217 38097952 003d5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df 193b8167 db835d76 98ffdb2b 8c8ab915
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate a39a2b54
30820377 3082025f a0030201 020204a3 9a2b5430 0d06092a 864886f7 0d010105
0500304b 3110300e 06035504 03130767 6174652d 36313137 30120603 55040513
c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
14bdb207 7dd790a4 0cd70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f 362973a0 88de3272
9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
0001a363 3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101
ff040403 02018630 1f060355 1d230418 30168014 0cea70bf 0d0e0c4b eb34a0b1
8242a549 5183ccf9 301d0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182
42a54951 83ccf930 0d06092a 864886f7 0d010105 05000382 0101004e 7bfe054a
d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 96077966 2a97333b 05a8e9ef
bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
9aaeae21 a629ccc6 3c79200b b9a89b08 4745a411 bf38afb6 ea56b957 4430f692
34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
ebd4dccd df93c17e deceb796 f268abf1 bd5f7b69 89183841 881409b5 f484f0e7
ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside_mgts client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside_mgts
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.1.72.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup VPN-L2L password *****
vpnclient username aradetskayaL password *****
dhcpd auto_config outside_mgts
dhcpd update dns both override interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside_mgts
webvpn
enable outside_mgts
group-policy GroupPolicy_91.188.180.X internal
group-policy GroupPolicy_91.188.180.X attributes
vpn-tunnel-protocol ikev1
group-policy VPN-ST internal
group-policy VPN-ST attributes
dns-server value 195.34.31.50 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ST_splitTunnelAcl
default-domain none
username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
tunnel-group 91.188.180.X type ipsec-l2l
tunnel-group 91.188.180.X general-attributes
default-group-policy GroupPolicy_91.188.180.42
tunnel-group 91.188.180.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-ST type remote-access
tunnel-group VPN-ST general-attributes
address-pool vpnpool
default-group-policy VPN-ST
tunnel-group VPN-ST ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: end
gate-71# sh crypto ikev1 sa
There are no IKEv1 SAs
gate-71# sh crypto ikev2 sa
There are no IKEv2 SAs
gate-71# sh crypto ipsec sa
There are no ipsec sas
gate-71# sh crypto isakmp
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 25
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 50
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
gate-71# sh crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 19331
Encapsulate packet requests: 19331
Decrypt packet requests: 437
Decapsulate packet requests: 437
HMAC calculation requests: 19768
SA creation requests: 178
SA rekey requests: 0
SA deletion requests: 176
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 6238
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 76
Failed requests: 9
gate-71# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Configured for self-signed certificate generation.
Trustpoint ASDM_TrustPoint1:
Configured for self-signed certificate generation.
If you need anything else, I'll post it!
Please explain why it doesn't want to work? When I ran packet-tracer from the CLI, the connection came up! Hooray!
I just don't understand why it hadn't come up before with the same settings?
As I understand it, MGTS finally started letting the required ports through!
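For comparison, here is the same site-to-site tunnel trimmed to a single strong IKEv2 policy, with the items a reviewer would flag in the posted configuration removed: the fifteen IKEv1 policies that go down to DES/MD5, `set pfs group1` (768-bit DH), and IKEv1 plus a dynamic crypto map bound to the inside interface. This is an added example, not the poster's configuration: the peer address 203.0.113.2, the group-policy name, the PSK placeholder and the proposal name are hypothetical, it assumes the remote peer supports IKEv2 and replaces the posted crypto-map entry 1, and the local and remote networks are the post's 10.1.72.0/24 and 10.1.61.0/24. The packet-tracer at the end is the same trick the follow-up used to trigger negotiation; once it brings the tunnel up, IKE (UDP/500, and UDP/4500 for NAT-T) and ESP (IP protocol 50) are evidently passing the ONT.

```cisco
! ASA 9.2 site-to-site, IKEv2 only, one policy and one proposal (added example).
! Hypothetical peer 203.0.113.2; LANs 10.1.72.0/24 (local) and 10.1.61.0/24 (remote).
object network NET72
 subnet 10.1.72.0 255.255.255.0
object network NET61
 subnet 10.1.61.0 255.255.255.0
! NAT exemption for the tunnelled traffic; it must sit above the dynamic PAT rule.
nat (inside,outside_mgts) 1 source static NET72 NET72 destination static NET61 NET61 no-proxy-arp route-lookup
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside_mgts
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
access-list outside_mgts_cryptomap extended permit ip object NET72 object NET61
crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
crypto map outside_mgts_map 1 set peer 203.0.113.2
crypto map outside_mgts_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_mgts_map 1 set pfs group14
crypto map outside_mgts_map interface outside_mgts
! IKE has no business on the LAN side: drop the inside listener and map.
no crypto map inside_map interface inside
no crypto ikev1 enable inside
!
group-policy GP-L2L internal
group-policy GP-L2L attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-L2L
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
! Verification: interesting traffic from the inside starts the negotiation,
! then the IKE and IPsec SAs must show the peer.
packet-tracer input inside tcp 10.1.72.10 40000 10.1.61.10 445
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.2
```

If `show crypto ikev2 sa` stays empty after the packet-tracer, `debug crypto ikev2 protocol 5` on the ASA shows whether the IKE_SA_INIT ever leaves the box or gets a reply, which is the quickest way to tell a filtering ONT or ISP from a policy mismatch with the peer.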
Site to site VPN re-connection issue
Hi, I have set up a site-to-site VPN between two UC560s and I am able to make calls too. At both sites I am using DDNS FQDNs. Now I am facing these problems:
1. Whenever either site goes down, it takes around 45 minutes for the VPN to reconnect.
2. Within 2 minutes the Dialer interface gets a WAN IP address from the service provider and it is updated in DynDNS too. But when I check the crypto session details on my local UC, I can see the peer address is not changing, or shows none.
Please help me overcome this issue.
I tested by restarting ROUTER-A (UC560).
Please find the status of the remote site:
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.50.37.13 86.99.72.10 MM_NO_STATE 2004 ACTIVE (deleted)
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-A#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-B#sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Session status: UP-NO-IKE
Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
ROUTER-A# sho crypto session det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access2
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
**** Here I can see the peer IP is 86.99.72.10, but the address has been changed to 92.98.211.242 on ROUTER-A
Please see the debug crypto isakmp output:
ROUTER-A#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER-A#terminal monitor
000103: Aug 6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
000104: Aug 6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
000105: Aug 6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
000106: Aug 6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
000107: Aug 6 18:40:48.083: ISAKMP: local port 500, remote port 500
000108: Aug 6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
000109: Aug 6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
000110: Aug 6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000111: Aug 6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
000112: Aug 6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000113: Aug 6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000114: Aug 6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
000115: Aug 6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
000116: Aug 6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
000117: Aug 6 18:40:48.083: ISAKMP:(0):purging node 2113438140
000118: Aug 6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000119: Aug 6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000120: Aug 6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
000121: Aug 6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
000122: Aug 6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
000123: Aug 6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000124: Aug 6 18:41:18.083: ISAKMP: local port 500, remote port 500
000125: Aug 6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
000126: Aug 6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000127: Aug 6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000128: Aug 6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
000129: Aug 6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000130: Aug 6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000131: Aug 6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000132: Aug 6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000133: Aug 6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000134: Aug 6 18:41:18.083: ISAKMP:(0):purging node 379490091
000135: Aug 6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000136: Aug 6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000137: Aug 6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
000138: Aug 6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
000139: Aug 6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
000140: Aug 6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1 for isakmp_initiator
000141: Aug 6 18:42:48.083: ISAKMP: local port 500, remote port 500
000142: Aug 6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
000143: Aug 6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000144: Aug 6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000145: Aug 6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
000146: Aug 6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000147: Aug 6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000148: Aug 6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
000149: Aug 6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
000150: Aug 6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000151: Aug 6 18:42:48.083: ISAKMP:(0):purging node -309783810
000152: Aug 6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000153: Aug 6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000154: Aug 6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
000155: Aug 6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
000156: Aug 6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
000157: Aug 6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000158: Aug 6 18:43:18.083: ISAKMP: local port 500, remote port 500
000159: Aug 6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
000160: Aug 6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
000161: Aug 6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000162: Aug 6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
000163: Aug 6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000164: Aug 6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000165: Aug 6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000166: Aug 6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000167: Aug 6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB780
000168: Aug 6 18:43:18.083: ISAKMP:(0):purging node 461611358
000169: Aug 6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000170: Aug 6 18:43:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000171: Aug 6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
000172: Aug 6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
000173: Aug 6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
000174: Aug 6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
000175: Aug 6 18:44:48.083: ISAKMP: local port 500, remote port 500
000176: Aug 6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
000177: Aug 6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
000178: Aug 6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000179: Aug 6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
000180: Aug 6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000181: Aug 6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000182: Aug 6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
000183: Aug 6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
000184: Aug 6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
000185: Aug 6 18:44:48.083: ISAKMP:(0):purging node -1902909277
000186: Aug 6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000187: Aug 6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000188: Aug 6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
000189: Aug 6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
000190: Aug 6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
000191: Aug 6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000192: Aug 6 18:45:18.083: ISAKMP: local port 500, remote port 500
000193: Aug 6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
000194: Aug 6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000195: Aug 6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000196: Aug 6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
000197: Aug 6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000198: Aug 6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000199: Aug 6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000200: Aug 6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000201: Aug 6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000202: Aug 6 18:45:18.083: ISAKMP:(0):purging node 1093064733
000203: Aug 6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000204: Aug 6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000205: Aug 6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
000206: Aug 6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
000207: Aug 6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
000208: Aug 6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
000209: Aug 6 18:46:48.083: ISAKMP: local port 500, remote port 500
000210: Aug 6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
000211: Aug 6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000212: Aug 6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000213: Aug 6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
000214: Aug 6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000215: Aug 6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000216: Aug 6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
000217: Aug 6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
000218: Aug 6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000219: Aug 6 18:46:48.083: ISAKMP:(0):purging node -1521272284
000220: Aug 6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000221: Aug 6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000222: Aug 6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
000223: Aug 6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
000224: Aug 6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
000225: Aug 6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
000226: Aug 6 18:47:03.131: ISAKMP: local port 500, remote port 500
000227: Aug 6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
000228: Aug 6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000229: Aug 6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000230: Aug 6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
000231: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000232: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000233: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
000234: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000235: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000236: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
000237: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000238: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000239: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
000240: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000241: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000242: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
000243: Aug 6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000244: Aug 6 18:47:03.131: ISAKMP:(0): local preshared key found
000245: Aug 6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
000246: Aug 6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
000247: Aug 6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000248: Aug 6 18:47:03.131: ISAKMP: encryption 3DES-CBC
000249: Aug 6 18:47:03.131: ISAKMP: hash SHA
000250: Aug 6 18:47:03.131: ISAKMP: default group 2
000251: Aug 6 18:47:03.131: ISAKMP: auth pre-share
000252: Aug 6 18:47:03.131: ISAKMP: life type in seconds
000253: Aug 6 18:47:03.131: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000254: Aug 6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
000255: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
000256: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
000257: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
000258: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000259: Aug 6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
000260: Aug 6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
000261: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000262: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000263: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
000264: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000265: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000266: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
000267: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000268: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000269: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
000270: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000271: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000272: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
000273: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000274: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000275: Aug 6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000276: Aug 6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
000277: Aug 6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
000278: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000279: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000280: Aug 6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
000281: Aug 6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000282: Aug 6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
000283: Aug 6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
000284: Aug 6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
000285: Aug 6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000286: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000287: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
000288: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000289: Aug 6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
000290: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000291: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
000292: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
000293: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000294: Aug 6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
000295: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000296: Aug 6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
000297: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000298: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM3
000299: Aug 6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000300: Aug 6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000301: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000302: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM4
000303: Aug 6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
000304: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000305: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4 New State = IKE_R_MM5
000306: Aug 6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
000307: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 2.50.37.13
protocol : 17
port : 500
length : 12
000308: Aug 6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
000309: Aug 6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
000310: Aug 6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x8B4C1924
000311: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000312: Aug 6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
000313: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000314: Aug 6 18:47:03.295: ISAKMP:(2001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
000315: Aug 6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/, and inserted successfully 8668106C.
000316: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000317: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_R_MM5
000318: Aug 6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000319: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 92.98.211.242
protocol : 17
port : 500
length : 12
000320: Aug 6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
000321: Aug 6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000322: Aug 6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000323: Aug 6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
000324: Aug 6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
000325: Aug 6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2291695856, message ID = 3059384392
000326: Aug 6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000327: Aug 6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000328: Aug 6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
000329: Aug 6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
000330: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000331: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000332: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000333: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000334: Aug 6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000335: Aug 6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
000336: Aug 6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
000337: Aug 6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
000338: Aug 6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
000339: Aug 6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
000340: Aug 6 18:47:03.307: ISAKMP: attributes in transform:
000341: Aug 6 18:47:03.307: ISAKMP: encaps is 1 (Tunnel)
000342: Aug 6 18:47:03.307: ISAKMP: SA life type in seconds
000343: Aug 6 18:47:03.307: ISAKMP: SA life duration (basic) of 3600
000344: Aug 6 18:47:03.307: ISAKMP: SA life type in kilobytes
000345: Aug 6 18:47:03.307: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000346: Aug 6 18:47:03.307: ISAKMP: authenticator is HMAC-SHA
000347: Aug 6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
000348: Aug 6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
000349: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000350: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000351: Aug 6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
000352: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000353: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
000354: Aug 6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
000355: Aug 6 18:47:03.311: inbound SA from 2.50.37.13 to 92.98.211.242 (f/i) 0/ 0
(proxy 192.168.10.0 to 192.168.50.0)
000356: Aug 6 18:47:03.311: has spi 0x4C5A127C and conn_id 0
000357: Aug 6 18:47:03.311: lifetime of 3600 seconds
000358: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000359: Aug 6 18:47:03.311: outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
(proxy 192.168.50.0 to 192.168.10.0)
000360: Aug 6 18:47:03.311: has spi 0x1E83EC91 and conn_id 0
000361: Aug 6 18:47:03.311: lifetime of 3600 seconds
000362: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000363: Aug 6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
000364: Aug 6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000365: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
000366: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
000367: Aug 6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000368: Aug 6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
000369: Aug 6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000370: Aug 6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
000371: Aug 6 18:47:53.323: ISAKMP:(2001):purging node -687536412
ROUTER-A# sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
92.98.211.242 2.50.37.13 QM_IDLE 2001 ACTIVE
RUNNING CONFIGURATION OF ROUTER-A
Building configuration...
Current configuration : 29089 bytes
! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
hostname xxxxxxxxxxXX
boot-start-marker
boot-end-marker
enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
aaa new-model
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa session-id common
clock timezone ZP4 4 0
clock summer-time PST recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4070447007
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4070447007
revocation-check none
rsakeypair TP-self-signed-4070447007
crypto pki certificate chain TP-self-signed-4070447007
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip cef
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.9
ip dhcp excluded-address 10.1.1.241 10.1.1.255
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.241 192.168.50.255
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
ip ddns update method sdm_ddns1
HTTP
add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
stcapp ccm-group 1
stcapp
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
voice call send-alert
voice rtp send-recv
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12
sip
no update-callerid
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
call start slow
voice class cause-code 1
no-circuit
voice register global
mode cme
source-address 10.1.1.1 port 5060
load 9971 sip9971.9-2-2
load 9951 sip9951.9-2-2
load 8961 sip8961.9-2-2
voice translation-rule 1000
rule 1 /.*/ //
voice translation-rule 1112
rule 1 /^9/ //
voice translation-rule 1113
rule 1 /^82\(...\)/ /\1/
voice translation-rule 1114
rule 1 /\(^...$\)/ /82\1/
voice translation-rule 2002
rule 1 /^6/ //
voice translation-rule 2222
rule 1 /^91900......./ //
rule 2 /^91976......./ //
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
voice translation-profile CallBlocking
translate called 2222
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate called 1112
voice translation-profile XFER_TO_VM_PROFILE
translate redirect-called 2002
voice translation-profile multisiteInbound
translate called 1113
voice translation-profile multisiteOutbound
translate calling 1114
voice translation-profile nondialable
translate called 1000
voice-card 0
dspfarm
dsp services dspfarm
fax interface-type fax-mail
license udi pid UC560-FXO-K9 sn FHK1445F43M
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
username pingerID password 7 06505D771B185F
ip tftp source-interface Vlan90
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group EZVPN_GROUP_1
key xxxxxxx
dns 213.42.20.20
pool SDM_POOL_1
save-password
max-users 20
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
crypto map multisite 1 ipsec-isakmp
description XXXXXXX
set peer xxxxxxxxxx.dyndns.biz dynamic
set transform-set ESP-3DES-SHA
match address 105
qos pre-classify
interface GigabitEthernet0/0
description $ETH-WAN$
no ip address
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Integrated-Service-Engine0/0
description Interface used to manage integrated application modulecue is initialized with default IMAP group
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface GigabitEthernet0/1/0
switchport mode trunk
switchport voice vlan 100
no ip address
macro description cisco-switch
interface GigabitEthernet0/1/1
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface GigabitEthernet0/1/2
no ip address
macro description cisco-desktop
spanning-tree portfast
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
no ip address
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
h323-gateway voip bind srcaddr 192.168.50.1
interface Vlan90
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip ddns update hostname xxxxxxxxxx.dyndns.biz
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 104 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname CCCCCC
ppp chap password 7 071739545611015445
ppp pap sent-username CCCCC password 7 122356324SDFDBDB
ppp ipcp dns request
ppp ipcp route default
crypto map multisite
ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Vlan90
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.50.1 eq isakmp
access-list 101 permit esp any host 192.168.50.1
access-list 101 permit ahp any host 192.168.50.1
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit ip 10.1.10.0 0.0.0.3 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 102 permit udp any host 10.1.1.1 eq isakmp
access-list 102 permit esp any host 10.1.1.1
access-list 102 permit ahp any host 10.1.1.1
access-list 102 permit ip any any
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 10.1.10.0 0.0.0.3 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
access-list 103 permit udp any host 10.1.10.2 eq isakmp
access-list 103 permit esp any host 10.1.10.2
access-list 103 permit ahp any host 10.1.10.2
access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit ip any any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 10.1.10.0 0.0.0.3 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit ip 10.0.0.0 0.255.255.255 any
access-list 104 permit ip 172.16.0.0 0.15.255.255 any
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip host 0.0.0.0 any
access-list 105 remark CryptoACL for xxxxxxxxxx
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.50.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 106
snmp-server community public RO
tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/ringtones/RingList.xml alias RingList.xml
tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:/ringtones/Bass.raw alias Bass.raw
tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
tftp-server flash:/ringtones/Chime.raw alias Chime.raw
tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
tftp-server flash:/ringtones/Pop.raw alias Pop.raw
tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
tftp-server flash:/Desktops/CampusNight.png
tftp-server flash:/Desktops/TN-CampusNight.png
tftp-server flash:/Desktops/CiscoFountain.png
tftp-server flash:/Desktops/TN-CiscoFountain.png
tftp-server flash:/Desktops/CiscoLogo.png
tftp-server flash:/Desktops/TN-CiscoLogo.png
tftp-server flash:/Desktops/Fountain.png
tftp-server flash:/Desktops/TN-Fountain.png
tftp-server flash:/Desktops/MorroRock.png
tftp-server flash:/Desktops/TN-MorroRock.png
tftp-server flash:/Desktops/NantucketFlowers.png
tftp-server flash:/Desktops/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
radius-server attribute 31 send nas-port-detail
control-plane
voice-port 0/0/0
station-id number 401
caller-id enable
voice-port 0/0/1
station-id number 402
caller-id enable
voice-port 0/0/2
station-id number 403
caller-id enable
voice-port 0/0/3
station-id number 404
caller-id enable
voice-port 0/1/0
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/0-OP
caller-id enable
voice-port 0/1/1
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/1-OP
caller-id enable
voice-port 0/1/2
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/2-OP
caller-id enable
voice-port 0/1/3
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/3-OP
caller-id enable
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
sccp local Vlan90
sccp ccm 10.1.1.1 identifier 1 version 4.0
sccp
sccp ccm group 1
associate ccm 1 priority 1
associate profile 2 register mtpd0d0fd057a40
dspfarm profile 2 transcode
description CCA transcoding for SIP Trunk Multisite Only
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 10
associate application SCCP
dial-peer cor custom
name internal
name local
name local-plus
name international
name national
name national-plus
name emergency
name toll-free
dial-peer cor list call-internal
member internal
dial-peer cor list call-local
member local
dial-peer cor list call-local-plus
member local-plus
dial-peer cor list call-national
member national
dial-peer cor list call-national-plus
member national-plus
dial-peer cor list call-international
member international
dial-peer cor list call-emergency
member emergency
dial-peer cor list call-toll-free
member toll-free
dial-peer cor list user-internal
member internal
member emergency
dial-peer cor list user-local
member internal
member local
member emergency
member toll-free
dial-peer cor list user-local-plus
member internal
member local
member local-plus
member emergency
member toll-free
dial-peer cor list user-national
member internal
member local
member local-plus
member national
member emergency
member toll-free
dial-peer cor list user-national-plus
member internal
member local
member local-plus
member national
member national-plus
member emergency
member toll-free
dial-peer cor list user-international
member internal
member local
member local-plus
member international
member national
member national-plus
member emergency
member toll-free
dial-peer voice 1 pots
destination-pattern 401
port 0/0/0
no sip-register
dial-peer voice 2 pots
destination-pattern 402
port 0/0/1
no sip-register
dial-peer voice 3 pots
destination-pattern 403
port 0/0/2
no sip-register
dial-peer voice 4 pots
destination-pattern 404
port 0/0/3
no sip-register
dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register
dial-peer voice 6 pots
description "catch all dial peer for BRI/PRI"
translation-profile incoming nondialable
incoming called-number .%
direct-inward-dial
dial-peer voice 50 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/0
dial-peer voice 51 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/1
dial-peer voice 52 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/2
dial-peer voice 53 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/3
dial-peer voice 54 pots
description ** FXO pots dial-peer **
destination-pattern A0
port 0/1/0
no sip-register
dial-peer voice 55 pots
description ** FXO pots dial-peer **
destination-pattern A1
port 0/1/1
no sip-register
dial-peer voice 56 pots
description ** FXO pots dial-peer **
destination-pattern A2
port 0/1/2
no sip-register
dial-peer voice 57 pots
description ** FXO pots dial-peer **
destination-pattern A3
port 0/1/3
no sip-register
dial-peer voice 2000 voip
description ** cue voicemail pilot number **
translation-profile outgoing XFER_TO_VM_PROFILE
destination-pattern 399
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
voice-class sip outbound-proxy ipv4:10.1.10.1
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 58 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9911
forward-digits all
no sip-register
dial-peer voice 59 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
preference 5
destination-pattern 911
forward-digits all
no sip-register
dial-peer voice 60 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*7-Digit Local**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]......
forward-digits all
no sip-register
dial-peer voice 61 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*Service Numbers**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]11
forward-digits all
no sip-register
dial-peer voice 62 pots
trunkgroup ALL_FXO
corlist outgoing call-national
description **CCA*North American-7-Digit*Long Distance**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91[2-9]..[2-9]......
forward-digits all
no sip-register
dial-peer voice 63 pots
trunkgroup ALL_FXO
corlist outgoing call-international
description **CCA*North American-7-Digit*International**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
forward-digits all
no sip-register
dial-peer voice 64 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91800.......
forward-digits all
no sip-register
dial-peer voice 65 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91888.......
forward-digits all
no sip-register
dial-peer voice 66 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91877.......
forward-digits all
no sip-register
dial-peer voice 67 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91866.......
forward-digits all
no sip-register
dial-peer voice 68 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91855.......
forward-digits all
no sip-register
dial-peer voice 2100 voip
corlist incoming call-internal
description **CCA*INTERSITE inbound call to xxxxxxxxxx
translation-profile incoming multisiteInbound
incoming called-number 82...
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
dial-peer voice 2101 voip
corlist incoming call-internal
description **CCA*INTERSITE outbound calls to xxxxxxxxxx
translation-profile outgoing multisiteOutbound
destination-pattern 81...
session target ipv4:192.168.10.1
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
no dial-peer outbound status-check pots
telephony-service
sdspfarm units 5
sdspfarm transcode sessions 10
sdspfarm tag 2 mtpd0d0fd057a40
video
fxo hook-flash
max-ephones 138
max-dn 600
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
service phone ehookenable 1
service dnis overlay
service dnis dir-lookup
service dss
timeouts interdigit 5
system message Cisco Small Business
url services http://10.1.10.1/voiceview/common/login.do
url authentication http://10.1.10.1/voiceview/authentication/authenticate -
On 12/01/12 12:06, JebediahShapnacker wrote:
>
> Hello.
>
> I would like to setup a site to site VPN between 2 of our site. We have
> Bordermanager .7 on one end and IPCop on the other.
I'm not familiar with the Bordermanager version, but be sure you're using 3.9
with sp2 and sp2_it1 applied.
There are no specific documents that I'm aware of that explain the conf
between ipcop and bm, but if ipcop behaves as a standard ipsec device, you
can use as a guideline some of the docs that explain how to configure
bm with third party firewalls.
- AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server (Novell Cool Solutions: AppNote, by Upendra Gopu)
- BorderManager and Novell Security Manager Site-to-Site VPN (Novell Cool Solutions: Feature, by Jenn Bitondo)
- Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server (submitted by kchendil, 8 November 2006)
- AppNote: NBM to Openswan: Site-to-site VPN Made Easy (Novell Cool Solutions: AppNote, by Gaurav Vaidya)
- AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN (Novell Cool Solutions: AppNote, by Sreekanth Settipalli, posted 28 Oct 2004)
etc -
VPN users can't connect to a Site-To-Site branch office
I have an ASA 5510 that allows people to VPN into it. They get a private IP address of 10.1.4.x when they connect.
All of my sites (subnets) that are on my MPLS network were always accessible from a VPN connection.
These include the subnets
192.168.0.x (NY)
192.168.2.x (Main Office)
192.168.3.x (Main Office)
192.168.10.x (IN)
192.168.20.x (GA)
etc.
Recently we converted our NY office from MPLS to a cable connection and added an ASA 5505 for a site-to-site tunnel.
All of the networks in every site are able to connect to the new NY configuration without issue.
The only issue I have is when someone VPNs into our network from home: they can no longer access the NY site.
If I try to ping anything in the NY office from a VPN connection I get this:
5  Mar 08 2013 16:22:49  192.168.0.4  Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src fiber:10.1.4.32(LOCAL\user) dst fiber:192.168.0.4 (type 8, code 0) denied due to NAT reverse path failure
I'm not sure what I need to do to get this working, so any help would be appreciated.
Thanks,
Lee -
Hello Lee,
Make sure you add a line in the crypto ACL of the two ASAs of the L2L tunnel to allow traffic between the VPN pool and the NY subnet.
Make sure you add the NY subnet in the split tunnel ACL if you are using split tunneling for the VPN clients.
And make sure you have the correct NAT rules to allow communication between the two subnets.
Also, make sure that you have the same-security-traffic command as Jay advised.
Regards,
Othman -
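For triaging that log message when it shows up repeatedly, here is an added Python example (not from the thread) that parses ASA "NAT reverse path failure" lines, aggregates the denied flows into source/destination /24 pairs, and turns each pair into the checks the reply lists: NAT exemption, a crypto ACL entry, and same-security-traffic when the flow enters and leaves the same interface. The sample log lines are constructed; only the first mirrors the one in the post, and the %ASA-5-305013 message ID prefix is assumed from ASA syslog conventions rather than taken from the post.

```python
# Triage helper for the ASA "NAT reverse path failure" message quoted above.
# Added example, not from the thread: it parses the message text, groups the
# denied flows into (src interface, /24) -> (dst interface, /24) pairs, and
# flags pairs that enter and leave the same interface (the hairpin case that
# the same-security-traffic advice in the reply covers).
import ipaddress
import re
from collections import Counter

_RPF = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/\d+)?"
    r"(?:\([^)]*\))? dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r".*denied due to NAT reverse path failure")

def parse_rpf_failure(line):
    """Return (proto, src_if, src_ip, dst_if, dst_ip), or None for any other message."""
    m = _RPF.search(line)
    if not m:
        return None
    return m["proto"], m["sif"], m["src"], m["dif"], m["dst"]

def summarize(lines, prefix=24):
    """Count denied flows per (src_if, src_net) -> (dst_if, dst_net) pair."""
    pairs = Counter()
    for line in lines:
        hit = parse_rpf_failure(line)
        if hit is None:
            continue
        _, sif, src, dif, dst = hit
        src_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        pairs[((sif, str(src_net)), (dif, str(dst_net)))] += 1
    return pairs

def checklist(pairs):
    """Map each pair to the checks from the reply: NAT exemption, crypto ACL, hairpin."""
    advice = []
    for (sif, src_net), (dif, dst_net) in pairs:
        items = [f"identity/exempt NAT for {src_net} -> {dst_net}",
                 f"{src_net} <-> {dst_net} present in the L2L crypto ACL on both ASAs"]
        if sif == dif:  # traffic enters and leaves the same interface
            items.append(f"same-security-traffic permit intra-interface ({sif} hairpin)")
        advice.append((src_net, dst_net, items))
    return advice

SAMPLE_LOG = [  # constructed sample lines; the first mirrors the post's message
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for icmp src fiber:10.1.4.32(LOCAL\\user) dst fiber:192.168.0.4 "
    "(type 8, code 0) denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src fiber:10.1.4.40/51234(LOCAL\\jdoe) dst fiber:192.168.0.10/445 "
    "denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src fiber:10.1.4.32/51300 dst inside:192.168.2.15/3389 "
    "denied due to NAT reverse path failure",
    "%ASA-6-302013: Built inbound TCP connection 12345 for fiber:10.1.4.32/51301 "
    "(10.1.4.32/51301) to inside:192.168.3.9/443 (192.168.3.9/443)",  # ignored
]

if __name__ == "__main__":
    for src_net, dst_net, items in checklist(summarize(SAMPLE_LOG)):
        print(f"{src_net} -> {dst_net}:")
        for item in items:
            print("  check:", item)
```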
UNABLE TO ACCESS THE INTERNET FROM LOCAL PROVIDER ON A SITE-TO-SITE VPN CONNECTION
Dear All,
I have a site-to-site connection from point A to point B. From point B I am unable to access the internet from the local internet provider.
I am trying to ping the DNS server 8.8.8.8 from 192.168.20.1 but I receive the message "destination net unreachable".
When I run "show ip nat translation" I receive nothing.
The VPN connection is working properly; I can ping the other side, 192.168.10/24.
Below is the configuration of the Cisco router at point B.
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.21.254
ip dhcp pool voice
network 192.168.21.0 255.255.255.0
default-router 192.168.21.254
option 150 ip 192.168.5.10
ip cef
ip domain name neocleous.ru
ip inspect name IOS_FIREWALL tcp
ip inspect name IOS_FIREWALL udp
ip inspect name IOS_FIREWALL icmp
ip inspect name IOS_FIREWALL h323
ip inspect name IOS_FIREWALL http
ip inspect name IOS_FIREWALL https
ip inspect name IOS_FIREWALL skinny
ip inspect name IOS_FIREWALL sip
no ipv6 cef
multilink bundle-name authenticated
vty-async
isdn switch-type primary-net5
redundancy
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Pb85heuvMde9Wdac5Qohha7lziIf142u address [ip address]
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac
crypto ipsec transform-set TRANSET2 esp-des esp-md5-hmac
crypto ipsec df-bit clear
crypto map CryptoMAP1 ipsec-isakmp
set peer [ip address]
set transform-set TRANSET
match address CryptoACL
interface FastEthernet0/0
description Primary Provider
ip address [PUBLIC IP MAIN PROVIDER] 255.255.255.252
ip access-group outside_acl in
ip mtu 1390
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map CryptoCY
crypto ipsec df-bit clear
interface FastEthernet0/1
description TO LAN
no ip address
load-interval 30
speed 100
full-duplex
interface FastEthernet0/1.1
description DATA VLAN
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group inside_acl in
ip nat inside
ip inspect IOS_FIREWALL in
ip virtual-reassembly in
ip tcp adjust-mss 1379
interface FastEthernet0/1.2
description VOICE VLAN
encapsulation dot1Q 21
ip address 192.168.21.254 255.255.255.0
interface Serial0/2/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
interface FastEthernet0/3/0
no ip address
ip access-group outside_acl in
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
crypto map CryptoCY
ip local pool VPNPool 192.168.23.2 192.168.23.10
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat inside source list nat_list interface FastEthernet0/3/0 overload
ip route 0.0.0.0 0.0.0.0 [default gateway ip]
ip access-list standard VTY
permit 192.168.20.0 0.0.0.255
ip access-list extended CryptoACL
permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
permit ip host 192.168.22.1 192.168.6.0 0.0.0.255
ip access-list extended DFBIT_acl
permit tcp any any
ip access-list extended inside_acl
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.35
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.39
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.23
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.18
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.55
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.144
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.146
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.141
permit ip host 192.168.20.253 host 192.168.3.21
permit ip host 192.168.20.254 host 192.168.3.21
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.10
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.254
ip access-list extended nat_list
deny ip host 192.168.20.254 192.168.10.0 0.0.0.255
deny ip host 192.168.20.254 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.10.0 0.0.0.255
deny ip host 192.168.20.2 192.168.3.0 0.0.0.255
deny ip host 192.168.20.2 192.168.10.0 0.0.0.255
permit ip host 192.168.20.1 any
permit ip host 192.168.20.2 any
permit ip host 192.168.20.254 any
ip access-list extended outside_acl
permit gre any host [ip address]
permit esp any host [ip address]
deny ip any any
ip sla 2
icmp-echo 192.168.10.254 source-interface FastEthernet0/1.1
frequency 180
timeout 500
ip sla schedule 2 life forever start-time now
logging 192.168.3.21
route-map DFBIT_routemap permit 10
match ip address DFBIT_acl
set ip df 0
route-map ISP2 permit 10
match ip address nat_list
match interface FastEthernet0/3/0
route-map nonat permit 10
match ip address nonat_acl
route-map ISP1 permit 10
match ip address nat_list
match interface FastEthernet0/0 -
You cannot access the internet, because all traffic is tunneled for VPN!!!!
Please see the Cisco tech documentation and bypass traffic for internet.
e.g. if LAN traffic is going from site A to site B, then through VPN;
else
LAN traffic to internet (any) should go out through the VPN. -
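To see what the posted point-B configuration actually does with a given flow, here is an added Python example, not from the thread, that evaluates a source/destination pair against the inside_acl, CryptoACL and nat_list entries exactly as posted, plus the interface named in the NAT overload statement (FastEthernet0/3/0, which the posted config shows as shutdown). It is a simplified model: route lookup, ip inspect and outside_acl are not represented, and the flows it checks use the addresses from the post.

```python
# Flow-path checker for the IOS config posted above. Added example, not from
# the thread: it walks a flow through three stages of the point-B router in the
# order IOS applies them, using only lines copied from the post: inside_acl
# (inbound on Fa0/1.1), CryptoACL (selects tunnel traffic), and nat_list plus
# the interface named in 'ip nat inside source ... overload'. Route lookup,
# ip inspect and outside_acl are deliberately not modelled.
import ipaddress

def _addr_spec(tokens):
    """Parse one IOS address spec ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # invert wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[1] == "ip":  # the posted ACLs use only 'ip'
            src, rest = _addr_spec(tokens[2:])
            dst, _ = _addr_spec(rest)
            aces.append((tokens[0], src, dst))
    return aces

def acl_lookup(aces, src, dst):
    """First-match evaluation with IOS's implicit 'deny ip any any' at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# ACL bodies copied from the posted configuration.
INSIDE_ACL = parse_acl("""
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.35
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.39
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.23
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.18
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.55
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.144
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.146
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.141
permit ip host 192.168.20.253 host 192.168.3.21
permit ip host 192.168.20.254 host 192.168.3.21
permit ip 192.168.20.0 0.0.0.255 host 192.168.3.10
permit ip 192.168.20.0 0.0.0.255 host 192.168.20.254
""")
CRYPTO_ACL = parse_acl("""
permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
permit ip host 192.168.22.1 192.168.6.0 0.0.0.255
""")
NAT_LIST = parse_acl("""
deny ip host 192.168.20.254 192.168.10.0 0.0.0.255
deny ip host 192.168.20.254 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.3.0 0.0.0.255
deny ip host 192.168.20.1 192.168.10.0 0.0.0.255
deny ip host 192.168.20.2 192.168.3.0 0.0.0.255
deny ip host 192.168.20.2 192.168.10.0 0.0.0.255
permit ip host 192.168.20.1 any
permit ip host 192.168.20.2 any
permit ip host 192.168.20.254 any
""")
# 'ip nat inside source list nat_list interface FastEthernet0/3/0 overload',
# and the interface states as posted (FastEthernet0/3/0 carries 'shutdown').
NAT_INTERFACE = "FastEthernet0/3/0"
SHUTDOWN = {"FastEthernet0/0": False, "FastEthernet0/3/0": True}

def flow_path(src, dst, router_sourced=False):
    """Return (stage, verdict) for a flow; router-sourced traffic skips the inbound ACL."""
    if not router_sourced and acl_lookup(INSIDE_ACL, src, dst) == "deny":
        return "inside_acl", "dropped by inside_acl (no permit entry for this destination)"
    if acl_lookup(CRYPTO_ACL, src, dst) == "permit":
        return "crypto_acl", "encrypted into the IPsec tunnel, not translated"
    if acl_lookup(NAT_LIST, src, dst) == "permit":
        if SHUTDOWN.get(NAT_INTERFACE, False):
            return "nat", f"matches nat_list, but NAT interface {NAT_INTERFACE} is shut down"
        return "nat", f"translated (overload) to the address of {NAT_INTERFACE}"
    return "nat", "not in nat_list: forwarded with its private source address"

if __name__ == "__main__":
    print(("192.168.20.1", "8.8.8.8"), "->", flow_path("192.168.20.1", "8.8.8.8"))
    print(("192.168.20.1", "192.168.10.144"), "->", flow_path("192.168.20.1", "192.168.10.144"))
    print(("192.168.20.254", "8.8.8.8"), "->", flow_path("192.168.20.254", "8.8.8.8", True))
```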
Easy vpn or site-to-site vpn for back up connection?
Hi,
All of my remote sites are connected to HQ via MPLS circuits. I would like to create back link for those remote sites using 871 routers with DSL connection and terminate ipsec vpn tunnels at the outside interface of ASA5540 located at HQ.
The 871 routers will be configured in HSRP standby mode. It becomes active and forwards traffic when the main router of the remote site loses connection to HQ.
Questions:
1. Has anyone had similar requirements and use easy vpn as a solution? will site-to-site work better for this scenario?
2. How to make ASA5540 handle the routes properly when it sees the same subnets located on both Inside interface and the other end of the tunnel which is terminated at the outside interface?
Static routes are configured on the ASA.
3. I also try to avoid user entering username and password for interactive authentication in easy vpn.
Thanks so much in advance.
PH -
Yes, you can use site-to-site VPN as a backup.
If the interface going to the backup connection is an interface different than the outside interface, and if the regular connection going down means that the outside interface will go down, then you only need an additional default route, but with a higher metric than your regular route.
But if both connections go out the same interface, or if the outside interface will not go down when the primary Internet connection goes down, then you'll need to take a different approach. ASA 7.2 code introduced a feature called "Standby ISP Support", which allows the firewall to keep an active track on an Internet connection, and if that connection fails, switch to a different connection.
Try this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806403ec.html#wp1090243 -
2 x 2911 HSEC router 3 ADSL connections each Site to Site VPN Load Balancing Failover
Hello,
My scenario is as described in the title.
Site A Headquarters. The router is a Cisco 2911HSEC with 3 ADSL connections.
Site B Remote Office. The router is a Cisco 2911HSEC with 3 ADSL connections and 10 users.
All ADSL connections have static IPs and belong to the same ISP.
Need - Site to Site VPN between the routers.
Client requests to load balance the traffic, due to poor ADSL speed, and to have a failover scenario in case an ADSL line goes down.
Any help will be appreciated. -
I don't believe you will find one solution for this.
An idea would be to have all three ADSLs paired with ADSL on the other side.
Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric.
This will cause IOS to load balance natively.
Potential problem: return path might not be the same as forward path, but it should not matter much for most applications.
Potential cool thing you can do: All the "magical" things in the routing world (Did I hear PfR?). FlexVPN on top to make it more flexible.
Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. -
TWO Site to Site VPN connections at the same locations
Hi:
We have two locations (Site A & Site B) and currently have a site to site vpn stood up that we allow both data and voice traffic to flow across. However, we have been having MAJOR issues with our voice quality and no luck with improvement using QoS settings, etc. Therefore, we would like to stand up another site to site connection to have only voice traffic to flow over and haven't been able to do so because at each side we only have a single block of IP's (/29) and it is my understanding that it isn't possible to have two separate VPN tunnels as I am describing when the subnet is the same, is that correct?
Moving forward, we are looking into adding a 2nd block of addresses to both sides, however, Comcast Business is telling us that it isn't possible with their service :(.
Does anyone have other options for me besides moving to a different ISP?
Thank you,
Stangride -
This is a standard facet of most VPNs - the problem lies in your NAT router, since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
There are a couple of solutions.
First, the built-in VPN server supports L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
Third, setup a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines). -
From Azure unable to connect internal LAN network with windows RRAS site to site VPN
Hi All,
Below is my scenario.
Our side.
We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
on RRAS server we have two interfaces
eth0- 10.1.1.1
eth1- 10.1.1.2
We have NATted (static NAT) the internal IP (eth0) 10.1.1.1 to the public IP 1.1.1.1 (e.g.).
On Azure,
We created a gateway, and two VMs.
VM1 = 11.11.11.1
VM2 = 11.11.11.2
Both VMs can ping each other.
VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
We can ping, tracert and RDP to the RRAS server using both interface IPs [eth0 - 10.1.1.1, eth1 - 10.1.1.2].
But we are unable to ping, tracert or RDP to our other internal LAN machines on 10.1.x.x.
So we can reach the Azure VM from our RRAS, and
we can reach the RRAS server from the Azure VM.
But we cannot reach our other internal LAN machines from the Azure VM, or the Azure VM from the other internal LAN machines.
Please help? -
I will give you some pointers to check.
The reason for this could be one of these two:
- the local site in the Azure virtual network is not configured correctly
- the route for the Azure subnet is not set up correctly on the RRAS server
Can you please validate the above?
Open the Routing and Remote Access UI and verify that there is a static route for the Azure subnet and that the interface is the public IP of the Azure gateway.
Also verify that you have a local site created with the on-premises subnet and added in the Azure virtual network.
What is the gateway specified in the on-premises VM? Provide it as the IP of eth1, the IP that is not NATted.
Is NAT allowing all traffic in, or is it restricted to certain points?
This posting is provided "AS IS" with no warranties, and confers no rights -
How do I troubleshoot a site to site vpn connection?
I have a site to site vpn connection setup to a client site that functions fine except for 2 ip addresses on the client are not responding.
They insist the problem is at our end but I don't know how to troubleshoot it. The access rules are there for both the problematic IP addresses exactly the same as all the others which work fine.
The connection is over port 21.
Can anyone point me in the right direction to find the fault?
Thanks
Graham -
Thanks for the ongoing help, Abhishek. Here are the results you requested:
Result of the command: "packet-tracer input inside tcp 78.129.151.9 21 172.16.157.164 21 detailed"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8da840, priority=12, domain=permit, deny=false
hits=23185385, user_data=0xa8acab80, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87da98, priority=0, domain=inspect-ip-options, deny=true
hits=26999122, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac19fc90, priority=70, domain=encrypt, deny=false
hits=5, user_data=0x7c0e604, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.9, mask=255.255.255.255, port=0
dst ip=172.16.157.164, mask=255.255.255.255, port=0, dscp=0x0
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow out interface Outside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0xab8da4b8, priority=12, domain=permit, deny=false
hits=23344429, user_data=0xa8acac00, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac19fbb0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=5, user_data=0x7c1089c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.157.164, mask=255.255.255.255, port=0
dst ip=78.129.151.9, mask=255.255.255.255, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab831ea0, priority=0, domain=inspect-ip-options, deny=true
hits=23303214, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27682039, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Result of the command: "sh crypto isa sa"
1 IKE Peer: 94.128.3.13
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "sh crypto ipsec sa peer 94.128.3.130"
peer address: 94.128.3.130
Crypto map tag: VPNPEER, seq num: 40, local addr: 87.117.213.66
access-list HK extended permit ip host 78.129.151.9 host 172.16.158.72
local ident (addr/mask/prot/port): (78.129.151.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.158.72/255.255.255.255/0/0)
current_peer: 94.128.3.130
#pkts encaps: 134528, #pkts encrypt: 134528, #pkts digest: 134528
#pkts decaps: 134434, #pkts decrypt: 134434, #pkts verify: 134434
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 134528, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.117.213.66, remote crypto endpt.: 94.128.3.130
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: DC42A606
current inbound spi : 8D93AAC5
inbound esp sas:
spi: 0x8D93AAC5 (2375264965)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20058112, crypto-map: VPNPEER
sa timing: remaining key lifetime (kB/sec): (1564526/2674)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDC42A606 (3695355398)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20058112, crypto-map: VPNPEER
sa timing: remaining key lifetime (kB/sec): (1565777/2674)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: VPNPEER, seq num: 40, local addr: 87.117.213.66
access-list HK extended permit ip host 78.129.151.9 host 172.16.158.11
local ident (addr/mask/prot/port): (78.129.151.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.158.11/255.255.255.255/0/0)
current_peer: 94.128.3.130
#pkts encaps: 48577, #pkts encrypt: 48577, #pkts digest: 48577
#pkts decaps: 55798, #pkts decrypt: 55798, #pkts verify: 55798
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 48577, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.117.213.66, remote crypto endpt.: 94.128.3.130
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F6D08308
current inbound spi : 8DF816EB
inbound esp sas:
spi: 0x8DF816EB (2381846251)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 20058112, crypto-map: VPNPEER
sa timing: remaining key lifetime (kB/sec): (1565999/2672)
IV size: 8 bytes
-
Site to Site VPN connection for two Domain Controllers
I need to set up a site-to-site VPN connection using 2 PIX 500 series firewalls to connect 2 domain controllers. Once the site-to-site VPN is established, do the servers automatically see each other for replication?
Thanks.
My Active Directory guy has taken a good look at a small site-to-site VPN setup that I'm having a BIG problem with, and his answer is "They're supposed to." He said that as long as DC#2 (in the remote office) has the ability to resolve DNS for DC#1 (in the primary office), then the two should automatically replicate.
I have a two-office IPSec site-to-site tunnel between two 831s running 12.4.11T (soon to be upgraded to the latest 11T or even 15T1). XP SP2 machines in the remote office have full visibility back to the shares in the central office, and pings and nmap scans work perfectly in either direction, but my newly-added DC#2 in the remote office isn't replicating back to DC#1 (the original DC for the environment). I ran a full nmap scan from the central office against DC#2 and can see all of the expected ports/services open (e.g. 389 (LDAP), 445 (msds), 135, 137, 3389, etc.), but I can't view shares on DC#2 (or any other PC in the remote office) from the central office. Again, DC#2 and the remote office PCs have no problem seeing shares back at headquarters.
Sorry for not being more helpful - hopefully someone out there can shed more light on the topic. If not, I'm going to call it into TAC and I'll let you know.
But again, from an Active Directory perspective this should 'just work' so it seems that either the IPSec tunnel or perhaps the "ip inspect" IOS CBAC firewalls are getting in the way. -
Site to site vpn for multipoint bridged connection
I have a point-to-multipoint wireless bridge connection that the customer wants to secure with an ASA 5505 at each location. Keep in mind that each remote is just an extension of the host network, all on the same IP range.
I was thinking that I could just set up an IPsec tunnel to each location from the host. Every example I see uses a different IP range for each location.
My question is, is that possible and how would I do that?
No, the ASA can't bridge across IPSec VPN connections (I don't believe any IPSec implementation by any vendor directly supports bridging), so I don't think there's an easy solution. If you had IOS routers you could configure bridging across GRE tunnels, though even that's not supported by Cisco, so you'd still be pushing your luck a little bit. Probably the best solution would be to just bite the bullet, re-address the remote sites, and configure traditional site-to-site VPNs. You could try to get fancy and do NAT across the VPNs so that all the remote hosts would appear to be on the same subnet as the main site, but I think you'd just be asking for trouble doing that.
-
Can't ping from DC1 behind TMG1 to DC2 behind TMG2 on a site-to-site VPN connection
Hi,
I have a weird problem. I have two TMG servers, one on each site, in a Hyper-V lab environment. I have been able to establish the site-to-site VPN successfully; however, when I ping from DC1 behind TMG1 (on site 1) to TMG2 and DC2, I am able to ping. However, the opposite doesn't work. After some trial and error, I figured out that the side initiating the demand-dial request is able to ping the other site, not vice versa, which is very strange. I would like to know whether ICMP requests could be achieved bi-directionally.
Secondly, I am able to ping from TMG1 to all the clients sitting behind TMG2 (including the TMG host); however, the clients sitting behind TMG1 can't ping TMG2 nor any of the clients behind it. I tried every possible combination under the firewall policies, but all in vain. Hell, I am starting to develop a very bad feeling about this product because it makes such simple tasks overly complex. I mean, if it were a Cisco or SonicWall, we could have done this so easily.
My final motive is to send LDAP requests from DC1 to DC2 and vice versa over a site-to-site VPN so that I could set up two different sites in AD on different subnets and then proceed with configuring DAG. But if this simple thing turns out to be such a major roadblock, I don't know how I am going to pass DAG traffic over it.
Can someone PLEASE help me!! I am completely exhausted researching this issue.
Regards,
Dman
Hi,
For site-to-site VPN, you must create a proper network rule and network set, and you need to create a proper access rule to allow or deny traffic between the VPN network and any other network.
http://technet.microsoft.com/en-us/library/bb838949.aspx
Best Regards
Quan Gu
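The 831 case above and this TMG case share a symptom, traffic initiated from one side works and the reverse does not, and on a Cisco peer the per-SA encaps/decaps counters in `show crypto ipsec sa` show whether the return traffic even reaches the tunnel before suspecting the tunnel itself. The following added example (not from either post) parses a constructed sample of that output, with invented addresses and counters, and flags SAs that only send or only receive.

```python
import re

# Constructed sample in the layout of Cisco "show crypto ipsec sa" output;
# addresses and counters are made up, only the field names mirror the command.
SAMPLE_OUTPUT = """\
Crypto map tag: VPNPEER, seq num: 40, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
  current_peer: 198.51.100.2
  #pkts encaps: 33383, #pkts encrypt: 33383, #pkts digest: 33383
  #pkts decaps: 62020, #pkts decrypt: 62020, #pkts verify: 62020
Crypto map tag: VPNPEER, seq num: 50, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.3.0/255.255.255.0/0/0)
  current_peer: 198.51.100.3
  #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SA_START = re.compile(r"^\s*Crypto map tag:")
# Fields to keep; the optional group skips the "(addr/mask/prot/port)" label.
FIELD = re.compile(
    r"(local ident|remote ident|current_peer|#pkts encaps|#pkts decaps)"
    r"(?: \([^)]*\))?:\s*([^,]+)"
)

def parse_ipsec_sas(text):
    """Return one dict of the selected fields per crypto-map entry."""
    sas = []
    for line in text.splitlines():
        if SA_START.match(line):
            sas.append({})
        if not sas:
            continue  # skip anything before the first entry
        for key, val in FIELD.findall(line):
            sas[-1][key] = val.strip()
    return sas

def find_one_way_sas(sas):
    """Flag SAs that encapsulate but never decapsulate (or the reverse); that
    pattern points at a filter or route on one side, not a dead tunnel."""
    findings = []
    for sa in sas:
        enc = int(sa.get("#pkts encaps", 0))
        dec = int(sa.get("#pkts decaps", 0))
        if enc and not dec:
            findings.append((sa["current_peer"], sa["remote ident"], "sends only"))
        elif dec and not enc:
            findings.append((sa["current_peer"], sa["remote ident"], "receives only"))
    return findings
```

Run `find_one_way_sas(parse_ipsec_sas(...))` against the live command output; an SA that shows up as "sends only" from both peers means each side's packets are being dropped in front of the other's tunnel endpoint.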