Full L2L Tunnel
Hello,
I am curious to know if there is a way to make a full tunnel for an L2L option. I need to have all Internet traffic go through a trusted Internet connection. I know I can do this doing GRE over IPSec but was hoping for an alternative solution.
Thanks in advance
-Chris
Hi Cristopher,
When you create a LAN-to-LAN tunnel you define protected traffic in the crypto ACL, so if you would like to send all the traffic across the LAN-to-LAN tunnel, then do the following:
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 any
hostname(config)# crypto map abcmap 1 match address l2l_list
Where 192.168.0.0/16 is your LAN.
HTH.
Portu.
Please rate any helpful posts
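A small checker for the crypto-ACL semantics described in the reply above, added here as an example and not code from the thread or from Cisco: it parses ASA-style `access-list NAME extended permit ip SRC DST` lines, evaluates whether a source/destination pair counts as interesting traffic (first match wins, implicit deny), and verifies that a peer's crypto ACL is the mirror image of the local one. The hub-side ACL names `l2l_hub` and the sample addresses are constructed; only `l2l_list` comes from the reply.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: ASA 8.x "access-list NAME extended {permit|deny} ip SRC DST" syntax,
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D MASK". Ports are out of scope
# because L2L crypto ACLs are normally network-to-network, as in the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" (encrypt) or "deny" (send in the clear)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA uses dotted netmasks (255.255.0.0); ipaddress accepts them after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Map ACL name -> ordered entries, reading only 'extended ... ip' lines."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(AclEntry(t[3], src, dst))
    return acls


def is_interesting(entries, src_ip, dst_ip):
    """First-match evaluation like the ASA: the first matching entry decides, implicit deny last."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def mirror(entries):
    """The crypto ACL the remote peer must carry: every entry with src and dst swapped."""
    return [AclEntry(e.action, e.dst, e.src) for e in entries]


def peers_match(local, remote):
    """True when the remote ACL is exactly the mirror image of the local one.
    Mismatched proxy identities are a common reason phase 2 fails or traffic
    only flows in one direction."""
    return set(mirror(local)) == set(remote)


# Constructed sample: the spoke ACL from the reply plus a hub-side mirror of it.
SPOKE = "access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 any"
HUB = "access-list l2l_hub extended permit ip any 192.168.0.0 255.255.0.0"
# A deliberately wrong hub ACL (same networks, not swapped) for comparison.
HUB_WRONG = "access-list l2l_hub extended permit ip 192.168.0.0 255.255.0.0 any"


def demo():
    spoke = parse_acls(SPOKE)["l2l_list"]
    hub = parse_acls(HUB)["l2l_hub"]
    hub_wrong = parse_acls(HUB_WRONG)["l2l_hub"]
    return {
        "lan_to_internet": is_interesting(spoke, "192.168.1.10", "8.8.8.8"),  # True
        "other_src": is_interesting(spoke, "10.0.0.5", "8.8.8.8"),           # False
        "hub_ok": peers_match(spoke, hub),                                    # True
        "hub_wrong": peers_match(spoke, hub_wrong),                           # False
    }


if __name__ == "__main__":
    print(demo())
```

With `permit ip LAN any` every packet from the LAN, Internet-bound included, is sent into the tunnel, so the hub end must also NAT that traffic out to the Internet and permit it to re-exit the interface it arrived on.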
Similar Messages
-
ASA - ICMP works on a L2L tunnel but TCP fails.
All,
I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting a L2L tunnel.
Problem-1:
Below is the topology and currently the only config on these ASA's is what is required to get the LAN2LAN tunnel setup and nothing more. ASA01 and ASA02 are the tunnel termination devices.
LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
Below is what is working
- Tunnel is established between the ASA's.
- I can ping from LAN A to LAN B and viceversa.
Below is not what is working
- I cannot RDP from a device in LAN A to LAN B and vice versa.
What we found in troubleshooting when we initiate an RDP session from a server in LAN-A to a server in LAN-B:
- The packet capture on ASA - A shows that the SYN leaves the ingress(LAN interface).
- The packet capture on ASA - B shows that the SYN is leaving the LAN interface.
- Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2) but we don't see the SYN-ACK on ASA-A either.
- Doing a asp-drop capture on ASA-B we saw that the SYN,ACK from server in LAN-B is being dropped with the following message
Drop-reason: (tcp-not-syn) First TCP packet not SYN
Any ideas on why ASA-B doesn't treat this as an established TCP session?
Problem -2
On the packet capture wizard in ASDM if I do a capture on the LAN interface of the ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN interface. This works the same whether I do an ICMP or a TCP session (RDP).
For example - Ping from a server on LAN A to LAN B
- On ASA01
The packet capture wizard shows both icmp-echo from LAN-A and icmp-reply from LAN-B
- On ASA02
The packet capture wizard shows icmp-echo from LAN-A but not the icmp-reply from LAN-B.
I am not sure what the reason for both the problems above is, and the reason might just be that my skill level with ASA's is just not there yet. Any guidance will be greatly appreciated.
Thanks,
Vishnu
Hello Vishnu,
Any ideas on why ASA-B doesn't treat this as an established TCP session?
This is happening because the ASA is not seeing the entire 3-way handshake. Are you sure all the packets are going across the ASA??? I would recommend that you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receiving what it needs.
On the packet capture wizard in ASDM if I do a capture on the LAN interface of the ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN interface. This works the same whether I do an ICMP or a TCP session (RDP).
That's exactly the reason why this problem is happening. Good job correlating the facts.
Resolution of the issues:
I would say the problem is on the Routing device between ASA-2 and the LAN-2...
Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura -
Two separate L2L tunnels between same two ASA
I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access. I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
I am considering using a L2L IPSEC tunnel between the two ASA's, but the interesting traffic for the tunnel is different depending on which of the links is down and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
Is there a way of creating two separate L2L tunnels between the two ASA's? Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
Does anyone have another possible solution to the problem?
Gene
You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
Hope this helps. -
Oracle application having problem on PIX to ASA L2L tunnel.
Hi ALL,
My customer performed a PIX migration to ASA5520 last weekend, and the configuration on the new ASA5520 is almost the same as on the original PIX515. There are several L2L VPN tunnel configurations on the ASA5520. After the migration, all VPN tunnels can establish without problem. But my customer found that their Oracle application running over one of the VPN tunnels has a connectivity issue. This application did not have this problem in the original environment.
This VPN tunnel is a L2L tunnel between the remote and main office. In the remote office, the VPN endpoint is a PIX515E w/ OS 7.0(5). In the main office it is an ASA5520 with 7.2(2). The original firewall in the main office was a PIX 515 w/ 7.0(5). The IPSec match address list is an IP network to IP network access list without port definition.
We found that the Oracle client in the remote office can connect to the port opened on the Oracle server in the main office. But after connecting to the port on the server, the application re-establishes a new connection using a random port between this client and server, and this new connection does not seem to be able to establish.
Can anyone tell me whether this IPSec tunnel could be impacting the Oracle application? The ACL is an IP to IP ACL. What can I do to troubleshoot this issue? Why does the issue arise on the new ASA implementation?
I'm looking forward to your reply! Please help!
Jason
Hi,
Here are the end-to-end troubleshooting steps for an L2L tunnel.
Please check the debug commands carefully; you will find the key point where the trouble is.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Regards,
Dharmesh Purohit -
Creating L2L Tunnel to IOS Endpoint
Hey All,
Quick questions. I've been reviewing the guides on Cisco and have yet to find an example of what I'm looking for. The scenario is that there will be a client device that uses DHCP on the WAN side. This device can authenticate using IPSec to a VPN termination device. On our hub end we want to use a Cisco IOS router to terminate the connection. My question is that this will not be exactly an L2L tunnel; the endpoint has a configuration to build in a username to authenticate with. So it appears the tunnel will authenticate using a username and a pre-shared key, rather than PSK and a configured remote IP address (since this is DHCP). I've found an example of this on Cisco here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml. Unfortunately the example is from an IOS DHCP endpoint to a 3000-series concentrator. Anyone have a config example of what I'm looking for?
-Mike
http://cs-mars.blogspot.com
Mike,
When you say client device, is it like a router or is it a PC?
If it is a PC, take a look at this link
Link:1
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
If it is a device like a router or so, you need to configure the router just like one in the link given above
Link2:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
But the server part is like Link 1.
Hope this helps.
Here is a good link for configuration of VPN on Cisco devices.
http://www.cisco.com/en/US/partner/tech/tk583/tk372/tech_configuration_examples_list.html
Rate this post, if it helps.
Thanks
Gilbert -
Long shot question about L2L tunnel
I have a Cisco 5540 that terminates one end of an L2L tunnel; the remote end is a Sonicwall TZ100. The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in a .cap file using Wireshark 1.8.5.
Anyone have any thoughts on how to go about getting the session keys from either device?
Hi,
Nice find and interesting read. Might have to take a look at this at some point
Are you capturing traffic on the ASA "outside" interface?
I guess there must be a specific reason that you didn't capture the traffic before/after the tunnel on the "inside" interface of the ASA? Maybe see that the same traffic/data was passed on to the L2L VPN after the ASA had encrypted/encapsulated the traffic?
- Jouni -
Is it possible to allocate bandwidth to an application in an L2L tunnel?
Hi,
In an L2L tunnel, we wanted to allocate bandwidth for all users in Site A when accessing applications (Web-based and thick) in a server in Site B. The responses for both applications are not acceptable.
The same VPN link between the two sites is also used by other applications i.e. DC replication, etc. and the Internet link used for VPN is also used for SMTP and Lotus Notes.
In Site A, the tunnel is terminated outside of the PIX 7.2(2) and Site B is terminated outside of an ASA 5510 7.2(2). The routers in front of these firewalls have PBR such that the PAT'ed address from the firewall is routed to the ADSL instead of the serial interface.
If we upgrade the Internet line, I have to make sure that it will resolve the issue.
Thanks in advance.
Regards,
Archie
Hi,
Thanks.
- The first challenge is where to apply QoS i.e. do traffic policing/allocate bandwidth for IPSec use. My guess is on the router but I'm not 100% sure.
- If on the router, what's the command?
- Once the first challenge is done, can I do traffic policing on applications inside VPN which are terminated on PIX and ASA?
Regards,
Archie -
I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop. Does anybody have any ideas?
Thanks,
TJ
9 local4.notice 10.10.10.1 May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
2013-05-18 18:42:29 local4.warning 10.10.10.1 May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.error 10.10.10.1 May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 4.
9 local4.notice 10.10.10.1 May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
2013-05-18 18:42:29 local4.warning 10.10.10.1 May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.error 10.10.10.1 May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 4
I just enabled the crypto ipsec 255 and will post that when it drops again.
Thanks,
TJ -
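A small parser for the Tunnel Manager messages in the log above, added here as an example and not code from the thread or from Cisco: it groups the %ASA-x-7520xx events by crypto map tag and sequence number and flags map entries whose every KEY_ACQUIRE attempt ended in 752015 (all configured IKE versions failed). The sample log is constructed from the lines in the post, with the timestamp prefix completed and an extra attempt for sequence 5 added so one entry does not fail.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog lines in the post above.
SAMPLE_LOG = """\
2013-05-18 18:42:29 local4.notice 10.10.10.1 May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
2013-05-18 18:42:29 local4.warning 10.10.10.1 May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.error 10.10.10.1 May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 4.
2013-05-18 18:42:29 local4.debug 10.10.10.1 May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:31 local4.notice 10.10.10.1 May 18 2013 18:42:31: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:31 local4.warning 10.10.10.1 May 18 2013 18:42:31: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 4.
2013-05-18 18:42:31 local4.error 10.10.10.1 May 18 2013 18:42:31: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 4.
2013-05-18 18:43:05 local4.notice 10.10.10.1 May 18 2013 18:43:05: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 5.
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# The ASA writes "Map Tag = x" in most messages and "Map Tag= x" in 752015.
MAP_RE = re.compile(r"Map Tag ?= ?(?P<tag>\S+?)\. Map Sequence Number = (?P<seq>\d+)")
TIME_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA")

# Tunnel Manager message IDs that appear in the post (IKEv1 L2L on ASA 8.4.x).
ATTEMPT_ID = "752004"     # KEY_ACQUIRE dispatched to IKE: a tunnel build was requested
IKEV1_FAIL_ID = "752012"  # IKEv1 itself gave up
FAIL_ID = "752015"        # all configured IKE versions failed, no L2L SA
REMOVED_ID = "752002"     # Tunnel Manager dropped the pending entry


def parse_line(line):
    """Return the fields a correlation rule needs, or None for non-ASA lines."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    ts = TIME_RE.search(line)
    mm = MAP_RE.search(m["text"])
    return {
        "ts": ts["ts"] if ts else None,
        "sev": int(m["sev"]),
        "msgid": m["msgid"],
        "tag": mm["tag"] if mm else None,
        "seq": int(mm["seq"]) if mm else None,
        "text": m["text"],
    }


def summarize(lines):
    """Count build attempts and failures per (crypto map tag, sequence number)."""
    stats = defaultdict(lambda: {"attempts": 0, "ikev1_failures": 0,
                                 "failures": 0, "last_failure": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["tag"] is None:   # e.g. the 715077 Pitcher line carries no map
            continue
        key = (ev["tag"], ev["seq"])
        if ev["msgid"] == ATTEMPT_ID:
            stats[key]["attempts"] += 1
        elif ev["msgid"] == IKEV1_FAIL_ID:
            stats[key]["ikev1_failures"] += 1
        elif ev["msgid"] == FAIL_ID:
            stats[key]["failures"] += 1
            stats[key]["last_failure"] = ev["ts"]
    return dict(stats)


def failing_maps(stats, min_failures=2):
    """Map entries that failed repeatedly and never succeeded: every attempt ended in 752015."""
    return sorted(k for k, v in stats.items()
                  if v["failures"] >= min_failures and v["failures"] >= v["attempts"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for key in failing_maps(s):
        print(key, s[key])
```

The report narrows the problem to one crypto map entry, which is where to focus the `debug crypto ipsec` output the poster is collecting; the 7520xx messages themselves only say that negotiation failed, not why.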
Reassign Peers in a VPN L2L tunnel
Curiosity question... I have 2 new ASA5515's that I am setting up for an equipment upgrade. In the time before I swap them out I am using them as a sort of make-shift lab to get the L2L VPN setup going. I did not want to use current IP addresses for the test environment so I used bogus numbers.
My question is: Can I go back in and change the peer IP address and the local/remote addresses without having to tear them down to factory specs again?
- Do I just reissue the Tunnel-Group X.X.X.X type IPsec-l2l command with the correct IP's?
I know there are a few other areas where I will have to change the peer IP as well, but the gist of my question is can I do it or do I have to start over?
-Jon
Jon
You shouldn't have to reconfigure them from scratch if that is what you are asking.
You just need to modify the peer IPs wherever they appear in your configuration.
Jon -
Cluster IP address thru L2L tunnel
I have 3 Windows 2003 terminal servers set up for load balancing using Windows Network Load Balancing Manager. IP addresses 192.168.1.14, 192.168.1.15, 192.168.1.16, cluster IP 192.168.1.40 multicast.
I have a remote site connected via a site-to-site VPN tunnel using Cisco ASA5510 devices, subnet 192.168.100.1. On the local LAN (192.168.1.0) I can get connected to the terminal servers using the cluster IP; at the remote site I cannot. At the remote site I can connect to each TS using the actual IP address, and I can ping the cluster IP address or the DNS name and get a response. Can anybody think of any reason why I cannot connect using the cluster IP address?
Thanks
I have set up Wireshark on my 192.168.1.0 subnet and set up a packet capture on the ASA5510. In Wireshark I see SYN packets coming in from my machine 192.168.100.102 to the cluster IP, and I see SYN,ACK packets with src the cluster IP with the MAC address of one of the terminal servers and dst my IP address with the MAC address of the ASA 5510. On the ASA5510 packet capture I only see the SYN packets from my machine coming in but no SYN,ACK packets going out. What happened to the SYN,ACK packets?
I did a packet capture when connecting to the actual IP address of the terminal server (Which Works) and compared the SYN,ACK packets from both and saw no difference. -
L2L tunnel up, not passing traffic...all of a sudden
I've had a tunnel in place on a 5505 to a remote network I don't control, so my troubleshooting there is limited. But the tunnel has been in place for over a year without issue. Suddenly it doesn't appear to be passing traffic. But it is in at least one direction.
Remote network:192.168.191.0/24
Local ASA side: 10.220.78.0/24
I had a constant ping started from 192.168.191.10 > 10.220.78.23
Which is a Windows server pinging a Windows workstation.
When I debug icmp on the ASA I get:
ICMP echo request from outside:192.168.191.10 to inside:10.220.78.23 ID=1 seq=2866 len=32
ICMP echo reply from inside:10.220.78.23 to outside:192.168.191.10 ID=1 seq=2866 len=32
Which confirms to me that the remote network is in fact traversing the tunnel and hitting the 10.220.78.23 device, which is in fact responding, and the reply is being sent out the ASA.
The tunnel negotiates and comes up any time I reset it, by all accounts it looks correct.
The problem is not limited to ICMP as I'm unable to net use or map drives, nor can 192.168.191.10 print to the printer at 10.220.78.20.
But once I saw the icmp trace output I pretty much figured it has to be on the remote end... so...
My question: can I absolutely infer from this that the issue resides on the remote end?
Some additional info. Aside from the ping they have running from the remote network, which is shown in the above icmp trace, if I run packet tracer from the local network to the remote, the tunnel's up and traffic is allowed. Not a big surprise since the tunnel does negotiate and stay up.
I captured packets from the ASA and I can see the local 10.220.78.23 device sending the reply to 192.168.191.10. Matching up with the icmp trace.
I had them run a packet capture on their firewall and confirmed, the ICMP requests from 192.168.191.10 are being encapsulated and sent on the tunnel. Again confirmed in my mind since i see the requests on the ASA. But they don't ever see the response.
There's no tcp adjust mss command on the ASA but there's this in the config:
ASA# sh run all sys
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
Any other ideas? -
Disable l2l tunnel on concentrator with snmp
hello
Is it possible to disable an IPsec LAN-to-LAN tunnel with snmpset on a concentrator 3005? I found the following link http://www.cisco.com/warp/public/471/vpn3k_logout.html which shows how to terminate a tunnel.
thanks for answers!
Andre
As far as I know, this is not supported with SNMP
-
CSCth29311 - Dynamic L2L Tunnels can replace Static RRI Routes
I need help.
https://tools.cisco.com/bugsearch/bug/CSCth29311
crypto map CRYPTO-DEFAULT 160 match address Azure-crypto
crypto map CRYPTO-DEFAULT 160 set peer 137.117.161.73
crypto map CRYPTO-DEFAULT 160 set transform-set ESP-AES-256-SHA
crypto map CRYPTO-DEFAULT 160 set security-association lifetime seconds 3600
crypto map CRYPTO-DEFAULT 160 set security-association lifetime kilobytes 102400000
crypto map CRYPTO-DEFAULT 160 set reverse-route
crypto map CRYPTO-DEFAULT 170 match address Realtech-crypto
crypto map CRYPTO-DEFAULT 170 set peer 93.90.21.245
crypto map CRYPTO-DEFAULT 170 set transform-set ESP-AES-256-SHA
crypto map CRYPTO-DEFAULT 170 set security-association lifetime seconds 3600
crypto map CRYPTO-DEFAULT 170 set reverse-route
RSI-ASA1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
RSI-ASA1 up 7 days 3 hours
failover cluster up 7 days 3 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0026.0b31.522e, irq 9
1: Ext: GigabitEthernet0/1 : address is 0026.0b31.522f, irq 9
2: Ext: GigabitEthernet0/2 : address is 0026.0b31.5230, irq 9
3: Ext: GigabitEthernet0/3 : address is 0026.0b31.5231, irq 9
4: Ext: Management0/0 : address is 0026.0b31.5232, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 100
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1337L26T
Running Activation Key: 0x9207c551 0x203587d4 0xd41345a0 0x894cc424 0x0d371c93
Configuration register is 0x1
Configuration last modified by enable_15 at 01:29:41.324 CET Thu Dec 19 2013
UPGRADE VERSION
The bug is associated with this version, 8.2(1), and as Cisco notes in the workaround, the crypto map has to be removed and added back manually. But that is clearly not the best solution, so the vendor recommends upgrading to version 8.4.7 ED.
Vitor Morais BT Spain -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make the following changes on host officeasa:
Remove the line highlighted below.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make the following changes on host homeasa:
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
Site-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#
Thanks Rizwan,
Still no luck. I can't even ping the other side (office).. I am not sure if I'm running the debug the right way. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office) which is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)#
-
L2L issue, the tunnel does not getting up from one direction
Hello,
We have configured a L2L VPN between an ASA and an 1841 router. We are facing this issue.
The tunnel never comes up from the 1841 site. When we try to generate traffic from the ASA site the tunnel comes up and we can see decrypted and encrypted packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
crypto map EKO_BG 100 ipsec-isakmp
set peer 213.249.x.x
set security-association lifetime seconds 28800
set transform-set XXXXX
set pfs group2
match address 111
interface FastEthernet0/0.2
encapsulation dot1Q 3338
ip address 212.200.30.130 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map XXXXX
ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 10.70.2.10 93.87.18.161
ip nat inside source static 10.70.25.10 93.87.18.162
ip nat inside source static 10.70.36.5 93.87.18.163
ip nat inside source static 10.70.39.10 93.87.18.164
ip nat inside source static 10.70.5.10 93.87.18.165
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
Asa Config:
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
pager lines 24
nat (inside) 9 access-list inside_pnat_outbound_V5
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
crypto map mymap 150 match address
crypto map mymap 150 set pfs
crypto map mymap 150 set peer XXXXXX
crypto map mymap 150 set transform-set XXX
crypto map mymap 150 set security-association lifetime seconds 28800
crypto map mymap 150 set security-association lifetime kilobytes 10000
crypto map mymap 320 match address outside_cryptomap_320
crypto map mymap 320 set pfs
crypto map mymap 320 set peer XXXXX
crypto map mymap 320 set transform-set XXXXX
crypto map mymap 320 set security-association lifetime seconds 28800
crypto map mymap 320 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption 3des
isakmp policy 150 hash md5
isakmp policy 150 group 2
tunnel-group 212.200.x.x type ipsec-l2l
tunnel-group 212.200.x.x ipsec-attributes
pre-shared-key *
Please advise.
Thank you.
Hello Ashley,
Thank you for this info. Now from the router site the tunnel is coming up and I can see packets, but although the tunnel is up it cannot telnet to our server (172.40.10.100) on a specific port.
From the ASA site we can ping the router site and telnet.
Any ideas???
Thank you all for your answers!
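Both threads above end up in the same place: a tunnel that either never negotiates (no ISAKMP SA at all) or comes up from only one side, with NAT sitting in the path. Before anything else is debugged it is worth confirming two things mechanically: that the crypto ACLs on the two peers are exact mirror images of each other, and that the interesting traffic is kept out of NAT on both ends (the deny at the top of ACL 101 on the 1841, the nat0 ACL on the ASA). The script below is an added example, not something any poster ran or Cisco ships; it normalises IOS wildcard-mask and ASA netmask ACL lines into networks and reports any crypto permit the other side does not mirror and any crypto flow the NAT ACL would still translate. The four sample ACLs are constructed from the lines posted in the second thread, and the function names are mine.

```python
# Added example: mirror-image and NAT-exemption check for a Cisco IOS <-> ASA
# LAN-to-LAN pair. Not code from the thread; sample ACL text is constructed.
import ipaddress

# --- constructed sample input: wildcard masks on the 1841, netmasks on the ASA ---
ROUTER_CRYPTO_ACL = """
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
"""
ROUTER_NAT_ACL = """
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
"""
ASA_CRYPTO_ACL = """
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
"""
ASA_NAT0_ACL = """
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
"""


def _parse_addr(tokens, i, wildcard):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        # IOS wildcard: 0 bits must match, so invert it to get a netmask. Done
        # explicitly because '0.0.0.0' is a host in IOS but a /0 netmask on the ASA.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, wildcard):
    """Return [(action, src_net, dst_net)] for the 'permit/deny ip' lines of an ACL.

    wildcard=True for IOS syntax, False for ASA syntax. Remarks, blank lines and
    non-IP entries (tcp/udp/icmp lines) are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or "remark" in tokens or "ip" not in tokens:
            continue
        i = tokens.index("ip")  # ASA puts 'extended' before the action, IOS does not
        action = tokens[i - 1]
        if action not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, i + 1, wildcard)
        dst, i = _parse_addr(tokens, i, wildcard)
        entries.append((action, src, dst))
    return entries


def mirror_mismatches(local_crypto, remote_crypto):
    """Return (local permits the remote does not mirror, remote permits the local does not mirror).

    A local (src -> dst) permit is mirrored when the remote has (dst -> src).
    Only exact mirrors count; supernets/subnets are reported so they get looked at.
    """
    local = {(s, d) for a, s, d in local_crypto if a == "permit"}
    remote = {(s, d) for a, s, d in remote_crypto if a == "permit"}
    only_local = local - {(d, s) for s, d in remote}
    only_remote = remote - {(d, s) for s, d in local}
    return sorted(only_local), sorted(only_remote)


def nat_gaps(crypto_entries, nat_entries, exempting, unmatched_exempt):
    """Return crypto permits whose traffic would still be translated.

    exempting: the NAT-ACL action that keeps traffic out of NAT ('deny' for an IOS
    'ip nat inside source list' ACL, 'permit' for an ASA nat0 ACL).
    unmatched_exempt: result when nothing matches (IOS implicit deny = not
    translated; ASA nat0 miss = falls through to the other NAT rules, so False).
    NAT ACLs are first-match, so the first overlapping entry decides; an entry
    that covers only part of a crypto subnet is reported as a gap (conservative).
    """
    gaps = []
    for action, src, dst in crypto_entries:
        if action != "permit":
            continue
        first = next((e for e in nat_entries if e[1].overlaps(src) and e[2].overlaps(dst)), None)
        if first is None:
            ok = unmatched_exempt
        else:
            nat_action, nsrc, ndst = first
            ok = nat_action == exempting and src.subnet_of(nsrc) and dst.subnet_of(ndst)
        if not ok:
            gaps.append((src, dst))
    return gaps


def check_site_to_site(router_crypto, router_nat, asa_crypto, asa_nat0):
    """Run both checks and return the findings as 'src -> dst' strings per category."""
    rc, rn = parse_acl(router_crypto, True), parse_acl(router_nat, True)
    ac, an = parse_acl(asa_crypto, False), parse_acl(asa_nat0, False)
    only_router, only_asa = mirror_mismatches(rc, ac)
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in pairs]
    return {
        "crypto_only_on_router": fmt(only_router),
        "crypto_only_on_asa": fmt(only_asa),
        "router_still_natted": fmt(nat_gaps(rc, rn, "deny", True)),
        "asa_still_natted": fmt(nat_gaps(ac, an, "permit", False)),
    }


if __name__ == "__main__":
    for name, items in check_site_to_site(ROUTER_CRYPTO_ACL, ROUTER_NAT_ACL,
                                          ASA_CRYPTO_ACL, ASA_NAT0_ACL).items():
        print(f"{name}: {items or 'OK'}")
```

On the posted configs every category comes back empty, which is what you want to see before moving on to `debug crypto isakmp`. The check is deliberately strict: if the 1841's deny line were ordered after the `permit ip 10.70.0.0 0.0.255.255 any`, or one side summarised the /24 to a /16, the script flags it, because IKE will not even be attempted for traffic that the router has already translated, and a proxy-ID that the peer does not have a matching entry for is the classic reason a tunnel negotiates from one side only.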